Azure AD Connect OU Filtering - Moving users out of a synced OU

    Question

  • Hi

    We are using Azure AD connect (AADConnect) to sync our active directory users to Office 365 as part of our project to migrate our email services to Microsoft.

    During initial setup of Azure AD connect we chose OU filtering.  All the users were in this OU.

    One of our admins moved a few of our AD users out of that OU and it broke their access to the Office 365 portals.

    A. Can somebody tell me why?  Does removing users from Organizational Units that are being synced cause the account to be deleted from Office 365?

    B. How can we rectify this?  Putting the users back in the OU didn't fix the problem for us.

    Please help.

    Wednesday, 28 February 2018 17:43

All Replies

  • Hi Kman2k 

    A. Can somebody tell me why?  Does removing users from Organizational Units that are being synced cause the account to be deleted from Office 365? This is by design: any objects that are moved out of a synced OU are automatically deleted, as they are presumed to be not needed anymore.

    B. How can we rectify this?  Putting the users back in the OU didn't fix the problem for us. Adding the users back to the OU will sync the users back to Office 365, but you will need to restore the deleted mailboxes; they should then match back to the account GUID, as long as they still match and the accounts that were added back in haven't been given new licences.

    Here is a blog post on mailbox recovery scenarios 

    https://blogs.technet.microsoft.com/exchange/2015/12/04/common-mailbox-recovery-scenarios-for-hybrid-environments/


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.



    Wednesday, 28 February 2018 18:17
  • Some of the users were moved to an OU beneath the top OU.  That folder was part of the sync too.

    What is the deal with that?  Moving a user from a synced OU to another synced OU causes it to be deleted too?

    Wednesday, 28 February 2018 19:19
  • No, if the OUs are synced then moving between OUs should not remove any users, unless the sub-OU was filtered out for some reason.


    Wednesday, 28 February 2018 19:30
  • Hi,
     
    We are currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns, please don't hesitate to let me know. And if the replies have helped you, please help to mark them as answers, since it could be helpful for others.
     
    Thanks for your time.

    Best Regards,
    Jason Chao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, 8 March 2018 09:43
  • Hi

    1. So, based on the answer given above, a user moved out of a synced OU to a non-synced OU will get deleted from the Microsoft Office 365 portal.  Would you please double-verify that this is correct?

    2. If so, is there a better guide on how to recover from this (such as how to revive the account, how to re-attach the mailbox, and the rest)?

    Thanks

    Thursday, 8 March 2018 13:16
  • Thanks for your response. Please refer to the solution in the following article:

    Move AD User to non dir-syned OU without Office 365 deleting mailbox & user

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.

    Hope it helps.


    Best Regards,
    Jason Chao



    Friday, 16 March 2018 05:34
  • Wow

    Very useful.  Thank you Jason

    Friday, 16 March 2018 14:23
  • Glad to hear it's useful for you and hope it can help you!

    Best Regards,
    Jason Chao



    Tuesday, 20 March 2018 09:18
  • Please forgive me but I still don't have a solid answer here.

    In my scenario the mail-enabled objects were moved to a NON-synchronized OU and the original OU was deleted.  Then, realizing the problem, the OU was created again with the same name.

    How do I recover my mailboxes in such a case where a user was moved to a non-synching OU and then put back to a new synching OU?

    Friday, 6 April 2018 19:18
  • Hi,

    If a user is moved from a synced Organizational Unit (OU) into a non-synced OU, the next time AADConnect performs a delta sync the Office 365 user will be moved from Active Users into Deleted Users. As a consequence, the associated mailbox will be moved to Soft-Deleted mailboxes and kept there for 30 days; during this time the administrator can very easily recover the deleted mailbox by applying the below logic:

    Demo: For the purpose of this demo, I will use an AD account that has the following UserPrincipalName(UPN): PodByteSize1@scdtech.co

    1. Let's reproduce the issue:
    • Log into the on-premises server that is hosting the Directory Synchronization engine (in my case AADConnect) and check which OUs are synced.
      • For example, in my test environment I'm only syncing one Organizational Unit (OU).
    • Move the user to a non-synced OU.
    • Perform a sync:
      • Open a standard Windows PowerShell window (on the server hosting AADConnect) and run the below cmdlets:
        • Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
        • Start-ADSyncSyncCycle -PolicyType Delta
    • Check the AADSync client to spot the changes: you will notice that the AADConnect engine exports a Delete event for this user to Office 365.
    • Verify that the user was removed from O365:
      • Get-MsolUser -UserPrincipalName PodByteSize1@scdtech.co
      • Get-MsolUser -UserPrincipalName PodByteSize1@scdtech.co -ReturnDeletedUsers
    • Verify the mailbox status:
      • Get-Mailbox PodByteSize1 | FT Identity, WhenCreated, WhenChanged
      • Get-Mailbox PodByteSize1 -SoftDeletedMailbox | FT Identity, WhenCreated, WhenChanged
      • Get-Mailbox PodByteSize1 -InactiveMailbox | FT Identity, WhenCreated, WhenChanged

    Only Get-Mailbox PodByteSize1 -SoftDeletedMailbox and Get-MsolUser -UserPrincipalName PodByteSize1@scdtech.co -ReturnDeletedUsers will return a result, which tells us that the mailbox and the user associated with it are in a soft-deleted state.

    What if the two cmdlets return multiple entries? For example, what if Get-MsolUser -UserPrincipalName <UPN> -ReturnDeletedUsers returns two or more entries: which user is associated with our mailbox?

    In this scenario, we do not really need to know the answer to the above question, because the recovery is triggered by actions performed in the on-premises environment and the mailbox restoration is straightforward and easy.

    All you need to do is move the user back into the OU where the user originally resided. Assuming that the OU the user was previously in is still being synchronized, the next time Directory Synchronization completes, the user and all associated data will be restored. By default, directory synchronizations occur every thirty minutes, so after you move the user back to the proper OU you must wait for the next sync cycle to take place. However, if you are like me and cannot wait, then you can force the synchronization by running this cmdlet in PowerShell: Start-ADSyncSyncCycle -PolicyType Delta

     

    • Move the user back to a synced OU
      • Open a PowerShell window and perform a sync: Start-ADSyncSyncCycle -PolicyType Delta
    • Check that the mailbox is in an active state: Get-Mailbox scenario1 | FT Identity, WhenCreated, WhenChanged -> You will notice that the mailbox is now active and it will be accessible by using the credentials of the user from AD.
    Tuesday, 10 April 2018 10:25
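As an added example, not part of the thread above and not Microsoft's own tooling, the following PowerShell wraps the diagnose-then-recover logic of the post above (check cloud user and mailbox state, move the AD object back into a synced OU, run a delta sync, verify) into one report-and-repair script. It assumes it is run on the AADConnect server with the ActiveDirectory module installed and with MSOnline (Connect-MsolService) and Exchange Online sessions already established; the list of synced OU distinguished names, the target OU, and the function names (Get-RecoveryReport, Test-InSyncedOU, Invoke-DeltaSyncAndWait) are the example's own assumptions rather than anything read from the sync engine. It also answers the "which deleted entry is ours?" question from the post by matching the cloud ImmutableId to the on-prem objectGUID.

```powershell
<#
  Added example (not from the thread or from Microsoft): report, and with
  -Recover repair, an Office 365 user that went soft-deleted after its
  on-prem AD object left AADConnect's OU filter.
  Assumptions: run on the AADConnect server; ActiveDirectory module present;
  Connect-MsolService and an Exchange Online session already done;
  $SyncedOUs / $TargetOU supplied by the operator (hypothetical inputs).
#>
param(
    [Parameter(Mandatory)] [string]   $UserPrincipalName,
    [Parameter(Mandatory)] [string[]] $SyncedOUs,  # DNs of OUs included in the OU filter
    [string] $TargetOU,                            # synced OU to move the user into with -Recover
    [switch] $Recover                              # default is report-only
)

Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

# Azure AD's ImmutableId is the base64 form of the on-prem objectGUID, so it
# identifies which soft-deleted cloud entry belongs to this AD object.
function Get-ImmutableIdFromAdUser($AdUser) {
    [Convert]::ToBase64String($AdUser.ObjectGUID.ToByteArray())
}

# True when the DN is one of the synced OUs or sits anywhere beneath one.
# A child OU explicitly excluded in the filter wizard would still pass here,
# so the list must reflect the effective filter.
function Test-InSyncedOU([string] $DistinguishedName, [string[]] $OUs) {
    foreach ($ou in $OUs) {
        if ($DistinguishedName -eq $ou -or $DistinguishedName -like "*,$ou") { return $true }
    }
    return $false
}

function Get-RecoveryReport([string] $Upn, [string[]] $OUs) {
    $ad = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    if (-not $ad) { throw "No on-prem AD user with UPN $Upn" }
    $expectedId = Get-ImmutableIdFromAdUser $ad

    $active  = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    $deleted = @(Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue)
    # Several deleted entries may share a UPN; keep the one tied to this AD object.
    $matching = @($deleted | Where-Object { $_.ImmutableId -eq $expectedId })

    $mbxActive = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    $mbxSoft   = Get-Mailbox -Identity $Upn -SoftDeletedMailbox -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UserPrincipalName   = $Upn
        OnPremDN            = $ad.DistinguishedName
        InSyncedOU          = Test-InSyncedOU $ad.DistinguishedName $OUs
        ExpectedImmutableId = $expectedId
        CloudUserActive     = [bool] $active
        DeletedEntries      = $deleted.Count
        DeletedMatchingAD   = $matching.Count
        MailboxActive       = [bool] $mbxActive
        MailboxSoftDeleted  = [bool] $mbxSoft
    }
}

# Start a delta cycle and block until the scheduler reports it finished.
function Invoke-DeltaSyncAndWait {
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

$before = Get-RecoveryReport $UserPrincipalName $SyncedOUs
$before | Format-List

if ($Recover) {
    if (-not $before.InSyncedOU) {
        if (-not $TargetOU) { throw 'User is outside the OU filter; pass -TargetOU to move it back.' }
        if (-not (Test-InSyncedOU $TargetOU $SyncedOUs)) { throw "$TargetOU is not in the synced OU list." }
        Move-ADObject -Identity $before.OnPremDN -TargetPath $TargetOU
    }
    Invoke-DeltaSyncAndWait
    $after = Get-RecoveryReport $UserPrincipalName $SyncedOUs
    $after | Format-List
    if (-not $after.MailboxActive) {
        Write-Warning 'Mailbox still not active; check the AADConnect export results before retrying.'
    }
}
```

Run it first without -Recover to see whether the cloud user is active or deleted, whether the mailbox is soft-deleted, and whether exactly one deleted entry carries the ImmutableId of the on-prem object; a DeletedMatchingAD of 0 means the object in AD is not the one the cloud account was created from (for example a re-created user), and moving it back into a synced OU will produce a fresh account rather than restore the old one.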
  • Thank you so much Sudjoe

    1. Is moving the user back to the synced OU enough to re-attach the email and make everything work?

    2. What if the OU was deleted too?  Is moving the user to ANOTHER synced OU enough for it to re-attach the email and make things work again?

    Wednesday, 11 April 2018 22:20