question

0 Votes
ST-3307 asked ·

Changed from all OU to single OU and users outside of scope are not removed.

We have run the full sync options in the sync client as suggested in other places with no luck. The amount of deletions is under the default threshold. New users are synchronising, so Azure AD Sync is working.

azure-active-directory

1 Vote
ST-3307 answered ·

I managed to "fix" this.

Since the sync service wasn't showing any deletes in the queue, I went back into the ADSync wizard and told it to sync the entire directory. Waited for it to complete, returned to the ADSync wizard and selected my single OU. The sync service then said there were a good number of deletions; it took a while, but they applied online eventually.


I basically turned it off and on again... should have realised.


0 Votes
amanpreetsingh-msft answered ·

Hi @ST-3307,

In Azure AD Connect, prevent accidental deletes is enabled by default and configured to not allow an export with more than 500 deletes. If you have more than 500 users to be deleted, you need to disable it by using the cmdlets below:

  1. To retrieve the current deletion threshold, run the PowerShell cmdlet Get-ADSyncExportDeletionThreshold. Provide an Azure AD Global Administrator account and password. The default value is 500.

  2. To temporarily disable this protection and let those deletes go through, run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold. Provide an Azure AD Global Administrator account and password.

  3. With the Azure Active Directory Connector still selected, select the action Run and select Export.

  4. To re-enable the protection, run the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500. Replace 500 with the value you noticed when retrieving the current deletion threshold. Provide an Azure AD Global Administrator account and password.


After Disable-ADSyncExportDeletionThreshold, run a full sync cycle.


Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

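The four steps in the answer above, scripted so that the deletion-threshold protection is restored even if the export fails part-way. This is an added example, not code from the thread or from Microsoft; it assumes the ADSync module on the Azure AD Connect server, that Get-ADSyncExportDeletionThreshold returns the threshold as a number, that the *-ADSyncExportDeletionThreshold cmdlets accept -AADCredential, and it uses a full (Initial) sync cycle in place of the manual Run > Export click in step 3, as the follow-up in the answer suggests.

```powershell
# Added example: lift the export deletion threshold only for one full sync
# cycle and put it back afterwards, whatever happens in between.
# Assumption: ADSync module is present (Azure AD Connect server).
Import-Module ADSync

# Azure AD Global Administrator credential, prompted once and reused.
$aadCred = Get-Credential -Message 'Azure AD Global Administrator'

# Step 1: record the current threshold so it can be restored exactly.
# Assumption: the cmdlet returns the numeric threshold (default 500).
$originalThreshold = Get-ADSyncExportDeletionThreshold -AADCredential $aadCred
Write-Host "Current export deletion threshold: $originalThreshold"

# Refuse to start while the scheduler is already running a cycle.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; wait for it and rerun.'
}

try {
    # Step 2: temporarily disable the protection.
    Disable-ADSyncExportDeletionThreshold -AADCredential $aadCred
    Write-Host 'Deletion threshold disabled.'

    # Step 3 (scripted variant): full import + sync + export on all connectors.
    Start-ADSyncSyncCycle -PolicyType Initial

    # The cycle runs asynchronously; poll the scheduler until it finishes.
    Start-Sleep -Seconds 15
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Host 'Full sync cycle still running...'
        Start-Sleep -Seconds 30
    }
    Write-Host 'Full sync cycle finished.'
}
finally {
    # Step 4: always re-enable with the value captured in step 1, even if
    # the sync threw, so the server is never left without the protection.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $originalThreshold `
        -AADCredential $aadCred
    Write-Host "Deletion threshold re-enabled at $originalThreshold."
}
```

Check the export run in the Synchronization Service manager afterwards to confirm the number of deletes actually applied matches what was staged in the connector space.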

The objects are below 500 (500 users or objects?) thus saying it was below the threshold.

I disabled it anyway and tried again with no luck.

0 Votes

@ST-3307 If you search the on-prem connector space by using the Synchronization Service management tool, do you still see the objects of the non-sync OU? When an OU is not in sync scope, its objects should be removed from the connector space after a full sync. Maybe you can try running a full Import only on the on-prem connector first and make sure non-sync OU objects are not staged in the on-prem connector space.

0 Votes
ST-3307 replied to amanpreetsingh-msft ·

I looked at that and it seems to have everything regardless of OU.

I ran the wizard again and made sure it was pointed to just the one OU, and it had remembered my last settings but I still committed it.

Checked the service management (full import) and it has only the single OU and a few odd accounts from other OUs (but certainly not all).

Did full sync and checked online but all the accounts are still there.

We just moved a few accounts out of the single OU, and the service management tool showed them as deletions. But they still exist online.

Edit: Sorry, the users moved did get deleted (the search isn't clear about whether someone is in the deleted items online). So it is removing users I have moved out of that OU, but not ones that aren't in that OU and aren't supposed to be there.


If it helps, most of these (but not all) were domain.local users converted to domain.onmicrosoft.com, but it says the source is Windows Server AD, so they cannot be deleted manually.

0 Votes