Azure AD Connect Global Settings
Sync deployments always have some configuration settings hanging around, and usually end up in XML files somewhere on the computer running the synchronization service because there has not been a good way to store configuration settings in the synchronization service itself. That seems to have changed in Azure AD Connect with the Global Settings. Global settings are not well documented but they appear to work pretty well. From what I’ve observed they are saved to the ADSync database and survive computer restarts. Here’s a tour…
The command for getting the global settings is Get-ADSyncGlobalSettings.
Get-Help Get-ADSyncGlobalSettings -Full
<#
NAME
Get-ADSyncGlobalSettings
SYNTAX
Get-ADSyncGlobalSettings [-WhatIf] [-Confirm] []
PARAMETERS
-Confirm
Required? false
Position? Named
Accept pipeline input? false
Parameter set name (All)
Aliases cf
Dynamic? false
-WhatIf
Required? false
Position? Named
Accept pipeline input? false
Parameter set name (All)
Aliases wi
Dynamic? false
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
System.Object
ALIASES
None
REMARKS
None
#>
The help content is minimalist but like any good command it can be run without input.
Get-ADSyncGlobalSettings
<#
Version : 396
SqlSchemaVersion : 615
InstanceId : d112f5f4-4248-4959-8dc8-eac88e531433
Schema : Microsoft.IdentityManagement.PowerShell.ObjectModel.Schema
Parameters : {Microsoft.Synchronize.SynchronizationPolicy, Microsoft.SynchronizationOption.JoinCriteria, Microsoft.UserSignIn.DesktopSsoEnabled, Microsoft.Synchronize.MaintenanceEnabled...}
#>
OK, looks like some version detail and a property named Parameters containing the actual settings. Get-Member sometimes reveals other useful properties and methods, and also tells us the type name:
Get-ADSyncGlobalSettings | Get-Member
<#
TypeName: Microsoft.IdentityManagement.PowerShell.ObjectModel.GlobalSettings
Name MemberType Definition
---- ---------- ----------
AddOrReplaceConfigurationParameter Method void AddOrReplaceConfigurationParameter(string parameterName, string parameterValue), void AddOrReplaceConfigurationParameter(Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter parameter)
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetSchema Method System.Xml.Schema.XmlSchema GetSchema(), System.Xml.Schema.XmlSchema IXmlSerializable.GetSchema()
GetType Method type GetType()
IsStagingModeEnabled Method bool IsStagingModeEnabled()
ReadXml Method void ReadXml(System.Xml.XmlReader reader), void IXmlSerializable.ReadXml(System.Xml.XmlReader reader)
ToString Method string ToString()
WriteXml Method void WriteXml(System.Xml.XmlWriter writer), void WriteXml(System.Xml.XmlWriter writer, bool legacyFormat), void IXmlSerializable.WriteXml(System.Xml.XmlWriter writer)
InstanceId Property guid InstanceId {get;set;}
Parameters Property Microsoft.IdentityManagement.PowerShell.ObjectModel.ParameterKeyedCollection Parameters {get;set;}
Schema Property Microsoft.IdentityManagement.PowerShell.ObjectModel.Schema Schema {get;set;}
SqlSchemaVersion Property int SqlSchemaVersion {get;set;}
Version Property int Version {get;set;}
#>
Hmm, AddOrReplaceConfigurationParameter looks useful, more on that later in this post..
Looking now at the Parameters property…
Get-ADSyncGlobalSettings | Select-Object -ExpandProperty Parameters
<#
Name : Microsoft.OptionalFeature.UserWriteBack
InputType : String
Scope : SynchronizationGlobal
Description :
RegexValidationPattern :
DefaultValue :
Value : False
Extensible : False
PageNumber : 0
Intrinsic : False
DataType : String
Name : Microsoft.Synchronize.StagingMode
InputType : String
Scope : SynchronizationGlobal
Description :
RegexValidationPattern :
DefaultValue :
Value : False
Extensible : False
PageNumber : 0
Intrinsic : False
DataType : String
#>
Each Parameter seems to have a lot of properties, but when viewed with Out-GridView it seems only the Name and Value properties change, the other properties are the same for all Parameters. Spoiler alert: ADSync does let you specify DataType other than String but it seems to be hard coded to only support String.
Here are the names and values:
Get-ADSyncGlobalSettings |
Select-Object -ExpandProperty Parameters |
Format-Table -AutoSize -Property Name, Value, DataType
<#
Name Value DataType
---- ----- --------
Microsoft.Synchronize.SynchronizationPolicy Delta String
Microsoft.SynchronizationOption.JoinCriteria AlwaysProvision String
Microsoft.UserSignIn.DesktopSsoEnabled False String
Microsoft.Synchronize.MaintenanceEnabled True String
Microsoft.OptionalFeature.ExportDeletionThresholdValue 10 String
Microsoft.Version.SynchronizationRuleImmutableTag V1 String
Microsoft.SynchronizationOption.AnchorAttribute mS-DS-ConsistencyGuid String
Microsoft.OptionalFeature.DirectoryExtensionAttributes String
Microsoft.OptionalFeature.FilterAAD False String
Microsoft.GroupWriteBack.Forest String
Microsoft.GroupWriteBack.Container String
Microsoft.SynchronizationOption.UPNAttribute userPrincipalName String
Microsoft.Synchronize.SchedulerSuspended False String
Microsoft.OptionalFeature.DirectoryExtension False String
Microsoft.SynchronizationOption.CustomAttribute String
Microsoft.Synchronize.TimeInterval 00:30:00 String
Microsoft.Synchronize.ServerConfigurationVersion 1.4.18.0 String
Microsoft.SystemInformation.MachineRole RolePrimaryDomainController String
Microsoft.AADFilter.AttributeExclusionList String
Microsoft.OptionalFeature.DeviceWriteBack False String
Microsoft.OptionalFeature.AutoUpgradeState Enabled String
Microsoft.Synchronize.NextStartTime Wed, 15 Jan 2020 21:57:01 GMT String
Microsoft.Synchronize.RunHistoryPurgeInterval 7.00:00:00 String
Microsoft.OptionalFeature.GroupFiltering False String
Microsoft.ConnectDirectories.WizardDirectoryMode AD String
Microsoft.Synchronize.SynchronizationSchedule False String
Microsoft.OptionalFeature.ExchangeMailPublicFolder False String
Microsoft.OptionalFeature.UserWriteBack False String
Microsoft.Synchronize.StagingMode False String
Microsoft.OptionalFeature.ExportDeletionThreshold False String
Microsoft.DeviceWriteBack.Forest String
Microsoft.OptionalFeature.DeviceWriteUp True String
Microsoft.OptionalFeature.HybridExchange False String
Microsoft.AADFilter.ApplicationList String
Microsoft.DirectoryExtension.SourceTargetAttributesMap String
Microsoft.UserWriteBack.Forest String
Microsoft.DeviceWriteBack.Container String
Microsoft.UserWriteBack.Container String
Microsoft.UserSignIn.SignOnMethod PasswordHashSync String
Microsoft.OptionalFeature.GroupWriteBack False String
#>
On a new installation of AAD Connect there are already a lot of Parameters, neat. I do not recommend messing Parameters named like Microsoft.*, the same is true for messing with the Windows registry (you’re asking for trouble).
Can new Parameters be added? Well yes they can! Here’s how:
$globalSettings = Get-ADSyncGlobalSettings
$globalSettings.AddOrReplaceConfigurationParameter('fooName', 'fooValue')
Set-ADSyncGlobalSettings -GlobalSettings $globalSettings
<#
Version : 396
SqlSchemaVersion : 615
InstanceId : d112f5f4-4248-4959-8dc8-eac88e531433
Schema : Microsoft.IdentityManagement.PowerShell.ObjectModel.Schema
Parameters : {Microsoft.Synchronize.SynchronizationPolicy, Microsoft.SynchronizationOption.JoinCriteria, Microsoft.UserSignIn.DesktopSsoEnabled, Microsoft.Synchronize.MaintenanceEnabled...}
#>
Note the Version property did not increment. Calling Get-ADSyncGlobalSettings again shows that the Version actually does increment:
Get-ADSyncGlobalSettings
<#
Version : 397
SqlSchemaVersion : 615
InstanceId : d112f5f4-4248-4959-8dc8-eac88e531433
Schema : Microsoft.IdentityManagement.PowerShell.ObjectModel.Schema
Parameters : {Microsoft.Synchronize.SynchronizationPolicy, Microsoft.SynchronizationOption.JoinCriteria, Microsoft.UserSignIn.DesktopSsoEnabled, Microsoft.Synchronize.MaintenanceEnabled...}
#>
To get the Parameter, just call Get-ADSyncGlobalSettings then use the new Parameter name as the index item:
$globalSettings = Get-ADSyncGlobalSettings
$globalSettings.Parameters['fooName']
<#
Name : fooName
InputType : String
Scope : SynchronizationGlobal
Description :
RegexValidationPattern :
DefaultValue :
Value : fooValue
Extensible : False
PageNumber : 0
Intrinsic : False
DataType : String
#>
That’s it, a nice place to store configuration values for a synchronization service. I’ll be posting later about experiments with global settings and preventing accidental deletions.