Azure Resource Manager to ASM (Classic) vnet peering

A client I’ve been carrying out some Azure work for over the past few months has a split environment between Azure Resource Manager (ARM) & Azure Service Manager (Classic and/or ASM). Their ADFS infrastructure and System centres all currently live in ASM and there was no direct connection through to ARM meaning without some funky routing via the VPNs through the Head Office.

The fix is to setup vnet peering through the portal. This is done via the virtual network > Peering > Create

You’ll need to fill in the following details:

I then got this error:

Failed to add virtual network peering ‘<peering name>’. Error: Subscription <ID> is not registered with NRP.

It was quite difficult to find information on this error message and initally I thought it was due to lack of permissions.

However, the following script fixed the issue (Note: It can take a bit of time for this to go through as it registers extensions with your subscription).

Afterwards you should be able to to create your vnet peering across subscriptions.

Import-Module azurerm
Login-AzureRmAccount

Get-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network

#Register the preview capability in your Azure subscription
Register-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network
 
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
Get-AzureRMResourceProvider -ProviderNamespace Microsoft.Network

Find and Disable Empty GPO Sections

The below script can be used to go query your GPO’s and find empty sections (computer or user), and disable them. This improves the speed of processing GPOs as machines will not look to disabled sections.

This was a recommendation from Microsoft during a recent RAP as a service that I consulted on.

Get-gpo -all | foreach {


    [xml]$GPOAsXML = Get-GPOReport -Guid (Get-GPO -Name $_.DisplayName).Id -ReportType Xml

    If(($GPOAsXML.DocumentElement.Computer.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.Computer.InnerText.Length -eq 6))
    {
        (Get-GPO -Name $_.DisplayName).gpostatus = "ComputerSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " Computer section now disabled!"
        
    }
   
    If(($GPOAsXML.DocumentElement.User.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.User.InnerText.Length -eq 6))
    {
        (Get-GPO -Name $_.DisplayName).gpostatus = "UserSettingsDisabled"
        $_.DisplayName.ToString().PadRight(60) + " User section now disabled!"
    }
   
}

Find unlinked GPO and remove via Powershell

Working on RAP as a service in the past few weeks I have worked with Microsoft to clean up Group Polices. Below are a few of the scripts that were used and their purpose.

Find Unlinked GPOs and export to a CSV:

Import-Module GroupPolicy
function IsNotLinked($xmldata){ 
    If ($xmldata.GPO.LinksTo -eq $null) { 
        Return $true 
    } 
     
    Return $false 
} 
 
$unlinkedGPOs = @() 
 
Get-GPO -All | ForEach { $gpo = $_ ; $_ | Get-GPOReport -ReportType xml | ForEach { If(IsNotLinked([xml]$_)){$unlinkedGPOs += $gpo} }} 
 
If ($unlinkedGPOs.Count -eq 0) { 
    "No Unlinked GPO's Found" 
} 
Else{ 
    $unlinkedGPOs | Select DisplayName,ID | export-csv c:\Source\output\unlinked.csv -NoTypeInformation
}

I like to export to a CSV to clarify exactly what I am removing. Now to remove:

Import-csv C:\Source\Output\unlinked.csv | ForEach-Object {Remove-GPO -guid $_.id}