Finding Active Directory Duplicates Preventing Azure AD Synchronization


As you may have seen in a post from a few years back, I wrote a tool to fill a gap in our IDFix tool (namely, IDFix cannot tell you which objects are the duplicates when the values are spread across one or more forests).

I stumbled across the need for it again a few days ago while trying to help someone locate the cause of an Azure AD Connect export error.  Azure AD Connect reported an object that could not be exported because one or more other objects carried the same SMTP (proxyAddresses) value.

I had to go all prehistoric and email them a copy of the script as opposed to just pointing them to a friendly place to download it, since we decided to retire the TechNet Gallery.

Demo

To see it in action, follow these steps:

  1. Go to a workstation or server where you have the Active Directory RSAT configured (I know you were probably expecting me to say “RSAT Tools,” but “Tools” is redundant in the same way “ATM Machine” is).  The script uses the ActiveDirectory module, so the machine needs to reach a domain controller over AD Web Services.
  2. Launch an elevated PowerShell prompt.
  3. Run Install-Script Find-DuplicateValues.  If you’ve never used the PowerShell Gallery and NuGet this way before, you may get prompted a few times: first to add the scripts folder to the PATH variable, and then to install (or update) the NuGet provider.
  4. If you run into problems, you may need to update your TLS settings.  The PowerShell Gallery only accepts TLS 1.2, and older Windows and .NET Framework combinations still default to TLS 1.0, so the download fails before it starts.  If you see a lot of red on your screen with messages like “Unable to install NuGet provider,” turn on strong crypto for both the 32-bit (Wow6432Node) and 64-bit .NET Framework, then close and restart PowerShell:
    
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
    
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
    
    Note that this is a machine-wide change affecting every .NET Framework 4.x application on the box.  If you would rather not touch the registry, setting the session’s ServicePointManager security protocol to TLS 1.2 before running Install-Script has the same effect for that PowerShell session only.
  5. Confirm that you want to install from the PSGallery repository (it is an untrusted repository by default, so PowerShellGet asks before installing anything from it).
  6. Run the script with the following syntax:
    Find-DuplicateValues <user@domain.tld>
  7. Review the output (matching values are highlighted).
  8. Beat down those responsible, as appropriate.
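If you want to see the kind of check the script performs before installing it (or you need to scan a forest where you cannot install anything from the Gallery), the following is an added example written for this page, not the Find-DuplicateValues script itself.  It walks the attributes Azure AD Connect requires to be unique (proxyAddresses, mail, userPrincipalName) across one or more domains, normalizes SMTP addresses before comparing them, and reports only values held by more than one distinct object.  The domain names are placeholders, and it assumes the ActiveDirectory RSAT module and read access to each domain listed.

```powershell
# Added example (not the Find-DuplicateValues script): cross-domain scan for
# attribute values that Azure AD Connect will refuse to export as duplicates.
# Assumptions: ActiveDirectory RSAT module present; the running account can
# read every domain in $Domains; the domain names below are placeholders.
Import-Module ActiveDirectory

$Domains = @('corp.contoso.com', 'fabrikam.com')   # assumption: domains to scan

# Attributes that must be unique across the whole synchronized scope.
$Attributes = @('proxyAddresses', 'mail', 'userPrincipalName')

# Map: normalized value -> list of objects holding it.
$index = @{}

foreach ($domain in $Domains) {
    # Only objects carrying at least one of the attributes are of interest.
    # -ResultPageSize keeps each page small enough for AD Web Services in very
    # large OUs; -ResultSetSize $null removes the default cap on total results.
    $objects = Get-ADObject -Server $domain `
        -LDAPFilter '(|(proxyAddresses=*)(mail=*)(userPrincipalName=*))' `
        -Properties $Attributes -ResultPageSize 500 -ResultSetSize $null

    foreach ($obj in $objects) {
        foreach ($attr in $Attributes) {
            foreach ($raw in @($obj.$attr)) {
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                # Normalize before comparing: strip the smtp:/SMTP: prefix so a
                # primary address on one object collides with a secondary on
                # another, and lower-case because AD compares SMTP addresses
                # case-insensitively. Other prefixes (X500:, sip:) keep their
                # prefix and are compared as-is.
                $value = ($raw -replace '^smtp:', '').ToLowerInvariant()
                if (-not $index.ContainsKey($value)) { $index[$value] = @() }
                $index[$value] += [pscustomobject]@{
                    Value     = $value
                    Attribute = $attr
                    Domain    = $domain
                    Object    = $obj.DistinguishedName
                }
            }
        }
    }
}

# A value is a duplicate only when more than one *distinct* object holds it.
# One object listing user@contoso.com in both mail and proxyAddresses is
# normal and is not reported.
$duplicates = foreach ($entry in $index.GetEnumerator()) {
    $owners = @($entry.Value.Object | Sort-Object -Unique)
    if ($owners.Count -gt 1) { $entry.Value }
}

if (-not $duplicates) {
    Write-Host 'No duplicate values found.' -ForegroundColor Green
} else {
    $duplicates | Sort-Object Value, Domain |
        Format-Table Value, Attribute, Domain, Object -AutoSize
}
```

Each row in the output names the offending value, the attribute it lives in, and the domain and distinguished name of the object, which is exactly what you need to hand to whoever owns the objects.  Paging with -ResultPageSize is what keeps the query alive in the thousands-of-OUs environments mentioned below; without it, a single large enumeration is what trips the AD Web Services buffer error.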

There are a bunch of extra parameters for working with large environments (thousands of OUs filled with thousands of users, where a single large enumeration causes an AD Web Services buffer error) or for using the legacy LDAP filter method (which will return partial matches, if you’re into that sort of thing).  Once the script is installed, Get-Help Find-DuplicateValues -Full lists them.

You can install the script using the Install-Script Find-DuplicateValues syntax mentioned earlier or by going to the tool’s page: PowerShell Gallery | Find-DuplicateValues 2.0

Cheers!

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.
