Windows Azure AD ScriptBox Item

This script can fix duplicate email addresses for mail-enabled objects. It lets you export mail-enabled objects that have duplicate email addresses. After you correct the email addresses for these objects, you can use the same script to import them back into Active Directory.


Problem 1

In Microsoft Office 365, an administrator receives the following email message warning when directory synchronization finishes:

From: MSOnlineServicesTeam@MicrosoftOnline.com
Subject: Directory Synchronization Error Report

The error report in the email message may contain one or more of the following error messages:

  • A synchronized object with the same proxy address already exists in your Microsoft Online Services directory.
  • Unable to update this object because the user ID is not found.
  • Unable to update this object in Microsoft Online Services because the following attributes associated with this object have values that may already be associated with another object in your local directory.

This issue may occur if mail-enabled objects in the on-premises Active Directory Domain Services (AD DS) have duplicate or invalid values, and these user objects are not synchronized from the AD DS to Office 365 correctly during directory synchronization.

Problem 2

If OnRAMP autocheck finds that duplicate values exist in your on-premises Active Directory, you will get a tab-separated value file that contains these objects. Here is an example of this file.

Solution

This script enables you to export mail-enabled objects with duplicated email addresses. After correcting the attributes for these groups, you can use this script to import them to your on-premises Active Directory.

The following procedure describes how to remove duplicate email addresses by using this script.

  1. After downloading the script package, extract all the files to a folder on a domain-joined computer, for example c:\script.
  2. Run the Import-Module cmdlet to import the module file:
    Import-Module filepath\FixDuplicateMailAddresses.psm1
  3. (Optional) Run the following command to read the help for this function:
    Get-Help Export-OSCADObjectEmailAddress -Full
  4. Run one of the following commands to export mail-enabled groups that have a duplicate email address to a comma-separated value (CSV) file.
    • If you got the duplicate email address from the Directory Synchronization Error Report, run this command.
      If you don’t know how to get the duplicate email address from the Directory Synchronization Error Report, see “How to Get a Duplicate Email Address from Directory Synchronization Error Report” later in this article:
      Export-OSCADObjectEmailAddress -EmailAddress "jdoe@corp.contoso.com" -Path .\outputs.csv
    • If you have an OnRamp autocheck results file, run this command:
      Import-Csv .\OnRamp_Duplicates.txt -Delimiter `t | ?{$_.AttributeName -match "mail|proxyaddresses|targetaddress"} | Select-Object -ExpandProperty Value -Unique | Export-OSCADObjectEmailAddress -Path .\outputs.csv
  5. When you get the output file, make a copy of it under a new name, for example inputs.csv, and then set the original output file as read-only. You can use the original output file to restore the old attribute values in case something goes wrong.
  6. See “How to Edit the Input File” later in this article for the steps to edit the input file.
  7. Run the following command to import the new object email addresses:
    Import-OSCADObjectEmailAddress -Path .\inputs.csv

The following procedure describes how to roll back the changes by using this script.

  1. Run the Import-Module cmdlet to import the module file:
    Import-Module filepath\FixDuplicateMailAddresses.psm1
  2. Run the following command to import the original attribute values:
    Import-OSCADObjectEmailAddress -Path .\outputs.csv


Note
Running the scripts should be possible from any domain-joined PC running Windows 7, Windows Server 2008, or later. Windows PowerShell, which requires the .NET Framework, is the intended interface. We suggest that you run these scripts logged on as a user who is a member of the Enterprise Admins group, or who otherwise has sufficient permission to modify objects in all domains in the forest.

The output file contains an objectGUID column. The objectGUID attribute value of an Active Directory object is converted to a Base64 string in this column. It can help you to determine the account(s) that did not sync. Match the objectGUID from the Directory Synchronization Error Report mail with the object returned in outputs.csv.


Important
When you run the script, you might see the following error message:
Import-Module: File path\scriptname.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.

If you receive this error message, change the execution policy to Unrestricted by running this command:
Set-ExecutionPolicy Unrestricted


How to Get A Duplicate Email Address from Directory Synchronization Error Report

Office 365 administrators may receive a Directory Synchronization Error Report that contains the following table. In the error description, you can find the attributes with a duplicate email address in this format: “AttributeName ProtocolName:Email Address”. In this example, ProxyAddresses is the attribute name and SMTP is the protocol name.
jdoe@contoso.onmicrosoft.com is the duplicate email address that is required by Export-OSCADObjectEmailAddress.

The following errors occurred during synchronization:

Identity: John Doe
Error Description: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: ProxyAddresses SMTP:jdoe@contoso.onmicrosoft.com;. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
On-premises object ID: AIQwHQkEh0CPbndzfrBSNQ==
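The following is an added example (not part of the ScriptBox module) that pulls the duplicate address and the on-premises objectGUID out of a report entry like the one above and then finds the matching row in outputs.csv. It assumes, per the Note above, that outputs.csv carries the objectGUID as a Base64 string in its objectGUID column; the function name ConvertFrom-DirSyncErrorEntry is the example's own.

```powershell
# Added example, not part of the ScriptBox module.
# Report entry constructed from the example in this article.
$reportText = @'
Identity John Doe
Error Description Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: ProxyAddresses SMTP:jdoe@contoso.onmicrosoft.com;.
On-premises object ID AIQwHQkEh0CPbndzfrBSNQ==
'@

function ConvertFrom-DirSyncErrorEntry {
    param([Parameter(Mandatory=$true)][string]$Text)

    # The report lists the conflict as "AttributeName ProtocolName:EmailAddress;".
    $attr = [regex]::Match($Text, 'local directory(?: services)?:\s*(?<attr>\w+)\s+(?<proto>\w+):(?<addr>[^;\s]+);')
    $id   = [regex]::Match($Text, 'On-premises object ID:?\s+(?<id>[A-Za-z0-9+/=]+)')
    if (-not $attr.Success -or -not $id.Success) {
        throw 'Text does not look like a Directory Synchronization Error Report entry.'
    }

    $base64Guid = $id.Groups['id'].Value
    # The object ID is the raw objectGUID bytes in Base64; decoding it gives a GUID
    # that Get-ADObject -Identity accepts directly.
    $guid = [guid]([Convert]::FromBase64String($base64Guid))

    New-Object PSObject -Property @{
        AttributeName = $attr.Groups['attr'].Value    # ProxyAddresses
        Protocol      = $attr.Groups['proto'].Value   # SMTP
        EmailAddress  = $attr.Groups['addr'].Value    # value for Export-OSCADObjectEmailAddress -EmailAddress
        ObjectGuidB64 = $base64Guid
        ObjectGuid    = $guid
    }
}

$dup = ConvertFrom-DirSyncErrorEntry -Text $reportText
$dup | Format-List

# Export every on-premises object carrying that address, then pick out the row the
# report refers to by comparing the Base64 objectGUID strings.
Export-OSCADObjectEmailAddress -EmailAddress $dup.EmailAddress -Path .\outputs.csv
Import-Csv .\outputs.csv | Where-Object { $_.objectGUID -eq $dup.ObjectGuidB64 }
```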


How to Edit the Input File

After running Export-OSCADObjectEmailAddress, make a copy of the output file under a new name, for example inputs.csv, and open the input file with Notepad. Because the DistinguishedName column may contain long text, turn off word wrap.

Here is an example of the input file.


In this example, you need to remove the duplicate email address “smtp:jdoe@corp.contoso.com” from the ProxyAddresses column. Note that proxyAddresses is a multi-valued attribute, so each email address is enclosed in single quotation marks (') and the addresses are separated by spaces. Remove the duplicated email address carefully; otherwise, an error will occur when you import this file by using Import-OSCADObjectEmailAddress.
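The following is an added example (not part of the ScriptBox module) that removes one duplicate address from the ProxyAddresses cell of the copied file programmatically instead of editing it by hand, covering steps 5 and 6 of the procedure. It assumes the cell layout described above (each value in single quotes, separated by spaces) and that you have already decided, by objectGUID, which object must give up the address; Remove-ProxyAddressFromCell and the GUID and address values are the example's own placeholders.

```powershell
# Added example, not part of the ScriptBox module.
function Remove-ProxyAddressFromCell {
    param(
        [Parameter(Mandatory=$true)][string]$Cell,          # e.g. 'SMTP:jdoe@contoso.com' 'smtp:jdoe@corp.contoso.com'
        [Parameter(Mandatory=$true)][string]$EmailAddress   # address to drop, without the protocol prefix
    )
    # Split the multi-valued cell into its individual quoted entries.
    $values = @([regex]::Matches($Cell, "'([^']*)'") | ForEach-Object { $_.Groups[1].Value })

    $keep = @(foreach ($v in $values) {
        $addr = ($v -split ':', 2)[-1]
        if ($addr -ieq $EmailAddress) {
            # Upper-case "SMTP:" marks the primary address; dropping it would change the reply address.
            if ($v -cmatch '^SMTP:') { throw "'$v' is the primary address; set a new primary before removing it." }
            continue
        }
        $v
    })
    if ($keep.Count -eq $values.Count) { throw "'$EmailAddress' is not present in the cell." }
    # Rebuild the same quoted, space-separated layout so Import-OSCADObjectEmailAddress can parse it.
    ($keep | ForEach-Object { "'$_'" }) -join ' '
}

# Usage: the objectGUID (Base64) comes from the error report or from outputs.csv;
# the values below are placeholders taken from the examples in this article.
$targetObjectGuid = 'AIQwHQkEh0CPbndzfrBSNQ=='
$duplicateAddress = 'jdoe@corp.contoso.com'

$rows = @(Import-Csv .\outputs.csv)
$target = $rows | Where-Object { $_.objectGUID -eq $targetObjectGuid }
if (-not $target) { throw "No row in outputs.csv has objectGUID $targetObjectGuid." }
$target.ProxyAddresses = Remove-ProxyAddressFromCell -Cell $target.ProxyAddresses -EmailAddress $duplicateAddress

# Write the edited copy; the untouched outputs.csv stays available for rollback.
$rows | Export-Csv .\inputs.csv -NoTypeInformation
```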

Here is the input file after removing the duplicate email address.


Script Code

# Excerpt from FixDuplicateMailAddresses.psm1: $Credential (an optional PSCredential) and
# $targetDomainFqdn are parameters of the enclosing function.
if ($Credential -ne $null) {
    # Explicit credentials: unwrap the PSCredential for the LDAP bind. LdapConnection
    # authenticates with Negotiate (Kerberos/NTLM) by default, so the password is not sent in clear text.
    $networkCred = $Credential.GetNetworkCredential()
    # Port 3268 is the global catalog, so one connection can search every domain in the forest.
    $ldapDirectoryIdentifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($targetDomainFqdn, 3268)
    $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier, $networkCred)
} else {
    # No credentials supplied: bind as the logged-on user (hence the Enterprise Admins note above).
    $ldapDirectoryIdentifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($targetDomainFqdn, 3268)
    $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier)
}
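The following is an added example (not part of the module) that continues the excerpt above: it uses the global catalog connection to list every object in the forest that carries a given address, rendering each objectGUID as the same Base64 string the outputs.csv column and the error report use. It assumes $ldapConnection was built as shown above; $address and ConvertTo-LdapFilterValue are the example's own.

```powershell
# Added example, not part of the module; assumes $ldapConnection from the excerpt above.
$address = 'jdoe@corp.contoso.com'   # placeholder address to look up

# Escape the characters LDAP filters treat specially (RFC 4515) before interpolating input.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Bind as the current user (or the supplied credential) with Negotiate, and require
# signing and sealing so the global-catalog traffic on port 3268 is integrity-protected.
$ldapConnection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldapConnection.SessionOptions.Signing = $true
$ldapConnection.SessionOptions.Sealing = $true
$ldapConnection.Bind()

# proxyAddresses values are "proto:address"; match the address under any protocol prefix.
$filter = "(proxyAddresses=*:$(ConvertTo-LdapFilterValue $address))"
$attrs  = @('distinguishedName', 'objectGUID', 'proxyAddresses')
# Empty base DN on a global catalog connection searches the whole forest.
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest($null, $filter, 'Subtree', $attrs)
$response = $ldapConnection.SendRequest($request)

foreach ($entry in $response.Entries) {
    $guidBytes = $entry.Attributes['objectGUID'].GetValues([byte[]])[0]
    New-Object PSObject -Property @{
        DistinguishedName = $entry.DistinguishedName
        objectGUID        = [Convert]::ToBase64String($guidBytes)   # same form as "On-premises object ID"
        ProxyAddresses    = $entry.Attributes['proxyAddresses'].GetValues([string]) -join ' '
    }
}
```

Two or more rows in this output for one address is exactly the condition the error report describes.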


See Also

Note
To provide feedback about this article, create a post on the Windows Azure AD TechNet Forum.
For more FIM related Windows PowerShell scripts, see the Windows Azure AD ScriptBox