Active Directory provides a powerful way of retrieving data through the use LDAP filters. Directory Synchronization exposes two filters during the creation of a synchronization profile: User OU Filter and Group OU Filter whose defaults are:
- Users: (&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))
- Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))
These filters are per organizational unit and apply to sub-OUs when the Sync Sub-OUs option is selected.
Modifying these filters requires a basic understanding of the attributes, their value representations, and their data types. LDAP filters support any number of options including filtering by date ranges, wildcards, and the use of bitmasks as in the userAccountControl property.
The use of the objectClass and objectCategory properties can greatly reduce the number of records retrieved resulting in improved performance. You may use other attributes to further restrict your results.
- Selecting users that are part of the ‘Accounting’ department:
- (&(objectClass=User)(objectCategory=Person)(department=Accounting))
- Selecting mailbox-enabled users:
- (&(objectClass=User)(objectCategory=Person)(homeMDB=*))
- Selecting mail-enabled users and contacts:
- (|(&(objectClass=User)(objectCategory=Person)(!homeMDB=*))(objectClass=Contact))
- Selecting users created after January 1, 2011:
- (&(objectClass=User)(objectCategory=Person)(whenCreated>=20110101000000.0Z))
- Selecting distribution lists:
- (&(objectClass=Group)(groupType=2))
The following are common examples of queries and their LDAP query syntax.
Quest recommends that you use the Active Directory Users and Computers management console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.
AD Source – AD Target Default Mapping
The below table displays the default values of the AD Source to AD Target mapping table.
|
accountExpires |
AccountExpires |
accountExpires |
any |
any |
|
|
|
altRecipient |
ForwardingAddress |
altRecipient |
any |
any |
|
|
|
assistant |
Assistant |
|
any |
any |
|
|
|
authOrig |
AuthOrig |
authOrig |
any |
any |
|
|
|
C |
CountryAbbreviation |
C |
any |
any |
|
|
|
cn |
CommonName |
cn |
any |
any |
|
|
|
Co |
CountryName |
Co |
any |
any |
|
|
|
codePage |
CodePage |
codePage |
any |
any |
|
|
|
Comment |
Comment |
Comment |
any |
any |
|
|
|
company |
Company |
company |
any |
any |
|
|
|
countryCode |
CountryCode |
countryCode |
any |
any |
|
|
|
deletedItemFlags |
DeletedItemFlags |
deletedItemFlags |
any |
any |
|
|
|
delivContLength |
DelivContLength |
delivContLength |
any |
any |
|
|
|
department |
Department |
department |
any |
any |
|
|
|
departmentNumber |
DepartmentNumber |
departmentNumber |
any |
any |
|
|
|
description |
Description |
description |
any |
any |
|
|
|
displayName |
DisplayName |
displayName |
any |
any |
|
|
|
division |
Division |
division |
any |
any |
|
|
|
dLMemSubmitPerms |
DLMemSubmitPerms |
dLMemSubmitPerms |
any |
any |
|
|
|
dLMemRejectPerms |
DLMemRejectPerms |
dLMemRejectPerms |
any |
any |
|
|
|
employeeID |
EmployeeID |
employeeID |
any |
any |
|
|
|
employeeNumber |
EmployeeNumber |
employeeNumber |
any |
any |
|
|
|
employeeType |
EmployeeType |
employeeType |
any |
any |
|
|
|
expirationTime |
ExpirationTime |
expirationTime |
any |
any |
|
|
|
extensionAttribute1 |
Extension1 |
extensionAttribute1 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute10 |
Extension10 |
extensionAttribute10 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute11 |
Extension11 |
extensionAttribute11 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute12 |
Extension12 |
extensionAttribute12 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute13 |
Extension13 |
extensionAttribute13 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute14 |
Extension14 |
extensionAttribute14 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute15 |
Extension15 |
extensionAttribute15 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute2 |
Extension2 |
extensionAttribute2 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute3 |
Extension3 |
extensionAttribute3 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute4 |
Extension4 |
extensionAttribute4 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute5 |
Extension5 |
extensionAttribute5 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute6 |
Extension6 |
extensionAttribute6 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute7 |
Extension7 |
extensionAttribute7 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute8 |
Extension8 |
extensionAttribute8 |
any |
any |
|
These are Exchange defined custom attributes. |
|
extensionAttribute9 |
Extension9 |
extensionAttribute9 |
any |
any |
|
These are Exchange defined custom attributes. |
|
facsimileTelephoneNumber |
OfficeFAXNumber |
facsimileTelephoneNumber |
any |
any |
|
|
|
generationQualifier |
Suffix |
generationQualifier |
any |
any |
|
|
|
givenName |
FirstName |
givenName |
any |
any |
|
|
|
homePhone |
HomePhoneNumber |
homePhone |
any |
any |
|
|
|
HomePostalAddress |
HomePostalAddress |
HomePostalAddress |
any |
any |
|
|
|
Info |
Info |
Info |
any |
any |
|
|
|
initials |
Initials |
initials |
any |
any |
|
|
|
internationalISDNNumber |
InternationalISDNNumber |
internationalISDNNumber |
any |
any |
|
|
|
internetEncoding |
internetEncoding |
internetEncoding |
any |
any |
|
|
|
ipPhone |
IPPhone |
ipPhone |
any |
any |
|
|
|
jpegPhoto |
JPEGPhoto |
jpegPhoto |
any |
any |
|
|
|
l |
OfficeCity |
l |
any |
any |
|
|
|
language |
Language |
language |
any |
any |
|
|
|
legacyExchangeDN |
LegacyExchangeDN |
legacyExchangeDN |
any |
any |
|
Created using the source object's GUID as the CN. |
|
localeID |
LocaleID |
localeID |
any |
any |
|
|
|
mail |
InternetAddress |
mail |
any |
any |
|
|
|
mailNickname |
PrimaryAlias |
mailNickname |
any |
any |
|
|
|
manager |
Manager |
|
any |
any |
|
|
|
mAPIRecipient |
MAPIRecipient |
mAPIRecipient |
any |
any |
|
|
|
middleName |
MiddleName |
middleName |
any |
any |
|
|
|
mobile |
CellPhoneNumber |
mobile |
any |
any |
|
|
|
msDS-PhoneticCompanyName |
msDSPhoneticCompanyName |
msDS-PhoneticCompanyName |
any |
any |
|
|
|
msDS-PhoneticDepartment |
msDSPhoneticDepartment |
msDS-PhoneticDepartment |
any |
any |
|
|
|
msDS-PhoneticDisplayName |
msDSPhoneticDisplayName |
msDS-PhoneticDisplayName |
any |
any |
|
|
|
msDS-PhoneticFirstName |
msDSPhoneticFirstName |
msDS-PhoneticFirstName |
any |
any |
|
|
|
msDS-PhoneticLastName |
msDSPhoneticLastName |
msDS-PhoneticLastName |
any |
any |
|
|
|
msExchAddressBookFlags |
msExchAddressBookFlags |
msExchAddressBookFlags |
any |
any |
|
|
|
msExchALObjectVersion |
msExchALObjectVersion |
msExchALObjectVersion |
any |
any |
|
|
|
msExchArchiveGuid |
msExchArchiveGuid |
msExchArchiveGuid |
any |
any |
|
|
|
msExchArchivename |
msExchArchivename |
msExchArchivename |
any |
any |
|
|
|
msExchAssistantName |
msExchAssistantName |
msExchAssistantName |
any |
any |
|
|
|
msExchBlockedSendersHash |
msExchBlockedSendersHash |
msExchBlockedSendersHash |
any |
any |
|
|
|
msExchBypassAudit |
msExchBypassAudit |
msExchBypassAudit |
any |
any |
|
|
|
msExchELCExpirySuspensionEnd |
msExchELCExpirySuspensionEnd |
msExchELCExpirySuspensionEnd |
any |
any |
|
|
|
msExchELCExpirySuspensionStart |
msExchELCExpirySuspensionStart |
msExchELCExpirySuspensionStart |
any |
any |
|
|
|
msExchELCMailboxFlags |
msExchELCMailboxFlags |
msExchELCMailboxFlags |
any |
any |
|
|
|
msExchExternalOOFOptions |
msExchExternalOOFOptions |
msExchExternalOOFOptions |
any |
any |
|
|
|
msExchHideFromAddressLists |
msExchHideFromAddressLists |
msExchHideFromAddressLists |
any |
any |
|
|
|
msExchMailboxAuditEnable |
msExchMailboxAuditEnable |
msExchMailboxAuditEnable |
any |
any |
|
|
|
msExchMailboxAuditLogAgeLimit |
msExchMailboxAuditLogAgeLimit |
msExchMailboxAuditLogAgeLimit |
any |
any |
|
|
|
msExchMailboxGuid |
msExchMailboxGUID |
msExchMailboxGuid |
any |
any |
|
|
|
msExchMDBRulesQuota |
msExchMDBRulesQuota |
msExchMDBRulesQuota |
any |
any |
|
|
|
msExchMessageHygieneFlags |
msExchMessageHygieneFlags |
msExchMessageHygieneFlags |
any |
any |
|
|
|
msExchMessageHygieneSCLDeleteThreshold |
msExchMessageHygieneSCLDeleteThreshold |
msExchMessageHygieneSCLDeleteThreshold |
any |
any |
|
|
|
msExchMessageHygieneSCLJunkThreshold |
msExchMessageHygieneSCLJunkThreshold |
msExchMessageHygieneSCLJunkThreshold |
any |
any |
|
|
|
msExchMessageHygieneSCLQuarantineThreshold |
msExchMessageHygieneSCLQuarantineThreshold |
msExchMessageHygieneSCLQuarantineThreshold |
any |
any |
|
|
|
msExchMessageHygieneSCLRejectThreshold |
msExchMessageHygieneSCLRejectThreshold |
msExchMessageHygieneSCLRejectThreshold |
any |
any |
|
|
|
msExchModerationFlags |
msExchModerationFlags |
msExchModerationFlags |
any |
any |
|
|
|
msExchPoliciesExcluded |
msExchPoliciesExcluded |
msExchPoliciesExcluded |
any |
any |
|
|
|
msExchPoliciesIncluded |
msExchPoliciesIncluded |
msExchPoliciesIncluded |
any |
any |
|
|
|
msExchProvisioningFlags |
msExchProvisioningFlags |
msExchProvisioningFlags |
any |
any |
|
|
|
msExchRecipientDisplayType |
msExchRecipientDisplayType |
msExchRecipientDisplayType |
any |
any |
|
This mapping is ignored and msExchRecipientDisplayType is set to 6 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled. |
|
msExchRecipientTypeDetails |
msExchRecipientTypeDetails |
msExchRecipientTypeDetails |
any |
any |
|
This mapping is ignored and msExchRecipientTypeDetails is set to 128 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled. |
|
msExchRequireAuthToSendTo |
msExchRequireAuthToSendTo |
msExchRequireAuthToSendTo |
any |
any |
|
|
|
msExchResourceCapacity |
msExchResourceCapacity |
msExchResourceCapacity |
any |
any |
|
|
|
msExchResourceDisplay |
msExchResourceDisplay |
msExchResourceDisplay |
any |
any |
|
|
|
msExchResourceMetaData |
msExchResourceMetaData |
msExchResourceMetaData |
any |
any |
|
|
|
msExchResourceSearchProperties |
msExchResourceSearchProperties |
msExchResourceSearchProperties |
any |
any |
|
|
|
msExchSafeRecipientsHash |
msExchSafeRecipientsHash |
msExchSafeRecipientsHash |
any |
any |
|
|
|
msExchSafeSendersHash |
msExchSafeSendersHash |
msExchSafeSendersHash |
any |
any |
|
|
|
msExchTransportRecipientSettingsFlags |
msExchTransportRecipientSettingsFlags |
msExchTransportRecipientSettingsFlags |
any |
any |
|
|
|
msExchUMDtmfMap |
msExchUMDtmfMap |
msExchUMDtmfMap |
any |
any |
|
|
|
msExchUMSpokenName |
msExchUMSpokenName |
msExchUMSpokenName |
any |
any |
|
|
|
msExchUserCulture |
msExchUserCulture |
msExchUserCulture |
any |
any |
|
|
|
msExchVersion |
msExchVersion |
msExchVersion |
any |
any |
|
|
|
name |
Name |
name |
any |
any |
|
|
|
O |
O |
O |
any |
any |
|
|
|
objectGUID |
AdminDisplayName |
adminDisplayName |
any |
any |
|
|
|
otherFacsimileTelephoneNumber |
OtherFacsimileTelephoneNumber |
otherFacsimileTelephoneNumber |
any |
any |
|
|
|
otherHomePhone |
OtherHomePhone |
otherHomePhone |
any |
any |
|
|
|
otherIpPhone |
OtherIpPhone |
otherIpPhone |
any |
any |
|
|
|
otherMobile |
OtherMobile |
otherMobile |
any |
any |
|
|
|
otherPager |
OtherPager |
otherPager |
any |
any |
|
|
|
otherTelephone |
OtherTelephone |
otherTelephone |
any |
any |
|
|
|
pager |
PagerNumber |
pager |
any |
any |
|
|
|
personalPager |
PersonalPager |
personalPager |
any |
any |
|
|
|
personalTitle |
PersonalTitle |
personalTitle |
any |
any |
|
|
|
Photo |
Photo |
Photo |
any |
any |
|
|
|
physicalDeliveryOfficeName |
Location |
physicalDeliveryOfficeName |
any |
any |
|
Important, particularly for printers. |
|
pOPCharacterSet |
POPCharacterSet |
pOPCharacterSet |
any |
any |
|
|
|
pOPContentFormat |
POPContentFormat |
pOPContentFormat |
any |
any |
|
|
|
postalAddress |
PostalAddress |
postalAddress |
any |
any |
|
|
|
postalCode |
OfficeZip |
postalCode |
any |
any |
|
|
|
postOfficeBox |
PostOfficeBox |
postOfficeBox |
any |
any |
|
|
|
preferredDeliveryMethod |
PreferredDeliveryMethod |
preferredDeliveryMethod |
any |
any |
|
|
|
primaryInternationalISDNNumber |
PrimaryInternationalISDNNumber |
primaryInternationalISDNNumber |
any |
any |
|
|
|
primaryTelexNumber |
PrimaryTelexNumber |
primaryTelexNumber |
any |
any |
|
|
|
proxyAddresses |
ProxyAddresses |
|
any |
any |
|
ProxyAddresses contains the InternetAddress as the primary SMTP, the legacyExchangeDN of both the source and target as X500 addresses, and any email policies from the target (if enabled). |
|
pwdLastSet |
PwdLastSet |
|
|
|
|
|
|
roomNumber |
RoomNumber |
roomNumber |
any |
any |
|
|
|
sAMAccountName |
SAMAccountName |
sAMAccountName |
any |
any |
|
The following restricted chars will be replaced with underscores:
, + " < > ; = / [ ] : | * ? \ |
|
showInAdvancedViewOnly |
ShowInAdvancedViewOnly |
showInAdvancedViewOnly |
any |
any |
|
|
|
sn |
LastName |
sn |
any |
any |
|
Sometimes used as surname. |
|
st |
OfficeState |
st |
any |
any |
|
|
|
street |
Street |
street |
any |
any |
|
|
|
streetAddress |
OfficeStreetAddress |
streetAddress |
any |
any |
|
|
|
|
TargetAddress |
targetAddress |
any |
any |
|
|
|
telephoneAssistant |
TelephoneAssistant |
telephoneAssistant |
any |
any |
|
|
|
telephoneNumber |
OfficePhoneNumber |
telephoneNumber |
any |
any |
|
|
|
terminalServer |
TerminalServer |
terminalServer |
any |
any |
|
|
|
textEncodedORAddress |
TextEncodedORAddress |
textEncodedORAddress |
any |
any |
|
|
|
thumbnailLogo |
ThumbnailLogo |
thumbnailLogo |
any |
any |
|
|
|
thumbnailPhoto * |
ThumbnailPhoto * |
thumbnailPhoto * |
any |
any |
|
|
|
title |
JobTitle |
title |
any |
any |
|
|
|
unauthOrig |
UnauthOrig |
unauthOrig |
any |
any |
|
|
|
url |
WebSite |
url |
any |
any |
|
|
|
userCert |
UserCert |
userCert |
any |
any |
|
|
|
userCertificate |
UserCertificate |
userCertificate |
any |
any |
|
|
|
userPrincipalName |
UserPrincipalName |
userPrincipalName |
any |
any |
|
|
|
userSMIMECertificate |
UserSMIMECertificate |
userSMIMECertificate |
any |
any |
|
|
|
wWWHomePage |
WWWHomePage |
wWWHomePage |
any |
any |
|
|
|
managedBy |
ManagedBy |
|
group |
group |
contact |
|
|
groupType |
GroupType |
groupType |
group |
group |
|
|
* thumbnailPhoto values are synced directly from the Source to the Target.
In Directory Sync Pro for Active Directory, an override is used to transform values in the target directory based upon a formula.
The formula language used is T-SQL, used in Microsoft’s SQL Server product line. A valid select statement in T-SQL would be Select (FirstName + LastName) from BT_Person. When adding an override you do not need to include a full SQL select statement as portions of the SQL statement are generated for you. Specifically, you are not required to use the select or from commands in the override. It is only required to enter the columns that should be selected. To continue the example above, a valid override would only need to contain the value of FirstName + LastName.
To add an Override:
- From the project overview, select your profile and choose Manage.
- From the summary page, choose Settings, then Advanced, then Overrides.
- Click Add Override. The Override dialog appears.
- Select a Person or Groups from the View drop-down list.
- Enter a Field Name for the new override. This must be a valid internal field name in SQL.
- Enter a Field Value for the new override. This must be a correctly formatted SQL statement.
- Enter optional Comments for the new override.
- Click Save.
When you save an override, Directory Sync Pro for Active Directory re-generates the Person or Groups view. It does this by dynamically generating a single SQL statement using the snippet of SQL code that is part of all overrides. The max size for this SQL statement is 8000 total characters. If many new overrides are added, this limit could be exceeded and an error when adding the overrides will occur. In addition to the default overrides, approximately 15-20 more Person and 20-25 Group overrides can be added before hitting the size limit.
To edit an override:
- From the project overview, select your profile and choose Manage.
- From the summary page, choose Settings, then Advanced, then Overrides.
- Select the desired override and double-click on it.
- The dialog box for the selected override opens.
- Make any desired edits to the Field Value and or Comments. (The View type and Field Name cannot be modified.)
- Click Save.
To delete an override:
- From the project overview, select your profile and choose Manage.
- From the summary page, choose Settings, then Advanced, then Overrides.
- Select one or more overrides and click Remove Override(s).
- Choose Yes in the confirmation box.
To export overrides:
- From the project overview, select your profile and choose Manage.
- From the summary page, choose Settings, then Advanced, then Overrides.
- Select one or more overrides using Ctrl-click.
- Choose Export.
- In the export dialog box, choose a file format, and enter a file location.
- Click Export.
You can reset all overrides to the “factory defaults” by clicking the Reset Overrides button. Caution: This will remove any custom overrides or any edits to existing overrides. If you have made changes, you may want to export those changed overrides before a reset. You can import them later if you wish.
Controlling actions with Overrides
Directory Sync Pro for Active Directory uses the TypeOfTransaction column from the BT_Person table, or the Operation column from the BT_Groups table to determine what action to perform on the target object. These may have overrides applied to them, to control what actions Directory Sync Pro for Active Directory will take for an object. The below image shows an example of this kind of override.
Matching user accounts with Overrides
The values used for matching can have overrides applied to them. This is accomplished by setting up a new override using the field names MatchValue1, MatchValue2, MatchValue3 and MatchValue4. Each MatchValue1-4 corresponds the respective Source and Target pair on the matching tab.
These values are used for matching only. Values that get written to the target are based on the mappings, not the matching.
When updating an existing object, the attributes UserPrincipalName and SAMAccountName will only be written in response to a change after the initial sync. To always update these attributes, change the Internal Field mapping to an unused CustomXXX field.
Internal field must be entirely blank/NULL or source written to a different Custom value.
Make your override for Custom001 and map Custom001 to UserPrincipalName…then un-map userPrincipalName.
Make your override for Custom002 and map Custom002 to sAMAccountName…then un-map sAMAccountName
Example Overrides - For informational purposes only. Please create and test overrides for each project.
| TargetAddress |
CASE EntryType WHEN 'user' THEN 'SMTP:' + P.Custom20 + '@exchange.contoso.com' ELSE 'SMTP:' + dbo.ReplaceDomain(InternetAddress,'exchange.contoso.com') END |
This formula will dynamically set the targetaddress value based on the EntryType. |
| TargetAddress |
'SMTP:' + dbo.UpdateInternetAddress(InternetAddress,'exchange.') |
This formula will set the TargetAddress value based on the InternetAddress and prefix the domain with the value specified, in this case "exchange.". |
| TargetAddress |
' 'SMTP:' + dbo.ReplaceDomain(InternetAddress,'exchange.contoso.com') |
This formula will set the TargetAddress value based on the InternetAddress and replace the domain with the value specified, in this case "exchange.contoso.com". |
| TargetAddress |
CASE WHEN InternetAddress LIKE '%@example.com' THEN 'smtp:' + dbo.UpdateInternetAddress(P.InternetAddress, 'exchange.') WHEN InternetAddress LIKE '%@knotes.contoso.com' THEN 'smtp:' + dbo.ReplaceDomain(P.InternetAddress, 'exchange.contoso.com') ELSE P.InternetAddress END |
This formula will dynamically set the targetaddress value based on the existing InternetAddress domain name value. If the first domain is found then the TargetAddress will be set to one value, if the second domain is found another value will be used and if neither domain is found then the TargetAddress will be set the same as the current InternetAddress value. |
| CommonName |
CASE EntryType WHEN 'user' THEN 'do$$' + SourceDirectoryID WHEN 'sharedmail' THEN 'do$$' + SourceDirectoryID ELSE CommonName END |
This formula will dynamically set the CommonName value based on the EntryType. |
| CommonName |
CASE WHEN LEN(CommonName) > 64 THEN LTRIM(RTRIM(LEFT(CommonName,64))) ELSE CommonName END |
This formula will limit the CommonName value to 64 characters if it exceeds that limit. |
| ProxyAddresses |
CASE ProxyAddresses WHEN '' THEN 'smtp:' + dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'exchange.') ELSE ProxyAddresses + ';smtp:' + dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.com;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'exchange.') END |
This formula will set or append to the list of ProxyAddresses values the coexistence routing addresses. This example specifically is designed for Office 365. |
| Company |
LTRIM(RTRIM(LEFT(company, 50))) |
This formula will Trim, then limit the string value by 50 characters. |
| Custom001 |
'this is a string' |
This formula will set any string value to the any SQL field. |
| Custom001 |
REPLACE(InternetAddress,'@','.') |
This formula will replace the '@' symbol with a period '.' to create a string like so. (i.e. first.last.contoso.com) |
| Custom001 |
LEFT(InternetAddress,CHARINDEX('@',InternetAddress)-1) |
This formula will extract the localpart of InternetAddress. |
AD Directory Sync Pro for Active Directory Fields with Special Processing
The below tables include AD fields with some kind of special processing in Directory Sync Pro for Active Directory. Fields can have the following characteristics:
- Cannot be mapped
- Can be mapped and have an override
- May be explicitly ignored or changed by Directory Sync Pro for Active Directory if object meets certain conditions, even if mapping and override exists
- Actual attribute may be set via config file
Additional notes are available below for field marked with a *.
Writing Users to AD
Attributes that may be set by Directory Sync Pro for Active Directory regardless of mapping:
| distinguishedName |
• |
|
|
|
| objectClass |
• |
|
|
|
| userPassword |
|
• |
|
|
| unicodePwd |
|
• |
|
|
| userAccountControl |
|
• |
|
|
| msExchRecipientDisplayType |
|
• |
• |
|
| msExchRecipientTypeDetails |
|
• |
• |
|
| msExchResourceDisplay |
|
• |
|
|
| msExchResourceSearchProperties |
|
• |
|
|
| msExchResourceMetaData |
|
• |
|
|
| showInAddressBook* |
• |
|
• |
|
| msExchMasterAccountSid |
|
• |
• |
|
| msExchPoliciesExcluded |
• |
|
• |
|
| msExchPoliciesIncluded |
|
• |
• |
|
| userAccountControl |
• |
|
• |
|
| pwdLastSet |
• |
|
|
|
| adminDescription |
• |
|
|
• |
Special processing if mapped:
| mail |
|
• |
• |
|
| assistant* |
|
• |
|
|
| manager* |
|
• |
|
|
| managedBy* |
|
• |
|
|
| altRecipient* |
|
• |
|
|
| authoring |
|
• |
|
|
| unauthOrig |
|
• |
|
|
| dLMemSubmitPerms |
|
• |
|
|
| dLMemRejectPerms |
|
• |
|
|
| sAMAccountName* |
|
• |
• |
|
| legacyExchangeDN* |
|
• |
• |
|
| mailNickname |
|
• |
• |
|
Never set:
| objectGUID |
• |
|
|
|
| objectSid |
• |
|
|
|
| whenCreated |
• |
|
|
|
| whenChanged |
• |
|
|
|
| uSNChanged |
• |
|
|
|
| name |
• |
|
|
|
| cn |
• |
|
|
|
Writing Groups to AD
Attributes that may be set by Directory Sync Pro for Active Directory regardless of mapping:
| objectClass |
• |
|
|
|
| msExchRecipientDisplayType |
|
• |
• |
|
| msExchVersion |
|
• |
|
|
| showInAddressBook* |
• |
|
• |
|
| msExchPoliciesExcluded |
• |
|
• |
|
| msExchPoliciesIncluded |
|
|
• |
|
| adminDescription |
• |
|
|
• |
Special processing if mapped:
| mail |
|
• |
• |
|
| assistant* |
|
• |
|
|
| manager* |
|
• |
|
|
| managedBy* |
|
• |
|
|
| altRecipient* |
|
• |
|
|
| authOring |
|
• |
|
|
| unauthOrig |
|
• |
|
|
| dLMemSubmitPerms |
|
• |
|
|
| dLMemRejectPerms |
|
• |
|
|
| sAMAccountName* |
|
• |
• |
|
| legacyExchangeDN* |
|
• |
|
|
| groupType |
|
• |
• |
|
| mailNickname |
|
• |
• |
|
Never set:
| objectGUID |
• |
|
|
|
| objectSid |
• |
|
|
|
| whenCreated |
• |
|
|
|
| whenChanged |
• |
|
|
|
| uSNChanged |
• |
|
|
|
| name |
• |
|
|
|
| cn |
• |
|
|
|
Special processing by Internal Field Name:
| DisplayName |
|
• |
|
|
• |
| PrimaryAlias |
|
• |
|
|
• |
| SAMAccountName* |
|
• |
|
|
• |
| InternetAddress |
|
• |
|
|
• |
| Name |
|
• |
|
|
• |
| CommonName |
|
• |
|
|
• |
Additional Notes
- TargetDN – this column contains the distinguishedName of the target object to be created or the existing distinguishedName of a matched target object. If the object is created, the following values are used:
- Non-group objects from AD sources use the DN column (or override value if specified) to compute a target object DN. This preserves the sub-OU hierarchy the object may be in from the source.
- Groups from AD sources, use the OU column (or override value if specified) to compute a target object DN. This preserves the sub-OU hierarchy the object may be in from the source.
- LegacyExchangeDN – the legacyExchangeDN of the target object is computed by constructing a value relative to the target Exchange organization.
- ShowInAddressBook – unless hiding from GAL is enabled. No override column is available for this field. To prevent overwriting object values in the target, GAL visibility for the ShowInAddressBook attribute should be set to Hidden.
- Rooms are added to the All Rooms address book, except for Exchange 2003 which doesn't have rooms or the All Rooms address book.
- Users are added to the All Users address book.
- Groups are added to the All Groups address book.
- All objects are added to the All Global Address Lists (GAL) address book.
- Manager – all objects except Groups
- Uses the Manager column (or override value if specified) for the source object.
- Locates the referenced Manager in the target.
- If the referenced Manager is a reference to itself, the Manager on the target object will be set on the next sync.
- ManagedBy – group objects only
- Uses the ManagedBy column (or override value if specified) for the source object.
- Follows the same process as Manager above.
- Assistant – all objects
- Uses the Assistant column (or override value if specified) for the source object.
- Follows the same process as Manager above.
-
AltRecipient – all objects
-
Uses the AltRecipient column (or override value if specified) for the source object.
-
Follows the same process as Manager above.
-
sAMAccountName – The sAMAccountName may be calculated under special circumstances, such as when a collision occurs. For this reason, during a sync following a reset, repush, or repushpull, the existing sAMAccountName in the target will be assumed to be current and therefore will be used in any mappings involving the sAMAccountName internal field.
