Azure AD sync objects not syncing – specifically some room and equipment mailboxes

I have a client who is slowly going to O365 and has asked us to pick up where another consultancy left off.

Some objects were not syncing with O365, even though the OU was included in the AADConnect config.

First issue was easy – the UPN suffix on a number of objects had not been changed, updated that, away they went.

The next issue took me a while to suss out.

Within the Synchronisation Service Manager, I could see there were 22 “disconnects”… but no details on what that meant…. Took a while, but I found that the issue was caused by the mailboxes which were listed as object type “placeholder”. So…..

Open Synchronisation Service Manager

Go to connectors

Right click on your AD connector and select “Search connector space”

Optionally specify a DN to search

Find objects that have an “object type” of “placeholder”


I tried a number of things to try and get rid of “placeholder” – in the end, it was a simple password reset…. don’t have to enable the account, just set the password to something valid, and then it will sync in AADConnect fine.

Considering the accounts are all disabled, and therefore resetting all the passwords doesn’t matter, I ran the following PowerShell over the top-level resources OU:

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Resources,OU=Contoso,DC=au" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ComplexPassword" -Force)
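The one-liner above gives every object under the OU the same known password, and `-Filter *` also catches any enabled accounts that live there. The following is an added example (not from the original post) that resets only disabled accounts and gives each one a random password that is never recorded. It assumes the ActiveDirectory module and reuses the post's OU path; `New-RandomPassword` is a hypothetical helper.

```powershell
# Added example: per-account random passwords for disabled resource accounts.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # Character classes (look-alike characters left out); one of each is forced
    # so the result satisfies a typical domain complexity policy.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+-=?@_'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    # Pick one character from a string using the cryptographic RNG.
    $pick = {
        param([string]$from)
        $rng.GetBytes($buf)
        $from[[int]([System.BitConverter]::ToUInt32($buf, 0) % [uint32]$from.Length)]
    }
    $chars = @($sets | ForEach-Object { & $pick $_ })
    $all   = -join $sets
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Fisher-Yates shuffle so the forced characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $rng.GetBytes($buf)
        $j = [int]([System.BitConverter]::ToUInt32($buf, 0) % [uint32]($i + 1))
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

$SearchBase = 'OU=Resources,OU=Contoso,DC=au'   # DN as written in the post

# Only disabled accounts are touched; enabled users in the OU are left alone.
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -SearchScope Subtree |
    ForEach-Object {
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword (New-RandomPassword)
        Write-Output "Reset password for disabled account $($_.DistinguishedName)"
    }
```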




Parallels phone spam

Recently, my staff and I have been subjected to a bunch of phone call spam from

I’m getting calls from a UK number, + 442033276423, asking us to partner…. the first time, it was “no thanks”, subsequent calls have been met with less friendly suggestions, and then a block.

Still, no company with decent software needs to engage in this type of activity – avoid.

*update 4/10/2016*

They still call persistently, two times a day, leaving “silence” voice mails after their number has been blocked. There doesn’t seem to be a way to block the number and prevent them from leaving voicemail…. any app developers out there want to write an app to do that? (if you can do that). It’s a Windows 10 phone, so you’d have to be willing to write an app for a platform that commands a whopping 0.7% of the handset market and, based on the complete lack of support from Microsoft and the rumour mill, unlikely to exist for much longer!

PS Now… on PC

This –

is awesome.

Assuming it works, and the performance is ok, I’ll be signing up.

Although it’s unlikely at release, it would get even better if I could play my one and only PS3 store game, Super Stardust HD.

Microsoft have right royally fucked PC gamers by forcing “Play anywhere” games to be played via the completely shithouse, and non-gaming-aimed, UWP and only on Windows 10.

Sony, it looks like, are targeting 7, 8.1 and 10…. hopefully it won’t have any lame-arse, shit-for-brains nobbles like the Xbox “play-anywhere” (as long as you define “anywhere” as within the Windows store only on Windows 10)…..

Lumia 550 – Good…. until you try and get a replacement battery

I wrote previously about how good the 550 is for a $200 phone.

Sure, it’s a little slow sometimes…. but overall, it’s very good.

Lately, my battery life has been quite diminished…. as per all batteries once they get a little older.

Went online to find a new battery, bl-t5a…. could only find them from US, French or Spanish eBay sellers, who won’t ship internationally… the local retailer I purchased the phone from (JB Hifi) doesn’t stock batteries… battery specialist stores, such as Battery World, can’t get them… and Microsoft… well, I’m not insane enough to even try contacting them.

So, the long and short of it… I’m screwed. I now get approx. 4-6 hours stand-by time on my phone and basically cannot get another battery for it.

This extremely important and very unexpected issue means that the 550, and any other phone without a battery commonly used by Android phones, has to go in the “avoid at all costs” bucket…… which is unfortunate.

Upgrading Hyper-V integration components via SCCM

Keeping Hyper-V integration components up to date on all your Hyper-V guests has a few options, PowerShell and SCO being the common ones…. but I’m one of these whacky people that likes to keep deployment tasks within my deployment tool – SCCM.

Unfortunately, the integration services version doesn’t seem to be exposed through the properties SCCM collects by default, such as hardware inventory (which includes add/remove programs).

Due to this, we have to use software inventory.

To this end, I enable software inventory for C:\Windows\System32\drivers\vmbus.sys

The version of this, once reported, isn’t quite clean. Instead of 6.3.9600.18398, we get “6.3.9600.18398 (winblue_ltsb.160625-0600)”, so this is what needs to be used in your collection queries in order to have anything show up in your collections.

The resulting query ends up like this:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SoftwareFile.FileName = "vmbus.sys"
and SMS_G_System_SoftwareFile.FileVersion = "6.3.9600.18398 (winblue_ltsb.160625-0600)"

Licensing mode for the Remote Desktop Session Host is not configured

Had a situation recently when building a 2012 R2 RDS farm that the message

“Licensing mode for the Remote Desktop Session Host is not configured”

kept appearing, even though the licensing server was activated etc. and the server was configured to use it.

Thankfully, this site had the answer

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("licserver.domain.local")

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core\LicensingMode
Change the DWORD to 2 for Per Device or 4 for Per User


Update 6/09/2016

An employee mentioned to me that setting the license server and licensing mode via group policy also seems to get around this bug

Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host


Windows 10 refresh tool

While this has no relevance for enterprise admins, it could be very useful when “friends” (the type that think anyone in “IT” should be able to fix their toaster…. as it runs on “that electricity stuff”) ask for help with their recent purchase of bloatware riddled new PC….. the reply can always be “have you got a fresh install of win 10 on it?”

Tim Sweeney’s opinion on the future of the Windows Store

I think he is spot on.

Games for Windows Live was a disaster, UWP is un-configurable.

Currently, in my opinion, the reason why people use the Windows platform is that it is (or maybe was is more accurate) flexible, partly natively and partly because of the huge array of software and hacks out there to get things done, in the way users want to get them done.

We all know that MS wants the Apple “closed” model for recurring revenue…. but that means everyone that wants a flexible platform may have to start looking elsewhere.

Scripting Office 365 licensing with disabled services

Have had a few clients request scripts to automatically assign licenses to users in Office 365 – generally pretty simple. Recently I had a client ask to disable a particular service within a license – again, not all that difficult – unless you want to actually check if a license/service is already configured and not make any changes. Took a little while to work out, so figured I’d share it with those interested!


Just to set a license for a user is a pretty simple process – all you need is the license ‘SkuId’ value. To get a list of the ones available in your tenant, run: Get-MsolAccountSku. You’ll get a list of the available license SkuId’s and how many are active/consumed. In this article we’ll use an example SkuId of “Contoso:STANDARDWOFFPACK_IW_STUDENT”. Once you have the SkuId, all you need to run to assign the license is:

# $UPN holds the user's UserPrincipalName
Set-MsolUser -UserPrincipalName $UPN -UsageLocation AU

Set-MsolUserLicense -UserPrincipalName $UPN -AddLicenses "Contoso:STANDARDWOFFPACK_IW_STUDENT"


Note: in order to assign a license, you also need to first assign a usage location to the user. If that’s already assigned, you can skip that line.


What if you didn’t want to have all the applications available for the user? For example, the above license includes Yammer Education. In this case, we need to create a ‘License Options’ object first.

$LicenseOption = New-MsolLicenseOptions -AccountSkuId "Contoso:STANDARDWOFFPACK_IW_STUDENT" -DisabledPlans YAMMER_EDU

Set-MsolUserLicense -UserPrincipalName $UPN -LicenseOptions $LicenseOption


So where did we get the “YAMMER_EDU” from? You can list the available services for a license by running:

(Get-MsolAccountSku | where {$_.AccountSkuId -eq 'Contoso:STANDARDWOFFPACK_IW_STUDENT'}).ServiceStatus


What if we wanted to disable multiple services in the License Option? The “-DisabledPlans” option accepts a comma-separated list. For example:

$LicenseOption = New-MsolLicenseOptions -AccountSkuId "Contoso:STANDARDWOFFPACK_IW_STUDENT" -DisabledPlans YAMMER_EDU, SWAY


Ok, so now we know how to get the available licenses and related services – as well as how to assign the license to the user. What if we wanted to check if a license is assigned to a user first? Personally, I’m not a huge fan of just re-stamping settings each time you run a script – so I thought I’d look into it. The easiest method I’ve found is to try to bind to the license, then check if it’s $null or not:

$User = Get-MsolUser -UserPrincipalName $UPN

$License = $User.Licenses | Where{$_.AccountSkuId -ieq "Contoso:STANDARDWOFFPACK_IW_STUDENT"}

If ($License) {Write-Host "Found License"} else { Write-Host "Didn't Find License"}


From there we can do whatever we want – if the license is found and that’s all you care about, you can skip – otherwise you can use the other commands to set the license.

So what if we also want to make sure YAMMER_EDU is disabled as well? That’s a little trickier. First we need to bind to the license like we did above, then we need to check the status of the relevant ‘ServicePlan’.

$User = Get-MsolUser -UserPrincipalName $UPN

$License = $User.Licenses | Where{$_.AccountSkuId -ieq "Contoso:STANDARDWOFFPACK_IW_STUDENT"}

If($License.ServiceStatus | Where{$_.ServicePlan.ServiceName -ieq "YAMMER_EDU" -and $_.ProvisioningStatus -ine "Disabled"})
{
    Write-Host "YAMMER_EDU isn't disabled"
}




At this point it’s probably a good idea to talk about the structure of these objects – you may not need to know it, but for anyone trying to modify these commands it might be helpful.

  • A ‘User’ object contains an attribute ‘Licenses’. This attribute is an array – as a user can have multiple licenses assigned.
  • A ‘License’ object contains two attributes relevant to this script; ‘AccountSkuID’ and ‘ServiceStatus’
    • AccountSkuId is the attribute that matches up with the AccountSkuId we’re using above
    • ServiceStatus is another array – it contains an array of objects representing the individual services available in that license – and their status.
  • The two attributes attached to a ‘ServiceStatus’ object that we care about are:
    • ServicePlan.ServiceName – this is the name to match the service above (eg: YAMMER_EDU)
    • ProvisioningStatus – this can be a bunch of values, but mostly ‘Success’, ‘Disabled’ or ‘PendingInput’. I’d assume there’s also ‘Provisioning’, but I’ve never seen it.
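The object structure above, walked in code, as an added example that is not part of the original post. `Get-LicenseAction` is a hypothetical helper and the sample user is constructed, so it runs without connecting to MSOnline. It goes beyond the single YAMMER_EDU check by taking a list of plans and reporting names that do not exist in the license, which a single-plan check would silently pass.

```powershell
# Added example; Get-LicenseAction is a hypothetical helper, not an MSOnline cmdlet.
function Get-LicenseAction {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string] $SkuId,
        [string[]] $DisabledPlans = @()
    )
    # User.Licenses is an array; pick the entry for the SKU we manage.
    $license = $User.Licenses | Where-Object { $_.AccountSkuId -ieq $SkuId }
    if (-not $license) {
        return [pscustomobject]@{ Action = 'Add'; StillEnabled = $DisabledPlans; Unknown = @() }
    }
    # License.ServiceStatus is an array of { ServicePlan.ServiceName, ProvisioningStatus }.
    $names = @($license.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
    # A mistyped plan name never matches, so report it rather than treat it as disabled.
    $unknown = @($DisabledPlans | Where-Object { $names -notcontains $_ })
    $stillEnabled = @($license.ServiceStatus |
        Where-Object { $DisabledPlans -contains $_.ServicePlan.ServiceName -and
                       $_.ProvisioningStatus -ine 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName })
    $action = if ($stillEnabled.Count -gt 0) { 'Update' } else { 'None' }
    [pscustomobject]@{ Action = $action; StillEnabled = $stillEnabled; Unknown = $unknown }
}

# Constructed sample data mirroring User -> Licenses -> ServiceStatus.
function New-SampleService($Name, $Status) {
    [pscustomobject]@{
        ServicePlan        = [pscustomobject]@{ ServiceName = $Name }
        ProvisioningStatus = $Status
    }
}
$sampleUser = [pscustomobject]@{
    UserPrincipalName = 'student1@contoso.example'
    Licenses          = @([pscustomobject]@{
        AccountSkuId  = 'Contoso:STANDARDWOFFPACK_IW_STUDENT'
        ServiceStatus = @(
            (New-SampleService 'YAMMER_EDU' 'Success'),
            (New-SampleService 'SWAY' 'Disabled')
        )
    })
}

# YAMER_EDU is a deliberate typo to show the Unknown list.
Get-LicenseAction -User $sampleUser -SkuId 'Contoso:STANDARDWOFFPACK_IW_STUDENT' `
    -DisabledPlans YAMMER_EDU, SWAY, YAMER_EDU
```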


With this in mind, we can put together a script like the following – it reads the UPN and AccountSkuID from a CSV file, though you could use whatever source you like and update the script accordingly.


As with the previous scripts, you need the following:


You’ll also need to update the 6 variables at the top of the script (paths, etc).



#Input File
$File = "D:\_Temp\ExchangeOnline\Source.csv"

#Log Variables
$LogFile = "D:\_Temp\ExchangeOnline\SetLicenses_$((Get-Date).ToString('yyyyMMdd')).log"
$AuditFile = "D:\_Temp\ExchangeOnline\SetLicenses_Audit.log"

#Credential Variables
#Keep the key file and password file readable only by the account that runs this script
$AdminUser = ""    #UPN of the admin account used to connect
$PasswordFile = "D:\_Temp\ExchangeOnline\EO_Password.txt"
$KeyFile = "D:\_Temp\ExchangeOnline\EO_AES.key"

Write-Output "$(Get-Date -format 'G') ========Script Started========" | Tee-Object $LogFile -Append

#Build the credentials object
Write-Output "$(Get-Date -format 'G') Creating credentials object" | Tee-Object $LogFile -Append
$key = Get-Content $KeyFile
$SecurePassword = Get-Content $PasswordFile | ConvertTo-SecureString -Key $key
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminUser, $SecurePassword

#Import the MSOnline Module
Import-Module MSOnline

#Connect to MSOnline
Write-Output "$(Get-Date -format 'G') Connecting to MSOnline" | Tee-Object $LogFile -Append
Connect-MsolService -Credential $Creds

#Grab the CSV contents
$CSV = Import-CSV $File

#Go through each entry
Foreach($Line in $CSV)
{
    $samAccountName = $Line.samAccountName
    $UPN = $Line.UPN
    $SKUID = $Line.license

    Write-Output "$(Get-Date -format 'G') Processing User $UPN" | Tee-Object $LogFile -Append

    #Make sure the user exists in MSOnline (suppress the error for a missing user; it is logged below)
    If(Get-MsolUser -UserPrincipalName $UPN -ErrorAction SilentlyContinue)
    {
        #Found in MSOnline. Put the user account into a variable
        Write-Output "$(Get-Date -format 'G') - Located in MSOnline" | Tee-Object $LogFile -Append
        $User = Get-MsolUser -UserPrincipalName $UPN

        #Check the UsageLocation
        If($User.UsageLocation -ine "AU")
        {
            Write-Output "$(Get-Date -format 'G') - Location not set to AU. Updating..." | Tee-Object $LogFile -Append

            #Update it
            Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation AU
            Write-Output "$(Get-Date -format 'G') $UPN Location set to AU" | Out-File $AuditFile -Append
        }

        #Check if the license is attached to the user
        $SetLicense = $false
        Write-Output "$(Get-Date -format 'G') - Checking for License: $SKUID" | Tee-Object $LogFile -Append
        $License = $User.Licenses | Where{$_.AccountSkuId -ieq $SKUID}

        If($License)
        {
            #License is attached. Check to make sure that any services to be disabled are actually disabled
            Write-Output "$(Get-Date -format 'G') - License already attached. Checking if required services are disabled" | Tee-Object $LogFile -Append

            If($License.ServiceStatus | Where{$_.ServicePlan.ServiceName -ieq "YAMMER_EDU" -and $_.ProvisioningStatus -ine "Disabled"})
            {
                Write-Output "$(Get-Date -format 'G') - YAMMER_EDU not disabled." | Tee-Object $LogFile -Append
                $SetLicense = $True
            }

            If($SetLicense){Write-Output "$(Get-Date -format 'G') - One or more services not disabled. License requires updating." | Tee-Object $LogFile -Append}
        }
        Else
        {
            #License is not attached.
            Write-Output "$(Get-Date -format 'G') - License is not attached. Will be attached." | Tee-Object $LogFile -Append
            $SetLicense = $True
        }

        If($SetLicense)
        {
            #License is not attached or not configured correctly. Build up the license with required options
            $LicenseOption = New-MsolLicenseOptions -AccountSkuId $SKUID -DisabledPlans YAMMER_EDU

            #Set the License
            Write-Output "$(Get-Date -format 'G') - Setting/Updating license" | Tee-Object $LogFile -Append
            If($License)
            {
                #Already attached: only the options change
                Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $LicenseOption
            }
            Else
            {
                #Not attached yet: the license has to be added together with its options
                Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $SKUID -LicenseOptions $LicenseOption
            }
            Write-Output "$(Get-Date -format 'G') $UPN License set/updated for SkuId: $SKUID" | Out-File $AuditFile -Append
        }
        Else
        {
            Write-Output "$(Get-Date -format 'G') - No changes to license required" | Tee-Object $LogFile -Append
        }

        # Clear loop variables for the next run
        $samAccountName = $Null
        $UPN = $Null
        $SKUID = $Null
        $User = $Null
        $License = $Null
        $SetLicense = $Null
        $LicenseOption = $Null
    }
    Else
    {
        Write-Output "$(Get-Date -format 'G') - Error: User not found in MSOnline" | Tee-Object $LogFile -Append
    }
}

Write-Output "$(Get-Date -format 'G') ========Script Complete========" | Tee-Object $LogFile -Append