SamAccountName in Azure ADDS - azure-ad-domain-services

Is it possible to retrieve SamAccountName in Azure ADDS?
For example, John joins company A as john@a.com. There is a child domain called A1, and another John joins as John@a1.com. The UPN works fine, but the SamAccountName will be different, as per the screenshot in Azure ADDS.
In VS, there is only UserID, which is the SamAccountName, so I need to get this SamAccountName automatically.

Well, I just installed AD PowerShell on one of the domain servers and wrote a script to pull the SAM name.
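One way such a script can look, written as an added example rather than the poster's own: it uses the ActiveDirectory module from a machine joined to the managed domain and looks the SamAccountName up by UPN instead of deriving it. The server name (a global catalog on port 3268, so accounts in the child domain are found too) and the sample UPNs are assumptions.

```powershell
# Added example, not the asker's script. Assumes RSAT AD PowerShell is installed and
# that $Server names a reachable DC or global catalog (host:3268) of the forest.
Import-Module ActiveDirectory

function Get-SamAccountNameFromUpn {
    [OutputType([pscustomobject])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Upn,
        [string]$Server = 'dc01.a.com:3268'   # assumption: GC of the forest
    )
    process {
        # A scriptblock filter lets the module bind $Upn itself, so a UPN containing
        # quotes cannot alter the query the way string interpolation would.
        $users = @(Get-ADUser -Filter { UserPrincipalName -eq $Upn } -Server $Server)
        if ($users.Count -eq 0) {
            Write-Error "No account with UPN '$Upn' was found on $Server."
            return
        }
        if ($users.Count -gt 1) {
            Write-Error "UPN '$Upn' matched $($users.Count) accounts: $($users.DistinguishedName -join '; ')"
            return
        }
        # john@a.com and John@a1.com share a display name but have distinct SamAccountNames,
        # so the SAM name (the VS UserID) must be looked up rather than guessed from the UPN.
        [pscustomobject]@{
            UserPrincipalName = $users[0].UserPrincipalName
            SamAccountName    = $users[0].SamAccountName
            Domain            = ($users[0].DistinguishedName -replace '^.*?,DC=', 'DC=')
        }
    }
}

# Constructed sample input taken from the question.
'john@a.com', 'john@a1.com' | Get-SamAccountNameFromUpn
```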

Related

Is there a cmdlet in PowerShell AD that uses the display name as Identity, or a script to add a user to a group?

I'm new to PowerShell so I started using it in AD. My issue is I can't find a script that uses the user display name; for example, if I want to add a user to a group with just the first and last name or display name, is that possible?

How to translate or query SAM account name of cached domain user using UPN name from local cache in credential provider when domain is offline?

I am writing a credential provider in Windows and I am trying to add UPN name login support to it. To do so I used TranslateNameW:
TranslateNameW(UPName, NameUserPrincipal, NameSamCompatible, buffer, &size);
which gives me the SAM account name when provided with a UPN name and vice versa, but this works only when the domain is online and won't work when the domain is offline.
The problem here is that when the domain user is cached and the domain is offline I am not able to convert that UPN to a SAM name, and then Windows throws me an error saying "We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organisation's network and try again. If you previously signed on this device with another credential you can sign in with that credential." The Windows password credential provider works just fine in this scenario; it is able to translate UPN to SAM even when the domain is offline.
I can't parse the UPN name and convert it into a SAM name because it is not guaranteed that the UPN name always matches the SAM name, i.e. if the UPN is johndoe@example.com the SAM name need not necessarily be johndoe; it can be jdoe or anything.
So, my question is: how can I access the SAM account name of that cached domain user when the domain is offline? Is there any function in VC++ that returns the SAM name when provided with the UPN when the domain is offline? How can I handle this scenario?

Adding users to Exchange admin role groups via API?

Is it possible to add users/members to Exchange admin role groups via an API? The equivalent PowerShell cmdlet would be Add-RoleGroupMember and the specific group I wish to add to is View-only Organization Management.
Microsoft Graph has an endpoint to add to directory roles, however I can't seem to find a "View-only Organization Management" group listed in my tenant's DirectoryRoles or DirectoryRoleTemplates, so I suspect MS Graph hasn't got access to these Exchange role groups. Poking around the Outlook API has not revealed much in the form of user/member functions either.
Extra info added from further poking around
I ran this PowerShell cmdlet:
Add-RoleGroupMember -Identity "View-only Organization Management" -Member "user@domain.onmicrosoft.com"
Then ran:
Get-RoleGroupMember -identity "View-Only Organization Management"
To confirm that the user was in fact added to it. I then ran the following MS Graph call:
GET https://graph.microsoft.com/v1.0/users/user@domain.onmicrosoft.com/memberOf
And it returned zip:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": []
}
So it looks like this particular View-only Organization Management roleGroup is not accessible via MS Graph? Are there any other APIs that would allow me to add to this roleGroup?
So https://graph.microsoft.com/v1.0/directoryRoleTemplates lists the available out-of-the-box "Directory" roles that you can set. I put Directory in quotes, because these roles do include Exchange, SharePoint and Skype service admins (as well as other roles). The thing to note here is that only the "implicit" user role and the Company Administrator role are available from the get go. The others need to be enabled/activated if you want them to show up and use them. This is described here: https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/directoryrole.
Once you've activated the "Exchange Service Admin" role, you should be able to assign users to this role using https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/directoryrole_post_members.
If you are looking to use Azure AD PowerShell, this capability is ALSO available. You can find info here for V2 Azure AD PowerShell https://learn.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory. In the search type "DirectoryRole" and you'll find all the DirectoryRole cmdlets.
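The directory-role route this answer describes, carried through end to end as an added example (not code from the question or the answer): list the templates, activate the Exchange admin role if the tenant has not done so yet, add the user with a $ref POST, and verify through memberOf. The access token, the user UPN and the role name pattern are assumptions; the pattern is used because the template's display name has varied between "Exchange Service Administrator" and "Exchange Administrator".

```powershell
# Added example. Assumes $AccessToken is a Graph token obtained elsewhere with
# RoleManagement.ReadWrite.Directory; all endpoints are Microsoft Graph v1.0.
function Add-UserToExchangeAdminRole {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserUpn,
        [string]$RolePattern = 'Exchange*Administrator'   # assumption: matches the template name
    )
    $graph   = 'https://graph.microsoft.com/v1.0'
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

    # 1. Templates are listed even before the role is activated (the answer's point).
    $templates = (Invoke-RestMethod -Headers $headers -Uri "$graph/directoryRoleTemplates").value
    $template  = $templates | Where-Object displayName -like $RolePattern | Select-Object -First 1
    if (-not $template) { throw "No directory role template matches '$RolePattern'." }

    # 2. Activate the role (POST /directoryRoles with the template id) unless it already exists.
    $role = (Invoke-RestMethod -Headers $headers -Uri "$graph/directoryRoles").value |
            Where-Object roleTemplateId -eq $template.id
    if (-not $role) {
        $body = @{ roleTemplateId = $template.id } | ConvertTo-Json
        $role = Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/directoryRoles" -Body $body
    }

    # 3. Resolve the user and append a reference to it to the role's members collection.
    $user = Invoke-RestMethod -Headers $headers -Uri "$graph/users/$([uri]::EscapeDataString($UserUpn))"
    $ref  = @{ '@odata.id' = "$graph/directoryObjects/$($user.id)" } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers $headers -Body $ref `
                      -Uri "$graph/directoryRoles/$($role.id)/members/`$ref" | Out-Null

    # 4. Verify: unlike the Exchange role group, a directory role shows up in the user's memberOf.
    $memberOf = (Invoke-RestMethod -Headers $headers -Uri "$graph/users/$($user.id)/memberOf").value
    $memberOf | Where-Object id -eq $role.id | Select-Object displayName, roleTemplateId, id
}
```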

Local user account created with Powershell is NOT shown in settings "Family & Other people"

I am working on Windows 10 Assigned Access for Desktop for version 1607.
Mission: I need to get Assigned Access to work with Powershell.
Steps done:
I create a new LocalUser account with New-LocalUser and I enable the account with Enable-LocalUser. To check if the account is added, I run Get-LocalUser and see that the account is created (see attachment).
Issue:
To double check I go to the PC settings for Accounts-Family & other people, but I cannot see the new local user account "KioskTest".
I have restarted the computer but the account is not added to "Family & Other people".
I have spent some time on this and I would really appreciate your help. How can I make sure that the added local user "KioskTest" is shown in the PC Accounts settings (Family & other people) when using PowerShell?
I can Set-AssignedAccess, when I do Get-AssignedAccess I can see that it is there. Trouble is, I cannot login to the local user account because I cannot find the account in the settings for the PC.
It's like powershell has "hidden" the local user account from my client computer!!!
ADDED information + updated images:
After some trial and error I found out the following:
Using NET USER username password /ADD works perfectly! I can find the user account and log in as a customer would. The account is part of the LocalGroupMember.
The local user account created with New-LocalUser with Powershell does NOT appear in the PC account settings BUT if you click on set assigned access in the Family & other people the system finds the local user account (see attachment). However you cannot login to the account as it seemingly does not have a group membership! Not great for testing :(
Thanks for taking the time,
Karina
See attachments: PowerShell Get-AssignedAccess; PC Account settings Family & other people.
In my case it was a group membership issue. I had created some users with PowerShell New-LocalUser, but they did not show up in any GUI and I was unable to log on. The users were only visible in PowerShell with Get-LocalUser and lusrmgr. In Settings, Control Panel 'User Accounts' and the login screen they did not show up.
I just had to add the new users to the local 'users' group. Once this was done, the new users were visible in all settings and available for login.
I was unaware of that local security policy (local policy/user rights assignment/allow log on locally) restricting login to 'Guest,Administrators,Users,Backup Operators'.
Either add the users to one of these groups or add them to the local security policy.
This isn't really a PowerShell issue and might be better suited for SuperUser. But I would guess that this is an issue with group membership. Unfortunately get-localuser doesn't give membership. So something like this would be the PowerShell way to check which user objects belong to which local groups.
Get-Localgroup | % { "`n$($_.name)`n"; get-localgroupmember $_}
Then check through which groups other user objects are a member of and add the KioskTest account to that group using this:
Add-LocalGroupMember -Group "ExampleGroup" -Member "KioskTest"
To validate whether the user was created or not, the simple command below helps. You may try it.
If the user was created you will get the output below.
Command: net user TestUser2
Output:
User name TestUser2
When the user is not present:
Command: net user TestUser
Output:
The user name could not be found.
I had the same issue. The problem was that when specifying the group I didn't take into account that the domain, or in my case the name of the virtual machine, needs to go before the name of the group. Therefore the command will look like this:
... -Group "DomainName\ExampleGroup" ...
You can check the existing groups on your machine by typing lusrmgr in Windows' Run window.
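Putting the answers above together as one added example (not code from the question or any answer): create the kiosk account, add it to the built-in Users group by its well-known SID so the "MachineName\Group" prefix problem from the last answer cannot occur, and report the resulting group memberships with the same cmdlets the answers use for diagnosis. It assumes an elevated session on Windows 10 1607 or later and that the password is supplied at run time.

```powershell
# Added example. Assumes an elevated PowerShell session with the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).
function New-KioskLocalUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    $usersGroupSid = 'S-1-5-32-545'   # BUILTIN\Users: the same SID on every machine

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $Name -Password $Password `
                              -PasswordNeverExpires -AccountNeverExpires `
                              -Description 'Kiosk account (assigned access)'
    }
    Enable-LocalUser -Name $Name

    # New-LocalUser creates the account with no group membership, which is why it is
    # invisible in Settings and rejected by "Allow log on locally". Put it in Users.
    $alreadyMember = Get-LocalGroupMember -SID $usersGroupSid |
                     Where-Object { $_.SID -eq $user.SID }
    if (-not $alreadyMember) {
        Add-LocalGroupMember -SID $usersGroupSid -Member $user
    }

    # Report every local group the account now belongs to.
    $groups = Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID -contains $user.SID
    }
    [pscustomobject]@{
        Name   = $user.Name
        SID    = $user.SID.Value
        Groups = $groups.Name
    }
}

$pw = Read-Host -AsSecureString -Prompt 'Password for KioskTest'
New-KioskLocalUser -Name 'KioskTest' -Password $pw
```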

How to check if user is a Domain User or Local User?

I want to be able to check if the user running the current thread is:
a Domain User
a Local User of the machine
There are some caveats:
I do not know (or care) if the machine is domain joined,
because the domain of the logged-in user could be different from the machine domain,
and because the domain of the user that the process is running as could be from the logged-in user's domain or the machine domain,
and because the domain of the user that the thread is running as could be from the process, logged-in user or machine domains.
In other words, I want:
public static Boolean IsLocalUser()
{
//code here
}
Research Effort
What follows is extraneous bonus information. It adds nothing to the question, but is here solely to make the question longer.
Check if machine is domain joined using NetGetJoinInformation
I can use NetGetJoinInformation to check if the local machine is joined to a domain:
NetGetJoinInformation(null, ref domain, ref joinStatus);
Returns:
NetSetupUnknownStatus: The status is unknown.
NetSetupUnjoined: The computer is not joined.
NetSetupWorkgroupName: The computer is joined to a workgroup.
domain contains name of workgroup (e.g. WORKGROUP)
NetSetupDomainName: The computer is joined to a domain.
domain contains the legacy NetBIOS name of the domain (e.g. STACKOVERFLOW)
Check if machine is domain joined using DsRoleGetPrimaryDomainInformation
I can use DsRoleGetPrimaryDomainInformation to check if the local machine is joined to a domain:
DsRoleGetPrimaryDomainInformation(null,
DsRolePrimaryDomainInfoBasic,
DSROLE_PRIMARY_DOMAIN_INFO_BASIC);
Returns a DSROLE_PRIMARY_DOMAIN_INFO_BASIC structure:
MachineRole
DsRole_RoleStandaloneWorkstation: the machine is not domain joined
DsRole_RoleStandaloneServer: the machine is not domain joined
DsRole_RoleMemberWorkstation: the machine is domain joined
DsRole_RoleMemberServer: the machine is domain joined
DsRole_RoleBackupDomainController: the machine is domain joined
DsRole_RolePrimaryDomainController: the machine is domain joined
DomainNameDns: returns the DNS Domain name (e.g. stackoverflow.com) (optional)
DomainNameFlat: returns the legacy NetBIOS domain name (e.g. STACKOVERFLOW)
But, again, telling me the name of the domain that the machine is joined to doesn't help when the user is not a domain user, or the user is from a different domain.
Getting the name of the current user using GetUserName
Windows does provide a GetUserName function:
GetUserName(buffer, Length(buffer));
returns the name of the user, e.g. lsimpson
Getting the name of the current user using GetUserNameEx
Windows does provide a GetUserNameEx function, that allows you to return the username in different formats:
NameUnknown: (nothing)
NameFullyQualifiedDN: CN=John Smith,OU=Stackoverflow Users,DC=stackoverflow,DC=com
NameSamCompatible: STACKOVERFLOW\jsmith
NameDisplay: John
NameUniqueId: {C1AF1DE6-363D-42A7-BB0D-9D1EDDC44B81}
NameCanonical: stackoverflow.com/Stackoverflow Users/John Smith
NameUserPrincipal: jsmith@stackoverflow.com
NameCanonicalEx: stackoverflow.com/Stackoverflow Users/John Smith
NameServicePrincipal: (nothing)
NameDnsDomain: STACKOVERFLOW.COM\jsmith
also
NameUnknown:
NameFullyQualifiedDN:
NameSamCompatible: HYDROGEN\john
NameDisplay:
NameUniqueId:
NameCanonical:
NameUserPrincipal:
NameCanonicalEx:
NameServicePrincipal:
NameDnsDomain:
KB11154: How to retrieve current user and domain name
Microsoft has a knowledge base article:
How to retrieve current user and domain names on Windows NT, Windows 2000, or Windows XP
it involves:
OpenThreadToken
OpenProcessToken (if there is no thread token)
GetTokenInformation - to get a TOKEN_USER
LookupAccountSid - to get a username and domain name from a TOKEN_USER
In the end it returns:
username: e.g. jsmith
domain: e.g. HYDROGEN, STACKOVERFLOW
Good afternoon!
I looked into some of the other solutions posted for this problem, but most of them do not take into account the caveats that you listed. Most of the relevant solutions are from the following post:
Check if user is a Domain User or Local User
Of these solutions, the following seems to be the most in line with what you proposed:
using System.DirectoryServices.AccountManagement; // reference the assembly of the same name
bool IsLocalUser(string accountName)
{
// Search only the local machine's account database; a hit means the account is local.
var domainContext = new PrincipalContext(ContextType.Machine);
return Principal.FindByIdentity(domainContext, accountName) != null;
}
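A PowerShell version of the same check, added here as an example rather than taken from the question or the answer, that honours the caveats listed in the question: it inspects only the identity the current thread runs as (thread token first, then process token, as in the KB article) and decides by comparing SID account domains instead of asking whether the machine is domain joined. It assumes a Windows 10 / Server 2016 or later machine that is not a domain controller, where Get-LocalUser is available.

```powershell
# Added example. Assumes the Microsoft.PowerShell.LocalAccounts module is present
# (any Windows 10 / Server 2016+ member or standalone machine; not a domain controller).
function Test-IsLocalUser {
    [OutputType([bool])]
    param()
    # GetCurrent() returns the thread's impersonation token if there is one, otherwise the
    # process token: the OpenThreadToken / OpenProcessToken order from the KB article.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid  = $identity.User

    # Well-known principals such as SYSTEM and LOCAL SERVICE have no account domain;
    # they are not domain users, so report them as local.
    if ($null -eq $userSid.AccountDomainSid) { return $true }

    # Every local account SID is <machine SID>-<RID>, so the account-domain part of any
    # local user's SID is the machine SID. Get-LocalUser is used only to learn that value.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

    # HYDROGEN\john shares the machine SID; STACKOVERFLOW\jsmith carries the domain SID.
    return $userSid.AccountDomainSid.Equals($machineSid)
}

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # NameSamCompatible form
"{0}: IsLocalUser = {1}" -f $who, (Test-IsLocalUser)
```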
