If you have read the MessageOps Directory Sync in Depth Whitepaper, you’ve seen a couple of the ways to exclude users from Directory Sync. A client of ours was recently given another method by Microsoft Online Support which we thought was pretty interesting. We’ve posted the article below. It contains a couple of the same methods mentioned in the MessageOps Whitepaper, but also describes a method which uses an XML file.

How to exclude user objects from synchronizing to Business Productivity Online Standard Suite

Symptoms

When a Microsoft Business Productivity Online Standard Suite (BPOS-S) user sends a message to a distribution list, or selects a recipient from the BPOS-S company GAL, that has not yet been assigned a license that includes a mailbox, the BPOS-S user may receive a non-delivery report (NDR). The NDR states that “Delivery has failed to these recipients or distribution lists”.

Cause

The distribution list may contain a recipient that was synchronized to BPOS-S via the Directory Synchronization Tool that does not have a mailbox, or is not a mail-enabled user that forwards messages to a target mailbox outside of the on-premise Exchange organization. Consequently, there is not a target mailbox available for delivery of the message.

Resolution

It may be possible to remove the on-premise user object that is not mailbox-enabled or mail-enabled from the on-premise mail-enabled distribution group or mail-enabled security group. Alternatively, to prevent an on-premise user object that is not mailbox-enabled or mail-enabled from synchronizing to BPOS-S via the Directory Synchronization Tool, modify the “mailNickName” attribute of the on-premise user object to include one of the following combinations:

mailNickName attribute begins with “SystemMailbox{”
-or-
mailNickName attribute begins with “CAS_” and contains a “{” somewhere after the beginning characters

Another approach to exclude an on-premise object from synchronizing to BPOS via the Directory Synchronization tool is to use the Directory Synchronization filter file as follows:

  • In the on-premise Active Directory, obtain the value of the objectGUID attribute, in GUID format (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), of the object that you want to exclude. To do this, you can use tools such as ldp.exe or run an LDAP query such as the following:
    $user = [adsi]"LDAP://CN=Joe Smith,OU=Users,DC=contoso,DC=com"
    $user.psbase.guid.ToString()
    In the above query, replace CN=Joe Smith,OU=Users,DC=contoso,DC=com with the actual Distinguished Name of the object being excluded.
  • Open the folder where the Directory Synchronization tool is installed. The Directory Synchronization installation path is saved in the registry in the following value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence\InstallPath. By default, it is installed in %Program Files%\Microsoft Online Directory Sync.
  • Create an XML file called DirSyncFilters.xml in the folder where the Directory Synchronization tool is installed. You can use Notepad to create a text file and then save it as an XML file.
  • Open the file in Notepad and add the following lines to it. Replace xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in the <ExcludedDN> entry below with the value of the objectGUID of the object being excluded.
    <?xml version="1.0" encoding="utf-8"?>
    <DirectorySyncFilters>
    <ExcludedDN>CN={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}</ExcludedDN>
    </DirectorySyncFilters>
  • For each object you want to exclude, add a separate <ExcludedDN> entry that encloses the objectGUID for that object.

    Example:
    <?xml version="1.0" encoding="utf-8"?>
    <DirectorySyncFilters>
    <ExcludedDN>CN={c385a502-c41d-42e0-9f05-93e8cfba3dd7}</ExcludedDN>
    <ExcludedDN>CN={a486b50d-5c4d-74f1-0e46-83a8dbbf2008}</ExcludedDN>
    </DirectorySyncFilters>

  • Save the file.
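The steps above (look up the objectGUID, find the installation folder, write DirSyncFilters.xml) can be scripted so that the GUIDs are validated and an existing filter file is merged rather than overwritten. The script below is an added example written for this post; it is not part of the Microsoft support article or the Directory Synchronization tool. It assumes the registry value and file name given in the article, and the Distinguished Names in $dnsToExclude are constructed placeholders you replace with your own. It also includes a small check for the two mailNickName patterns from the Resolution section, so you can see whether an object would already be skipped before editing the attribute.

```powershell
# Added example (not from the support article). Assumes the registry value
# HKLM\SOFTWARE\Microsoft\MSOLCoExistence\InstallPath and the file name
# DirSyncFilters.xml exactly as the article describes them.

function Test-DirSyncMailNickNameExclusion {
    # Returns $true when a mailNickName matches one of the two patterns the
    # article says the Directory Synchronization tool skips.
    param([string]$MailNickName)
    if ([string]::IsNullOrEmpty($MailNickName)) { return $false }
    if ($MailNickName.StartsWith('SystemMailbox{')) { return $true }
    # "CAS_" prefix with a "{" somewhere after the first four characters.
    if ($MailNickName.StartsWith('CAS_') -and $MailNickName.Substring(4).Contains('{')) {
        return $true
    }
    return $false
}

function Get-ObjectGuidString {
    # Reads the object's objectGUID via ADSI and returns it in
    # xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form (DirectoryEntry.Guid is a System.Guid).
    param([string]$DistinguishedName)
    $entry = [adsi]("LDAP://" + $DistinguishedName)
    return $entry.psbase.Guid.ToString()
}

function Get-DirSyncInstallPath {
    # The article states the install path lives in this registry value.
    $key = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence'
    return (Get-ItemProperty -Path $key -Name InstallPath -ErrorAction Stop).InstallPath
}

function Get-ExistingExcludedGuids {
    # Collects GUIDs already present in an existing DirSyncFilters.xml so that
    # earlier exclusions survive a rewrite. Returns an empty array if no file exists.
    param([string]$FilterFile)
    if (-not (Test-Path $FilterFile)) { return @() }
    [xml]$existing = Get-Content -Path $FilterFile
    $found = @()
    foreach ($node in $existing.DirectorySyncFilters.ExcludedDN) {
        # Entries look like CN={guid}; pull out the GUID between the braces.
        if ($node -match '^CN=\{([0-9a-fA-F-]{36})\}$') { $found += $Matches[1] }
    }
    return $found
}

function New-DirSyncFilterXml {
    # Builds the <DirectorySyncFilters> document with one <ExcludedDN> per GUID.
    # Each GUID is parsed first; a malformed value would silently exclude nothing.
    param([string[]]$ObjectGuids)
    $doc = New-Object System.Xml.XmlDocument
    [void]$doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null))
    $root = $doc.CreateElement('DirectorySyncFilters')
    [void]$doc.AppendChild($root)
    foreach ($g in ($ObjectGuids | Sort-Object -Unique)) {
        $parsed = [guid]$g   # throws on input that is not a GUID
        $node = $doc.CreateElement('ExcludedDN')
        $node.InnerText = 'CN={' + $parsed.ToString() + '}'
        [void]$root.AppendChild($node)
    }
    return $doc
}

# --- Usage -------------------------------------------------------------------
# Constructed placeholder DNs: replace with the objects you want to exclude.
$dnsToExclude = @(
    'CN=Joe Smith,OU=Users,DC=contoso,DC=com'
)

$filterFile = Join-Path (Get-DirSyncInstallPath) 'DirSyncFilters.xml'

$guids = @(Get-ExistingExcludedGuids -FilterFile $filterFile)
foreach ($dn in $dnsToExclude) {
    $entry = [adsi]("LDAP://" + $dn)
    $nick = [string]$entry.psbase.Properties['mailNickName'].Value
    if (Test-DirSyncMailNickNameExclusion -MailNickName $nick) {
        Write-Host "$dn already matches an excluded mailNickName pattern ($nick); skipping."
        continue
    }
    $guids += Get-ObjectGuidString -DistinguishedName $dn
}

$doc = New-DirSyncFilterXml -ObjectGuids $guids
$doc.Save($filterFile)
Write-Host "Wrote $($guids.Count) exclusion(s) to $filterFile"
```

Run it in an elevated PowerShell session on the Directory Synchronization server with an account that can read the on-premise objects. The merge step matters in practice: the article's instructions have you create the file by hand, and a later re-run that simply overwrote it would drop every exclusion added before, putting those objects back into the next synchronization.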

More Information

An on-premise mail-enabled security group is synchronized to BPOS-S as a mail-enabled distribution group, and an on-premise user object that is not mailbox-enabled or mail-enabled is synchronized to BPOS-S as a mail-enabled user.
