How to Configure Directory Sync to Synchronize specific users

Our goal is to synchronize a specific OU to our O365 subscription instead of all Active Directory users in the domain. We have gone through the Directory Sync wizard again and again but were not able to locate any option that limits the data synchronization. Hence, we are looking for a way to synchronize only the required users based on a filter, or to limit the directory sync tool to a single OU or a couple of selected OUs.



There are specific OUs in Active Directory that need to be synced to O365 instead of all the users. The sync needs to be filtered to only the required users.



Use the directory synchronization tool called “Synchronization Service Manager”.



Office 365 Account

Windows Azure Active Directory

Microsoft Directory Synchronization tool



To limit which directories are synchronized from local Active Directory to Windows Azure Active Directory, the directory synchronization tool provides a separate tool called “Synchronization Service Manager”.


1. You must have the Microsoft Directory Synchronization tool installed. If you haven’t already, log in to your O365 portal and select Office 365 from the Admin drop-down menu:



2. If you have already activated Active Directory you will be redirected to the screen below; select “Manage”:



3. Download the Directory Synchronization tool:


4. Once the installation is complete, browse to the following location:

X:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

Locate and run “miisclient.exe”:



5. You will be presented with the first interface of the tool:



6. Click on “Management Agents” and double-click “Active Directory Connector” to open the properties of this connector:



7. In the properties window move to the “Configure Directory Partitions” node and click the “Containers” button:



8. Provide your local Active Directory administrative credentials here:



9. After clicking “OK” above, you will be prompted with the “Containers” list from your local Active Directory. Uncheck all of the unwanted OUs and select the ones that are required to be synced with O365. Click OK.


10. Now that you have configured the tool to sync only the filtered users/OUs, you can push the directory sync to synchronize immediately or wait for the next scheduled sync.

Here is the initial screen before the synchronization took place:


And here is the one after the Configuration and synchronization:



11. As can be seen above, only the users in the “O365 Test” OU are synced; here is the picture of the users that were not synced:


Removing Unlicensed Office 365 Users in Bulk

We have synchronized 1,000+ Active Directory users into our Office 365 subscription without realizing that the default behavior of Directory Sync is to synchronize all users to the cloud unless configured otherwise. Our goal was to synchronize only the required users from Active Directory. Now we need to delete them all at once to clean up the mess and then re-sync as per our later needs.

There are too many unlicensed user objects in Office 365. These are synced by default from the on-premises Active Directory.

Use Azure Active Directory Module for Windows PowerShell to query users and remove them.

Synced Active Directory users in Office 365 subscription.

.Net 4.0 or later
Azure Active Directory Module for Windows PowerShell

As a prerequisite for this procedure, be sure to check the guides on how to manage Azure AD using Windows PowerShell. Below is a screenshot showing active users synced with Active Directory.




1. Make sure you have .Net 4.0 or later and the Azure Active Directory Module for Windows PowerShell installed. Once done, launch PowerShell with administrative privileges.

2. Import the Microsoft Online Services Module by running the following command in PowerShell:

Import-Module MsOnline


3. Now that we have imported the module, we need to connect to Microsoft Online Services by running this command in the same PowerShell session:


4. The cmdlet will prompt you to enter your credentials; provide them in the following format and make sure they are administrative:

User name: OR
Password: whateveryourpasswordis


5. To see what options you have, run the following command:


You will get a pretty long list of commands that are available to manipulate objects online, as seen on the screen capture below. Our target is to delete all the users that were synchronized from Active Directory and haven’t been assigned an Office 365 license.


6. Before proceeding further, let’s see how many objects are currently in Office 365 by issuing the command below:

Get-MsolUser -All | Measure-Object


7. To remove users in bulk, use this command:

Get-MsolUser -All | Where-Object {$_.IsLicensed -ne $true} | Remove-MsolUser -Force

Here “-ne” is the “not equal” operator, so the filter keeps only users whose IsLicensed flag is not set. This command can be modified as needed.

8. This command will take a few moments to complete depending on the number of users it is processing. To check the status, open another PowerShell session, follow the same steps to connect to Microsoft Online Services and run this command:

Get-MsolUser -All | Measure-Object


As seen above, the count is now 1010 compared to the count of 1100 from step 6 prior to removing the users. After 5 more minutes it is at 930:
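The removal in step 7 deletes every unlicensed account, cloud-only ones included. As an added example (not from the original article), the script below narrows the deletion to accounts that actually came from directory sync and writes the candidate list to a CSV before removing anything; the CSV path is an assumption.

```powershell
# Added example (not part of the original article): remove only unlicensed users
# that came from directory sync, after writing the candidate list to a CSV for review.
# Assumptions: the MSOnline module is installed; the CSV path is ours.
Import-Module MsOnline
Connect-MsolService   # prompts for Office 365 admin credentials

function Get-UnlicensedSyncedUsers {
    # LastDirSyncTime is set only on accounts that were synchronized from
    # on-premises AD; cloud-only accounts (admins, service accounts) have none.
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -ne $true -and $_.LastDirSyncTime -ne $null }
}

$total      = (Get-MsolUser -All | Measure-Object).Count
$candidates = @(Get-UnlicensedSyncedUsers)

# Record what is about to be removed before touching anything
$candidates |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime |
    Export-Csv -Path .\unlicensed-synced-users.csv -NoTypeInformation
Write-Host ("{0} of {1} users selected for removal; list saved to CSV" -f $candidates.Count, $total)

# Narrow the sync scope to the wanted OUs first (see the Directory Sync steps above);
# otherwise the next sync cycle simply re-creates these accounts.
foreach ($u in $candidates) {
    Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -Force
}

# Deleted users can be brought back with Restore-MsolUser while they remain in
# the Office 365 deleted-users list, so a mistake here is recoverable.
Write-Host ("Remaining users: {0}" -f (Get-MsolUser -All | Measure-Object).Count)
```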

Lync address book not working after using absconfig.exe

Warning: the absconfig.exe that ships with the RTM version of Lync Server 2010 is out of date, meaning that this version of absconfig.exe is actually designed for OCS, not Lync. Using this version of the tool will corrupt your RTC.dbo.abattribute database table and break your Lync clients. An updated version of the tool can be found here:

If you already ran the tool, keep reading this article as I will provide instructions to fix the corrupt database.

First, how do you know if your RTC.dbo.abattribute database table is corrupt?

1. Log on to your Lync SQL server and open SQL Management Studio
2. Expand the RTC database, right-click dbo.abattribute and choose “return top 1000 rows”

If your Lync RTC dbo.abattribute table looks like the one on an OCS server, you need to keep reading. The steps below should help you rebuild the dbo.abattribute table.


1. On the server which holds the RTC database, install Microsoft SQL Server 2008 Management Studio and connect to the RTC database.

2. Click on “New Query” and paste the following SQL into the query window and click the execute button. The execute button is the small green “play” icon.

use rtc
exec dbo.RtcDeleteAbAttributes
exec dbo.RtcAddAbAttribute 1, N'givenName', 0x01400000
exec dbo.RtcAddAbAttribute 2, N'sn', 0x02400000
exec dbo.RtcAddAbAttribute 3, N'displayName', 0x03420000
exec dbo.RtcAddAbAttribute 4, N'title', 0x04000000
exec dbo.RtcAddAbAttribute 5, N'mailNickname', 0x05400000
exec dbo.RtcAddAbAttribute 6, N'company', 0x06000000
exec dbo.RtcAddAbAttribute 7, N'physicalDeliveryOfficeName', 0x07000000
exec dbo.RtcAddAbAttribute 8, N'msRTCSIP-PrimaryUserAddress', 0x08520C00
exec dbo.RtcAddAbAttribute 9, N'telephoneNumber', 0x09622800
exec dbo.RtcAddAbAttribute 10, N'homePhone', 0x0A302800
exec dbo.RtcAddAbAttribute 11, N'mobile', 0x0B622800
exec dbo.RtcAddAbAttribute 12, N'otherTelephone', 0x0C302000
exec dbo.RtcAddAbAttribute 13, N'ipPhone', 0x0D302000
exec dbo.RtcAddAbAttribute 14, N'mail', 0x0E500000
exec dbo.RtcAddAbAttribute 15, N'groupType', 0x0F010800
exec dbo.RtcAddAbAttribute 16, N'Department', 0x10000000
exec dbo.RtcAddAbAttribute 17, N'Description', 0x11000100
exec dbo.RtcAddAbAttribute 18, N'manager', 0x12040001
exec dbo.RtcAddAbAttribute 19, N'proxyAddresses', 0x00500105
exec dbo.RtcAddAbAttribute 20, N'msExchHideFromAddressLists', 0xFF000003

3. From the Lync Management Shell run the following command: Update-CsUserDatabase

4. Open the server’s event viewer and wait until you can see Lync events 30024, 30027 and 30028 before proceeding with the next step.

5. From the Lync Management Shell run the following command: Update-CsAddressBook and wait around ten minutes before proceeding with the next step.

6. Open a Lync 2010 client and wait for the address book to download; this should now have resolved all address book issues.


Franky’s Web — the go-to place for Microsoft Exchange and Active Directory updates

A little bit about Frank Zoechling’s Microsoft Exchange and Active Directory blog:

I work as a system administrator at a medium-sized company. My professional career has had some other stations, but here and now it is this one!

My professional duties include the administration of the network, support for customers / colleagues and, if a little time is left, the implementation of various projects for clients.

Anyone who believes that authorization and access structures in networks are complicated enough has not yet encountered their equivalents in my private life. There is the overall structure of the family, which consists of the domains wife and children. The permissions on both domains are sometimes opaque. Sometimes you are Enterprise Admin, sometimes you can count yourself lucky if you have guest privileges (and the account is disabled now and then). But only at the margins; the overall structure is very close to my heart!

Back to this page: As I stumble on interesting problems from time to time, I decided to create this blog. This site should therefore mainly offer practical content, so I put clearly less emphasis here on explaining the technical background than on describing the approach. I’ve imagined the whole thing like this:

Problem -> Problem solved -> article on problem and solution :-)

Maybe I can spare one or the other a search of the net and present solutions or approaches here. If time permits, there is sometimes a HOWTO. But it all depends on how I feel :-)

Removing old Exchange meetings for departed users

As is the nature of business, employees come and go. This turnover rate is often higher in large metropolitan areas such as New York. Once a user leaves the company, the IT team performs the usual termination process. This article discusses what happens to Exchange / Outlook meetings that were owned by a user when she leaves the company. When a meeting organizer leaves, her Exchange mailbox is either archived or deleted, which means her meetings are never canceled. As a result, company resources such as conference rooms stay tied up by these stale recurring meetings. It is almost impossible to ask end users to cancel these meetings. There are a few ways to handle this:

Manually cancel meetings
An inefficient but simple method is to log in to the departed user’s mailbox and manually cancel all recurring meetings. This ensures that conference room resources are no longer tied up by the user.

Use Z-Term to cancel user meetings
You can use Z-Term to cancel meetings on behalf of the user with a single click. This tool simply goes through the user’s mailbox and cancels all future meetings. There are two options when using this tool: you can cancel meetings on behalf of the user as noted above, or go through the conference room mailboxes and remove the user’s bookings.


Provision AD, Exchange and Lync Users from Excel spreadsheet

At one time or another as IT administrators, our organization will have to go through a merger and acquisition process. Mergers and acquisitions usually require organizations to integrate two systems. From an IT administrator’s perspective this means creating user accounts from an Excel spreadsheet provided by HR, especially if the two organizations are running heterogeneous systems. Creating user accounts from an Excel file is a fairly simple process; I will talk you through how this can be done in mere minutes. The first step is to generate an Excel file with employee names and the second step is to create a script to process the Excel file.

The most important part of the process is taking the Excel spreadsheet from the HR department with the list of users and generating a unique username for each of them. This list contains employee information such as Firstname, Lastname, Employee number, etc. We need to add an additional column named “username” to the spreadsheet. This will be the unique SamAccountName of the new users. Since the SamAccountName needs to be unique, we need a way to detect duplicate accounts in your current Active Directory environment. The best way to accomplish this is to export the current Active Directory user information, paste it into a new Excel worksheet and perform a vlookup against it.

Let’s dive into this in more detail. To create the username column, use an Excel function to put together the firstname and lastname columns. In the screenshot below, I am using the firstinitial lastname format, so the “LEFT(” Excel function is used.

Export the list of samaccountnames from your current Active Directory environment and paste it into the “CurrentADexport” worksheet. It should look something like the below.

The next step is to perform a vlookup against the “CurrentADexport” worksheet to detect duplicate samaccountnames. Create a new column “DuplicateLookup” and configure the vlookup function as seen in the screenshot below. Make sure you use the “$” (dollar) signs in the formula. This compares data from the username column to all data in the “CurrentADexport” worksheet. Once duplicate names are resolved, move on to the next step below.

Now, save the “NewUserListFromHR” worksheet in a format our script can understand (the script reads CSV).



# Script to process an Excel spreadsheet (saved as CSV)
# and create user accounts in Active Directory, Exchange and Lync

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module Lync

# Values not given on the page: fill in for your environment
$registrarPool = ""
$sipDomain = ""

$data = Import-Csv -Path .\UsersExport.csv
foreach ($user in $data) {
    # New-ADUser requires -Name; the first/last name parameters are -GivenName and -Surname
    New-ADUser -Name ("{0} {1}" -f $user.firstname, $user.lastname) `
        -SamAccountName $user.username -GivenName $user.firstname -Surname $user.lastname

    #region ExchangeCHECK
    # Wait until Exchange can see the new AD user (replication) before enabling the mailbox
    $exchangeusercheck = $false
    do {
        $ADExchangecheck = Get-User $user.username -ErrorAction SilentlyContinue
        if ($ADExchangecheck -ne $null) {
            $exchangeusercheck = $true
        } else {
            Write-Host "Sleep for 20 secs"
            Start-Sleep -Seconds 20
        }
    } while ($exchangeusercheck -eq $false)
    #endregion ExchangeCheck
    Enable-Mailbox $user.username
    Start-Sleep -Seconds 10

    #region LyncStuff
    Start-Sleep -Seconds 90
    Enable-CsUser $user.username -RegistrarPool $registrarPool -SipAddressType EmailAddress -SipDomain $sipDomain
    #endregion LyncStuff
}

Lync User Creation Script

One of the main responsibilities of a Lync administrator is to create Lync accounts for new users. This can be very time consuming and tedious. This article describes how you can streamline this task and how the PowerShell script below can be used for this process. In fact, this article covers Active Directory, Lync and Exchange. In most organizations, most Lync users use the same settings, and this can be scripted. The PowerShell script below starts off by asking for basic user information such as Firstname, Lastname, Displayname, SamAccountName and password. It creates the AD account using this information. A duplicate username check is run before proceeding. This ensures that the username entered is allowed and prevents future errors. If a duplicate user already exists in Active Directory, the PowerShell script automatically exits to avoid errors. Once the script ensures that there are no duplicates, it proceeds to create a new Active Directory user. Line #32 in the script is where this occurs and can be modified to fit your needs. For example, you may want to place the user in a different OU, set other attributes such as….


The next part of the script, from line 38, ensures that the Exchange server can see the Active Directory user prior to creating the mailbox. This is very important because the script will error and halt if we attempt to create a mailbox before Active Directory replication occurs. This block of code from line 38 to line 50 checks that the Exchange server can see the Active Directory user before proceeding. If it doesn’t see the user, it simply sleeps for 20 seconds and checks again. Line 51 runs the Enable-Mailbox command that creates the mailbox. There are a lot of customizations that can be performed here. See below for a list of switches you can use….


Line 57 in the script finally creates the Lync user account. This simply runs the PowerShell command and specifies the registrar pool. A lot of customizations can be done here also, such as…


Line 59 adds the Lync user to Lync policies. Here is the list of policies you can choose from.

#Script Starts here
Add-PSSnapin Quest.ActiveRoles.ADManagement   # provides Get-QADUser / New-QADUser
Write-Host "Enter user's Firstname"
$first = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's Lastname"
$last = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's DisplayName"
$displayname = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's username"
$username = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's password"
$password = Read-Host
Write-Host "-----------------------------"
$username = $username.Replace(" ","")
Write-Host "---See Below for User Info---"
Write-Host "$first $last ($displayname) - $username"

# Values not given on the page: fill in for your environment
$parentContainer = ""   # OU in which the user is created
$upnSuffix = ""         # "@" followed by your UPN domain
$registrarPool = ""
$sipDomain = ""

#region Create_individual_AD
$cnname = $first + " " + $last
$upnname = $username + $upnSuffix
#username check: exit before creating anything if the name is taken
$namecheck = Get-QADUser $username
if ($namecheck -ne $null) {
    Write-Host "Duplicate username exist" -ForegroundColor red
    exit
}
New-QADUser -Name $cnname -FirstName $first -LastName $last -SamAccountName $username -ParentContainer $parentContainer -UserPassword $password -UserPrincipalName $upnname -DisplayName $displayname
Start-Sleep -Seconds 10
#endregion Create_Individual_AD
Start-Sleep -Seconds 60

#Add Exchange
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
#region ExchangeCHECK
# wait until Exchange can see the AD user (replication) before creating the mailbox
$exchangeusercheck = $false
do {
    $ADExchangecheck = Get-User $username -ErrorAction SilentlyContinue
    if ($ADExchangecheck -ne $null) {
        $exchangeusercheck = $true
    } else {
        Write-Host "Sleep for 20 secs"
        Start-Sleep -Seconds 20
    }
} while ($exchangeusercheck -eq $false)
#endregion ExchangeCheck
Enable-Mailbox $username
Start-Sleep -Seconds 60

#Add Lync
Import-Module Lync
#region LyncStuff
Start-Sleep -Seconds 120
Enable-CsUser $username -RegistrarPool $registrarPool -SipAddressType EmailAddress -SipDomain $sipDomain
Start-Sleep -Seconds 60
Grant-CsConferencingPolicy $username -PolicyName "ConfPolicy"
Grant-CsExternalAccessPolicy $username -PolicyName "ExternalAccessPolicy"
#endregion LyncStuff

How to Restore Active Directory User Objects on Windows Server 2012

The Windows Server 2012 Active Directory Recycle Bin allows administrators to restore Active Directory user objects natively. Previously this could only be done with 3rd party products. Note that the Windows Server 2012 Recycle Bin only allows restores of objects in the domain partition. This means configuration objects such as Exchange servers cannot be restored. Luckily, AD user objects can be restored. Another downside to this Recycle Bin is that it restores single objects only, not their sub-level objects. For example, if you restore an organizational unit, it will not restore the Active Directory users under that organizational unit. Before we can enable the Windows Server 2012 Active Directory Recycle Bin, the forest must be at the “Windows Server 2008 R2” functional level.

How to configure Active Directory Recycle Bin in Windows Server 2012 (step by step)

1. Open Active Directory Administrative Center from Server Manager and click “Enable Recycle Bin” in the right pane. (Note that you can also run the Enable-ADOptionalFeature cmdlet from the command line.)

2. Once replication is completed, you will see the “Deleted Objects” container.
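The same procedure from PowerShell, as an added example that is not part of the original article: it checks the forest level mentioned above, enables the feature, restores a deleted user, and works around the single-object limitation by restoring an OU first and then its children. The account name “jdoe” and the OU name “Sales” are constructed sample values.

```powershell
# Added example (not part of the original article): enable the AD Recycle Bin from
# PowerShell and restore a deleted user, then an OU together with the objects beneath it.
# "jdoe" and "Sales" are constructed sample values.
Import-Module ActiveDirectory

function Enable-RecycleBinIfReady {
    $forest = Get-ADForest
    # ADForestMode: Windows2008R2Forest = 4; the feature needs that level or higher
    if ([int]$forest.ForestMode -lt 4) {
        throw "Forest functional level is $($forest.ForestMode); raise it to 2008 R2 first"
    }
    # Irreversible, forest-wide change: once on, it cannot be turned off again
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedUser([string]$SamAccountName) {
    # sAMAccountName is preserved on deleted objects, so we can search by it
    Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'user' -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects | Restore-ADObject
}

function Restore-DeletedOuWithChildren([string]$OuName) {
    # The recycle bin restores one object at a time and an OU does not bring its
    # contents back with it: restore the parent first, then every deleted object
    # whose lastKnownParent points at the OU's original DN. Assumes one match.
    $deletedOu = Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'organizationalUnit' -and name -like '$OuName*'" `
        -IncludeDeletedObjects -Properties lastKnownParent | Select-Object -First 1
    $originalDn = "OU=$OuName,$($deletedOu.lastKnownParent)"
    $deletedOu | Restore-ADObject
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $originalDn } |
        Restore-ADObject
}

Enable-RecycleBinIfReady
Restore-DeletedUser -SamAccountName 'jdoe'
Restore-DeletedOuWithChildren -OuName 'Sales'
```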







Bulk Import Active Directory Users

Follow the simple steps below for bulk Active Directory user creation

  1. Create a CSV file (using Excel) with the columns below
  2. Log on to a Server 2008 R2 domain controller with the Active Directory PowerShell module installed. Launch PowerShell and run the script below.

    #################### SCRIPT STARTS HERE ###########################
    #Input CSV Excel spreadsheet must have below columns (as referenced by $_.<column> in the script):
    #SamAccountName,FirstName,Initials,Lastname,DisplayName,OfficeName,Description,Mail,StreetAddress,L,PostalCode,CO,UPN,Company,Department,ID,Title,Phone,Password
    ########### START CONFIG ##########################
    $NewUsersOU = "OU=NewUsers,DC=testdomain,DC=com"
    $CSVpath = ".\ad_users_list.csv"
    $log = ".\log.log"
    ########### END CONFIG ############################

    Import-Module ActiveDirectory

    $i = 0
    Import-CSV $CSVpath | ForEach-Object {
        $SamAccountName = $_.SamAccountName

        # Skip accounts that already exist so the script can be re-run safely
        $exists = $null
        Try   { $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)" }
        Catch { }
        if ($exists) {
            "User exist in AD: " + $SamAccountName | Out-File $log -append
            return   # move on to the next CSV row
        }

        $pwdinClearText = ConvertTo-SecureString -AsPlainText $_.Password -Force
        # -Path creates the user directly in the target OU, so no Move-ADObject is needed;
        # accounts are created disabled unless -Enabled $true is added
        New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -GivenName $_.FirstName -Initials $_.Initials -Surname $_.Lastname -DisplayName $_.DisplayName -Office $_.OfficeName -Description $_.Description -EmailAddress $_.Mail -StreetAddress $_.StreetAddress -City $_.L -PostalCode $_.PostalCode -Country $_.CO -UserPrincipalName $_.UPN -Company $_.Company -Department $_.Department -EmployeeID $_.ID -Title $_.Title -OfficePhone $_.Phone -AccountPassword $pwdinClearText -Path $NewUsersOU
        $i++
        "Created user: " + $SamAccountName | Out-File $log -append
    }
    "Users created: $i" | Out-File $log -append
    ###################### SCRIPT ENDS HERE ###########################

Exchange 2013 Message Transport Pipeline

Here are the three services that make up the transport pipeline in Exchange 2013.


Mailbox Transport service: The Mailbox server role is responsible for this service, which is made up of two components, Transport Submission and Transport Delivery. The Hub service uses RPC to deliver messages to mailboxes through the Transport Delivery component. Transport Submission is responsible for the other direction: messages from mailboxes to the Hub service via SMTP.

Hub Transport service: Since Exchange 2013 doesn’t include a Hub role, this service runs on the Mailbox server. It is the broker between the Mailbox Transport service and the FrontEnd service.

FrontEnd Transport service: As the name implies, this service handles all transport from clients, so it runs on the CAS server. All SMTP transactions are proxied through the CAS server to the FrontEnd Transport service, which hands them to the Hub Transport service.

Exchange 2013 Transport Pipeline

Exchange 2013 DLP Feature and Transport pipeline

DLP is a big topic in the messaging security arena, and a lot of vendors such as Symantec have solutions that can help prevent data loss. Exchange 2013 now includes a lot of basic DLP functionality and no longer requires 3rd party products. Exchange 2013 leverages the existing transport engine to apply DLP policies. In a nutshell, DLP policies are preconfigured transport rules made up of actions and conditions using regular expressions. This feature allows admins to monitor the mailbox transport pipeline for known data leakage patterns such as SSN formats or credit card numbers. Transport agents in Exchange 2013 also allow 3rd party vendors to write software for Exchange that accesses messages in transit. You can use one of the existing templates from the Exchange Administration Center. To do this, go to Protection => Data Loss Prevention.

Also, the PowerShell commands below can be used to configure the transport agents.
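As an added example (not the original article’s commands), the following builds a DLP policy from one of the built-in templates in audit mode, adds a rule on the built-in credit card classifier, and lists the transport agents on the Hub Transport service where the rules run. It is meant for the Exchange 2013 Management Shell; the policy and rule names and the template wildcard are assumptions.

```powershell
# Added example (not part of the original article): create a DLP policy from a
# built-in template in Audit mode, add a rule on the built-in credit card
# classifier, and list the transport agents involved. Run in the Exchange 2013
# Management Shell. Policy/rule names and the template wildcard are assumptions.

# Templates shipped with Exchange 2013; pick the PCI one by name
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*PCI*' } | Select-Object -First 1

# Audit mode logs matches without blocking mail, so false positives can be tuned
# before switching the policy to Enforce.
New-DlpPolicy -Name 'PCI Audit' -Template $template.Name -Mode Audit

# A DLP policy is only a set of transport rules; review what the template created
Get-TransportRule | Where-Object { $_.DlpPolicy -eq 'PCI Audit' } |
    Select-Object Name, State, Priority

# Extra rule using the built-in "Credit Card Number" classification: raise the
# audit severity and show a Policy Tip to the sender instead of rejecting the message
New-TransportRule -Name 'Audit credit card numbers' -DlpPolicy 'PCI Audit' `
    -MessageContainsDataClassifications @(@{Name = 'Credit Card Number'; MinCount = '1'}) `
    -SetAuditSeverity High -NotifySender NotifyOnly

# DLP rules run in the Transport Rule agent on the Hub Transport service; any
# third-party agents that see messages in transit show up in the same list.
Get-TransportAgent -TransportService Hub | Select-Object Identity, Enabled, Priority
```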











