shamikghosh84 asked:

synched too many AD objects

We had a problem where the AD Sync connector was not synchronising any new AD objects past a certain date, and previously it was set up to only sync from a certain OU. I know little about Azure AD but was asked to troubleshoot, and guessed that the reason the connector wasn't working was because there were no domain partitions selected, nor were any of the run configurations filled with any steps; it appeared somehow this config was lost. So I have reselected the domain partition on the local adsync connector and populated the run configurations with the necessary steps, and now it appears too many AD objects have synched to Azure AD. The issue I have is that we have lost the password for the service account used for the adsync, so we will need to reset it first in order to filter by OU, but if we do that, will the excessive objects in Azure AD automatically get removed or will they remain? If they remain, how can they be removed from Azure AD (because we want only objects from one OU being synched to the cloud) but left to remain on our on-prem AD?

Tags: azure-active-directory, azure-ad-connect

michev answered:

If you apply any sort of filter, either by OU/domain or by using rules, the corresponding objects will be removed from Azure AD.


JankeSkanke answered:

Hi, first off, you do not need the password for the sync account in Azure AD to change your sync scope. The only thing you need is to re-run the wizard and change your scope settings again in the wizard. That is the easiest way to change this. If you go in through the sync engine, you can actually use any account with permissions in AD to change the settings; it will not replace the service account actually being used for sync. In fact, if you allowed AAD Connect to create the service account on your behalf, you would never know the password of this account at all.

Secondly, you must be aware that there is a fail-safe implemented in AAD Connect (prevent accidental deletes). So if the scope change deletes more than 500 items, it will halt and you need to go into PowerShell to temporarily disable the fail-safe using the cmdlet Enable-ADSyncExportDeletionThreshold

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

Hope this helps.

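Added example (not part of the thread or of Microsoft's documentation): the end-to-end procedure the two answers describe, typed on the Azure AD Connect server as a local administrator. The OU filter itself is changed in the wizard (step 2), which needs no password for the AD DS sync account; the ADSync cmdlets below are the ones the linked doc names, and the cmdlet that turns the fail-safe off is Disable-ADSyncExportDeletionThreshold, with Enable-ADSyncExportDeletionThreshold used afterwards to switch it back on. Both prompt for an Azure AD global administrator credential, again not the on-prem sync account. The 500 figure is the default threshold; the 30-second polling interval is an arbitrary choice for the example.

```powershell
# Added example for this thread, not code from the original posts.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# 1. Stop the scheduler so nothing is exported while the scope is being changed.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Change the scope manually: Azure AD Connect wizard > Customize synchronization
#    options > Domain and OU filtering, tick only the OU that should reach the cloud,
#    and leave "Start the synchronization process when configuration completes" unticked.

# 3. Confirm the accidental-delete fail-safe is on and what its limit is (default 500).
Get-ADSyncExportDeletionThreshold

# Helper: start a sync cycle and block until the scheduler reports it has finished.
function Invoke-SyncAndWait {
    param([ValidateSet('Initial', 'Delta')][string]$PolicyType)
    Start-ADSyncSyncCycle -PolicyType $PolicyType
    do {
        Start-Sleep -Seconds 30
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

# 4. A scope change needs a full import and full sync, so run an Initial cycle.
#    Objects that fell out of the new scope become pending deletes on the Azure AD
#    connector; they stay untouched in on-prem AD.
Invoke-SyncAndWait -PolicyType 'Initial'

# 5. In Synchronization Service Manager > Operations, check the Export step of the
#    Azure AD connector. If more than the threshold were to be deleted, the export
#    is halted with status stopped-deletion-threshold-exceeded. Review the pending
#    deletes there; only continue if they are exactly the out-of-scope objects.

# 6. Expected deletes: temporarily turn the fail-safe off, export, turn it back on.
Disable-ADSyncExportDeletionThreshold            # prompts for Azure AD global admin credentials
Invoke-SyncAndWait -PolicyType 'Delta'           # the halted export now completes
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

# 7. Resume the normal 30-minute scheduler.
Set-ADSyncScheduler -SyncCycleEnabled $true
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress
```

Do not skip step 5: with the threshold disabled, every pending delete is exported, so if the wrong OU was selected in the wizard, the objects removed from Azure AD are exactly the ones you still want in the cloud. Re-enabling the threshold immediately after the one-off export keeps the fail-safe in place for the next mistake.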