Windows Azure AD ScriptBox Item

This script verifies the displayName property for mail-enabled groups. It lets you export mail-enabled groups that have an empty display name or questionable characters. After you correct the displayName of these groups, you can use the script to import them into Active Directory.

 

Problem 1

When you use the Microsoft Online Services Directory Synchronization tool to sync your on-premises Active Directory Domain Services (AD DS) environment to Microsoft Office 365, you notice that mail-enabled groups that have an email address aren't synced to Office 365.
This issue occurs if a display name isn't specified for the on-premises mail-enabled group.

Problem 2

If OnRAMP autocheck finds that mail-enabled groups with an empty display name exist in your on-premises Active Directory, you will get a tab-separated values file that contains these objects.
Here is an example of this file:

Solution

This script verifies the displayName attribute for mail-enabled groups.
It enables you to export mail-enabled groups that have an empty display name.
After correcting the display name of these groups, you can use the script to import them into your on-premises Active Directory.

The following procedure describes how to edit a display name by using this script.

  1. After downloading the script package, extract all the files to a folder on a domain-joined computer.
    For example, c:\script.
  2. Run the Import-Module cmdlet to import the module file.
    Import-Module filepath\FixEmptyDisplayName.psm1
  3. (Optional) Run the following command if you want to read the help for this function.
    Get-Help Export-OSCADGroupDisplayName -Full
  4. Run the following command to export mail-enabled groups that have an empty display name to a comma-separated values (CSV) file.
    Export-OSCADGroupDisplayName -Path .\outputs.csv
  5. Refer to “How to Edit the Input File” later in this article for the steps to edit the input file.
  6. Run the following command to import the new display names.
    Import-OSCADGroupDisplayName -Path .\inputs.csv
 Note
You should be able to run the scripts from any domain-joined PC running Windows 7, Server 2008, or above.
The .NET Framework including PowerShell is the desired interface.
We suggest that you run these scripts while logged on as a user who is a member of the Enterprise administrators group or who has sufficient permission to modify objects in all domains in the forest.

The output file contains an objectGUID column.
The objectGUID attribute value of an Active Directory object is converted to a Base64 string in this column.
It can help you to determine the account(s) that did not sync.
Match the objectGUID from the Directory Synchronization Error Report mail with the object returned in outputs.csv.
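
The matching step described above, as an added example that is not part of FixEmptyDisplayName.psm1. It assumes outputs.csv has columns named DistinguishedName, DisplayName and objectGUID; the function names, group names and GUIDs are hypothetical and the sample rows are constructed.

```powershell
# Added example, not part of FixEmptyDisplayName.psm1.
# Decode a Base64 objectGUID (as stored in outputs.csv) into a System.Guid.
function ConvertFrom-Base64ObjectGuid {
    param([Parameter(Mandatory=$true)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64.Trim())
    if ($bytes.Length -ne 16) { throw "Not a 16-byte objectGUID: $Base64" }
    # Guid(byte[]) applies the same mixed-endian layout AD uses for objectGUID.
    New-Object System.Guid -ArgumentList (,$bytes)
}

function ConvertTo-Base64ObjectGuid {
    param([Parameter(Mandatory=$true)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

# Return the exported rows whose objectGUID appears in the error report mail.
function Find-UnsyncedGroup {
    param(
        [Parameter(Mandatory=$true)][object[]]$ExportedRows,  # rows of outputs.csv
        [Parameter(Mandatory=$true)][string[]]$ReportedGuids  # Base64 values from the mail
    )
    # Compare as Guid values so stray whitespace in either source does not matter.
    $wanted = @{}
    foreach ($b64 in $ReportedGuids) { $wanted[(ConvertFrom-Base64ObjectGuid $b64)] = $true }
    foreach ($row in $ExportedRows) {
        $guid = ConvertFrom-Base64ObjectGuid $row.objectGUID
        if ($wanted.ContainsKey($guid)) {
            $row | Select-Object DistinguishedName, DisplayName, @{n='Guid';e={$guid}}
        }
    }
}

# Constructed sample data (hypothetical groups and GUIDs), standing in for outputs.csv.
$g1 = [Guid]'11111111-2222-3333-4444-555555555555'
$g2 = [Guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$csv = @"
"DistinguishedName","DisplayName","objectGUID"
"CN=Grp1,OU=Groups,DC=contoso,DC=com","","$(ConvertTo-Base64ObjectGuid $g1)"
"CN=Grp2,OU=Groups,DC=contoso,DC=com","","$(ConvertTo-Base64ObjectGuid $g2)"
"@
$rows = $csv | ConvertFrom-Csv
Find-UnsyncedGroup -ExportedRows $rows -ReportedGuids @(ConvertTo-Base64ObjectGuid $g2)
```

With a real export, replace the constructed rows with `Import-Csv .\outputs.csv` and pass the Base64 values copied from the error report.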

 

 

 Important
When you run the script, you might see the following error message:
Import-Module: File path\scriptname.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.

If you receive this error message, change the execution policy to Unrestricted by running this command:

Set-ExecutionPolicy Unrestricted

By default this command changes the policy for the whole computer. To limit the change to the current PowerShell session, Set-ExecutionPolicy accepts the -Scope Process parameter.

  

 

How to Edit the Input File

After running Export-OSCADGroupDisplayName, you can make a copy of the output file and give it a new name, for example, inputs.csv.
Then you can open the input file with Notepad.
Because the DistinguishedName column may contain long text, you need to turn off word wrap.

Here is an example of the input file:



In this example, you need to add display names for the mail-enabled groups that have an empty value in the DisplayName column.

 

 Note
Please make sure that the display name is enclosed in double quotation marks (").

 

Here is the input file after adding display names:



Script Code

 

# Fragment of the module: $targetDomainFqdn and $Credential are set elsewhere in the script.
# Load the LDAP protocol classes so the fragment also works outside the module.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Port 3268 is the global catalog, so the connection can search every domain in the forest.
$ldapDirectoryIdentifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($targetDomainFqdn, 3268)
if ($null -ne $Credential) {
    # Bind with the credential supplied by the caller.
    $networkCred = $Credential.GetNetworkCredential()
    $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier, $networkCred)
} else {
    # No credential supplied: bind as the currently logged-on user.
    $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier)
}

 

 

See Also

 

 

Note
To provide feedback about this article, create a post on the Windows Azure AD TechNet Forum.
For more FIM related Windows PowerShell scripts, see the Windows Azure AD ScriptBox.