Script not finding the Azure/Intune Device

[gokou340]

Hello, I'm loving the script so far, but I seem to be having an issue where the script is finding the device in Active Directory, but it is not finding it within Azure or Intune, even though it is there.

I'm wondering if it has something to do with the length of the computer name in AD.

For Example: In AD, the computer was named My-Computer-Name-Is-Gokou340, but the character limit makes it My-Computer-Name-Is, The DNS name is still My-Computer-Name-Is-Gokou340, but the SAMAccount name is My-Computer-Name-Is, in Intune and Azure, the name of the device is My-Computer-Name-Is-Gokou340

It seems that any device in AD that has a longer than allowed name is not being found in Azure.

I'm happy to provide any logging or details that you may need!

Thank you again for your work on this script!

[PrzemyslawKlys]

The comparison is done using $Device.Name

https://github.com/EvotecIT/CleanupMonster/blob/5fd49a3a347a23159d810e154d6a6c7e476894ed/Private/Get-InitialGraphComputers.ps1#L30-L47

I guess you could try installing GraphEssentials (which is integrated into cleanup monster) and run

$Devices = Get-MyDevice -Synchronized 

Maybe the SamAccountName is stored as something else

And see what we have there that would allow us to compare against, but I guess I can try and do testing internally as well.

[gokou340]

I'm running this now.

Are you comparing the SamAccountName with the $Device.Name from Azure/Intune?

[gokou340]

I can confirm that the name in $Devices.Name is "My-Computer-Name-Is-Gokou340", whereas the Active Directory is "My-Computer-Name-Is"

[PrzemyslawKlys]

Can you do get-adcomputer xxx and tell me which property holds proper value to match?

[PrzemyslawKlys]

It's a bit weird because in my AD:

The Name holds the real, long value and only SamAccountName is short

[gokou340]

It looks like the DNSHostname is the only one that has the full length name that matches Azure. The Name shows the shortened version.

[PrzemyslawKlys]

Ye

Why would you have that? I'm first time seeing someone ignore messages from windows about going over 15 chars

[gokou340]

From what I have seen, with Windows 10/11, if you rename the computer by going through the normal settings, it lets you rename it longer than 15 characters.

We also have techs that will still go beyond the 15 character limit regardless.

Is there a way to have it choose to have it match with the DNSName?

[PrzemyslawKlys]

The problem is it won't match. You would need to explicitly remove dnsname from it and just leave the hostname before comparing. If you go and rename machine you get a big warning there will be issues so I guess your techs are special ;p

[PrzemyslawKlys]

i could potentially trim Name from Graph to 15 chars instead to compare with name in AD, but not sure what will be the problems with that

[gokou340]

The problem is it won't match. You would need to explicitly remove dnsname from it and just leave the hostname before comparing. If you go and rename machine you get a big warning there will be issues so I guess your techs are special ;p

Hahaha, yes. They can be :)

Regarding the warning, yes, this is true if you do it the typical way. However, if you are on Windows 11, and you Right Click Start, go to Settings, scroll down to About, then select Rename, you can use up to 63 Characters. I just tested on my machine. However, NetBios is still limited.

[gokou340]

i could potentially trim Name from Graph to 15 chars instead to compare with name in AD, but not sure what will be the problems with that

Is this something that could be done with a switch? I would be more than happy to test it out!

[PrzemyslawKlys]

I wonder if "trimming" available Name in Graph

But wonder if it's possible that if we do we end up with more than 1 computer with the name.

FOr example:

• Windows2019VeryLongNameOk-420OK
• Windows2019VeryLongNameOk-420OI
• Windows2019VeryLongNameOk-420OH

What will be the name in AD vs the NAME in Graph after trimming. I could in theory take DNsName and just split it on first "." but again not 100% sure

[gokou340]

Oh yes, I see what you mean. That would certainly be a problem. I'm not sure if we have any of those in our environment. I'm assuming there is no ID that correlates between AD and Azure AD, like the Object or Device ID

[gokou340]

I seemed to have found why our AAD Connect is using the DNSHostname as the name for the computer object.

In our Sync rules, the displayname has the expression of the following: IIF(IsNullOrEmpty([displayName]),Word([dNSHostName],1,"."),[displayName])

I am going to adjust this to use a different field. I am closing this ticket as it is not an issue with the script.

[PrzemyslawKlys]

Oh, so you mean your it guys actually use proper names?

[gokou340]

Oh, so you mean your it guys actually use proper names?

Based on what I can see on different AAD Connect environments, they used to use the displayname and cn as backup: 'IIF(IsNullOrEmpty([displayName]),[cn],[displayName])'

But in more recent versions it is 'IIF(IsNullOrEmpty([displayName]),Word([dNSHostName],1,"."),[displayName])'

Based on this article, it looks like Azure AD overrides with the Device Registration Service to use the dNSHostname: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-mysterious-case-of-the-a-k-a-dollar-sign-character-in-hybrid/ba-p/768326

[gokou340]

So, it looks like the Azure Device Registration Service will eventually rename the DisplayName when it is longer than 15 characters. So this means that even if I update the Sync Rules, it will still change it.

Do you think it would be possible to pull the hostname from the dnshostname field to correlate that way?

[PrzemyslawKlys]

Ye, it's possible. It's on TODO

[PrzemyslawKlys]

Regarding that DNSHostName, I had a situation today for one of the Clients where the DNSHostName search returned me 5 devices. So SamAccountName was different, but they all shared the same DNSHostName. Don't know who made that, how that happened but that means it's possible to have duplicates in AD on that field which makes this request a bit complicated with potential to blow up