Openconnect on Mac for Cisco and Fortinet

Openconnect as a replacement for Cisco AnyConnect is amazing. I had to use a Fortinet VPN concentrator and noticed that Openconnect added support for it in March of 2021. Here are the brew commands I used to install the version that had that support.

brew install autoconf automake
brew install openconnect -s --head
After that build, fortinet appears in the list of supported protocols.

FIM Management Agent failing to run

If the FIM MA fails to run any Import or Export operation and this error appears in the event log:

.Net SqlClient Data Provider: System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out

run Sync.ClearExport as described at https://social.technet.microsoft.com/wiki/contents/articles/11331.fim-2010-r2-troubleshooting-stopped-server-error-on-the-fim-service-management-agent.aspx

Direct Access Load Balancer Health Check

Using the code from https://github.com/takeshixx/ip-https-tools/blob/master/ip-https-discover.nse as a base, the following load balancer health check determines whether DirectAccess is available and accepting new connections.

On our F5, we have an HTTP monitor that sends the string:

GET / HTTP/1.1\r\nHOST: <DADNSNAME>\r\nContent-Length: 18446744073709551615\r\nConnection: Close\r\n\r\n

Replace <DADNSNAME> with the FQDN of your DA implementation.

The receive string is:

HTTP/1.1 * (200)
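The same probe as a stand-alone script, useful when the check has to run from something other than the F5. This is an added example, not code from the post or from the nse script it cites: it sends the exact request string above over TLS and reports healthy only on a 200 status line. DA_FQDN is a constructed placeholder.

```python
import re
import socket
import ssl

# Constructed placeholder; replace with the FQDN of your DirectAccess deployment.
DA_FQDN = "da.example.com"
MAX_UINT64 = 18446744073709551615  # the Content-Length value the F5 monitor sends

def build_probe(host: str) -> bytes:
    """Build the exact request the F5 HTTP monitor sends (a Content-Length but no body)."""
    return (
        "GET / HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        f"Content-Length: {MAX_UINT64}\r\n"
        "Connection: Close\r\n\r\n"
    ).encode("ascii")

STATUS_RE = re.compile(rb"^HTTP/1\.1 (\d{3})")

def parse_status(response: bytes):
    """Return the status code from the first line of the response, or None."""
    m = STATUS_RE.match(response)
    return int(m.group(1)) if m else None

def is_healthy(response: bytes) -> bool:
    """Equivalent of the receive string 'HTTP/1.1 * (200)': only a 200 status line passes."""
    return parse_status(response) == 200

def probe_direct_access(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect over TLS, send the probe and read only the status line; the server expects a huge body, so it will not close the connection."""
    ctx = ssl.create_default_context()  # verifies the IP-HTTPS listener's certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_probe(host))
                head = b""
                while b"\r\n" not in head and len(head) < 4096:
                    chunk = tls.recv(1024)
                    if not chunk:
                        break
                    head += chunk
    except OSError:  # connect, TLS or timeout failure counts as unhealthy
        return False
    return is_healthy(head)

if __name__ == "__main__":
    print("healthy" if probe_direct_access(DA_FQDN) else "unhealthy")
```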

MIM – FOREIGN KEY constraint

I do not take credit for this fix, I am going to copy and paste it verbatim from another forum post.

Ugh, this one was a pain-in-the-ass to figure out, but I did, so I thought I would share. The other day, I had to add a custom resource type to the portal — computer and contact types to be specific. After I did all the tedious work of expanding the schema, granting permissions to the synchronization engine to control them, added their types to the synchronization filter, defined the synchronization rules, blah, blah blah; when I attempted to export them from my ADMA into my FIMMA, I was getting the following error:

Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other --->
System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 31,
Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 31, Message: Reraised Error 547,
Level 16, State 1, Procedure UpdateResource, Line 462, Message: The INSERT statement conflicted with the
FOREIGN KEY constraint "FK_ObjectValueReference_BindingInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal".
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader()
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

If you are reading this, likely you are having this problem too and likely it is because in defining the schema of the custom resource type, you included a binding to the Domain attribute. Well, after conferring with the product group, it turns out that whenever you create or update a binding of a resource to a Domain attribute, you must also create a second binding for the DomainConfiguration attribute to that resource type as well. *Woof* Nice for them to make that obvious… 

Anyway, the short of it is: whenever you create (or update) a binding to the Domain attribute, you must also create a DomainConfiguration binding. After doing so, refresh the schema of the FIMMA in the sync engine, run a full import, sync, and export, and celebrate that this nut has been cracked… freeing you up for the next one.


https://docs.microsoft.com/en-us/archive/blogs/karchworld_identity/a-note-when-creating-a-custom-resource-types-that-has-a-domain-attribute-binding

https://web.archive.org/web/20200422225723/https://docs.microsoft.com/en-us/archive/blogs/karchworld_identity/a-note-when-creating-a-custom-resource-types-that-has-a-domain-attribute-binding

MIM – System.UnauthorizedAccessException: Access is denied

If MIM fails to install with the error:

Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.AddServiceToPerformanceMonitors
Adding FIMService account to 'Performance Monitor Users' group
Property name = 'ServiceAccount', value = 'XXXXX\XXXXX$'.
DomainName='XXXXX'
AccountName='XXXXX$'
Domain AD found
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied.

Check your domain controllers for the following error in the event log

This is caused by the Network access: Restrict clients allowed to make remote calls to SAM policy being set on the domain controllers. The installer's custom action resolves the service account against a domain controller, which requires a remote SAM call, and the policy rejects that call when the calling account is not included in its security descriptor.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

Bulk Intune IOS Content Filter

I had a requirement to block a list of URLs using the iOS content filter. I realized the Intune management UI does not have an upload button.

The PowerShell code is below. The policy must already contain a content filter; this script will not create one.

## Connect to MS Graph ($cred is a PSCredential obtained earlier, e.g. from Get-Credential)
Connect-MSGraph -PSCredential $cred

# Get the list of sites to block, one URL per line
$BlockList = [string[]](Get-Content c:\temp\weblist.txt)

# Get the policy we want to update
$Pol = Get-IntuneDeviceConfigurationPolicy | ? DisplayName -eq "iOS MDM Corporate Features"

# The content filter settings only exist in MS Graph beta, so fetch that version of the policy
$URL = $Pol.iosDeviceFeaturesConfigurationReferenceUrl -replace "v1.0","beta"
$PolBeta = Invoke-MSGraphRequest -Url $URL

# Take the existing filter and replace its blocked URL list with ours
$ContentFilter = $PolBeta.contentFilterSettings
$ContentFilter.blockedUrls = $BlockList

# Build an iosDeviceFeaturesConfiguration shell carrying only the new content filter settings
$IOSF = @{
    '@odata.type' = '#microsoft.graph.iosDeviceFeaturesConfiguration' ;
    contentFilterSettings = $ContentFilter
}

# PATCH the policy with the new config. -Depth keeps nested filter objects intact (the default
# depth of 2 truncates them) and -Compress drops the line breaks without stripping spaces
# from inside string values, which the original whitespace-stripping -replace could do.
Invoke-MSGraphRequest -Url $URL -HttpMethod PATCH -Content ($IOSF | ConvertTo-Json -Depth 10 -Compress) -Verbose

A little background:

We are using the Microsoft.Graph.Intune PS modules. The contentFilterSettings only exist in the MS Graph beta endpoint, so I had to get creative to update the policy.

AADC / Object Cannot Be Found

With Azure AD Connect I was getting the following errors for several objects: "The operation failed because the object cannot be found" and "unexpected-error".

Take two full backups of your database, stored in two separate locations, before changing anything. Then run the SQL below to list how many objects are affected per management agent.

-- Count, per management agent, the connector space objects whose
-- metaverse link points at a metaverse object that no longer exists
select cs.ma_id, ma.[ma_name], count(*) as [count],
       min([initial_import_error_date]) as [min initial import error date]
from dbo.mms_connectorspace cs
join [dbo].[mms_management_agent] ma
    on ma.[ma_id] = cs.[ma_id]
join (
    select [mv_object_id],
           mv.[object_id] as [mv.object_id],
           [cs_object_id],
           [lineage_id],
           [lineage_date]
    from [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv
    full outer join [FIMSynchronizationService].[dbo].[mms_metaverse] mv
        on mv.[object_id] = csmv.[mv_object_id]
    where mv.[object_id] is null
) b
    on b.cs_object_id = cs.object_id
group by cs.ma_id, ma.[ma_name]
order by count(*) desc

The following code saves the affected objects to a temporary table and then deletes them from the connector space and from the link table.

-- Stage the orphaned links (no matching metaverse object) in a temp table
select [mv_object_id],
       mv.[object_id] as [mv.object_id],
       [cs_object_id],
       [lineage_id],
       [lineage_date]
into #wehackedit
from [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv
full outer join [FIMSynchronizationService].[dbo].[mms_metaverse] mv
    on mv.[object_id] = csmv.[mv_object_id]
where mv.[object_id] is null

-- Remove the connector space objects that were linked to the missing metaverse objects
delete from dbo.mms_connectorspace
where object_id in (
    select cs_object_id from #wehackedit
)

-- Remove the dangling link rows themselves
delete from dbo.mms_csmv_link
where mv_object_id in (
    select [mv_object_id] from #wehackedit
)

Credit for this fix goes to Joe.

Exchange/Office 365 add domains from EML files to SPAM block list

The script reads EML files from a directory, parses the header.from value out of the Authentication-Results header, and adds that domain to the spam block list.

<#
Stephen

Spam Filter
#>

# Connect to Exchange Online (the author's wrapper; the ExchangeOnlineManagement module cmdlet is Connect-ExchangeOnline)
Connect-ExchangeOnlineShell
$SpamFolder = "C:\Users\Administrator\Desktop\spam"

# Shared webmail domains are never blocked: doing so would block every legitimate sender there too
$DomainsNeverBlock = @('gmail.com','outlook.com','aol.com','yahoo.com')

$DefaultPolicy = Get-HostedContentFilterPolicy -Identity "Default"

# Capture only the domain token; the original greedy (.*); could swallow everything up to the last semicolon
$regex = [regex]"header\.from=([^;\s]+)"

Get-ChildItem -Path $SpamFolder -File | ForEach-Object {
    # Take the first line that carries header.from (an array of matches would make -match act as a filter and leave $Matches unset)
    $line = Get-Content $_.FullName | Select-String 'header\.from' | Select-Object -First 1
    if ($line -and ($line.Line -match $regex)) {
        $domain = $Matches[1].ToLower()
        # -notcontains compares case-insensitively, unlike the array's .Contains() method
        if ($DomainsNeverBlock -notcontains $domain) {
            Write-Warning "Blocking Domain $domain"
            $DefaultPolicy | Set-HostedContentFilterPolicy -BlockedSenderDomains @{Add=$domain} -Confirm
        }
    }
}

# Sync spam policies: copy the default policy's sender lists onto the on-prem users' policy
$OnPremPolicy = Get-HostedContentFilterPolicy -Identity "Cloud quarantine for on prem users"
$DefaultPolicy = Get-HostedContentFilterPolicy -Identity "Default"

$OnPremPolicy | Set-HostedContentFilterPolicy -AllowedSenderDomains $DefaultPolicy.AllowedSenderDomains -AllowedSenders $DefaultPolicy.AllowedSenders -BlockedSenders $DefaultPolicy.BlockedSenders -BlockedSenderDomains $DefaultPolicy.BlockedSenderDomains

Dell Quick Connect Account Maintenance

Here is a group of PowerShell scripts I wrote for account maintenance using Dell Quick Connect.

List accounts older than 2 years to remove HomeDirectory

# $srcObj is the source directory object Quick Connect hands to the script
# two years
$DaysInactive = 730
$lastLogonTimestamp = $srcObj["lastLogonTimestamp"]
$pwdLastSet = $srcObj["pwdLastSet"]

$response = $FALSE
$LastLoginResponse = $FALSE
$pwdLastSetResponse = $FALSE

# Both attributes are Windows FILETIME values stored as strings
if ($lastLogonTimestamp) {
    $LastLogonConverted = [datetime]::FromFileTime([int64]::Parse($lastLogonTimestamp))
    if (((Get-Date) - $LastLogonConverted).Days -ge $DaysInactive) {
        $LastLoginResponse = $TRUE
    }
}

if ($pwdLastSet) {
    $pwdLastSetConverted = [datetime]::FromFileTime([int64]::Parse($pwdLastSet))
    if (((Get-Date) - $pwdLastSetConverted).Days -ge $DaysInactive) {
        $pwdLastSetResponse = $TRUE
    }
}

# The original tested the undefined $pwLastSetResponse here, so the password age never counted
if ($LastLoginResponse -or $pwdLastSetResponse) {
    $response = $TRUE
}

$response

Based on the OU determine HomeDirectory Location

$ParentPath = $dstObj["distinguishedName"]
$Path = ""

if($ParentPath){
    if($ParentPath.Contains("Admins") -or $ParentPath.Contains("Staff") ){
        $Path = "\\fs-c108-01\staff_home$\"
    }elseif($ParentPath.Contains("Faculty")){
        $Path = "\\fs-c108-04\faculty_home$\"
    }elseif($ParentPath.Contains("Students") -or $ParentPath.Contains("Seminar")){
        $Path = "\\fs-c108-03\student_home$\"
    }else{
        Write-Error "Cannot Find Where to Put Home Directory"
    }

    $Path +=  $dstObj["sAMAccountName"]
}else{
    Write-Error "ParentPath Null"
}

$Path

Create HomeDirectory and Assign Permissions

$ParentPath = $srcObj["distinguishedName"]
$User = $srcObj["sAMAccountName"]
$DomainUser = "fitsuny\"

$DomainUser += $User

$Path = ""

# Pick the home directory server from the OU the account lives in
if ($ParentPath) {
    if ($ParentPath.Contains("Admins") -or $ParentPath.Contains("Staff")) {
        $Path = "\\fs-c108-01\staff_home$\"
    } elseif ($ParentPath.Contains("Faculty")) {
        $Path = "\\fs-c108-04\faculty_home$\"
    } elseif ($ParentPath.Contains("Students") -or $ParentPath.Contains("Seminar")) {
        $Path = "\\fs-c108-03\student_home$\"
    } else {
        Write-Error "Cannot Find Where to Put Home Directory"
    }

    $Path += $User
} else {
    Write-Error "ParentPath Null"
}

$HasDir = Test-Path $Path

if ($HasDir) {
    Write-Error "Directory Exists"
} else {
    New-Item $Path -type directory
    # Grant the user Full Control, inherited by subfolders and files
    $acl = Get-Acl $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($DomainUser, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    Set-Acl $Path $acl
}

Remove HomeDirectory

$Path = $dstObj["Path"]
$Folder = $dstObj["Folder"]

$FullPath = $Path
$FullPath += $Folder

#Not Stable
#Remove-Item -Recurse -Force $FullPath

cmd /c rd /s /q $FullPath

$HasDir  = Test-Path $FullPath
if($HasDir){
 Throw "Unable to delete home directory"
}