| title | Microsoft Entra Connect: ADSyncTools PowerShell Reference |
|---|---|
| description | This document provides reference information for the ADSyncTools.psm1 PowerShell module. |
| ms.date | 04/09/2025 |
| ms.subservice | hybrid-connect |
| ms.topic | reference |
| ms.custom | no-azure-ad-ps-ref, sfi-ga-nochange |
The following documentation provides reference information for the ADSyncTools.psm1 PowerShell module included with Microsoft Entra Connect.
To install the ADSyncTools PowerShell module, do the following steps:
- Open Windows PowerShell with administrative privileges.
- Type or copy and paste the following:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name ADSyncTools
- Press Enter.
- To verify the module was installed, enter or copy and paste the following:
Get-Module ADSyncTools
- You should now see information about the module.
Clear an Active Directory object mS-DS-ConsistencyGuid
Clear-ADSyncToolsMsDsConsistencyGuid [-Identity] <Object> [<CommonParameters>]
Clears the value in mS-DS-ConsistencyGuid for the target Active Directory object. Supports Active Directory objects in multi-domain forests.
Clear-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com'
Clear-ADSyncToolsMsDsConsistencyGuid -Identity 'User1@Contoso.com'
'User1@Contoso.com' | Clear-ADSyncToolsMsDsConsistencyGuid
Target object in AD to clear mS-DS-ConsistencyGuid
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Connect to a SQL database for testing purposes
Connect-ADSyncToolsSqlDatabase [-Server] <String> [[-Instance] <String>] [[-Database] <String>]
[[-Port] <String>] [[-UserName] <String>] [[-Password] <String>] [<CommonParameters>]
SQL Diagnostics related functions and utilities
Connect-ADSyncToolsSqlDatabase -Server 'sqlserver01.contoso.com' -Database 'ADSync'
Connect-ADSyncToolsSqlDatabase -Server 'sqlserver01.contoso.com' -Instance 'INSTANCE01' -Database 'ADSync'
SQL Server Name
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Instance Name
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Database Name
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Port (for example, 49823)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Login Username
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Login Password
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Convert Microsoft Entra Connector DistinguishedName to ImmutableId
ConvertFrom-ADSyncToolsAadDistinguishedName [-DistinguishedName] <String> [<CommonParameters>]
Takes a Microsoft Entra Connector DistinguishedName like CN={514635484D4B376E38307176645973555049486139513D3D}
and converts to the respective base64 ImmutableID value, such as QF5HMK7n80qvdYsUPIHa9Q==
ConvertFrom-ADSyncToolsAadDistinguishedName 'CN={514635484D4B376E38307176645973555049486139513D3D}'
Microsoft Entra Connector Space DistinguishedName
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Convert Base64 ImmutableId (SourceAnchor) to GUID value
ConvertFrom-ADSyncToolsImmutableID [-Value] <String> [<CommonParameters>]
Converts the value of the ImmutableID from a Base64 string and returns a GUID value. If the Base64 string can't be converted to a GUID, returns a byte array.
ConvertFrom-ADSyncToolsImmutableID 'iGhmiAEBERG7uxI0VniQqw=='
'iGhmiAEBERG7uxI0VniQqw==' | ConvertFrom-ADSyncToolsImmutableID
ImmutableId in Base64 format
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Convert ImmutableId to Microsoft Entra Connector DistinguishedName
ConvertTo-ADSyncToolsAadDistinguishedName [-ImmutableId] <String> [<CommonParameters>]
Takes an ImmutableId (SourceAnchor) like QF5HMK7n80qvdYsUPIHa9Q== and converts to the respective Microsoft Entra Connector DistinguishedName value, such as CN={514635484D4B376E38307176645973555049486139513D3D}
ConvertTo-ADSyncToolsAadDistinguishedName 'QF5HMK7n80qvdYsUPIHa9Q=='
ImmutableId (SourceAnchor)
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Convert Base64 Anchor to CloudAnchor
ConvertTo-ADSyncToolsCloudAnchor [-Anchor] <String> [<CommonParameters>]
Takes a Base64 Anchor like VAAAAFUAcwBlAHIAXwBjADcAMgA5ADAAMwBlAGQALQA3ADgAMQA2AC0ANAAxAGMAZAAtADkAMAA2ADYALQBlAGEAYwAzADMAZAAxADcAMQBkADcANwAAAA==
and converts to the respective CloudAnchor value, such as User_00aa00aa-bb11-cc22-dd33-44ee44ee44ee
ConvertTo-ADSyncToolsCloudAnchor "VAAAAFUAcwBlAHIAXwBjADcAMgA5ADAAMwBlAGQALQA3ADgAMQA2AC0ANAAxAGMAZAAtADkAMAA2ADYALQBlAGEAYwAzADMAZAAxADcAMQBkADcANwAAAA=="
"VAAAAFUAcwBlAHIAXwBjADcAMgA5ADAAMwBlAGQALQA3ADgAMQA2AC0ANAAxAGMAZAAtADkAMAA2ADYALQBlAGEAYwAzADMAZAAxADcAMQBkADcANwAAAA==" | ConvertTo-ADSyncToolsCloudAnchor
Base64 Anchor
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Convert GUID (ObjectGUID / ms-Ds-Consistency-Guid) to a Base64 string
ConvertTo-ADSyncToolsImmutableID [-Value] <Object> [<CommonParameters>]
Converts a value in GUID, GUID string or byte array format to a Base64 string
ConvertTo-ADSyncToolsImmutableID '00aa00aa-bb11-cc22-dd33-44ee44ee44ee'
'00aa00aa-bb11-cc22-dd33-44ee44ee44ee' | ConvertTo-ADSyncToolsImmutableID
GUID, GUID string or byte array
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
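The ImmutableId, connector DistinguishedName and GUID conversions described in the sections above, reproduced with plain .NET calls so the encodings are visible when correlating a cloud source anchor with an on-premises object. This is an added example, not code from the ADSyncTools module; the function names are hypothetical and the sample values are the ones quoted on this page.

```powershell
# Added example. Function names are hypothetical, not ADSyncTools cmdlets.
# Sample values are the ones quoted in the reference text above.

function ConvertTo-ExampleAadDn {
    # The connector-space DN is the hex encoding of the ASCII characters of
    # the Base64 ImmutableId string itself (not of the decoded bytes).
    param([Parameter(Mandatory)][string]$ImmutableId)
    $hex = -join ([System.Text.Encoding]::ASCII.GetBytes($ImmutableId) |
        ForEach-Object { $_.ToString('X2') })
    'CN={' + $hex + '}'
}

function ConvertFrom-ExampleAadDn {
    # Reverse direction: strip CN={...}, turn each hex pair back into a character.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -notmatch '^CN=\{((?:[0-9A-Fa-f]{2})+)\}$') {
        throw "Not a connector-space DN of the form CN={hex}: $DistinguishedName"
    }
    $hex = $Matches[1]
    $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)
}

function ConvertFrom-ExampleImmutableId {
    # Base64 -> GUID. When the decoded value is not 16 bytes (a source anchor
    # that is not GUID-based), the raw byte array is returned instead.
    param([Parameter(Mandatory)][string]$Value)
    $bytes = [Convert]::FromBase64String($Value)
    if ($bytes.Length -eq 16) { return [Guid]::new($bytes) }
    return ,$bytes
}

function ConvertTo-ExampleImmutableId {
    # GUID -> Base64. Guid.ToByteArray() stores the first three GUID fields
    # little-endian, so the bytes are not the GUID's hex digits in reading order.
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Test-ExampleAnchorMatch {
    # True when a cloud ImmutableId encodes the given on-premises GUID
    # (objectGUID or mS-DS-ConsistencyGuid).
    param(
        [Parameter(Mandatory)][Guid]$Guid,
        [Parameter(Mandatory)][string]$ImmutableId
    )
    $decoded = ConvertFrom-ExampleImmutableId $ImmutableId
    ($decoded -is [Guid]) -and ($decoded -eq $Guid)
}

# Round trip with the page's sample values.
$dn = ConvertTo-ExampleAadDn 'QF5HMK7n80qvdYsUPIHa9Q=='
$dn
ConvertFrom-ExampleAadDn $dn

$guid = ConvertFrom-ExampleImmutableId 'iGhmiAEBERG7uxI0VniQqw=='
$guid
Test-ExampleAnchorMatch -Guid $guid -ImmutableId (ConvertTo-ExampleImmutableId $guid)
```

For the sample 'iGhmiAEBERG7uxI0VniQqw==' the decoded bytes start 88 68 66 88 while the resulting GUID starts 88666888, which is the byte reordering to keep in mind when comparing raw attribute dumps with ImmutableId values.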
Export Microsoft Entra Disconnector objects
Export-ADSyncToolsAadDisconnectors [[-SyncObjectType] <Object>] [<CommonParameters>]
Executes CSExport tool to export all Disconnectors to XML and then takes this XML output and converts it to a CSV file with: UserPrincipalName, Mail, SourceAnchor, DistinguishedName, CsObjectId, ObjectType, ConnectorId, CloudAnchor
Export-ADSyncToolsAadDisconnectors -SyncObjectType 'PublicFolder'
Exports to CSV all PublicFolder Disconnector objects
Export-ADSyncToolsAadDisconnectors
Exports to CSV all Disconnector objects
ObjectType to include in output
Type: Object
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Use ObjectType argument in case you want to export Disconnectors for a given object type only
Exports a CSV file with Disconnector objects containing: UserPrincipalName, Mail, SourceAnchor, DistinguishedName, CsObjectId, ObjectType, ConnectorId and CloudAnchor
Exports all synchronized Mail-Enabled Public Folder objects from Microsoft Entra ID to a CSV file
Export-ADSyncToolsAadPublicFolders [-Credential] <PSCredential> [-Path] <Object> [<CommonParameters>]
This function exports to a CSV file all the synchronized Mail-Enabled Public Folders (MEPF) present in Microsoft Entra ID. It can be used with Remove-ADSyncToolsAadPublicFolders to identify and remove orphaned Mail-Enabled Public Folders in Microsoft Entra ID. This function requires the credentials of a Global Administrator in Microsoft Entra ID and authentication with MFA isn't supported. NOTE: If DirSync is disabled on the tenant, you need to temporarily re-enable DirSync in order to remove orphaned Mail Enabled Public Folders from Microsoft Entra ID.
Export-ADSyncToolsAadPublicFolders -Credential $(Get-Credential) -Path <file_name>
Microsoft Entra Global Administrator Credential
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: true
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Path for output file
Type: String
Parameter Sets: (All)
Aliases:
Required: true
Position: 2
Default value: None
Accept pipeline input: false (ByPropertyName)
Accept wildcard characters: false
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
This cmdlet creates the <filename> containing all synced Mail-Enabled PublicFolder objects in CSV format.
Generates a report of certificates stored in Active Directory Computer objects, specifically, certificates issued by the Microsoft Entra hybrid join feature.
Export-ADSyncToolsHybridAadJoinReport [-DN] <String> [[-Filename] <String>] [<CommonParameters>]
Export-ADSyncToolsHybridAadJoinReport [-OU] <String> [[-Filename] <String>] [<CommonParameters>]
This tool checks for all certificates present in UserCertificate property of a Computer object in AD and, for each non-expired certificate present, validates if the certificate was issued for the Microsoft Entra hybrid join feature (that is, Subject Name is CN={ObjectGUID}). Before version 1.4, Microsoft Entra Connect would synchronize to Microsoft Entra any Computer that contained at least one certificate but in Microsoft Entra Connect version 1.4 and later, ADSync engine can identify Microsoft Entra hybrid join certificates and will "cloudfilter" (exclude) the computer object from synchronizing to Microsoft Entra ID unless there's a valid Microsoft Entra hybrid join certificate present. Microsoft Entra Device objects that were already synchronized to AD but don't have a valid Microsoft Entra hybrid join certificate will be deleted from Microsoft Entra ID (CloudFiltered=TRUE) by Microsoft Entra Connect.
Export-ADSyncToolsHybridAadJoinReport -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
Export-ADSyncToolsHybridAadJoinReport -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
Computer DistinguishedName
Type: String
Parameter Sets: SingleObject
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
AD OrganizationalUnit
Type: String
Parameter Sets: MultipleObjects
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Output CSV filename (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
More Information: Understand Microsoft Entra Connect 1.4.xx.x and device disappearance
Export Microsoft Entra Connect Objects to XML files
Export-ADSyncToolsObjects [-ObjectId] <Object> [-Source] <Object> [-ExportSerialized] [<CommonParameters>]
Export-ADSyncToolsObjects [-DistinguishedName] <Object> [-ConnectorName] <Object> [-ExportSerialized]
[<CommonParameters>]
Exports internal ADSync objects from Metaverse and associated connected objects from Connector Spaces
Export-ADSyncToolsObjects -ObjectId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' -Source Metaverse
Export-ADSyncToolsObjects -ObjectId 'bbbbbbbb-1111-2222-3333-cccccccccccc' -Source ConnectorSpace
Export-ADSyncToolsObjects -DistinguishedName 'CN=User1,OU=ADSync,DC=Contoso,DC=com' -ConnectorName 'Contoso.com'
ObjectId is the unique identifier of the object in the respective connector space or metaverse
Type: Object
Parameter Sets: ObjectId
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Source is the table where the object resides, which can be either ConnectorSpace or Metaverse
Type: Object
Parameter Sets: ObjectId
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
DistinguishedName is the identifier of the object in the respective connector space
Type: Object
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
ConnectorName is the name of the connector space where the object resides
Type: Object
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
ExportSerialized exports extra XML files with serialized object data
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Export Microsoft Entra Connect Run History
Export-ADSyncToolsRunHistory [-TargetName] <String> [<CommonParameters>]
Function to export Microsoft Entra Connect Run Profile and Run Step results to CSV and XML format respectively. The resulting Run Profile CSV file can be imported into a spreadsheet and the Run Step XML file can be imported with Import-Clixml
Export-ADSyncToolsRunHistory -TargetName MyADSyncHistory
Name of the output file
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Export ms-ds-Consistency-Guid Report
Export-ADSyncToolsSourceAnchorReport [-AlternativeLoginId] [-UserPrincipalName] <String>
[-ImmutableIdGUID] <String> [-Output] <String> [<CommonParameters>]
Generates a ms-ds-Consistency-Guid report based on an import CSV file from Import-ADSyncToolsSourceAnchor
Import-Csv .\AllSyncUsers.csv | Export-ADSyncToolsSourceAnchorReport -Output ".\AllSyncUsers-Report"
Use Alternative Login ID (mail)
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
UserPrincipalName
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
ImmutableIdGUID
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
Output filename for CSV and LOG files
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Get synced objects for a given SyncObjectType
Get-ADSyncToolsAadObject [-SyncObjectType] <Object> [-Credential] <PSCredential> [<CommonParameters>]
Reads from Microsoft Entra all synced objects for a given object class (SyncObjectType).
Get-ADSyncToolsAadObject -SyncObjectType 'publicFolder' -Credential $(Get-Credential)
Object Type
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Microsoft Entra Global Administrator Credential
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
This cmdlet returns the "Shadow" properties that are synchronized by the sync client, which might be different than the actual value stored in the respective property of Microsoft Entra ID. For instance, a user's UPN that is synchronized with a non-verified domain suffix 'user@nonverified.domain', will have the UPN suffix in Microsoft Entra ID converted to the tenant's default domain, 'user@tenantname.onmicrosoft.com'. In this case, Get-ADSyncToolsAadObject returns the "Shadow" value of 'user@nonverified.domain', and not the actual value in Microsoft Entra ID 'user@tenantname.onmicrosoft.com'.
Get an Active Directory object ms-ds-ConsistencyGuid
Get-ADSyncToolsMsDsConsistencyGuid [-Identity] <Object> [<CommonParameters>]
Returns the value in mS-DS-ConsistencyGuid attribute of the target Active Directory object in GUID format. Supports Active Directory objects in multi-domain forests.
Get-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com'
Get-ADSyncToolsMsDsConsistencyGuid -Identity 'User1@Contoso.com'
'User1@Contoso.com' | Get-ADSyncToolsMsDsConsistencyGuid
Target object in AD to get
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Get Microsoft Entra Connect Run History
Get-ADSyncToolsRunHistory [[-Days] <Int32>] [<CommonParameters>]
Function that returns the Microsoft Entra Connect Run History in XML format
Get-ADSyncToolsRunHistory
Get-ADSyncToolsRunHistory -Days 3
Number of days back to collect History (default = 1)
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: 1
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Get Microsoft Entra Connect Run History for older versions of Microsoft Entra Connect (WMI)
Get-ADSyncToolsRunHistoryLegacyWmi [[-Days] <Int32>] [<CommonParameters>]
Function that returns the Microsoft Entra Connect Run History in XML format
Get-ADSyncToolsRunHistoryLegacyWmi
Get-ADSyncToolsRunHistoryLegacyWmi -Days 3
Number of days back to collect History (default = 1)
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: 1
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Get SQL Server Instances from SQL Browser service
Get-ADSyncToolsSqlBrowserInstances [[-Server] <String>]
SQL Diagnostics related functions and utilities
Get-ADSyncToolsSqlBrowserInstances -Server 'sqlserver01'
SQL Server Name
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Helper function to get which Azure environment the user belongs to.
Get-ADSyncToolsTenantAzureEnvironment [-Credential] <PSCredential> [<CommonParameters>]
This function calls the OAuth discovery endpoint to get CloudInstance and tenant_region_scope to determine the Azure environment: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
Get-ADSyncToolsTenantAzureEnvironment -Credential (Get-Credential)
The user's PowerShell Credential object:
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
The user's PowerShell Credential object
The Azure environment (string)
Gets Client\Server TLS 1.2 settings for .NET Framework
Get-ADSyncToolsTls12 [<CommonParameters>]
Reads information from the Registry regarding TLS 1.2 for .NET Framework:
| Path | Name |
|---|---|
| HKLM:\SOFTWARE\WOW6432Node\Microsoft\\.NETFramework\v4.0.30319 | SystemDefaultTlsVersions |
| HKLM:\SOFTWARE\WOW6432Node\Microsoft\\.NETFramework\v4.0.30319 | SchUseStrongCrypto |
| HKLM:\SOFTWARE\Microsoft\\.NETFramework\v4.0.30319 | SystemDefaultTlsVersions |
| HKLM:\SOFTWARE\Microsoft\\.NETFramework\v4.0.30319 | SchUseStrongCrypto |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | Enabled |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | DisabledByDefault |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Enabled |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | DisabledByDefault |
Get-ADSyncToolsTls12
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
More Information: TLS 1.2 enforcement for Microsoft Entra Connect
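One way to turn the registry values listed above into a pass/fail audit on a sync server. This is an added example, not part of ADSyncTools: the function name is hypothetical, and the expected values (1 for SystemDefaultTlsVersions, SchUseStrongCrypto and Enabled, 0 for DisabledByDefault) are an assumption based on Microsoft's TLS 1.2 enforcement guidance for Microsoft Entra Connect.

```powershell
# Added example. Test-ExampleTls12Baseline is a hypothetical name, not an
# ADSyncTools cmdlet. Expected values are an assumption based on Microsoft's
# TLS 1.2 enforcement guidance; adjust them to your own baseline.
function Test-ExampleTls12Baseline {
    $net32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $net64 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

    $baseline = @(
        @{ Path = $net32;           Name = 'SystemDefaultTlsVersions'; Expected = 1 }
        @{ Path = $net32;           Name = 'SchUseStrongCrypto';       Expected = 1 }
        @{ Path = $net64;           Name = 'SystemDefaultTlsVersions'; Expected = 1 }
        @{ Path = $net64;           Name = 'SchUseStrongCrypto';       Expected = 1 }
        @{ Path = "$proto\Server";  Name = 'Enabled';                  Expected = 1 }
        @{ Path = "$proto\Server";  Name = 'DisabledByDefault';        Expected = 0 }
        @{ Path = "$proto\Client";  Name = 'Enabled';                  Expected = 1 }
        @{ Path = "$proto\Client";  Name = 'DisabledByDefault';        Expected = 0 }
    )

    foreach ($entry in $baseline) {
        # A missing key or value is reported separately from a wrong value:
        # "Missing" means the OS or .NET default applies, which differs by
        # Windows and .NET Framework version.
        $actual = $null
        $item = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($entry.Name) }

        if ($null -eq $actual) {
            $status = 'Missing'
        } elseif ($actual -eq $entry.Expected) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'
        }

        [pscustomobject]@{
            Path     = $entry.Path
            Name     = $entry.Name
            Expected = $entry.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Show only the settings that need attention.
Test-ExampleTls12Baseline |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize -Wrap
```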
Import Microsoft Entra Connect Object from XML file
Import-ADSyncToolsObjects [-Path] <String> [<CommonParameters>]
Imports an internal ADSync object from XML file that was exported using Export-ADSyncToolsObjects
Import-ADSyncToolsObjects -Path .\20210224-003104_81275a23-0168-eb11-80de-00155d188c11_MV.xml
Path for the XML file to import
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Import Microsoft Entra Connect Run History
Import-ADSyncToolsRunHistory [-Path] <String> [<CommonParameters>]
Function to Import Microsoft Entra Connect Run Step results from XML created using Export-ADSyncToolsRunHistory
Import-ADSyncToolsRunHistory -Path .\RunHistory-RunStep.xml
Path for the XML file to import
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Import ImmutableID from Microsoft Entra ID
Import-ADSyncToolsSourceAnchor [-Output] <String> [-IncludeSyncUsersFromRecycleBin] [<CommonParameters>]
Generates a file with all Microsoft Entra ID synchronized users containing the ImmutableID value in GUID format
Import-ADSyncToolsSourceAnchor -Output '.\AllSyncUsers.csv'
Import-ADSyncToolsSourceAnchor -Output '.\AllSyncUsers.csv' -IncludeSyncUsersFromRecycleBin
Output CSV file
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Get Synchronized Users from Microsoft Entra ID Recycle Bin
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Invoke a SQL query against a database for testing purposes
Invoke-ADSyncToolsSqlQuery [-SqlConnection] <SqlConnection> [[-Query] <String>] [<CommonParameters>]
SQL Diagnostics related functions and utilities
New-ADSyncToolsSqlConnection -Server SQLserver01.Contoso.com -Port 49823 | Invoke-ADSyncToolsSqlQuery
$sqlConn = New-ADSyncToolsSqlConnection -Server SQLserver01.Contoso.com -Port 49823
Invoke-ADSyncToolsSqlQuery -SqlConnection $sqlConn -Query 'SELECT *, database_id FROM sys.databases'
SQL Connection
Type: SqlConnection
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
SQL Query
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: SELECT name, database_id FROM sys.databases
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Remove orphaned synced object from Microsoft Entra ID.
NOTE:
This function requires the credentials of a Global Administrator in Microsoft Entra ID and authentication with MFA isn't supported. If DirSync is disabled on the tenant, you need to temporarily re-enable DirSync in order to use this function.
Remove-ADSyncToolsAadObject [-Credential] <PSCredential> [-InputCsvFilename] <Object> [-WhatIf] [-Confirm]
[<CommonParameters>]
Remove-ADSyncToolsAadObject [-Credential] <PSCredential> [-SourceAnchor] <Object> [-SyncObjectType] <Object>
[-WhatIf] [-Confirm] [<CommonParameters>]
Deletes from Microsoft Entra ID one or more synced objects based on SourceAnchor and ObjectType.
The CSV file can be generated using Export-ADSyncToolsAadDisconnectors.
IMPORTANT: This operation might be irreversible. Other than User objects that have a Recycle Bin, any other object types deleted with this function can't be recovered.
Remove-ADSyncToolsAadObject -InputCsvFilename .\DeleteObjects.csv -Credential (Get-Credential)
Remove-ADSyncToolsAadObject -SourceAnchor '2epFRNMCPUqhysJL3SWL1A==' -SyncObjectType 'publicFolder' -Credential (Get-Credential)
Microsoft Entra Global Administrator Credential
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
CSV Input filename
Type: Object
Parameter Sets: CsvInput
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Object SourceAnchor
Type: Object
Parameter Sets: ObjectInput
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Object Type
Type: Object
Parameter Sets: ObjectInput
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Shows what would happen if the cmdlet runs. The cmdlet isn't run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
InputCsvFilename must point to a CSV file with at least 2 columns: SourceAnchor, SyncObjectType
Shows results from ExportDeletions operation
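Because deletions of most object types can't be undone, a pre-flight check of the input CSV followed by a -WhatIf run is a sensible routine. The following is an added example, not part of ADSyncTools: Test-ExampleDeletionCsv is a hypothetical helper, and the sample rows are constructed (the first anchor is the sample value shown above).

```powershell
# Added example. Test-ExampleDeletionCsv is a hypothetical helper, not an
# ADSyncTools cmdlet. It checks the two columns the reference text requires
# (SourceAnchor, SyncObjectType) before any deletion is attempted.
function Test-ExampleDeletionCsv {
    param([Parameter(Mandatory)][string]$Path)

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No data rows in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($required in 'SourceAnchor', 'SyncObjectType') {
        if ($columns -notcontains $required) {
            throw "Required column '$required' is missing from $Path"
        }
    }

    # Dictionary[string,int] compares keys case-sensitively. A PowerShell @{}
    # hashtable would not, and Base64 anchors differ by case.
    $seen = [System.Collections.Generic.Dictionary[string,int]]::new()
    $line = 1                                   # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        $issues = @()

        if ([string]::IsNullOrWhiteSpace($row.SourceAnchor)) {
            $issues += 'empty SourceAnchor'
        } else {
            try { [void][Convert]::FromBase64String($row.SourceAnchor) }
            catch { $issues += 'SourceAnchor is not valid Base64' }
        }
        if ([string]::IsNullOrWhiteSpace($row.SyncObjectType)) {
            $issues += 'empty SyncObjectType'
        }

        $key = '{0}|{1}' -f $row.SourceAnchor, $row.SyncObjectType
        if ($seen.ContainsKey($key)) {
            $issues += "duplicate of line $($seen[$key])"
        } else {
            $seen[$key] = $line
        }

        [pscustomobject]@{
            Line           = $line
            SourceAnchor   = $row.SourceAnchor
            SyncObjectType = $row.SyncObjectType
            Valid          = ($issues.Count -eq 0)
            Issues         = ($issues -join '; ')
        }
    }
}

# Constructed sample input: one good row, one malformed anchor, one duplicate.
$csv = Join-Path $env:TEMP 'DeleteObjects-sample.csv'
@'
SourceAnchor,SyncObjectType
2epFRNMCPUqhysJL3SWL1A==,publicFolder
not base64!,publicFolder
2epFRNMCPUqhysJL3SWL1A==,publicFolder
'@ | Set-Content -Path $csv -Encoding ASCII

$report = @(Test-ExampleDeletionCsv -Path $csv)
$report | Format-Table -AutoSize

if ($report.Valid -contains $false) {
    Write-Warning 'Fix the rows flagged above before running any deletion.'
} else {
    # Dry run only: -WhatIf shows what would be deleted without deleting it.
    Remove-ADSyncToolsAadObject -InputCsvFilename $csv -Credential (Get-Credential) -WhatIf
}
```

Rerun without -WhatIf only after the dry-run output has been reviewed against the intended list of orphaned objects.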
Removes synchronized Mail-Enabled Public Folders (MEPF) present in Microsoft Entra ID.
You can specify the SourceAnchor/ImmutableID for the target MEPF object to delete or provide a CSV list with a batch of objects to delete that can be obtained with Export-ADSyncToolsAadPublicFolders.
NOTE:
This function requires the credentials of a Global Administrator in Microsoft Entra ID and authentication with MFA isn't supported. If DirSync is disabled on the tenant, you need to temporarily re-enable DirSync in order to remove orphaned Mail-Enabled Public Folders from Microsoft Entra ID.
Remove-ADSyncToolsAadPublicFolders [-Credential] <PSCredential> [-InputCsvFilename] <Object> [-WhatIf] [-Confirm] [<CommonParameters>]
Remove-ADSyncToolsAadPublicFolders [-Credential] <PSCredential> [-SourceAnchor] <Object> [-WhatIf] [-Confirm] [<CommonParameters>]
Deletes from Microsoft Entra ID a synced Mail-Enabled Public Folder object based on a SourceAnchor or CSV list.
The CSV list can be obtained with Export-ADSyncToolsAadPublicFolders to identify and remove all orphaned Mail-Enabled Public Folders in Microsoft Entra ID.
IMPORTANT: This operation is irreversible. Deleted Mail-Enabled Public Folder objects cannot be restored from Microsoft Entra ID.
Remove-ADSyncToolsAadPublicFolders -InputCsvFilename .\DeleteObjects.csv -Credential (Get-Credential)
Remove-ADSyncToolsAadPublicFolders -SourceAnchor '2epFRNMCPUqhysJL3SWL1A==' -Credential (Get-Credential)
Microsoft Entra Global Administrator Credential
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: true
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Path for input CSV file
Type: String
Parameter Sets: InputCsv
Aliases:
Required: true
Position: 2
Default value: None
Accept pipeline input: true (ByPropertyName)
Accept wildcard characters: false
Target SourceAnchor/ImmutableID
Type: String
Parameter Sets: SourceAnchor
Aliases:
Required: true
Position: 2
Default value: None
Accept pipeline input: true (ByPropertyName)
Accept wildcard characters: false
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
The CSV input file can be generated using Export-ADSyncToolsAadPublicFolders. Path parameters must point to a CSV file with at least 2 columns: SourceAnchor, SyncObjectType.
Shows results from ExportDeletions operation.
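Because the deletion is irreversible, it helps to inspect the input CSV before it is handed to Remove-ADSyncToolsAadPublicFolders. The following is an added example, not part of the ADSyncTools module: `Test-DeletionCsv` is a hypothetical helper, and it assumes that a SourceAnchor is the Base64 form of a 16-byte GUID and that every row in a public-folder cleanup file should have the type `publicFolder`.

```powershell
# Added example: read-only pre-flight check of a deletion CSV. Nothing here
# calls Remove-ADSyncToolsAadPublicFolders or contacts the tenant.
function Test-DeletionCsv {            # hypothetical helper, not part of ADSyncTools
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: a public-folder cleanup file should contain only this type.
        [string] $ExpectedType = 'publicFolder'
    )

    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { throw "No data rows in '$Path'." }

    # The reference requires at least these two columns.
    $columns = @($rows[0].PSObject.Properties.Name)
    foreach ($required in 'SourceAnchor', 'SyncObjectType') {
        if ($columns -notcontains $required) { throw "Column '$required' is missing." }
    }

    # Base64 is case-sensitive, so use an ordinal dictionary rather than @{}.
    $seen = New-Object 'System.Collections.Generic.Dictionary[string,int]'
    $line = 1                          # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $problems = @()
        $guid = $null
        $anchor = "$($row.SourceAnchor)".Trim()

        # Assumption: a SourceAnchor is the Base64 form of a 16-byte GUID.
        try {
            $bytes = [Convert]::FromBase64String($anchor)
            if ($bytes.Length -eq 16) { $guid = New-Object Guid (, $bytes) }
            else { $problems += "decodes to $($bytes.Length) bytes, expected 16" }
        } catch {
            $problems += 'SourceAnchor is not valid Base64'
        }

        if ($seen.ContainsKey($anchor)) { $problems += "duplicate of line $($seen[$anchor])" }
        else { $seen[$anchor] = $line }

        if ($row.SyncObjectType -ne $ExpectedType) {
            $problems += "SyncObjectType is '$($row.SyncObjectType)', expected '$ExpectedType'"
        }

        $status = if ($problems.Count) { 'REVIEW' } else { 'OK' }
        [pscustomobject]@{
            Line           = $line
            SourceAnchor   = $anchor
            AnchorAsGuid   = $guid     # compare with the on-premises object before deleting
            SyncObjectType = $row.SyncObjectType
            Status         = $status
            Problems       = $problems -join '; '
        }
    }
}

# Constructed sample built from the example anchors on this page (not tenant data).
$sample = Join-Path ([IO.Path]::GetTempPath()) 'DeleteObjects-sample.csv'
@'
SourceAnchor,SyncObjectType
2epFRNMCPUqhysJL3SWL1A==,publicFolder
2epFRNMCPUqhysJL3SWL1A==,publicFolder
not-base64!,publicFolder
GGhsjYwBEU+buBsE4sqhtg==,user
'@ | Set-Content -LiteralPath $sample
Test-DeletionCsv -Path $sample | Format-Table -AutoSize
```

Rows marked REVIEW are worth resolving before the file is used; a clean file can then be run through the cmdlet with -WhatIf first.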
Script to Remove Expired Certificates from UserCertificate Attribute
Remove-ADSyncToolsExpiredCertificates [-TargetOU] <String> [[-BackupOnly] <Boolean>] [-ObjectClass] <String>
[<CommonParameters>]
This script takes all the objects from a target Organizational Unit in your Active Directory domain, filtered by Object Class (User/Computer), and deletes all expired certificates present in the UserCertificate attribute. By default (BackupOnly mode), it only backs up expired certificates to a file and makes no changes in AD. If you use -BackupOnly $false, any expired certificate present in the UserCertificate attribute for these objects is removed from Active Directory after being copied to a file. Each certificate is backed up to a separate file named ObjectClass_ObjectGUID_CertThumbprint.cer. The script also creates a log file in CSV format showing all the users with certificates that are either valid or expired, including the action taken (Skipped/Exported/Deleted).
Check all users in target OU - Expired Certificates will be copied to separate files and no certificates will be removed
Remove-ADSyncToolsExpiredCertificates -TargetOU "OU=Users,OU=Corp,DC=Contoso,DC=com" -ObjectClass user
Delete Expired Certs from all Computer objects in target OU - Expired Certificates will be copied to files and removed from AD
Remove-ADSyncToolsExpiredCertificates -TargetOU "OU=Computers,OU=Corp,DC=Contoso,DC=com" -ObjectClass computer -BackupOnly $false
Target OU in which to look up AD objects
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
BackupOnly won't delete any certificates from AD
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: True
Accept pipeline input: False
Accept wildcard characters: False
Object Class filter
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Repair Microsoft Entra Connect AutoUpgrade State
Repair-ADSyncToolsAutoUpgradeState
Fixes an issue with AutoUpgrade introduced in build 1.1.524 (May 2017) which disables the online checking of new versions while AutoUpgrade is enabled.
Repair-ADSyncToolsAutoUpgradeState
Resolve a SQL server name
Resolve-ADSyncToolsSqlHostAddress [-Server] <String> [<CommonParameters>]
SQL Diagnostics related functions and utilities
Resolve-ADSyncToolsSqlHostAddress -Server 'sqlserver01'
SQL Server Name
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Search an Active Directory object in Active Directory Forest by its UserPrincipalName, sAMAccountName or DistinguishedName
Search-ADSyncToolsADobject [-Identity] <Object> [<CommonParameters>]
Supports multi-domain queries and returns all the required properties including mS-DS-ConsistencyGuid.
Search-ADSyncToolsADobject 'CN=user1,OU=Sync,DC=Contoso,DC=com'
Search-ADSyncToolsADobject -Identity "user1@Contoso.com"
Get-ADUser 'CN=user1,OU=Sync,DC=Contoso,DC=com' | Search-ADSyncToolsADobject
Target User in AD to set ConsistencyGuid
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Set an Active Directory object ms-ds-ConsistencyGuid
Set-ADSyncToolsMsDsConsistencyGuid [-Identity] <Object> [-Value] <Object> [<CommonParameters>]
Sets a value in mS-DS-ConsistencyGuid attribute for the target Active Directory user. Supports Active Directory objects in multi-domain forests.
Set-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com' -Value '00aa00aa-bb11-cc22-dd33-44ee44ee44ee'
Set-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com' -Value 'GGhsjYwBEU+buBsE4sqhtg=='
Set-ADSyncToolsMsDsConsistencyGuid 'User1@Contoso.com' '11bb11bb-cc22-dd33-ee44-55ff55ff55ff'
Set-ADSyncToolsMsDsConsistencyGuid 'User1@Contoso.com' 'GGhsjYwBEU+buBsE4sqhtg=='
'00aa00aa-bb11-cc22-dd33-44ee44ee44ee' | Set-ADSyncToolsMsDsConsistencyGuid -Identity User1
'GGhsjYwBEU+buBsE4sqhtg==' | Set-ADSyncToolsMsDsConsistencyGuid User1
Target object in AD to set mS-DS-ConsistencyGuid
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
Value to set (ImmutableId, Byte array, GUID, GUID string or Base64 string)
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Sets Client\Server TLS 1.2 settings for .NET Framework
Set-ADSyncToolsTls12 [[-Enabled] <Boolean>] [<CommonParameters>]
Sets the registry entries to enable/disable TLS 1.2 for .NET Framework:
| Path | Name |
|---|---|
| HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 | SystemDefaultTlsVersions |
| HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto |
| HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | SystemDefaultTlsVersions |
| HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | Enabled |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | DisabledByDefault |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Enabled |
| HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | DisabledByDefault |
Running the cmdlet without any parameters enables TLS 1.2 for .NET Framework.
Set-ADSyncToolsTls12
Set-ADSyncToolsTls12 -Enabled $true
TLS 1.2 Enabled
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: True
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
More Information: TLS 1.2 enforcement for Microsoft Entra Connect
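To confirm what state a server is actually in, the registry values listed for Set-ADSyncToolsTls12 can be read back without changing anything. This is an added example, not code from the ADSyncTools module: `Get-Tls12RegistryState` is a hypothetical helper, the expected DWORD data (1 for SystemDefaultTlsVersions, SchUseStrongCrypto and Enabled; 0 for DisabledByDefault) is an assumption not stated on this page, and the .NET paths are written with the `Microsoft\.NETFramework` separator as the keys exist in the registry.

```powershell
# Added example: read-only audit of the registry values Set-ADSyncToolsTls12 manages.
# Assumption: "TLS 1.2 enabled" corresponds to the DWORD data listed here.
function Get-Tls12RegistryState {      # hypothetical helper, not part of ADSyncTools
    [CmdletBinding()]
    param()

    $checks = @()
    foreach ($root in 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319') {
        $checks += @{ Path = $root; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
        $checks += @{ Path = $root; Name = 'SchUseStrongCrypto';       Expected = 1 }
    }
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($role in 'Server', 'Client') {
        $checks += @{ Path = "$schannel\$role"; Name = 'Enabled';           Expected = 1 }
        $checks += @{ Path = "$schannel\$role"; Name = 'DisabledByDefault'; Expected = 0 }
    }

    foreach ($check in $checks) {
        # A missing key or value is reported rather than raised as an error:
        # absence means the operating system and .NET defaults apply.
        $actual = $null
        $item = Get-ItemProperty -LiteralPath $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($check.Name) }

        if ($null -eq $actual) {
            $state = 'Missing'
        } elseif ($actual -eq $check.Expected) {
            $state = 'OK'
        } else {
            $state = 'Mismatch'
        }

        [pscustomobject]@{
            State    = $state
            Name     = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Path     = $check.Path
        }
    }
}

# Show every value, then only the ones that need attention.
$report = @(Get-Tls12RegistryState)
$report | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'OK' } | Format-List
```

Running it before and after Set-ADSyncToolsTls12 shows exactly which of the eight values the cmdlet changed on that server.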
Test the SQL Server network port
Test-ADSyncToolsSqlNetworkPort [[-Server] <String>] [[-Port] <String>]
SQL Diagnostics related functions and utilities
Test-ADSyncToolsSqlNetworkPort -Server 'sqlserver01'
Test-ADSyncToolsSqlNetworkPort -Server 'sqlserver01' -Port 1433
SQL Server Name
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SQL Server Port
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Creates a trace file from an Active Directory Import Step
Trace-ADSyncToolsADImport [-DC] <String> [-RootDN] <String> [[-Filter] <String>] [[-Credential] <PSCredential>]
[-SSL] [-ADConnectorXML] <String> [<CommonParameters>]
Trace-ADSyncToolsADImport [-DC] <String> [-RootDN] <String> [[-Filter] <String>] [[-Credential] <PSCredential>]
[-SSL] [-ADwatermark] <String> [<CommonParameters>]
Traces all LDAP queries of an Active Directory Import run from a given Active Directory watermark checkpoint (also called a partition cookie). Creates a trace file '.\ADimportTrace_yyyyMMddHHmmss.log' in the current folder. To use -ADConnectorXML, go to the Synchronization Service Manager, right-click your AD Connector and select "Export Connector...".
Trace Active Directory Import for user objects by providing an AD Connector XML file
Trace-ADSyncToolsADImport -DC 'DC1.contoso.com' -RootDN 'DC=Contoso,DC=com' -Filter '(&(objectClass=user))' -ADConnectorXML .\ADConnector.xml
Trace Active Directory Import for all objects by providing the Active Directory watermark (cookie) and AD Connector credential
$creds = Get-Credential
Trace-ADSyncToolsADImport -DC 'DC1.contoso.com' -RootDN 'DC=Contoso,DC=com' -Credential $creds -ADwatermark "TVNEUwMAAAAXyK9ir1zSAQAAAAAAAAAA(...)"
Target Domain Controller
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Forest Root DN
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
AD objects type to trace. Use '(&(objectClass=*))' for all object types
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: (&(objectClass=*))
Accept pipeline input: False
Accept wildcard characters: False
Provide the credential to run LDAP query against AD
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
SSL Connection
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
AD Connector Export XML file - Right-click AD Connector and select "Export Connector..."
Type: String
Parameter Sets: ADConnectorXML
Aliases:
Required: True
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Manual input of watermark, instead of XML file, for example $ADwatermark = "TVNEUwMAAAAXyK9ir1zSAQAAAAAAAAAA(...)"
Type: String
Parameter Sets: ADwatermarkInput
Aliases:
Required: True
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Trace LDAP queries
Trace-ADSyncToolsLdapQuery [-RootDN] <String> [-Credential] <PSCredential> [[-Server] <String>]
[[-Port] <Int32>] [-Filter <String>] [<CommonParameters>]
Trace-ADSyncToolsLdapQuery -RootDN "DC=Contoso,DC=com" -Credential $Credential
Forest/Domain DistinguishedName
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
AD Credential
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Domain Controller Name (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Domain Controller port (default: 389)
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: 389
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
LDAP filter (default: objectClass=*)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: (objectClass=*)
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Updates users with the new ConsistencyGuid (ImmutableId)
Update-ADSyncToolsSourceAnchor [[-DistinguishedName] <String>] [-ImmutableIdGUID] <String> [-Action] <String>
[-Output] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
Updates users with the new ConsistencyGuid (ImmutableId) value taken from the ConsistencyGuid Report. This function supports the -WhatIf switch.
Note: ConsistencyGuid Report must be imported with Tab delimiter.
Import-Csv .\AllSyncUsers-Report.csv -Delimiter "`t"| Update-ADSyncToolsSourceAnchor -Output .\AllSyncUsersTEST-Result2 -WhatIf
Import-Csv .\AllSyncUsers-Report.csv -Delimiter "`t"| Update-ADSyncToolsSourceAnchor -Output .\AllSyncUsersTEST-Result2
DistinguishedName
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: False
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
ImmutableIdGUID
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
Action
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
Output filename for LOG files
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Shows what would happen if the cmdlet runs. The cmdlet isn't run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Gets a list of all the objects with "Source anchor has changed" error.
Get-ADSyncToolsDuplicateUsersSourceAnchor [-ADConnectorName] <Object> [<CommonParameters>]
In certain scenarios, such as mergers and acquisitions (M&A), customers add a new forest to Microsoft Entra Connect with duplicate user objects. This causes multiple sync errors if the new connector precedence is higher for the newly joined users. This cmdlet provides a list of all the objects with "Source anchor has changed" errors.
Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.com
AD connector name for which user source anchors need to be repaired
Type: Object
Parameter Sets: (All)
Aliases:
Required: true
Position: 1
Default value:
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Fixes all the objects with "Source Anchor has changed" error.
Set-ADSyncToolsDuplicateUsersSourceAnchor [-DuplicateUserSourceAnchorInfo] <DuplicateUserSourceAnchorInfo> [-ActiveDirectoryCredential <PSCredential>] [-OverridePrompt <Boolean>] [<CommonParameters>]
This cmdlet takes in the list of objects from Get-ADSyncToolsDuplicateUsersSourceAnchor as pipeline input. It then fixes the sync errors by updating the msDS-ConsistencyGuid attribute with the sourceAnchor/immutableID of the original object. The cmdlet has an optional parameter - "Override prompt", which is False by default. If it is set to True, then the user won't be prompted when updating the msDS-ConsistencyGuid attribute.
Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.lab | Set-ADSyncToolsDuplicateUsersSourceAnchor
Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.lab | Set-ADSyncToolsDuplicateUsersSourceAnchor -OverridePrompt $true
User list for which the source anchor needs to be fixed
Type: DuplicateUserSourceAnchorInfo
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value:
Accept pipeline input: True (ByValue, ByPropertyName)
Accept wildcard characters: False
AD EA/DA Admin Credentials. If not provided, default credentials will be used
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value:
Accept pipeline input: False
Accept wildcard characters: False
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.