Wednesday 28 October 2015

Unable to sync phone to Exchange

If you've been following my blog for the last few weeks you'll have heard me talk about the Exchange 2013 migration project I've been working on. We hit another snag in the migration the other day: users' mobile phones were not syncing to the new mailbox server after moving to Exchange 2013.

At first we thought it was just one or two users, but it transpired that over 80 users were affected. After investigating whether or not ActiveSync was working as expected (it was), we turned our attention to the users' accounts.

It turned out that the 80 users were all members of a protected group within Active Directory and weren't getting the correct permissions to sync their phones as per Microsoft's best practices.

To get to that stage I used some PowerShell queries which I thought were quite interesting, so I'm sharing them.

I used the following command to query Active Directory for all users that had the "AdminCount" attribute set to something greater than 0. A value of 1 indicates that the user is, or has been, a member of a protected group:


Import-Module ActiveDirectory
# Export every user whose adminCount attribute is greater than 0
Get-ADUser -Filter {adminCount -gt 0} -Properties adminCount -ResultSetSize $null | Export-Csv C:\onyx\document.csv

To find out which groups in the Active Directory environment I was working in were considered protected groups, I ran the following query:

Import-Module ActiveDirectory
# List the names of the groups marked as protected
Get-ADGroup -LDAPFilter "(adminCount=1)" | Select-Object Name

From there I was able to check the groups individually to see which ones, if any, contained the users that were having issues with their phones. All the affected users were members of the "Print Operators" group. Mystery solved!
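
The group-by-group check described above can be scripted. The following is an added example, not part of the original post: it maps every adminCount-stamped user to the protected groups they currently belong to, and flags accounts whose ACL no longer inherits from the parent OU (which is how Active Directory treats protected accounts) and accounts whose adminCount is left over from a past membership. The output file name and the report column names are assumptions.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Build a lookup: user DN -> names of the adminCount=1 groups the user is in (nested included).
$membership = @{}
foreach ($group in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if (-not $membership.ContainsKey($m.distinguishedName)) {
            $membership[$m.distinguishedName] = @()
        }
        $membership[$m.distinguishedName] += $group.Name
    }
}

# Walk every user stamped with adminCount > 0 and read its security descriptor.
$report = Get-ADUser -Filter 'adminCount -gt 0' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $groups = $membership[$_.DistinguishedName]
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            ProtectedGroups     = ($groups | Sort-Object -Unique) -join '; '
            # True when the account's ACL no longer inherits permissions from its parent
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # adminCount is not cleared when a user leaves a protected group
            StaleAdminCount     = -not $membership.ContainsKey($_.DistinguishedName)
        }
    }

# Hypothetical output path; adjust as needed.
$report | Sort-Object ProtectedGroups, SamAccountName |
    Export-Csv -Path .\protected-users.csv -NoTypeInformation

# Quick summary: how many flagged users sit behind each group combination.
$report | Group-Object ProtectedGroups | Select-Object Count, Name
```

Rows with StaleAdminCount set to True are accounts that keep the attribute even though they are no longer in any group currently marked adminCount=1.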


