Office 365 \ DirSync – Hide User from Address Book – What To Do When ADSI Edit Isn’t Enough


As a sysadmin, what is more frustrating than when something seemingly simple ends up taking much longer than you think it should?  Hopefully these steps will save you some of the aggravation I experienced working my way through this.

Scenario:

  • you are in an Office 365 \ DirSync environment
  • you need to hide a user from the address book
  • you’ve tried some or all of the following steps to no avail:
    1. Hiding it via the Office 365 Exchange Admin Center and received an error:
      • The operation on mailbox “Mr Yuk” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘Mr Yuk’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization
    2. Trying the same via PowerShell connected to Office 365 and received an error:
      • The action ‘Set-Mailbox’ failed because the object is being synchronized from your on-premises organization.
    3. Used ADSI Edit to change the user’s msExchHideFromAddressLists attribute to True and waited for DirSync to, der, sync.
    4. Googled it.
    5. Wrote your unsuccessful Google search terms on a filthy piece of cardboard and stood at a busy intersection, hoping that a kindly fellow admin would drive by with the answer and take pity on your poor soul.

Step 3 is typically all you need (or, step 4 and / or 5 to find out about step 3).  However, I found myself beating my head against a wall because, in my case, it just was not working.  Below are the steps that got this to work in our environment (I’m including the ADSI stuff to boot):

  1. On your domain controller, open ADSI Edit
    1. Find the user in question and right-click > Properties
    2. Change the value for attribute msExchHideFromAddressLists to TRUE [screenshot: adsi.jpg]
  2. On your DirSync server, open Synchronization Rules Editor AS AN ADMIN (right-click > Run as Administrator).  I originally did not open it as admin and spent fifteen minutes clicking hither and yon with nary a result.
    1. Select the rule named “In from AD – User Common” and click Edit
    2. Click YES to create an editable copy of the rule [screenshot: syncrulesedit.jpg]
    3. Change Precedence to 500, leave all other settings alone, and click Next
    4. Make no changes to “Add scoping filters” and click Next
    5. Do the same for “Add join rules”
    6. Click “Add transformation.”  It will look like nothing happened.  That is because the new field was added to the bottom of the list.  Scroll all the way down and configure the new transformation as follows:
      • FlowType = Direct
      • Target Attribute = msExchHideFromAddressLists
      • Source = msExchHideFromAddressLists
      • Apply Once = NO (leave unchecked)
      • Merge Type = Update
    7. Click Save (I received an Expression Warning while saving and clicked Yes to continue). [screenshot: syncrulesedit2]
  3. On the same server, open Synchronization Service Manager and go to Actions > Run > Full Synchronization
  4. Once the sync is complete, sign back into the Office 365 admin portal
    1. Go to Exchange Admin Center > recipients > mailboxes and find the user in question
    2. View their properties and PRESTO CHANGE-O, your user is hidden! [screenshot: Office365hide.jpg]
  5. Test it with OWA as well.  Compose a new message and click To: to view your company’s address book.  Do a search for this user; they should no longer show up.
    • If you test with an Outlook client instead, remember to manually update your address book if you are using cached mode!  Otherwise you might feel the urge to scream rising back up again before you realize you’ve overlooked something pretty basic (I am speaking from experience!).
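The same procedure scripted end to end, as an added example that is not from the original post. It makes the change at the source of authority (the on-prem object, which is exactly what the “out of the current user’s write scope” error is pointing you to), checks that some sync rule actually flows msExchHideFromAddressLists before kicking off the sync, and then confirms the result in Exchange Online. It assumes the ActiveDirectory RSAT module on the box where you run the on-prem part, the ADSync PowerShell module on the sync server (Azure AD Sync / Azure AD Connect; the original DirSync tool used different cmdlets), and an already-open Exchange Online session. The account name and the rule-name filter are placeholders.

```powershell
# Added example (not the original post's code). Assumes: ActiveDirectory module
# on-prem, ADSync module on the sync server, and an open Exchange Online session.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,      # placeholder: the user to hide
    [string]$RuleNameFilter = '*User Common*'            # matches the original rule and your copy
)

# --- 1. On-premises: the on-prem object is authoritative, so the attribute
#        must be changed here; the cloud refuses direct edits on synced objects.
Import-Module ActiveDirectory
Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $true }

$user = Get-ADUser -Identity $SamAccountName -Properties msExchHideFromAddressLists
if (-not $user.msExchHideFromAddressLists) {
    throw "msExchHideFromAddressLists is still not TRUE on-prem for $SamAccountName"
}

# --- 2. Sync server: confirm a rule flows the attribute at all. The stock
#        "In from AD - User Common" rule may not carry it, which is why the
#        ADSI Edit change alone can sit there forever without reaching the cloud.
Import-Module ADSync
$flows = Get-ADSyncRule | Where-Object { $_.Name -like $RuleNameFilter } | ForEach-Object {
    $rule = $_
    $rule.AttributeFlowMappings |
        Where-Object { $_.Destination -eq 'msExchHideFromAddressLists' } |
        Select-Object @{ n = 'Rule'; e = { $rule.Name } },
                      @{ n = 'Precedence'; e = { $rule.Precedence } },
                      Source, Destination, FlowType
}
if (-not $flows) {
    throw "No rule matching '$RuleNameFilter' flows msExchHideFromAddressLists; add the transformation in Synchronization Rules Editor first"
}
$flows | Format-Table -AutoSize

# --- 3. Run a full import + full sync (the scripted equivalent of
#        Synchronization Service Manager > Actions > Run > Full Synchronization).
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw 'A sync cycle is already running; wait for it to finish and re-run'
}
Start-ADSyncSyncCycle -PolicyType Initial

# --- 4. Exchange Online: verify the change landed. IsDirSynced confirms the
#        mailbox is mastered on-prem. Assumes the cloud alias matches the
#        sAMAccountName; pass the UPN instead if it does not.
$mbx = Get-Mailbox -Identity $SamAccountName |
       Select-Object DisplayName, IsDirSynced, HiddenFromAddressListsEnabled
$mbx
if (-not $mbx.HiddenFromAddressListsEnabled) {
    Write-Warning 'Not hidden yet: let the sync cycle finish, re-run this check, and refresh the Outlook offline address book if you are testing in cached mode.'
}
```

The rule check in step 2 is the piece worth keeping even if you do the rest by hand: if it prints nothing, no amount of ADSI editing and re-syncing will move the attribute, and the fix is the transformation in the Synchronization Rules Editor, not another sync.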

If this helps or if I’ve missed something, please comment.

Thanks!