Active Directory provides a powerful way of retrieving data through the use of LDAP filters. Directory Synchronization exposes three filters during the creation of a synchronization profile: User OU Filter, Group OU Filter, and Device OU Filter, whose defaults are:
- Users: (&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))
- Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))
- Devices: (&(!(adminDescription=Created By DirSync))(objectClass=computer)(!(primaryGroupID=516)))
These filters are per organizational unit and apply to sub-OUs when the Sync Sub-OUs option is selected.
Modifying these filters requires a basic understanding of the attributes, their value representations, and their data types. LDAP filters support any number of options including filtering by date ranges, wildcards, and the use of bitmasks as in the userAccountControl property.
The use of the objectClass and objectCategory properties can greatly reduce the number of records retrieved resulting in improved performance. You may use other attributes to further restrict your results.
The following are common examples of queries and their LDAP query syntax.
- Selecting users that are part of the ‘Accounting’ department: (&(objectClass=User)(objectCategory=Person)(department=Accounting))
- Selecting mailbox-enabled users: (&(objectClass=User)(objectCategory=Person)(homeMDB=*))
- Selecting mail-enabled users and contacts: (|(&(objectClass=User)(objectCategory=Person)(!(homeMDB=*)))(objectClass=Contact))
- Selecting users created after January 1, 2011: (&(objectClass=User)(objectCategory=Person)(whenCreated>=20110101000000.0Z))
- Selecting distribution lists: (&(objectClass=Group)(groupType=2))
Binary Tree recommends that you use the Active Directory Users and Computers management console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.
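A filter can also be rehearsed offline before it goes into a profile. The Python sketch below is an added example, not Binary Tree code: it parses a strict subset of LDAP filter syntax, rejects malformed filters, and shows which objects the default Users and Devices filters select. The sample entries and the ENABLED_USERS filter (which uses the userAccountControl bitmask) are constructed for illustration, and Active Directory's own parser remains the authority.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
ITEM = re.compile(r"([A-Za-z][\w;-]*)(:%s:=|>=|<=|=)([^()]*)\Z" % re.escape(BIT_AND))

def parse(text):
    """Parse an LDAP filter (RFC 4515 subset); raise ValueError if malformed."""
    node, pos = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

def _parse_at(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse_at(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError(f"'{op}' needs at least one sub-filter")
        node = (op, kids)
    elif s[i:i + 1] == "!":
        kid, i = _parse_at(s, i + 1)  # '!' must wrap a parenthesised filter
        node = ("!", [kid])
    else:
        end = s.find(")", i)
        m = ITEM.match(s[i:end]) if end != -1 else None
        if not m:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = ("item",) + m.groups(), end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against {lowercase_attribute: [values]}."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":  # absent attribute: inner test is False, so NOT is True
        return not matches(node[1][0], entry)
    _, attr, op, want = node
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    want = want.lower()
    if op == f":{BIT_AND}:=":
        return any((int(v) & int(want)) == int(want) for v in values)
    if op == "=":  # '*' is a wildcard; a bare '*' is a presence test
        glob = ".*".join(re.escape(p) for p in want.split("*"))
        return any(re.fullmatch(glob, v, re.S) for v in values)
    return any(v >= want if op == ">=" else v <= want for v in values)  # string ordering

PERSON = ["top", "person", "organizationalPerson", "user"]  # computers carry these too
ENTRIES = {  # constructed sample entries, not from a real directory
    "alice": {"objectclass": PERSON, "useraccountcontrol": ["512"]},
    "bob": {"objectclass": PERSON, "useraccountcontrol": ["514"]},  # bit 2 set: disabled
    "synced": {"objectclass": PERSON, "admindescription": ["Created By DirSync"]},
    "WS01$": {"objectclass": PERSON + ["computer"], "primarygroupid": ["515"]},
    "DC01$": {"objectclass": PERSON + ["computer"], "primarygroupid": ["516"]},  # domain controller
}
USERS = "(&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))"
DEVICES = "(&(!(adminDescription=Created By DirSync))(objectClass=computer)(!(primaryGroupID=516)))"
ENABLED_USERS = f"(&{USERS}(!(userAccountControl:{BIT_AND}:=2)))"  # hypothetical tightening

def select(filter_text, entries=ENTRIES):
    """Names of the entries a filter would pick up; ValueError if it is invalid."""
    tree = parse(filter_text)
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

With the sample entries, select(USERS) leaves out the computer accounts and the object already created by DirSync, and select(DEVICES) leaves out the domain controller whose primaryGroupID is 516.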
Active Directory provides a powerful way of retrieving data through the use of LDAP filters. Directory Synchronization exposes two filters during the creation of a synchronization profile: User OU Filter and Group OU Filter, whose defaults are:
- Users: (&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))
- Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))
The table below displays the default values of the AD Source to AD Target mapping table.
Source Field | Internal Field | Target Field | Source Type | Target Type 1 | Target Type 2 | Comments |
---|---|---|---|---|---|---|
accountExpires | AccountExpires | accountExpires | any | any | | |
altRecipient | ForwardingAddress | altRecipient | any | any | | |
assistant | Assistant | | any | any | | |
authOrig | AuthOrig | authOrig | any | any | | |
C | CountryAbbreviation | C | any | any | | |
cn | CommonName | cn | any | any | | |
Co | CountryName | Co | any | any | | |
codePage | CodePage | codePage | any | any | | |
Comment | Comment | Comment | any | any | | |
company | Company | company | any | any | | |
countryCode | CountryCode | countryCode | any | any | | |
deletedItemFlags | DeletedItemFlags | deletedItemFlags | any | any | | |
delivContLength | DelivContLength | delivContLength | any | any | | |
department | Department | department | any | any | | |
departmentNumber | DepartmentNumber | departmentNumber | any | any | | |
description | Description | description | any | any | | |
displayName | DisplayName | displayName | any | any | | |
division | Division | division | any | any | | |
dLMemSubmitPerms | DLMemSubmitPerms | dLMemSubmitPerms | any | any | | |
dLMemRejectPerms | DLMemRejectPerms | dLMemRejectPerms | any | any | | |
employeeID | EmployeeID | employeeID | any | any | | |
employeeNumber | EmployeeNumber | employeeNumber | any | any | | |
employeeType | EmployeeType | employeeType | any | any | | |
expirationTime | ExpirationTime | expirationTime | any | any | | |
extensionAttribute1 | Extension1 | extensionAttribute1 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute10 | Extension10 | extensionAttribute10 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute11 | Extension11 | extensionAttribute11 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute12 | Extension12 | extensionAttribute12 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute13 | Extension13 | extensionAttribute13 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute14 | Extension14 | extensionAttribute14 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute15 | Extension15 | extensionAttribute15 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute2 | Extension2 | extensionAttribute2 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute3 | Extension3 | extensionAttribute3 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute4 | Extension4 | extensionAttribute4 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute5 | Extension5 | extensionAttribute5 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute6 | Extension6 | extensionAttribute6 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute7 | Extension7 | extensionAttribute7 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute8 | Extension8 | extensionAttribute8 | any | any | | These are Exchange defined custom attributes. |
extensionAttribute9 | Extension9 | extensionAttribute9 | any | any | | These are Exchange defined custom attributes. |
facsimileTelephoneNumber | OfficeFAXNumber | facsimileTelephoneNumber | any | any | | |
generationQualifier | Suffix | generationQualifier | any | any | | |
givenName | FirstName | givenName | any | any | | |
homePhone | HomePhoneNumber | homePhone | any | any | | |
HomePostalAddress | HomePostalAddress | HomePostalAddress | any | any | | |
Info | Info | Info | any | any | | |
initials | Initials | initials | any | any | | |
internationalISDNNumber | InternationalISDNNumber | internationalISDNNumber | any | any | | |
internetEncoding | internetEncoding | internetEncoding | any | any | | |
ipPhone | IPPhone | ipPhone | any | any | | |
jpegPhoto | JPEGPhoto | jpegPhoto | any | any | | |
l | OfficeCity | l | any | any | | |
language | Language | language | any | any | | |
legacyExchangeDN | LegacyExchangeDN | legacyExchangeDN | any | any | | Created using the source object's GUID as the CN. |
localeID | LocaleID | localeID | any | any | | |
| | InternetAddress | | any | any | | |
mailNickname | PrimaryAlias | mailNickname | any | any | | |
manager | Manager | | any | any | | |
mAPIRecipient | MAPIRecipient | mAPIRecipient | any | any | | |
middleName | MiddleName | middleName | any | any | | |
mobile | CellPhoneNumber | mobile | any | any | | |
msDS-PhoneticCompanyName | msDSPhoneticCompanyName | msDS-PhoneticCompanyName | any | any | | |
msDS-PhoneticDepartment | msDSPhoneticDepartment | msDS-PhoneticDepartment | any | any | | |
msDS-PhoneticDisplayName | msDSPhoneticDisplayName | msDS-PhoneticDisplayName | any | any | | |
msDS-PhoneticFirstName | msDSPhoneticFirstName | msDS-PhoneticFirstName | any | any | | |
msDS-PhoneticLastName | msDSPhoneticLastName | msDS-PhoneticLastName | any | any | | |
msExchAddressBookFlags | msExchAddressBookFlags | msExchAddressBookFlags | any | any | | |
msExchALObjectVersion | msExchALObjectVersion | msExchALObjectVersion | any | any | | |
msExchArchiveGuid | msExchArchiveGuid | msExchArchiveGuid | any | any | | |
msExchArchivename | msExchArchivename | msExchArchivename | any | any | | |
msExchAssistantName | msExchAssistantName | msExchAssistantName | any | any | | |
msExchBlockedSendersHash | msExchBlockedSendersHash | msExchBlockedSendersHash | any | any | | |
msExchBypassAudit | msExchBypassAudit | msExchBypassAudit | any | any | | |
msExchELCExpirySuspensionEnd | msExchELCExpirySuspensionEnd | msExchELCExpirySuspensionEnd | any | any | | |
msExchELCExpirySuspensionStart | msExchELCExpirySuspensionStart | msExchELCExpirySuspensionStart | any | any | | |
msExchELCMailboxFlags | msExchELCMailboxFlags | msExchELCMailboxFlags | any | any | | |
msExchExternalOOFOptions | msExchExternalOOFOptions | msExchExternalOOFOptions | any | any | | |
msExchHideFromAddressLists | msExchHideFromAddressLists | msExchHideFromAddressLists | any | any | | |
msExchMailboxAuditEnable | msExchMailboxAuditEnable | msExchMailboxAuditEnable | any | any | | |
msExchMailboxAuditLogAgeLimit | msExchMailboxAuditLogAgeLimit | msExchMailboxAuditLogAgeLimit | any | any | | |
msExchMailboxGuid | msExchMailboxGUID | msExchMailboxGuid | any | any | | |
msExchMDBRulesQuota | msExchMDBRulesQuota | msExchMDBRulesQuota | any | any | | |
msExchMessageHygieneFlags | msExchMessageHygieneFlags | msExchMessageHygieneFlags | any | any | | |
msExchMessageHygieneSCLDeleteThreshold | msExchMessageHygieneSCLDeleteThreshold | msExchMessageHygieneSCLDeleteThreshold | any | any | | |
msExchMessageHygieneSCLJunkThreshold | msExchMessageHygieneSCLJunkThreshold | msExchMessageHygieneSCLJunkThreshold | any | any | | |
msExchMessageHygieneSCLQuarantineThreshold | msExchMessageHygieneSCLQuarantineThreshold | msExchMessageHygieneSCLQuarantineThreshold | any | any | | |
msExchMessageHygieneSCLRejectThreshold | msExchMessageHygieneSCLRejectThreshold | msExchMessageHygieneSCLRejectThreshold | any | any | | |
msExchModerationFlags | msExchModerationFlags | msExchModerationFlags | any | any | | |
msExchPoliciesExcluded | msExchPoliciesExcluded | msExchPoliciesExcluded | any | any | | |
msExchPoliciesIncluded | msExchPoliciesIncluded | msExchPoliciesIncluded | any | any | | |
msExchProvisioningFlags | msExchProvisioningFlags | msExchProvisioningFlags | any | any | | |
msExchRecipientDisplayType | msExchRecipientDisplayType | msExchRecipientDisplayType | any | any | | This mapping is ignored and msExchRecipientDisplayType is set to 6 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled. |
msExchRecipientTypeDetails | msExchRecipientTypeDetails | msExchRecipientTypeDetails | any | any | | This mapping is ignored and msExchRecipientTypeDetails is set to 128 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled. |
msExchRequireAuthToSendTo | msExchRequireAuthToSendTo | msExchRequireAuthToSendTo | any | any | | |
msExchResourceCapacity | msExchResourceCapacity | msExchResourceCapacity | any | any | | |
msExchResourceDisplay | msExchResourceDisplay | msExchResourceDisplay | any | any | | |
msExchResourceMetaData | msExchResourceMetaData | msExchResourceMetaData | any | any | | |
msExchResourceSearchProperties | msExchResourceSearchProperties | msExchResourceSearchProperties | any | any | | |
msExchSafeRecipientsHash | msExchSafeRecipientsHash | msExchSafeRecipientsHash | any | any | | |
msExchSafeSendersHash | msExchSafeSendersHash | msExchSafeSendersHash | any | any | | |
msExchTransportRecipientSettingsFlags | msExchTransportRecipientSettingsFlags | msExchTransportRecipientSettingsFlags | any | any | | |
msExchUMDtmfMap | msExchUMDtmfMap | msExchUMDtmfMap | any | any | | |
msExchUMSpokenName | msExchUMSpokenName | msExchUMSpokenName | any | any | | |
msExchUserCulture | msExchUserCulture | msExchUserCulture | any | any | | |
msExchVersion | msExchVersion | msExchVersion | any | any | | |
name | Name | name | any | any | | |
O | O | O | any | any | | |
objectGUID | AdminDisplayName | adminDisplayName | any | any | | |
otherFacsimileTelephoneNumber | OtherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber | any | any | | |
otherHomePhone | OtherHomePhone | otherHomePhone | any | any | | |
otherIpPhone | OtherIpPhone | otherIpPhone | any | any | | |
otherMobile | OtherMobile | otherMobile | any | any | | |
otherPager | OtherPager | otherPager | any | any | | |
otherTelephone | OtherTelephone | otherTelephone | any | any | | |
pager | PagerNumber | pager | any | any | | |
personalPager | PersonalPager | personalPager | any | any | | |
personalTitle | PersonalTitle | personalTitle | any | any | | |
Photo | Photo | Photo | any | any | | |
physicalDeliveryOfficeName | Location | physicalDeliveryOfficeName | any | any | | Important, particularly for printers. |
pOPCharacterSet | POPCharacterSet | pOPCharacterSet | any | any | | |
pOPContentFormat | POPContentFormat | pOPContentFormat | any | any | | |
postalAddress | PostalAddress | postalAddress | any | any | | |
postalCode | OfficeZip | postalCode | any | any | | |
postOfficeBox | PostOfficeBox | postOfficeBox | any | any | | |
preferredDeliveryMethod | PreferredDeliveryMethod | preferredDeliveryMethod | any | any | | |
primaryInternationalISDNNumber | PrimaryInternationalISDNNumber | primaryInternationalISDNNumber | any | any | | |
primaryTelexNumber | PrimaryTelexNumber | primaryTelexNumber | any | any | | |
proxyAddresses | ProxyAddresses | | any | any | | ProxyAddresses contains the InternetAddress as the primary SMTP, the legacyExchangeDN of both the source and target as X500 addresses, and any email policies from the target (if enabled). |
pwdLastSet | PwdLastSet | | | | | |
roomNumber | RoomNumber | roomNumber | any | any | | |
sAMAccountName | SAMAccountName | sAMAccountName | any | any | | The following restricted chars will be replaced with underscores: , + " < > ; = / [ ] : \| * ? \ |
showInAdvancedViewOnly | ShowInAdvancedViewOnly | showInAdvancedViewOnly | any | any | | |
sn | LastName | sn | any | any | | Sometimes used as surname. |
st | OfficeState | st | any | any | | |
street | Street | street | any | any | | |
streetAddress | OfficeStreetAddress | streetAddress | any | any | | |
| | TargetAddress | targetAddress | any | any | | |
telephoneAssistant | TelephoneAssistant | telephoneAssistant | any | any | | |
telephoneNumber | OfficePhoneNumber | telephoneNumber | any | any | | |
terminalServer | TerminalServer | terminalServer | any | any | | |
textEncodedORAddress | TextEncodedORAddress | textEncodedORAddress | any | any | | |
thumbnailLogo | ThumbnailLogo | thumbnailLogo | any | any | | |
thumbnailPhoto * | ThumbnailPhoto * | thumbnailPhoto * | any | any | | |
title | JobTitle | title | any | any | | |
unauthOrig | UnauthOrig | unauthOrig | any | any | | |
url | WebSite | url | any | any | | |
userCert | UserCert | userCert | any | any | | |
userCertificate | UserCertificate | userCertificate | any | any | | |
userPrincipalName | UserPrincipalName | userPrincipalName | any | any | | |
userSMIMECertificate | UserSMIMECertificate | userSMIMECertificate | any | any | | |
wWWHomePage | WWWHomePage | wWWHomePage | any | any | | |
managedBy | ManagedBy | | group | group | contact | |
groupType | GroupType | groupType | group | group | | |
* thumbnailPhoto values are synced directly from the Source to the Target.
In Directory Sync Pro for Active Directory, an override is used to transform values in the target directory based upon a formula.
The formula language used is T-SQL, used in Microsoft’s SQL Server product line. A valid select statement in T-SQL would be Select (FirstName + LastName) from BT_Person. When adding an override you do not need to include a full SQL select statement as portions of the SQL statement are generated for you. Specifically, you are not required to use the select or from commands in the override. It is only required to enter the columns that should be selected. To continue the example above, a valid override would only need to contain the value of FirstName + LastName.
To add an Override:
When you save an override, Directory Sync Pro for Active Directory re-generates the Person or Groups view. It does this by dynamically generating a single SQL statement using the snippet of SQL code that is part of all overrides. The max size for this SQL statement is 8000 total characters. If many new overrides are added, this limit could be exceeded and an error when adding the overrides will occur. In addition to the default overrides, approximately 15-20 more Person and 20-25 Group overrides can be added before hitting the size limit.
To edit an override:
To delete an override:
To export overrides:
You can reset all overrides to the “factory defaults” by clicking the Reset Overrides button. Caution: This will remove any custom overrides or any edits to existing overrides. If you have made changes, you may want to export those changed overrides before a reset. You can import them later if you wish.
Directory Sync Pro for Active Directory uses the TypeOfTransaction column from the BT_Person table, or the Operation column from the BT_Groups table to determine what action to perform on the target object. These may have overrides applied to them, to control what actions Directory Sync Pro for Active Directory will take for an object. The below image shows an example of this kind of override.
Matching user accounts with Overrides
The values used for matching can have overrides applied to them. This is accomplished by setting up a new override using the field names MatchValue1, MatchValue2, MatchValue3 and MatchValue4. Each of MatchValue1-4 corresponds to the respective Source and Target pair on the matching tab.
These values are used for matching only. Values that get written to the target are based on the mappings, not the matching.
When updating an existing object, the attributes UserPrincipalName and SAMAccountName will only be written in response to a change after the initial sync. To always update these attributes, change the Internal Field mapping to an unused CustomXXX field.
The Internal Field must be entirely blank/NULL, or the source must be written to a different Custom value.
Make your override for Custom001 and map Custom001 to UserPrincipalName, then un-map userPrincipalName.
Make your override for Custom002 and map Custom002 to sAMAccountName, then un-map sAMAccountName.
Field Name | Field Value | Description |
---|---|---|
TargetAddress | CASE EntryType WHEN 'user' THEN 'SMTP:' + P.Custom20 + '@exchange.contoso.com' ELSE 'SMTP:' + dbo.ReplaceDomain(InternetAddress,'exchange.contoso.com') END | This formula will dynamically set the targetaddress value based on the EntryType. |
TargetAddress | 'SMTP:' + dbo.UpdateInternetAddress(InternetAddress,'exchange.') | This formula will set the TargetAddress value based on the InternetAddress and prefix the domain with the value specified, in this case "exchange.". |
TargetAddress | 'SMTP:' + dbo.ReplaceDomain(InternetAddress,'exchange.contoso.com') | This formula will set the TargetAddress value based on the InternetAddress and replace the domain with the value specified, in this case "exchange.contoso.com". |
TargetAddress | CASE WHEN InternetAddress LIKE '%@example.com' THEN 'smtp:' + dbo.UpdateInternetAddress(P.InternetAddress, 'exchange.') WHEN InternetAddress LIKE '%@knotes.contoso.com' THEN 'smtp:' + dbo.ReplaceDomain(P.InternetAddress, 'exchange.contoso.com') ELSE P.InternetAddress END | This formula will dynamically set the targetaddress value based on the existing InternetAddress domain name value. If the first domain is found then the TargetAddress will be set to one value, if the second domain is found another value will be used and if neither domain is found then the TargetAddress will be set the same as the current InternetAddress value. |
CommonName | CASE EntryType WHEN 'user' THEN 'do$$' + SourceDirectoryID WHEN 'sharedmail' THEN 'do$$' + SourceDirectoryID ELSE CommonName END | This formula will dynamically set the CommonName value based on the EntryType. |
CommonName | CASE WHEN LEN(CommonName) > 64 THEN LTRIM(RTRIM(LEFT(CommonName,64))) ELSE CommonName END | This formula will limit the CommonName value to 64 characters if it exceeds that limit. |
ProxyAddresses | CASE ProxyAddresses WHEN '' THEN 'smtp:' + dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'exchange.') ELSE ProxyAddresses + ';smtp:' + dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'exchange.') END | This formula will set or append to the list of ProxyAddresses values the coexistence routing addresses. This example specifically is designed for Office 365. |
Company | LTRIM(RTRIM(LEFT(company, 50))) | This formula will take the first 50 characters of the string value, then trim leading and trailing spaces. |
Custom001 | 'this is a string' | This formula will set the SQL field to a fixed string value. |
Custom001 | REPLACE(InternetAddress,'@','.') | This formula will replace the '@' symbol with a period '.' to create a string such as first.last.contoso.com. |
Custom001 | LEFT(InternetAddress,CHARINDEX('@',InternetAddress)-1) | This formula will extract the localpart of InternetAddress. |