TripodGG-3715 asked EmilBabayev-2837 answered

msExchHideFromAddressList in AWS Managed AD

I have a somewhat interesting situation that I cannot seem to solve. In short, I have an intern that left the company in 2020, had his "Show in Address List" removed prior to us syncing with ADConnect, and has returned in 2021 (after we started syncing with ADConnect). I cannot update his user object to show in the GAL.

Now for the longer version.

I recently migrated our org to AWS with Managed AD. In the past, we were not utilizing ADConnect (it was ADSync back when we first looked at it and that was terrible), but given the improvements from ADSync to ADConnect, I opted to move forward. This is where the problem started. Amazon does not grant anyone Global Admin to their AWS Managed AD. Rather, they give you delegated administrative access via AWS administrative groups. The unfortunate part of this is you are not a proper admin over your domain, which includes the Schema Admin group. So mounting an Exchange iso and running Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema is not possible.

I have followed all necessary steps from Amazon to add the msExchHideFromAddressList attribute to the schema (AWS requires an LDIF to do schema updates); however, the attribute is not available in the Attribute Editor on the user objects. I have verified I can see the attribute in ADSI, so I know it was properly added. I just can't update the value through AD.

Given this, I tried creating ADConnect Sync rules to map the msDS-cloudExtensionAttribute1 to msExchHideFromAddressList with the following settings:
FlowType: Expression
Target Attribute: msDS-cloudExtensionAttribute1
Source: IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="ShowInGAL",True,False),NULL)

...but that doesn't seem to work. I've jumped through every possible search I can think of, but I've exhausted all the options that the Google box has provided. AWS has made many things much easier for me, but the few things I can't do are causing me major headaches.

At this point, it doesn't really matter to me how this gets solved, just so that it does. Please help, friends.


@TripodGG-3715

Where is your Exchange installed? If you install Exchange on the local AD, the msExchHideFromAddressList attribute will exist on local AD accounts by default. Adding this attribute in other ways may not be useful.
Based on your description, I think this question is more related to AD sync. I would suggest you add the related tag on this thread.


My apologies for taking forever to reply to this thread - one fire after another to put out. I also never received notification of your response. I'll need to verify my settings.

So, I think there may be some confusion here. We are using Office 365 exclusively. We utilize Exchange Online hosted by Microsoft - there is no in-house Exchange server. Additionally, I mentioned that Amazon does not give you Global Admin over the AWS Managed AD. This means I don't have access to the DC. I can make changes to AD via the AD Tools, but I don't have direct access to the DC because I am not a Domain Admin. I am an AWS Delegate Admin (which is annoying in its own right).

I don't understand why the attribute is showing in ADSI but not in the attribute editor of an object. I would like to just set the attribute to true or false, but I'll work with an ADConnect rule if at the end of the day it works.

Thoughts?


1 Answer

EmilBabayev-2837 answered

I also took up this challenge. After you have added the attribute to the schema, you should update the existing elements. It helped me. Good luck)

# ==================================================================
#  Update existing schema elements
# ==================================================================

# Update element: user
# Add the new attribute (referenced by its OID) to the User class's
# mayContain list so it becomes an optional attribute of user objects.
dn: cn=User,cn=Schema,cn=Configuration,dc=example,dc=com
changetype: modify
add: mayContain
# mayContain: ms-Exch-Hide-From-Address-Lists
mayContain: 1.2.840.113556.1.4.7000.102.73
-

# Force the schema cache to reload so the change is visible immediately
# (rootDSE operation, hence the empty dn).
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
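As an added example (not from the thread and not AWS or Microsoft code), the checks that follow verify the two schema conditions discussed above and then set the attribute on a user via the RSAT module. It assumes the ActiveDirectory PowerShell module, a delegated account allowed to write user attributes, the OID from the LDIF above, and placeholder values for $SamAccountName and the domain.

```powershell
# Added example: confirm the schema extension is usable on user objects, then set it.
# Assumptions: RSAT ActiveDirectory module; the attribute and mayContain LDIFs above
# have been applied; $SamAccountName is a placeholder account name.
param(
    [string]$SamAccountName = 'returning.intern',   # placeholder
    [bool]$HideFromAddressLists = $false            # $false = show in the GAL
)
Import-Module ActiveDirectory

# The OID used in the LDIF in the answer; resolve the attribute by OID rather
# than hard-coding its lDAPDisplayName.
$attrOid  = '1.2.840.113556.1.4.7000.102.73'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(attributeID=$attrOid)" `
            -Properties lDAPDisplayName, attributeSyntax
if (-not $attr) {
    throw "Attribute $attrOid is not in the schema; apply the attribute LDIF first."
}
$ldapName = $attr.lDAPDisplayName

# Check 1: the attribute must be in the User class's mayContain. Without this the
# attribute exists in ADSI but the Attribute Editor never offers it on a user,
# which is the mismatch described in the question.
$userClass = Get-ADObject -Identity "CN=User,$schemaNC" -Properties mayContain
if ($userClass.mayContain -notcontains $ldapName) {
    throw "$ldapName is not in mayContain of the User class; apply the mayContain LDIF."
}

# Check 2: the attribute uses Boolean syntax (2.5.5.8), so write TRUE/FALSE,
# not the string "ShowInGAL" that the sync-rule attempt compared against.
if ($attr.attributeSyntax -ne '2.5.5.8') {
    Write-Warning "Unexpected attributeSyntax $($attr.attributeSyntax); expected Boolean 2.5.5.8."
}

# Set the value directly on the user. -Replace works for a single-valued
# attribute whether or not it is currently populated.
Set-ADUser -Identity $SamAccountName -Replace @{ $ldapName = $HideFromAddressLists }

# Read it back to confirm the write (a placeholder account returns an error here).
(Get-ADUser -Identity $SamAccountName -Properties $ldapName).$ldapName
```

After a schema extension, Azure AD Connect keeps using its cached schema until you run the "Refresh directory schema" task in the wizard, so the new attribute will not flow to Exchange Online until that refresh and a subsequent sync cycle have completed.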