Let’s start with a little history; it will hopefully put this script into a bit of context. When I started in my job, one of my first large projects was a change to our Office 365 tenant. When I started there, it was being managed by a system called OpenHive. The vendor that looked after OpenHive was Capita, so anyone who has had the misfortune of having to work with their services will have an inkling as to why we wanted to move away from them. OpenHive was an Active Directory domain hosted by Capita which used ADFS servers at Capita to authenticate people. This meant that we had to maintain two user databases and people had to remember at least two passwords, one for the local domain and one for their email.
We ended up giving Capita notice that we no longer wished to use their service. We evicted them from our Office 365 tenant, de-federated it from their ADFS and moved management of it in-house. We also installed Azure AD Connect to synchronise users and passwords with Office 365 so people didn’t have to remember two passwords. Existing users were matched using SMTP matching, new users were synced across. One thing I didn’t realise was that the user accounts in Azure AD needed the ImmutableID field removed from them before sync would work but I found that one out eventually.
One problem that we had was the quality and consistency of the data that was being synchronised over to Azure AD, which was making our address book look messy to say the least. Another, more significant, problem was with the UPN suffix of the users: our domain uses a non-routable suffix (.internal in this case), so whenever a user was synced to Office 365 the account was created with a username on the tenant’s onmicrosoft.com address instead of our default domain name. This was a nuisance.
The system that we use to manage our users is RM Community Connect 4 (CC4). To put it politely, CC4 is a bit shit. That aside, CC4 is basically an interface on top of Active Directory; in theory you’re supposed to create and edit users in there. It creates the AD account, the user area, a roaming profile and other things. However, the AD attributes that CC4 is capable of editing are very limited, and one of the things that it can’t change is the user’s UPN.
Admittedly, all of this can be changed relatively easily using the ADUC MMC snap-in that comes with the Remote Server Administration Tools, but while this would solve the UPN problem, it would still be hard to enforce a consistent pattern of data being transmitted to Azure. I therefore decided we needed a tool to help us with this.
I’m no programmer; it’s been a long time since I did any kind of programming in a serious manner, and that was with Turbo Pascal and Delphi. However, I found out that PowerShell can drive the Windows Forms library quite well, so I decided to give it a go using that. This is what I came up with:
It’s nothing fancy but I’m quite pleased nevertheless. Most of the fields are entered manually, but the UPN suffix and the School Worked At fields are dropdown menus to make sure that consistent data is entered. The bit that I really like is that when you choose a school from the dropdown menu, the rest of the School fields are automatically populated. The “O365 licence” box populates the extensionAttribute15 attribute inside the user’s account; I’m using this for another script which licenses users inside Office 365. I’ll post that one another time.
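To show the core of what the form does behind the scenes (rewrite the non-routable UPN to a verified suffix and stamp extensionAttribute15 for the licensing script), here is an added example written for this post; it is not the attached script. It assumes the RSAT ActiveDirectory module, a placeholder verified domain of contoso.example and a hypothetical licence tag set, and it honours -WhatIf so you can preview changes before Azure AD Connect picks them up.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's form script. The UPN suffixes below are
# placeholders; use the domains verified in your own tenant, added to the
# forest under Active Directory Domains and Trusts first.

function Set-SyncReadyUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet('contoso.example', 'school2.example')]
        [string]$UpnSuffix = 'contoso.example',
        # Hypothetical tags read by the licensing script via extensionAttribute15.
        [ValidateSet('None', 'StaffA3', 'StudentA1')]
        [string]$LicenceTag = 'None'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties extensionAttribute15
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $UpnSuffix

    # Nothing to do if both attributes already hold the consistent values.
    if ($user.UserPrincipalName -eq $newUpn -and $user.extensionAttribute15 -eq $LicenceTag) {
        Write-Verbose "$SamAccountName already consistent"
        return
    }

    $action = "Set UPN to $newUpn and extensionAttribute15 to $LicenceTag"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn `
            -Replace @{ extensionAttribute15 = $LicenceTag }
    }
}

# Find every enabled account still carrying the .internal suffix and preview
# the change; drop -WhatIf once the output looks right.
Get-ADUser -Filter 'Enabled -eq $true -and UserPrincipalName -like "*@*.internal"' |
    ForEach-Object { Set-SyncReadyUser -SamAccountName $_.SamAccountName -WhatIf }
```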
The script is almost 400 lines long, so I’m not going to post it in the body of this article. Instead, I’ll attach a zip file for you to download.
I don’t know how useful people will find this, but I thought I’d put it up anyway in the hope that someone might like it. This has been tested on Windows 7, 8.1, 10, Server 2012 and 2016. It seems to work with PowerShell 2.0 and newer. You will need the Active Directory PowerShell module that comes with RSAT for this to work. Do what you like with it: reuse it, repost it, whatever. It’d be nice if you gave me a little credit if you do, but other than that, I’m not too fussed. The usual “I’m not responsible if this hoses your system” disclaimer applies.