Managing Microsoft Office and Active Directory are core responsibilities for any Windows administrator. This comprehensive guide provides a complete toolkit for automating and troubleshooting these critical systems. You will learn how to perform silent installations of Office 2021 while removing older versions, resolve complex firewall-related activation issues, master the Get-ADUser cmdlet to query and report on AD users, and navigate the tricky process of rejoining a machine to a domain in a hybrid Azure AD environment. This pillar post consolidates four essential guides into a single, indispensable resource for streamlined IT administration.
Part 1: Automate Office 2021 Installation & Removal of Old Versions
When deploying Microsoft Office 2021, one of the key considerations is how to handle older, existing versions like Office 2010. By default, the modern Office installer will automatically remove these older versions, but for automated or customized deployments, you need more control. This guide walks through how to use the Office Deployment Tool (ODT) to create a silent, automated installation of Office 2021 that also cleanly removes any older Office versions.
The Challenge: Click-to-Run vs. MSI
You can’t have Office 2010 and Office 2021 installed side-by-side because they use different installer technologies:
- Office 2010 uses the traditional MSI (Windows Installer) technology.
- Office 2021 uses the modern Click-to-Run (C2R) technology. The Office 2021 installer is designed to remove older MSI-based versions to prevent conflicts.
Creating the configuration.xml File
The configuration.xml file is the heart of the ODT. Create a file named configuration.xml with the following content to silently install Office 2021 and automatically remove older versions.
<Configuration>
<Add OfficeClientEdition="64" Channel="PerpetualVL2021">
<Product ID="ProPlus2021Volume">
<Language ID="en-us" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="Lync" />
</Product>
</Add>
<!-- This is the key element to remove old versions -->
<RemoveMSI All="True" />
<Display Level="None" AcceptEULA="TRUE" />
<Property Name="AUTOACTIVATE" Value="1" />
<Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration><RemoveMSI All="True" />: This is the most important part. It instructs the installer to automatically and silently remove any older MSI-based Office versions.<Display Level="None" ...>: This makes the installation completely silent.
Running the Installation
Once you have downloaded the ODT (which includes setup.exe) and created your configuration.xml file in the same directory, run the installation from an elevated Command Prompt or PowerShell:
setup.exe /configure configuration.xmlThe installation will run completely silently in the background, removing Office 2010 and then installing Office 2021.
Part 2: Fixing Office Activation Firewall Issues
After installation, Office activation can fail in a corporate network if it cannot communicate with Microsoft’s activation servers. This is almost always a firewall issue.
Required Domains for Activation
Your firewall must allow outbound TCP traffic on ports 80 (HTTP) and 443 (HTTPS) to the following domains:
*.microsoft.com*.office.com*.live.comactivation.sls.microsoft.comols.officeapps.live.comodc.officeapps.live.comofficecdn.microsoft.comcrl.microsoft.comgo.microsoft.comnexus.officeapps.live.com
Configuring Windows Firewall with PowerShell
This PowerShell script creates the necessary outbound firewall rules. Run it as an Administrator.
# Microsoft Office Activation - Allow Outbound to Required Domains
$domains = @(
"*.microsoft.com", "*.office.com", "*.live.com", "activation.sls.microsoft.com",
"ols.officeapps.live.com", "odc.officeapps.live.com", "officecdn.microsoft.com",
"crl.microsoft.com", "go.microsoft.com", "nexus.officeapps.live.com"
)
$ports = @(80, 443)
foreach ($domain in $domains) {
foreach ($port in $ports) {
$ruleName = "Allow Office Activation - $domain`:$port"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
New-NetFirewallRule -DisplayName $ruleName `
-Direction Outbound -Action Allow `
-Protocol TCP -RemotePort $port `
-RemoteAddress $domain -Profile Any
Write-Host "Created rule: $ruleName"
}
}
}
Write-Host "Office activation firewall rules applied!"After applying the rules, test connectivity:
Test-NetConnection activation.sls.microsoft.com -Port 443TcpTestSucceeded is True, Office activation should now work.
Part 3: Querying Active Directory with Get-ADUser
Querying Active Directory (AD) is a fundamental task for any Windows administrator. PowerShell’s Get-ADUser cmdlet is the most powerful and flexible tool for the job.
Prerequisites
You need the Active Directory module for PowerShell, which is part of the Remote Server Administration Tools (RSAT). You can install it via “Optional features” on Windows 10/11 or Install-WindowsFeature on a server.
Basic Usage
# Get a single user
Get-ADUser -Identity "jdoe"
# Get all users (can be slow in large environments)
Get-ADUser -Filter *
Filtering Users
The real power comes from the -Filter parameter.
# Find users with the last name "Smith"
Get-ADUser -Filter 'Surname -eq "Smith"'
# Find users in a specific OU
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=mydomain,DC=com"
# Find all enabled users
Get-ADUser -Filter 'Enabled -eq $true'
Selecting Properties and Exporting to CSV
By default, Get-ADUser only returns a few properties. Use -Properties to get more, and Export-Csv to create a report.
# Find all enabled users in the Sales OU, select properties, and export
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "OU=Sales,DC=mydomain,DC=com" -Properties EmailAddress, Department |
Select-Object Name, SamAccountName, EmailAddress, Department |
Export-Csv -Path "C:\Reports\SalesUsers.csv" -NoTypeInformation
Write-Host "Report has been saved to C:\Reports\SalesUsers.csv"Part 4: Troubleshooting Domain Join & Windows Identity with dsregcmd
Leaving and rejoining a computer to an AD domain can create “ghost” identities in hybrid environments, leading to conflicts. This workflow helps you diagnose and fix these issues.
Step 1: Decode Device Identity with dsregcmd
dsregcmd /status is your primary tool for troubleshooting device identity. The Device State section tells you if the machine is DomainJoined, AzureAdJoined, or in a workgroup (All NO).
Step 2: The Clean Rejoin Workflow
A. Enable the Local Administrator (CRUCIAL SAFETY STEP)
Before you start, ensure you have a “backdoor” into the machine to prevent getting locked out. Run this in an elevated PowerShell prompt:
# Activate the built-in Administrator account
net user Administrator /active:yes
# Set a strong, temporary password
net user Administrator "YourStrongPassword123!"
# Log out and test that you can log in as '.\Administrator' BEFORE proceeding.B. Leave the Cloud and On-Prem Domains
If the machine is Hybrid Joined, leave Azure AD first.
# Leave Azure AD
dsregcmd /leave
# Leave On-Prem Domain (will prompt for credentials)
Remove-Computer -UnjoinDomain -Credential (Get-Credential) -RestartC. Bust the Ghosts (Cleanup Stale Records)
While the machine is rebooting, immediately go to your management servers and delete the old computer object from:
- Active Directory Users & Computers
- DNS Manager (A and PTR records)
- Azure AD / Entra ID Portal
D. Rename and Rejoin
Once the machine has restarted, log in as the local .\Administrator. Renaming the computer is the best way to avoid lingering cache issues.
# Rename the computer
Rename-Computer -NewName "Workstation-New" -RestartAdd-Computer -DomainName "mydomain.com" -Credential (Get-Credential) -RestartAfter it restarts, dsregcmd /status should now correctly show DomainJoined : YES. This clean workflow prevents the vast majority of identity conflicts.