My blogspot: /CQman/
How to automate hiding disabled users from the address list in on-premises AD?
Requirements:
The customer's on-premises AD users are synchronized to Office 365 with Azure AD Connect. When an account in a synchronized OU is disabled on-premises, it should automatically be hidden from the address list in Exchange Online, without anyone editing attributes by hand.
Azure AD Connect is installed on the domain controller itself.
Solution:
Idea overview: create a scheduled task on the domain controller that fires on the Security event written when an account is disabled (event ID 4725) and runs a PowerShell script. The script looks for users in the synchronized OU that are disabled (Enabled = false) but do not yet have the msExchHideFromAddressLists attribute set, sets msExchHideFromAddressLists to TRUE and populates mailNickname, and then starts a delta synchronization with Start-ADSyncSyncCycle -PolicyType Delta so the change reaches Exchange Online right away instead of at the next 30-minute cycle. mailNickname has to be populated because Azure AD Connect's Exchange attribute rule ("In from AD - User Exchange") is scoped to objects that have a mailNickname; without it the hide flag is never exported.
Operational Steps:
- Copy the PowerShell commands below, change OU=G10,DC=ttt,DC=com to the distinguished name of the OU you synchronize, and save them as a .ps1 file in a folder that only administrators can write to (the task runs the file with elevated rights, so anyone who can edit it can run code as that account).
# Launch from the task as: powershell.exe -ExecutionPolicy Bypass -File <script>  (per-process; no need for Set-ExecutionPolicy Unrestricted, which weakens the machine-wide policy permanently)
Import-Module ActiveDirectory, ADSync
# Disabled users in the synchronized OU whose hide attribute is still unset
Get-ADUser -Filter "Enabled -eq 'False' -and msExchHideFromAddressLists -notlike '*'" -SearchBase "OU=G10,DC=ttt,DC=com" -Properties msExchHideFromAddressLists |
    ForEach-Object {
        # Hide from the GAL and populate mailNickname (AD Connect exports Exchange attributes only for objects that have one);
        # note this overwrites an existing mailNickname, i.e. the cloud alias, with the sAMAccountName
        Set-ADUser -Identity $_.DistinguishedName -Replace @{ msExchHideFromAddressLists = $true; mailNickname = $_.SamAccountName }
    }
Start-ADSyncSyncCycle -PolicyType Delta   # push the change now rather than waiting for the next scheduled cycle
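The same job as a script that can be run from the task unchanged; this is an added example, not the post's own script. It assumes the ActiveDirectory and ADSync modules are installed (true on an AD Connect server that is also a DC), a hypothetical log folder under ProgramData that the task account can write to, the hypothetical OU from the post, and an optional -SamAccountName parameter so a task that extracts TargetUserName from event 4725 can pass it (without it the script falls back to scanning the whole OU, as the post does). It also goes slightly beyond the post: it leaves an existing mailNickname alone, escapes the user name before building the LDAP filter, and retries the delta sync when a cycle is already running, which otherwise makes Start-ADSyncSyncCycle throw and the task end with a non-zero result.

```powershell
<#
  Hide-DisabledUser.ps1  (added example, not the original post's script)
  Hides disabled accounts from the address list and starts a delta sync.
  Assumes: ActiveDirectory and ADSync modules are present; the running
  account may write the two attributes in the OU and is a member of the
  local ADSyncAdmins group; the OU below is the hypothetical one from the post.
#>
[CmdletBinding()]
param(
    # Account named in the 4725 event (TargetUserName). When omitted, every
    # disabled, not-yet-hidden user in the OU is processed, which also catches
    # accounts disabled while the task or the sync service was unavailable.
    [string]$SamAccountName,
    [string]$SearchBase = 'OU=G10,DC=ttt,DC=com',
    [string]$LogPath    = "$env:ProgramData\HideDisabledUsers\run.log"   # hypothetical
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module ADSync          -ErrorAction Stop

New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null
function Write-Log([string]$Message) {
    "$(Get-Date -Format o)  $Message" | Add-Content -Path $LogPath
}

# LDAP filter: person objects with the ACCOUNTDISABLE bit (0x2) set in
# userAccountControl (bitwise-AND matching rule) whose hide attribute is absent or FALSE.
$clauses = @(
    '(objectCategory=person)', '(objectClass=user)',
    '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    '(!(msExchHideFromAddressLists=TRUE))'
)
if ($SamAccountName) {
    # Escape the characters that are special in LDAP filters (RFC 4515) so a
    # name taken from the event cannot widen the search.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29'
    $clauses += "(sAMAccountName=$safe)"
}
$filter = '(&' + ($clauses -join '') + ')'

$users = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
             -Properties msExchHideFromAddressLists, mailNickname)
if ($users.Count -eq 0) { Write-Log "Nothing to do for filter $filter"; exit 0 }

$failed = 0
foreach ($u in $users) {
    $changes = @{ msExchHideFromAddressLists = $true }
    # AD Connect's Exchange rule is scoped to objects with mailNickname set;
    # populate it only when missing so an existing cloud alias is not renamed.
    if (-not $u.mailNickname) { $changes['mailNickname'] = $u.SamAccountName }
    try {
        Set-ADUser -Identity $u.DistinguishedName -Replace $changes -ErrorAction Stop
        Write-Log "Hidden $($u.SamAccountName): set $($changes.Keys -join ', ')"
    } catch {
        $failed++
        Write-Log "FAILED $($u.SamAccountName): $($_.Exception.Message)"
    }
}

# Start-ADSyncSyncCycle throws if a cycle is already running (for example when
# two 4725 events arrive together); retry a few times instead of failing.
$started = $false
for ($attempt = 1; $attempt -le 5 -and -not $started; $attempt++) {
    try {
        Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop | Out-Null
        $started = $true
    } catch {
        Write-Log "Sync attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 30
    }
}
if (-not $started) { Write-Log 'Delta sync could not be started'; exit 1 }
Write-Log 'Delta sync started'
exit $failed   # non-zero becomes the task's "Last Run Result", so failures are visible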
- Create a scheduled task on the domain controller that hosts Azure AD Connect.
Graphical interface approach:
- Run taskschd.msc to open Task Scheduler.
- In Task Scheduler, click "Create Basic Task" in the Actions pane on the right.
- Fill in a name and description.
- Trigger: when an AD user is disabled, the domain controller that processed the change writes event 4725 ("A user account was disabled") to its Security log. Two things to check before relying on it: the event appears only on the DC that handled the disable, so in a domain with several DCs the task catches only changes made through this DC (make the change against this DC, or collect 4725 from all DCs with event forwarding); and it is written only when User Account Management success auditing is in effect, which is the default on domain controllers (verify with auditpol /get /subcategory:"User Account Management").
- Trigger type: "When a specific event is logged".
- Fill in Log, Source and Event ID:
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4725
- Action: "Start a program".
- Program/script: the path to powershell.exe (for example C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe). Add arguments: -ExecutionPolicy Bypass -File C:\automatically_hide_address_list.ps1 (adjust to where you saved the script). Start in: the folder that contains the script.
- Tick the checkbox that opens the task's Properties dialog when the wizard finishes (the account and run options in the next step live there), then continue.
- On the General tab, choose the account the task runs as. The post uses the domain Administrator account because it has every right the script needs and avoids "insufficient privilege" errors. A narrower choice is a dedicated service account, or a group managed service account that needs no stored password (registered from PowerShell, as the wizard cannot set one), delegated write access to msExchHideFromAddressLists and mailNickname on the OU and added to the local ADSyncAdmins group, which is what Start-ADSyncSyncCycle requires. Tick "Run whether user is logged on or not" and "Run with highest privileges".
- Enter the account's password when prompted.
- Once created, the task appears in the Task Scheduler Library.
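The same task created from PowerShell instead of the wizard, as an added example (not from the post). New-ScheduledTaskTrigger cannot create event triggers, so the trigger is built as a CIM object with the same XPath the wizard generates for Security/4725; its ValueQueries entry pulls TargetUserName out of the event so the script only has to touch the account that was just disabled. Assumptions: the script path and its -SamAccountName parameter are hypothetical; TTT\svc-hidegal$ is a hypothetical group managed service account that has been installed on this server, delegated write access to the two attributes on the OU, and added to the local ADSyncAdmins group; the registration is run from an elevated PowerShell on the AD Connect server.

```powershell
# Register-HideDisabledUserTask.ps1  (added example, not from the original post)
param(
    [string]$ScriptPath = 'C:\Scripts\Hide-DisabledUser.ps1',   # hypothetical script taking -SamAccountName
    [string]$RunAs      = 'TTT\svc-hidegal$',                   # hypothetical gMSA, member of ADSyncAdmins
    [string]$TaskName   = 'Hide disabled users from GAL'
)

# Same subscription the "When a specific event is logged" wizard page produces:
# Security log, provider Microsoft-Windows-Security-Auditing, event 4725.
$subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4725]]</Select>
  </Query>
</QueryList>
'@

$ns = 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass (Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace $ns) -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# ValueQueries: read TargetUserName (the sAMAccountName in 4725) from the event;
# the task can then reference it as $(TargetUser) in the action's arguments.
$query = New-CimInstance -CimClass (Get-CimClass -ClassName MSFT_TaskNamedValue -Namespace $ns) -ClientOnly
$query.Name  = 'TargetUser'
$query.Value = "Event/EventData/Data[@Name='TargetUserName']"
$trigger.ValueQueries = $query

# Per-process execution-policy bypass instead of a machine-wide Set-ExecutionPolicy.
# Single quotes keep $(TargetUser) literal for Task Scheduler to expand.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument ('-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{0}" -SamAccountName "$(TargetUser)"' -f $ScriptPath) `
    -WorkingDirectory (Split-Path -Parent $ScriptPath)

# gMSA: LogonType Password with no secret stored in the task; RunLevel Highest
# is the wizard's "Run with highest privileges".
$principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Highest

# Queue: if two accounts are disabled within seconds, the second run waits
# instead of being dropped; the time limit stops a hung sync from lingering.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 15) -AllowStartIfOnBatteries -DontStopOnIdleEnd

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force
```

To confirm the trigger was stored with the value query, export it with Export-ScheduledTask -TaskName 'Hide disabled users from GAL' and look for the ValueQueries element under EventTrigger; a test run is simply disabling a test account in the OU and checking the task's Last Run Result.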
Note: after the task runs, the Last Run Result column shows a result code. The common ones:
- 0 (0x0): the operation completed successfully.
- 1 (0x1): incorrect function; when the action is powershell.exe this usually means the script itself ended with an error or exit code 1.
- 10 (0xA): the environment is incorrect.
- 0x8009000F: object already exists (NTE_EXISTS); a plain access-denied result is reported as 0x80070005 (E_ACCESSDENIED).
Verification:
- Before: the test user T23 is enabled and visible in the address list.
- Disable T23 in Active Directory Users and Computers.
- Disabling T23 writes event 4725 to the Security log on the domain controller.
- The scheduled task fires automatically and finishes with result 0x0.
- In the user's attributes, mailNickname is now set to the sAMAccountName and msExchHideFromAddressLists is TRUE.
- After the delta sync, the user shows as sign-in blocked in Office 365.
- In the Exchange admin center the user's "Hide from address lists" option is enabled.