Anything for sysadmins!


Forcing a full sync with Office 365 Dir Sync

There was a warning in the Application part of the event viewer.

The management agent "TargetWebService" completed run profile "Delta Confirming Import" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.

User Action

To ensure the updated rules are applied to all objects, a run with step type of full import and full synchronization should be completed.

Every time you run the Directory Sync Configuration you will force a delta sync, which is an incremental sync and not a full sync. To force a full sync you'll have to do the following.

  1. Start the registry editor - regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence
  3. Find the FullSyncNeeded DWORD and set it to 1
  4. Start the Dir Sync Config Shell –
    %programfiles%\Microsoft Online Directory Sync\DirSyncConfigShell.psc1
  5. Run the cmdlet Start-OnlineCoexistenceSync

You can follow the sync steps by opening the Miisclient located at –

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Good luck!


Unusual computer account icon

Today I discovered a weird/unfamiliar looking computer account icon in my AD.

Normally I would say that this is a disabled computer account, however experience told me that it should have a red circle with a white cross in it.

After checking the attribute editor I came to the conclusion that the account is indeed disabled.

The computer has been in storage for quite some time, so I figured that the computer hasn't authenticated for too long causing the machine password to expire and thus disabling the account. If you have any other reason why it might disable itself please comment below!


Creating a GPO Central Store

If you're using GPOs, which you most likely are, then you're best off with a central store for your GPOs. The central store is located in the sysvol of the domain. You can find it on your domain controller or through \\domain\sysvol\.

To create a central store you have to create a folder in the sysvol for the policy definitions.

  • Navigate to \\<domain>\sysvol\<domain FQDN>\Policies\
  • Create the folder PolicyDefinitions
  • Create a subfolder in PolicyDefinitions

Now you have a central store, but what's a central store without contents? Let's copy the default files to it.

  • On your DC navigate to C:\Windows\PolicyDefinitions
  • Copy all the files and folders to your central store (ADMX files and language folders like en-US)

If you have any other ADMX files that you want to copy to your central store this is the time!

The central store is automatically consulted by the Group Policy Management Editor. All the installed ADMX templates should now be visible in the GPME under the Administrative Templates section. Here you'll also see that it's pulling from the central store.
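
The steps above can also be scripted. The following is an added example, not part of the original post: it creates the central store, copies the local templates without overwriting files already there, and checks that every ADMX has a matching ADML. It assumes you are logged on with a domain account that can write to SYSVOL and that en-US is the language you edit policies in.

```powershell
# Added example: build the central store from the local PolicyDefinitions folder.
# Run elevated on a DC (or any machine with write access to SYSVOL).
$domainFqdn = $env:USERDNSDOMAIN                      # assumption: logged on with a domain account
$source     = Join-Path $env:windir 'PolicyDefinitions'
$store      = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\PolicyDefinitions"

if (-not (Test-Path -LiteralPath $source)) {
    throw "Source folder not found: $source"
}

# Create the central store folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# Copy ADMX files and language folders, skipping files already in the store
# so templates placed there earlier are not overwritten.
Get-ChildItem -LiteralPath $source -Recurse -File | ForEach-Object {
    $relative  = $_.FullName.Substring($source.Length).TrimStart('\')
    $target    = Join-Path $store $relative
    $targetDir = Split-Path -Parent $target
    if (-not (Test-Path -LiteralPath $targetDir)) {
        New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    }
    if (-not (Test-Path -LiteralPath $target)) {
        Copy-Item -LiteralPath $_.FullName -Destination $target
    }
}

# Verify: every ADMX in the store needs a matching ADML in the language folder,
# otherwise the Group Policy Management Editor reports a missing resource file.
$language = 'en-US'                                   # assumption: editing language
$missing = Get-ChildItem -LiteralPath $store -Filter '*.admx' | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $store "$language\$($_.BaseName).adml"))
}
if ($missing) {
    Write-Warning "ADMX files without a $language ADML: $($missing.Name -join ', ')"
} else {
    Write-Output "Central store ready: $store"
}
```

SYSVOL replicates to every domain controller, so the copied templates become available domain-wide once replication completes.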