Wednesday, February 18, 2015

Office 365 Active Directory DirSync how to exclude or specify an OU

If you use directory sync from AD to Office 365, you may not want to replicate every user and group in your full AD structure, which is what is replicated by default. You can exclude or specify which OUs to synchronize using the following instructions.

Caution: Seasoned Domain Admins Only

“you break it you bought it…”

Create the following shortcut on the desktop:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Open it and select Management Agents, then the Active Directory connection:


Right-click it and select Properties:


Select Configure Directory Partitions and Containers:


You will be prompted for credentials; enter your local ADSync username and password:


Browse the tree and include or exclude OUs as necessary:

Select OK, then OK again.

You can now force the DirSync process.
Open PowerShell as Administrator and run the following commands to initiate a sync:

Import-Module DirSync
Start-OnlineCoexistenceSync -fullsync


Select the Operations tab to view the status:

Note the deletions in the bottom left, as I excluded a previously synchronized OU:

You can click on the Export Statistics fields above for further information.

Note: I recommend forcing the DirSync process 2 to 3 times to make sure all settings synchronize.

Log on to the Office 365 portal and confirm the settings changes. In my example it moved the excluded OU's users to Deleted Users.


Note: if you make a mistake and exclude an OU you didn't mean to (or vice versa), make the change ASAP and rerun the sync process; the accounts should be re-enabled or disabled as necessary. If an account appears as "In Cloud", it is not AD synced.
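The steps above are click-through, so the only part that is easy to get wrong silently is the scope of the change. The script below is an added example, not from the original post, that previews which users sit under the OU you are about to exclude, forces the full sync the recommended number of times, and then confirms in the tenant that exactly those accounts landed in Deleted Users. It assumes the ActiveDirectory (RSAT) and MSOnline modules are installed alongside DirSync on the server; the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example (not part of the original post). Assumptions: ActiveDirectory,
# DirSync and MSOnline modules are available on the DirSync server; the OU DN
# below is a placeholder for the OU you have excluded in the filter.
param(
    [string]$ExcludedOu = 'OU=PLACEHOLDER,DC=example,DC=com',  # replace with your OU's DN
    [int]$SyncPasses   = 3                                     # post recommends 2-3 forced syncs
)

Import-Module ActiveDirectory
Import-Module DirSync

# 1. Preview: every enabled user under the OU will disappear from the tenant on the next sync.
$affected = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ExcludedOu -SearchScope Subtree `
                -Properties UserPrincipalName |
            Select-Object -ExpandProperty UserPrincipalName
Write-Host "Users under $ExcludedOu that will be removed from Office 365: $($affected.Count)"
$affected | ForEach-Object { Write-Host "  $_" }

# 2. Force the sync the number of times the post suggests, pausing between passes
#    so one run has time to finish before the next is queued.
for ($i = 1; $i -le $SyncPasses; $i++) {
    Write-Host "Starting full DirSync pass $i of $SyncPasses"
    Start-OnlineCoexistenceSync -FullSync
    Start-Sleep -Seconds 120
}

# 3. Verify in the tenant: the excluded users should now be listed under Deleted Users.
Connect-MsolService   # prompts for Office 365 admin credentials
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Select-Object -ExpandProperty UserPrincipalName
$missing = $affected | Where-Object { $deleted -notcontains $_ }

if ($missing) {
    Write-Warning "Not yet in Deleted Users (rerun the sync or re-check the OU filter):"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All $($affected.Count) users from the excluded OU are in Deleted Users."
}
```

Run the preview section first on its own if the count surprises you; an unexpectedly large list usually means the OU filter catches a child OU you did not intend to include, which is exactly the mistake the note above describes.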

2 comments:

  1. Dumb question... but this utility has no write-back abilities, does it? I.e., it won't change anything on the local AD?
  2. That is correct, DirSync is currently a one-way street.