On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool:
- Better logging of errors. When running the tool for a large organization that had $ characters in its service account names, the tool would report success but not leave any log files or indicators of where things may have happened. I’ve added a logging function to it that timestamps and displays output to both the screen and a log file.
- Updating a few checks before attempting to load/unload modules. Depending on the order things were run, there were some instances where a Remove-Module would get called without the module having been imported.
- Updated a check for the Active Directory RSAT. There were a few places I missed checking for / prompting for the AD RSAT, which resulted in unexplained errors when calling commands that relied upon commands available on DCs or in the RSAT. My general assumption was that the tool would be run on the AAD Connect server (and I always install the AD RSAT on the AAD Connect server to assist in troubleshooting), but not everyone does this.
The updated tool is available in the same place as the last: https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74
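
The three changes listed above follow a common pattern, sketched here as an added example that is not the tool's own code. The function names (`Write-Log`, `Test-AdRsat`, `Remove-ModuleIfLoaded`), the log file location and the account name `svc$aadconnect` are assumptions made for illustration.

```powershell
# Added example: helper names, log path and account name are hypothetical.
$LogFile = Join-Path $env:TEMP ('AADConnectPermissions_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))

function Write-Log {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('INFO', 'WARN', 'ERROR')][string]$Level = 'INFO'
    )
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    # Show the timestamped line on screen and append the same line to the log file.
    switch ($Level) {
        'ERROR' { Write-Host $line -ForegroundColor Red }
        'WARN'  { Write-Host $line -ForegroundColor Yellow }
        default { Write-Host $line }
    }
    Add-Content -LiteralPath $LogFile -Value $line
}

function Test-AdRsat {
    # The ActiveDirectory module is present on DCs and wherever the AD RSAT is installed.
    if (Get-Module -ListAvailable -Name ActiveDirectory) { return $true }
    Write-Log -Level ERROR -Message 'ActiveDirectory module not found. Install the AD RSAT and rerun.'
    return $false
}

function Remove-ModuleIfLoaded {
    param([Parameter(Mandatory)][string]$Name)
    # Only unload a module that was actually imported into this session.
    if (Get-Module -Name $Name) {
        Remove-Module -Name $Name
        Write-Log -Message "Unloaded module $Name"
    }
}

if (-not (Test-AdRsat)) { return }
Import-Module ActiveDirectory
try {
    # Constructed sample name; single quotes keep the $ literal instead of expanding a variable.
    $account = 'svc$aadconnect'
    Write-Log -Message "Looking up account $account"
    Get-ADUser -Identity $account -ErrorAction Stop | Out-Null
    Write-Log -Message "Found account $account"
}
catch {
    # A failed lookup is written to screen and log instead of being reported as success.
    Write-Log -Level ERROR -Message $_.Exception.Message
}
finally {
    Remove-ModuleIfLoaded -Name ActiveDirectory
}
```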