Channel: Directory Services forum

Import (add) directory users with old identifiers


I just lost my domain controllers, I think there's something wrong with WS2019 because adding servers to the new directory gets me an error of identical SID. I thought it was because I was cloning them as I have all the time, but even new servers from scratch have the same problem. I digress… Before I lost everything I had a federated domain with Azure AD, I was also doing password hash sync, which let me keep a list of my users in Azure AD.

Now I want to get the list back into my directory but the options in the sync service of Azure AD Connect to import from Azure are not there anymore...or maybe weren't there at all, I had used them but only on-prem to Azure.

Through some searching I came across a way to download the users in PowerShell into a CSV file that didn't work either, maybe bc it was too old--but it did help me make sense of what I need to do. I ended up downloading the list from the Azure portal and now I'm at the import part.

The Azure AD file contains the attribute objectId with values like 4313f321-2a48-405d-bea4-519dfb3755c8. It also contains:

  • userPrincipalName
  • displayName
  • surname
  • mail
  • givenName
  • objectId
  • userType
  • jobTitle
  • department
  • accountEnabled
  • usageLocation
  • streetAddress
  • state
  • country
  • physicalDeliveryOfficeName
  • city
  • postalCode
  • telephoneNumber
  • mobile
  • authenticationPhoneNumber
  • authenticationAlternativePhoneNumber
  • authenticationEmail
  • alternateEmailAddress
  • ageGroup
  • consentProvidedForMinor
  • legalAgeGroupClassification

Probably even more, I haven't tested. What I would like to know is if I can import users with their unique IDs in Active Directory so they get their stuff back after they reset their password. I issued Get-Help New-ADUser -Online to get everything available in a 2019 server and it took me to an old article for starters--tons of issues with 2019--eventually I found the current information for New-ADUser, but with no option for something that I don't know how to enter (or which is) its unique identifier.

There's a vague option to enter more options within options but it's just that: vague.

I explored some more and realized that while the script I got earlier (from Microsoft) doesn't work, Get-MsolUser from the MSOnline module does; furthermore, it has a GUID parameter. So I'm thinking now of writing a more complex cmdlet to pipe straight from AAD into AD, maybe not using New-ADUser but something else like New-ADObject.

The problem is that my PowerShell knowledge comes mostly from pure dumb luck that they aliased the BASH commands to cmdlets, so I'm not that lost. And I'm not even good in BASH either. Could you help me with the cmdlets I need to form a pipe instruction?

I thought about importing and, if it doesn't work quite right, doing another pipe but with Set- instead of New- to "fine-tune" the entries. But I still don't know how to use things enclosed in symbols like {}, what parentheses do, what in the hell ($_.Firstname + "." + $_.Lastname) means, which I got from the second part of the script I was going to use, and I just learned about foreach-object using some Kerberos cmdlet the other day, apparently needed here as well, but it wasn't as straightforward as it sounded, at least not in that case. Being self-taught, I don't know where to get the resources to learn all of this. Pure dumb luck.

I really appreciate your help in this. This is my last chance to recover data from the servers that are offline right now--well, I guess as admin I can always change ownership, but there's an Exchange Server that I won't be able to fool that easily. :/  Thanks!


I bet you think this post is about you. Don't you…don't you. ♪
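The following is an added example, not part of the original post and not Microsoft's script, showing the shape of the Import-Csv | ForEach-Object { New-ADUser ... } pipeline the question asks about, using the column names listed in the post. It assumes the CSV path, the target OU (a placeholder to replace), that the RSAT ActiveDirectory module is installed, that accountEnabled is exported as the strings True/False, and that extensionAttribute1 exists in the schema (it does when Exchange is installed). One thing the example has to work around: objectGUID is assigned by AD itself and cannot be supplied to New-ADUser, so the old Azure AD objectId is only kept on the new account for reference, through the -OtherAttributes hashtable (the "options within options" the post mentions). Script blocks {} are code passed to a cmdlet, $_ is the current pipeline object (here one CSV row), and $( ) evaluates an expression inside a string.

```powershell
# Added example (not from the original post). Assumptions are marked below.
Import-Module ActiveDirectory

$CsvPath  = 'C:\export\users.csv'            # assumed path of the portal export
$TargetOU = 'OU=Users,DC=example,DC=local'   # placeholder, replace with your OU

function New-TempPassword {
    # Temporary password from the OS CSPRNG; the user must change it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 yields upper/lower/digits; the suffix guarantees a symbol is present.
    return [Convert]::ToBase64String($bytes) + '!'
}

function Get-SamFromUpn {
    param([string]$Upn)
    # sAMAccountName: the part before '@', with characters AD rejects removed,
    # cut to the 20-character limit.
    $local = ($Upn -split '@')[0] -replace '[\\/:*?"<>|,+=;\[\]]', ''
    if ($local.Length -gt 20) { $local = $local.Substring(0, 20) }
    return $local
}

Import-Csv -Path $CsvPath |
    Where-Object { $_.userType -eq 'Member' -and $_.userPrincipalName } |
    ForEach-Object {
        # $_ is the current CSV row; $_.givenName etc. are its columns.
        $sam = Get-SamFromUpn $_.userPrincipalName

        # Skip rows whose sAMAccountName already exists instead of aborting the run.
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
            Write-Warning "Skipping $($_.userPrincipalName): $sam already exists"
            return   # inside ForEach-Object this moves on to the next row
        }

        $params = @{
            Name                  = if ($_.displayName) { $_.displayName } else { $sam }
            SamAccountName        = $sam
            UserPrincipalName     = $_.userPrincipalName
            GivenName             = $_.givenName
            Surname               = $_.surname
            DisplayName           = $_.displayName
            EmailAddress          = $_.mail
            Title                 = $_.jobTitle
            Department            = $_.department
            Office                = $_.physicalDeliveryOfficeName
            StreetAddress         = $_.streetAddress
            City                  = $_.city
            State                 = $_.state
            PostalCode            = $_.postalCode
            OfficePhone           = $_.telephoneNumber
            MobilePhone           = $_.mobile
            Path                  = $TargetOU
            Enabled               = ($_.accountEnabled -eq 'True')   # assumed export format
            AccountPassword       = (ConvertTo-SecureString (New-TempPassword) -AsPlainText -Force)
            ChangePasswordAtLogon = $true
            # Attributes New-ADUser has no named parameter for go in OtherAttributes,
            # keyed by LDAP attribute name. The old cloud objectId is kept for reference only.
            OtherAttributes       = @{ extensionAttribute1 = $_.objectId }
        }

        # Drop empty CSV cells so New-ADUser is not asked to set blank attributes.
        foreach ($k in @($params.Keys)) {
            if ($params[$k] -is [string] -and $params[$k] -eq '') { $params.Remove($k) }
        }

        # Splatting (@params) passes the hashtable entries as named parameters.
        # -WhatIf previews each creation; remove it once the output looks right.
        New-ADUser @params -WhatIf
    }
```

Run it with -WhatIf first and review the preview, then remove the switch. Fields that only exist in the cloud (usageLocation, the authentication* columns, ageGroup and similar) have no on-prem counterpart and are left out; country is also left out because New-ADUser's -Country expects a two-letter code, and the export format of that column should be checked before mapping it. Keeping the objectId on the account does not re-link it to the existing Azure AD user: Azure AD Connect matches on the source anchor (ImmutableId in the cloud, mS-DS-ConsistencyGuid or objectGUID on-prem), so re-associating the recreated accounts with their cloud objects is a separate step, by soft match on UPN or proxy address or by setting ImmutableId.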

