Fixing Office 365 Azure AD Sync issues

Symptoms: You have synced the AD users, but you have duplicates or two of a similar user (reception@ and receptionist@). You try to edit the UPN of either user and you receive an error saying that the attribute must be unique.

On the sync service you get an error saying the attribute (usually the UPN) must be unique.
Background: UPN = username (and usually email address)

ImmutableID (anchor) = used to link an AD user to an Office 365 user (after UPN matching)

In AD there exists an account with a UPN:

In Office 365 there exists an account with a UPN:

These two accounts are the same user, but their O365 email address does not match up with their UPN (not usually a problem, but during the initial sync it is)
The problem: The AD sync service is started and AD users are synced with Office 365 users.

You log into Office 365 and see two users now: and

You try to un-sync an…

Fixing Group Policy Replication issues

I ran into an issue where GPUpdate kept returning the error below:

"Computer policy could not be updated successfully.  The following errors were encountered: The processing of Group Policy failed.  Windows attempted to read the file \\COMPANY.LOCAL\sysvol\<FQDN>\Policies\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful.  Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results."

In my case the DCs got out of sync and the fix was to complete an author…

Duplicate Printers Showing Up in Windows

The Issue:
You delete a printer, but it keeps coming back (and it probably doesn't work properly)
There are multiple print queues for the same printer
You can't delete a printer: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

Cause: I don't have a solid root cause for this issue, but here are some theories:
Printers were deployed through GPO at one point and the policy didn't get removed properly.
Printer spooler was restarted at the wrong time
If you clear HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider and restart the spooler before restarting the computer there is a chance that printers will be duplicated.
General printer corruption

Solution: These steps will likely result in all users losing their printer preferences and default printers.
These are some preemptive things that will not solve the issue, but can help you have a better star…

Enabling Webcam on RDS

This will show you what you need to do in order to enable webcam access on an RDS server.

NOTE: Using a webcam on RDS will result in significant CPU usage (30%+ in my case). This might be due to the raw USB data having to be transmitted through RDP. You should recommend that users instead use their webcams from their local computers.

The setup is actually easy but I ran into some issues that you'll see below.
My configuration:
Server 2016 RD gateway
Server 2016 RD Session host
Windows 10 1809 workstation
VMware 5.5 hosting both VMs
Built in laptop webcam and Logitech C270 webcam

Enabling:
If you are using an RD Gateway, make sure that redirection is enabled for the collection (not 100% sure this is required). No further gateway config is required.
On the workstations, or on a GPO applied to workstations, enable the setting below:
Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Connection Client/RemoteFX USB Device Redirection/Allow …

Set custom scaling option for Server 2012+ RDS

If you log into a Server 2012+ RDS from a Windows 7 machine you will find that you cannot change the scaling (Text Size, DPI, etc.) of the desktop. This is due to the fact that by default, Server 2012 RDS will use the scaling settings of your Windows 8+ machine. If you are on Windows 7 you will only have the option for the default resolution.

Thankfully, there are some reg keys that allow us to work around this.
For all users on a machine (this will break auto scaling for Win 8 machines): Create the following reg key on the RDS server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\IgnoreClientDesktopScaleFactor
Value: 1
For select users (if you only have a few Win 7 machines to deal with): HKEY_CURRENT_USER\Control Panel\Desktop\LogPixels
Value: 78 (hex) for 120 DPI (you can find other values in the links below)


Single Sign on for RDWeb on Server 2016

This guide will show you how to streamline your sign in experience so that users do not get any security prompts.

By default you might see the warning below every time you try to connect to a collection:
The Final Result
Users enter their password into RD Web
We will not be passing Windows credentials to the website automatically since it will not work from external computers, and it might cause some confusion.
Users select their collection
Users are now on their remote desktop (no other prompts)
You will also get a lock on your RDP bar confirming that the identity of the server was verified.

Requirements
Server 2016 (Most of this should work on 2012)
SSL certificate for one domain (Wildcard not required)
Remote Desktop Gateway Role Deployed
Windows workstations using Internet Explorer

My Test Environment
Server 2016
Single server handling RD Web, RD Gateway, RD Connection broker
3 RD Session Host servers
Internal AD Domain name of example.LOCAL
External domain name example.COM
RDWeb URL: remote.ex…

Office 365 Can't Modify Calendar After Hybrid Migration

Had an issue this morning where a user could not modify another user's calendar. The user had PublishingAuthor permission to the calendar, both users were on Office 365, and I had waited 24 hours after reapplying the permissions. The user could see the full details of the calendar, but she could not modify it. Right clicking on the calendar would only show the greyed out items below.

Right clicking on the calendar permissions would return the error below:
Cannot display the folder properties. The folder may have been deleted or the server where the folder is stored may be unavailable. Cannot display folder properties. You don't have appropriate permissions to perform this action.
I created a whole new profile on a different computer to test. I waited for the cache to finish building but I still had the issue. Ultimately, the solution was to add the calendar from the Online Global Address List, and not the Offline Global Address List.

Clear all of the Office/Outlook related credentia…