
Script not finding the Azure/Intune Device #14

Open
gokou340 opened this issue Oct 1, 2024 · 20 comments
Labels
enhancement New feature or request

Comments

@gokou340

gokou340 commented Oct 1, 2024

Hello,
I'm loving the script so far, but I seem to be having an issue where the script is finding the device in Active Directory, but it is not finding it within Azure or Intune, even though it is there.

I'm wondering if it has something to do with the length of the computer name in AD.

For Example:
In AD, the computer was named My-Computer-Name-Is-Gokou340, but the character limit makes it My-Computer-Name-Is. The DNS name is still My-Computer-Name-Is-Gokou340, but the SAMAccount name is My-Computer-Name-Is. In Intune and Azure, the name of the device is My-Computer-Name-Is-Gokou340.

It seems that any device in AD that has a longer than allowed name is not being found in Azure.

I'm happy to provide any logging or details that you may need!

Thank you again for your work on this script!

@PrzemyslawKlys
Member

The comparison is done using $Device.Name

try {
    [Array] $Devices = Get-MyDevice -Synchronized -WarningAction SilentlyContinue -WarningVariable WarningVar
} catch {
    Write-Color "[e] ", "Error getting computers from AzureAD: ", $_, " Terminating!" -Color Yellow, Red, Yellow, Red
    return $false
}
#[Array] $Devices = Get-MyDevice -Synchronized -WarningAction SilentlyContinue -WarningVariable WarningVar
if ($WarningVar) {
    Write-Color "[e] ", "Error getting computers from AzureAD: ", $WarningVar, " Terminating!" -Color Yellow, Red, Yellow, Red
    return $false
}
if ($Devices.Count -eq 0) {
    Write-Color "[e] ", "No computers found in AzureAD, terminating! Please disable Azure AD integration or fix connectivity." -Color Yellow, Red
    return $false
}
foreach ($Device in $Devices) {
    # Lookup keyed on the Graph device name; this is what the AD name is compared against
    $AzureInformationCache.AzureAD[$Device.Name] = $Device
}

I guess you could try installing GraphEssentials (which is integrated into cleanup monster) and run

$Devices = Get-MyDevice -Synchronized 

Maybe the SamAccountName is stored as something else

And see what we have there that would allow us to compare against, but I guess I can try and do testing internally as well.

@gokou340
Author

gokou340 commented Oct 1, 2024

I'm running this now.

Are you comparing the SamAccountName with the $Device.Name from Azure/Intune?

@gokou340
Author

gokou340 commented Oct 1, 2024

I can confirm that the name in $Devices.Name is "My-Computer-Name-Is-Gokou340", whereas the Active Directory is "My-Computer-Name-Is"

@PrzemyslawKlys
Member

Can you do get-adcomputer xxx and tell me which property holds proper value to match?

@PrzemyslawKlys
Member

It's a bit weird because in my AD:


The Name holds the real, long value and only SamAccountName is short

@gokou340
Author

gokou340 commented Oct 1, 2024

It looks like the DNSHostname is the only one that has the full length name that matches Azure. The Name shows the shortened version.

@PrzemyslawKlys
Member

Ye


Why would you have that? This is the first time I'm seeing someone ignore the messages from Windows about going over 15 chars.

@gokou340
Author

gokou340 commented Oct 2, 2024

From what I have seen, with Windows 10/11, if you rename the computer by going through the normal settings, it lets you rename it longer than 15 characters.

We also have techs that will still go beyond the 15 character limit regardless.

Is there a way to have it choose to have it match with the DNSName?

@PrzemyslawKlys
Member

The problem is it won't match. You would need to explicitly remove the DNS name from it and just leave the hostname before comparing. If you go and rename a machine you get a big warning that there will be issues, so I guess your techs are special ;p

@PrzemyslawKlys
Member

I could potentially trim Name from Graph to 15 chars instead to compare with the name in AD, but I'm not sure what the problems with that will be.

@gokou340
Author

gokou340 commented Oct 2, 2024

> The problem is it won't match. You would need to explicitly remove dnsname from it and just leave the hostname before comparing. If you go and rename machine you get a big warning there will be issues so I guess your techs are special ;p

Hahaha, yes. They can be :)

Regarding the warning, yes, this is true if you do it the typical way. However, if you are on Windows 11, and you Right Click Start, go to Settings, scroll down to About, then select Rename, you can use up to 63 Characters. I just tested on my machine. However, NetBios is still limited.

@gokou340
Author

gokou340 commented Oct 2, 2024

> i could potentially trim Name from Graph to 15 chars instead to compare with name in AD, but not sure what will be the problems with that

Is this something that could be done with a switch? I would be more than happy to test it out!

@PrzemyslawKlys
Member

PrzemyslawKlys commented Oct 2, 2024

I wonder if "trimming" available Name in Graph


But I wonder if it's possible that if we do, we end up with more than one computer with the same name.

For example:

  • Windows2019VeryLongNameOk-420OK
  • Windows2019VeryLongNameOk-420OI
  • Windows2019VeryLongNameOk-420OH

What will the name in AD be vs. the Name in Graph after trimming? I could in theory take DNSName and just split it on the first ".", but again I'm not 100% sure.

@gokou340
Author

gokou340 commented Oct 2, 2024

Oh yes, I see what you mean. That would certainly be a problem. I'm not sure if we have any of those in our environment. I'm assuming there is no ID that correlates between AD and Azure AD, like the Object or Device ID

@gokou340
Author

gokou340 commented Oct 3, 2024

I seem to have found why our AAD Connect is using the DNSHostname as the name for the computer object.

In our Sync rules, the displayname has the expression of the following:
IIF(IsNullOrEmpty([displayName]),Word([dNSHostName],1,"."),[displayName])

I am going to adjust this to use a different field. I am closing this ticket as it is not an issue with the script.

@gokou340 gokou340 closed this as completed Oct 3, 2024
@PrzemyslawKlys
Member

Oh, so you mean your IT guys actually use proper names?

@gokou340
Author

gokou340 commented Oct 3, 2024

> Oh, so you mean your it guys actually use proper names?

Based on what I can see on different AAD Connect environments, they used to use the displayname and cn as backup:
'IIF(IsNullOrEmpty([displayName]),[cn],[displayName])'

But in more recent versions it is
'IIF(IsNullOrEmpty([displayName]),Word([dNSHostName],1,"."),[displayName])'

Based on this article, it looks like Azure AD overrides with the Device Registration Service to use the dNSHostname: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-mysterious-case-of-the-a-k-a-dollar-sign-character-in-hybrid/ba-p/768326

@gokou340
Author

gokou340 commented Oct 3, 2024

So, it looks like the Azure Device Registration Service will eventually rename the DisplayName when it is longer than 15 characters. So this means that even if I update the Sync Rules, it will still change it.

Do you think it would be possible to pull the hostname from the dnshostname field to correlate that way?

@PrzemyslawKlys PrzemyslawKlys reopened this Oct 3, 2024
@PrzemyslawKlys
Member

Ye, it's possible. It's on TODO

@PrzemyslawKlys PrzemyslawKlys added the enhancement New feature or request label Oct 31, 2024
@PrzemyslawKlys
Member

Regarding that DNSHostName, I had a situation today for one of the clients where the DNSHostName search returned 5 devices. So the SamAccountName was different, but they all shared the same DNSHostName. I don't know who made that or how it happened, but it means it's possible to have duplicates in AD on that field, which makes this request a bit complicated, with the potential to blow up.
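As an added example that is not part of CleanupMonster or GraphEssentials, this PowerShell shows the correlation discussed in this thread: AD computers are keyed on the hostname part of DNSHostName (the same text the AAD Connect expression Word([dNSHostName],1,".") produces), Graph device names are looked up against that key, and a DNSHostName shared by several AD objects is reported as ambiguous instead of one object being picked silently. The function names are assumptions, and all objects are constructed in-line, so nothing calls Get-ADComputer or Get-MyDevice.

```powershell
# Added example (not CleanupMonster code): hostname-based AD/Graph correlation; function names are assumptions
function Get-HostNameFromDns {
    param([string] $DnsHostName)
    if ([string]::IsNullOrWhiteSpace($DnsHostName)) { return $null }
    # Text before the first dot, like the AAD Connect expression Word([dNSHostName],1,".")
    return ($DnsHostName -split '\.', 2)[0].ToUpperInvariant()
}
function Build-AdHostIndex {
    param([object[]] $AdComputers)
    $Index = @{}
    foreach ($Computer in $AdComputers) {
        $Key = Get-HostNameFromDns -DnsHostName $Computer.DNSHostName
        if (-not $Key) { $Key = $Computer.Name.ToUpperInvariant() }  # no DNSHostName: fall back to Name
        if (-not $Index.ContainsKey($Key)) { $Index[$Key] = [System.Collections.Generic.List[object]]::new() }
        $Index[$Key].Add($Computer)   # several AD objects may end up under one key
    }
    return $Index
}
function Resolve-GraphDevice {
    param([hashtable] $AdIndex, [object] $Device)
    $Key = $Device.Name.ToUpperInvariant()
    $Result = [ordered]@{ Graph = $Device.Name; Status = 'NoMatch'; AdComputer = $null }
    if ($AdIndex.ContainsKey($Key)) {
        $Candidates = $AdIndex[$Key]
        if ($Candidates.Count -gt 1) {
            # Duplicate DNSHostName in AD: report it rather than silently picking one object
            $Result.Status     = 'Ambiguous'
            $Result.AdComputer = ($Candidates | ForEach-Object SamAccountName) -join ','
        } else {
            $Result.Status     = 'Matched'
            $Result.AdComputer = $Candidates[0].SamAccountName
        }
    }
    return [PSCustomObject] $Result
}
# Constructed sample data: a truncated AD name, plus one DNSHostName shared by two objects
$AdComputers = @(
    [PSCustomObject]@{ Name = 'My-Computer-Name-Is'; SamAccountName = 'My-Computer-Name-Is$'; DNSHostName = 'My-Computer-Name-Is-Gokou340.corp.example' }
    [PSCustomObject]@{ Name = 'PC-A'; SamAccountName = 'PC-A$'; DNSHostName = 'shared-host.corp.example' }
    [PSCustomObject]@{ Name = 'PC-B'; SamAccountName = 'PC-B$'; DNSHostName = 'shared-host.corp.example' }
)
$GraphDevices = @(
    [PSCustomObject]@{ Name = 'My-Computer-Name-Is-Gokou340' }
    [PSCustomObject]@{ Name = 'shared-host' }
    [PSCustomObject]@{ Name = 'Orphan-Device' }
)
$AdIndex = Build-AdHostIndex -AdComputers $AdComputers
$GraphDevices | ForEach-Object { Resolve-GraphDevice -AdIndex $AdIndex -Device $_ } | Format-Table -AutoSize
```

With the sample data the first device resolves to Matched, shared-host comes back Ambiguous with both SamAccountNames listed, and Orphan-Device is NoMatch, so a cleanup run can skip or flag the ambiguous row instead of acting on the wrong computer.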
