Pro-Exchange,Lync & Office 365
Modify DirSync to not sync all users to Office 365 (part 2)

Introduction

In our previous blog post, I showed you how you could configure DirSync to leave some user accounts out of the synchronization process, by adding a filter to one of the default management agents. Unfortunately, modifying those management agents is not a supported configuration.

Therefore, today I will show you how you can achieve (almost) the same result without leaving a supported configuration, by using a filter that Microsoft already ships with DirSync.

Connector Filters

If you open up the Connector Filter properties of the SourceAD management agent in the MIIS client, you will see that some rules already exist:

The screenshot shows a particularly interesting pre-defined filter. It filters out any user object whose mailNickname attribute (shown as Alias in the EMC) has a value that starts with either "CAS_" or an opening brace ("{").

In short, this means that if we manually add a leading brace to the mailNickname attribute of a user account, that object is filtered out by a rule that is part of the default configuration, so nothing in the management agent itself needs to change.

Configuring User Objects

1. Using ADSI Edit

Please be aware that the output from the screenshots might be a little different from what you might see. If you are unsure about how to proceed, please use one of the other methods below.

Open up ADSI Edit, and connect to the default naming context:

Navigate to the user's location:

Open up the properties, look for the mailNickname attribute and add a value starting with a brace (screenshot), or add a leading brace to its existing value (if applicable):

Confirm, and you're done.

There is, however, a major drawback to this approach: Exchange treats every user object that has a value set for the mailNickname attribute as a mail-enabled recipient. Therefore it will show up in the Exchange Management Console under Recipient Configuration > Mail Contact.

If your user object was not mail-enabled before, you will not be able to manage the object properly, because it is missing the other attributes a mail-enabled user needs (we did not configure those; only mailNickname was set).

Although ADSI Edit can be a possible way to configure an object's attributes, it is certainly NOT the preferred way to do so in this case.

* Be careful when editing with ADSI Edit: it is a low-level AD attribute editor, and a wrong edit can have a huge impact. Always check the distinguished name of the object you are about to change.


2. Mail-enabling a user-object

You can easily mail-enable an existing user object through EMC:

First, launch the "New Mail User" wizard from the Exchange Management Console (Recipient Configuration > Mail Contact > New Mail User):

Select an existing user. This can be any existing (service) account that has not been mail-enabled before:

Click Next, enter an Alias (mailNickname), but don't forget the leading brace. Also provide a (real or fictive) email address:

Confirm.

Because these service accounts are now mail-enabled users (listed under Mail Contact in the EMC), they will also show up in the Global Address List (GAL).
You would probably want to avoid that: check the "Hide from Exchange address lists" option in the mail user's properties:

3. Using the Exchange Management Shell:

If we want to automate this task, we need to achieve the following:

  1. query for an existing user object
  2. mail enable the user object that is returned from the query

To do this, run the following cmdlet from the EMS:

Get-User <username> | Enable-MailUser -ExternalEmailAddress <address> -Alias <alias>

The first cmdlet (Get-User) queries for an existing user. In this example, I've explicitly searched for a specific user account. Alternatively, you could run the command with a filter that returns all user objects whose name starts with svc_:

The second cmdlet (Enable-MailUser) mail-enables the user object returned by the first one and turns it into a mail user. Remember that the alias you pass must start with the brace, otherwise the object is still synchronized.

Because this new contact would show up in the GAL, you might want to use the EMS to hide them from the GAL as well:

Get-MailUser <user> | Set-MailUser -HiddenFromAddressListsEnabled $true
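The following script is an added example and is not part of the original post. It puts the steps above into a single function for the Exchange 2010 Management Shell: it mirrors the pre-defined SourceAD connector filter rule (alias starting with "CAS_" or "{") so the alias can be checked before and after the change, mail-enables plain user accounts with a brace-prefixed alias, prefixes the alias of accounts that are already mail users, hides the result from the address lists, and refuses to touch mailbox users. The svc_ naming convention, the fictive routing domain contoso.local, and the function names are assumptions made for the example.

```powershell
# Added example, not the post's own code. Requires the Exchange 2010
# Management Shell (Get-User, Enable-MailUser, Get-MailUser, Set-MailUser).
# Assumptions: service accounts are named svc_*, and a fictive address under
# contoso.local is acceptable as the external (routing) address.

# Mirrors the pre-defined SourceAD connector filter: user objects whose
# mailNickname (Alias) starts with "CAS_" or "{" are not synchronized.
function Test-DirSyncExcludedAlias {
    param([string]$Alias)
    if ([string]::IsNullOrEmpty($Alias)) { return $false }
    return ($Alias.StartsWith('CAS_') -or $Alias.StartsWith('{'))
}

function Set-DirSyncExcludedUser {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$RoutingDomain = 'contoso.local'   # assumption: fictive domain
    )

    $user = Get-User -Identity $Identity -ErrorAction Stop
    $dn   = $user.DistinguishedName   # unambiguous identity for the next cmdlets

    if ($user.RecipientType -eq 'UserMailbox') {
        # A mailbox user cannot be turned into a mail user; skip rather than break it.
        Write-Warning "$Identity has a mailbox; not modifying it"
        return $null
    }

    if ($user.RecipientType -eq 'MailUser') {
        # Already mail-enabled: only add the leading brace if it is missing.
        $mailUser = Get-MailUser -Identity $dn
        if (-not (Test-DirSyncExcludedAlias $mailUser.Alias)) {
            Set-MailUser -Identity $dn -Alias ('{' + $mailUser.Alias)
        }
    }
    else {
        # Plain AD user: mail-enable it with a brace-prefixed alias and a
        # fictive external address (Enable-MailUser requires one).
        $alias   = '{' + $user.SamAccountName
        $address = "$($user.SamAccountName)@$RoutingDomain"
        Enable-MailUser -Identity $dn -Alias $alias -ExternalEmailAddress $address | Out-Null
    }

    # Keep the mail user out of the GAL, then re-read it and verify the alias
    # really matches the filter rule before reporting success.
    Set-MailUser -Identity $dn -HiddenFromAddressListsEnabled $true
    $result = Get-MailUser -Identity $dn
    if (-not (Test-DirSyncExcludedAlias $result.Alias)) {
        throw "Alias '$($result.Alias)' on $Identity would still be synchronized"
    }
    return $result
}

# Apply to every service account, i.e. all user objects whose name starts with svc_.
Get-User -Filter { Name -like 'svc_*' } |
    ForEach-Object { Set-DirSyncExcludedUser -Identity $_.DistinguishedName } |
    Select-Object Name, Alias, HiddenFromAddressListsEnabled
```

Run it once with -WhatIf-style caution: replace the final pipeline with a single known account first, and confirm on the next DirSync run (or in the MIIS client's connector space) that the object is listed as filtered rather than exported.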

Conclusion

As you can see, there are different options available to modify or "mislead" DirSync so that it does not sync all your user accounts into Office 365.

In the first part of this article, I showed you that you can easily modify the existing management agent to filter out unwanted accounts. Although I personally prefer that method, you should be aware that Microsoft does not support it. Alternatively, you can use one of the methods above. Even though they might not be as elegant as the one from the first part of this article, they are certainly as effective, and they only rely on a filter rule that DirSync ships with by default.

See you soon!

Michael


Posted 08-01-2011 5:32 by Michael Van Horenbeeck