Excluding Security Groups from Synchronization with the Group Filter

Section 6. Updating the Groups to Ignore List in SQL

6.5 Excluding Security Groups from Synchronization with the Group Filter

Select the appropriate Profile and Source OU in the Directory Sync UI and double-click on Group Filter on the AD Source tab.

Replace (objectClass=Group) with (objectClass=Group)(!groupType:=-2147483646) and click Save.

Binary Tree recommends that you use the Active Directory Users and Computers management console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.

Appendix A: Using the User and Group LDAP Filters

Active Directory provides a powerful way of retrieving data through the use LDAP filters. Directory Synchronization exposes two filters during the creation of a synchronization profile: User OU Filter and Group OU Filter whose defaults are:

 Users: (&(!(adminDescription=Created By

DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))

 Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))

These filters are per organizational unit and apply to sub-OUs when the Sync Sub-OUs option is selected.

Modifying these filters requires a basic understanding of the attributes, their value representations, and their data types. LDAP filters support any number of options including filtering by date ranges, wildcards, and the use of bitmasks as in the userAccountControl property.

The use of the objectClass and objectCategory properties can greatly reduce the number of records retrieved resulting in improved performance. You may use other attributes to further restrict your results.

The following are common examples of queries and their LDAP query syntax.

o Selecting users that are part of the ‘Accounting’ department:

o (&(objectClass=User)(objectCategory=Person)(department=Accounting)) o Selecting mailbox-enabled users:

o (&(objectClass=User)(objectCategory=Person)(homeMDB=*)) o Selecting mail-enabled users and contacts:

o (|(&(objectClass=User)(objectCategory=Person)(!homeMDB=*))(objectClass=Contact)) o Selecting users created after January 1, 2011:

o (&(objectClass=User)(objectCategory=Person)(whenCreated>=20110101000000.0Z)) o Selecting distribution lists:

o (&(objectClass=Group)(groupType=2))

Binary Tree recommends that you use the Active Directory Users and Computers management console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.

Appendix B: Additional Configuration Options

Changing the attribute used for "Created by Dirsync" or "Updated by Dirsync"

By default, the adminDescription attribute (for Active Directory) or $BTAction (for Domino) is stamped on objects on the Target that are created or updated by SMART Directory Sync with "Created by Dirsync" or "Updated by Dirsync" to define which objects can be safely deleted from the Target. An app setting is available in the config file to allow you to define a different attribute/field for this purpose.

To use an attribute other than adminDescription or $BTAction, define a new DirSyncAttribute setting in the

<appSettings> section of the config file. For example, the below setting will use adminDisplayName instead of adminDescription:

Warning: This must be configured before the initial sync.

</appSettings>

Setting msExchRecipientDisplayType and msExchRecipientTypeDetails Exchange attributes

A configuration option to allow you to set msExchRecipientDisplayType and msExchRecipientTypeDetails Exchange attributes based on the value of a configurable attribute is available.

The configuration option must defined in the <appSettings> section of the config file, as shown below. “Value=” should be contain the attribute to be used. (proxyAddresses shown below). If the value of the attribute is null,

msExchRecipientDisplayType and msExchRecipientTypeDetails will be populated. See the list below for the values that will be populated.

</appSettings>

Mail Enabled Users in the source:

o msExchRecipientDisplayType = 6 o msExchRecipientTypeDetails = 128 Room Mailbox in the source:

o msExchRecipientDisplayType = 7 o msExchRecipientTypeDetails = 16 Resource Mailbox in the source:

o msExchRecipientDisplayType = 8 o msExchRecipientTypeDetails = 32

Shared Mailbox in the source:

o msExchRecipientDisplayType = 0 o msExchRecipientTypeDetails = 4

Allow objects with remote mailboxes to be treated as mailbox-enabled objects

A setting that allows objects with remote mailboxes to be treated as mailbox-enabled objects is available. To enable this feature, add the RemoteMailboxAsMailboxEnabled option to the <appSettings> section of the

BinaryTree.DirSync.Exchange.exe.config file as displayed below.

</appSettings>

If this setting is set to any value other than True or if omitted from the file, objects with remote mailboxes will be treated as non-mailbox-enabled. If set to True, objects with remote mailboxes will be treated as mailbox-enabled.

Disable the caching of group members

A configuration option can be used in the appSettings section of the config file to disable the caching of group members.

This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.

</appSettings>

Valid values are true and false. If this setting is omitted, or set to an invalid value, the value defaults to false. If set to false, group members will be cached during push and pull. If set to true, group members will not be cached during push and pull.

Disable the initialization of the sync report

A configuration option can be used in the appSettings section of the config file to disable the initialization of the sync report. If disabled, a sync report will still be recorded, but it will not be initialized between syncs. The result will be that an object will show data from the last time it was processed by SMART Directory Sync, rather than just the most recent time it was processed. In other words, if an object is inserted during a sync, it will show in the sync report as Inserted.

Assuming a second sync does not touch this object, then if the sync report is initialized, a second sync will show this object as No Change, but if the sync report is not initialized, the object will still show as Inserted.

This setting should be added to the BinaryTree.DirSync.Exchange.exe.config file.

</appSettings>

Valid values are true and false. If this setting is omitted, or set to an invalid value, the value defaults to false. If set to false, the sync report will be initialized. If set to true, the sync report will not be initialized.

Set the maximum number of users and groups synced simultaneously

During pull processing, SMART Directory Sync will sync multiple Active Directory user and group objects

simultaneously into the target AD. The maximum number of users and groups synced simultaneously can be changed using the ThreadCount setting in the config file. If this configuration option is not specified, the ThreadCount will be set to the same number of logical processor cores of the server on which SMART Directory Sync is running.

The configuration option is not included by default. To add, modify the BinaryTree.DirSync.Exchange.exe.config file located at C:\Program Files\Binary Tree\DirSync and add a new key to the <appSettings> section as follows:

</appSettings>

This option should never be set to a number greater than the number of processor cores on the server. However, you may need to specify a lower number if other applications also running on the server require a specific number of cores set aside for processing. Best practice is to leave the setting at the default value and lower it only if additional

processing power is needed for other applications on the server.

Appendix C: Default Mapping

Domino Source – AD Target Default Mapping

The below table displays the default values of the Domino Source to AD Target mapping table.

Source Field Internal Field Target Field Source

ListDescription Comment info group group conta

ListName DisplayName displayName group group conta

ListName PrimaryAlias mailNickname group group conta

ListName SAMAccountName sAMAccountName group group ListName must

be empty in

Source Field Internal Field Target Field Source

Comments Comment comment shared

Mail

Description Info info shared

Mail

FullName CommonName cn shared

Mail

FullName PrimaryAlias mailNickname shared

Mail

FullName DisplayName displayName shared

Mail

FullName ProxyAddresses proxyAddresses shared

Mail

Source Field Internal Field Target Field Source

FullName SAMAccountName sAMAccountName shared

Mail

shared Mail

TargetAddress targetAddress shared

Mail

Comments Comment comment resourc

Description Info info resourc

FullName CommonName cn resourc

FullName PrimaryAlias mailNickname resourc

Source Field Internal Field Target Field Source

FullName CommonName displayName resourc

FullName ProxyAddresses proxyAddresses resourc

FullName SAMAccountName sAMAccountName resourc

TargetAddress targetAddress resourc

Comments Comment comment room room conta

Source Field Internal Field Target Field Source

FullName CommonName cn room room conta

FullName PrimaryAlias mailNickname room room conta

FullName CommonName displayName room room conta

FullName ProxyAddresses proxyAddresses room room conta

TargetAddress targetAddress room room conta

Source Field Internal Field Target Field Source

CellPhoneNumber CellPhoneNumber user user conta

FullName CommonName cn user user conta

FullName DisplayName user user conta

FullName ProxyAddresses proxyAddresses user user conta

Source Field Internal Field Target Field Source

OfficePhoneNumber user user conta

OfficeStreetAddress user user conta

OfficeZip OfficeZip user user conta

Source Field Internal Field Target Field Source

ShortName PrimaryAlias mailNickname user user conta

ShortName ProxyAddresses proxyAddresses user user conta

TargetAddress targetAddress user user conta

Resource Type BTCustom032 resourc

BTCustom033 msExchRecipientDisplayT

ype

Source Field Internal Field Target Field Source

BTCustom034 msExchResourceSearchPr

operties

BTCustom034 msExchResourceDisplay resourc

BTCustom035 msExchResourceMetaDat

BTCustom033 msExchRecipientDisplayT

ype

room room conta ct

BTCustom034 msExchResourceSearchPr

operties

room room conta ct

BTCustom034 msExchResourceDisplay room room conta

BTCustom035 msExchResourceMetaDat

room room conta ct

AD Source – Domino Target Default Mapping

The below table displays the default values of the AD Source to Domino Target mapping table.

Source Field Internal Field Target Field Source

mailNickname PrimaryAlias ShortName contact user The

following

Source Field Internal Field Target Field Source

displayName DisplayName ListName group group

Source Field Internal Field Target Field Source

mailNickname PrimaryAlias ShortName group user The

following

Source Field Internal Field Target Field Source

sAMAccountName SAMAccountName ShortName group user The

following

Source Field Internal Field Target Field Source

mailNickname PrimaryAlias FullName resource user The

following

mailNickname ShortName ShortName resource user The

following

sAMAccountName SAMAccountName FullName resource user The

following

Source Field Internal Field Target Field Source

sAMAccountName SAMAccountName FullName room user The

following restricted

Source Field Internal Field Target Field Source

cn CommonName FullName sharedMa

user

displayName DisplayName FullName sharedMa

user

mailNickname PrimaryAlias FullName sharedMa

mailNickname ShortName ShortName sharedMa

user

proxyAddresses FullName FullName sharedMa

user

sAMAccountName SAMAccountName FullName sharedMa

Source Field Internal Field Target Field Source

sAMAccountName SAMAccountName ShortName user user The

following

Source Field Internal Field Target Field Source Type

Targe t Type

1 Targe t Type

2 Comment s

st OfficeState OfficeState user user

streetAddress OfficeStreetAddres s

OfficeStreetAddress user user

telephoneNumber OfficePhoneNumb er

OfficePhoneNumber user user

title JobTitle JobTitle user user

BTCustom001 FullName user user

Appendix D: Customizing Overrides

In SMART Directory Sync, an override is used to transform values in the target directory based upon a formula.

The formula language used is T-SQL, used in Microsoft’s SQL Server product line. A valid select statement in T-SQL would be Select (FirstName + LastName) from BT_Person. When adding an override you do not need to include a full SQL select statement as portions of the SQL statement are generated for you. Specifically, you are not required to use the select or from commands in the override. It is only required to enter the columns that should be selected. To continue the example above, a valid override would only need to contain the value of FirstName + LastName.

To add a View Override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Click Add. The Override dialog appears.

3. Select a Person or Groups from the View drop-down list.

4. Enter a Field Name for the new override. This must be a valid internal field name in SQL.

5. Enter a Field Value for the new override. This must be a correctly formatted SQL statement.

6. Enter Comments for the new override.

7. Click Save.

8. Click Yes for the confirmation message.

When you save an override, SMART Directory Sync re-generates the Person or Groups view. It does this by dynamically generating a single SQL statement using the snippet of SQL code that is part of all overrides. The max size for this SQL statement is 8000 total characters. If many new overrides are added, this limit could be exceeded and an error when adding the overrides will occur. In addition to the default overrides, approximately 15-20 more Person and 20-25 Group overrides can be added before hitting the size limit.

To edit a mapping override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Select an Override and click Edit. The Override dialog appears.

3. Edit the Field Value for the override. The View and Field Name cannot be edited.

4. Edit Comments for the override.

5. Click Save.

6. Click Yes for the confirmation message.

To delete a mapping override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Select an Override and click Delete.

3. Click Yes for the confirmation message.

To export all mapping overrides:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Click Export All.

3. Select a location, enter a file name, and click Save.

Controlling actions with Overrides

SMART Directory Sync uses the TypeOfTransaction column from the BT_Person table, or the Operation column from the BT_Groups table to determine what action to perform on the target object. These may have overrides applied to them, to control what actions Directory Sync will take for an object. The below image shows an example of this kind of override.

Matching user accounts with Overrides

The values used for matching can have overrides applied to them. This is accomplished by setting up a new override using the field names MatchValue1, MatchValue2, MatchValue3 and MatchValue4. Each MatchValue1-4 corresponds the respective Source and Target pair on the matching tab.

These values are used for matching only. Values that get written to the target are based on the mappings, not the matching.

Example Overrides

Field Name Field Value Description

TargetAddres s

CASE EntryType WHEN 'user' THEN 'SMTP:' + P.Custom20 + '@domino.contoso.com' ELSE 'SMTP:' +

dbo.ReplaceDomain(InternetAddress,'domino.contoso.com') END

'SMTP:' + dbo.UpdateInternetAddress(InternetAddress,'domino.') This formula will set the TargetAddress value based on the InternetAddress and

This formula will set the TargetAddress value based on the InternetAddress and

CASE WHEN InternetAddress LIKE '%@kodak.com' THEN 'smtp:' + dbo.UpdateInternetAddress(P.InternetAddress, 'domino.') WHEN InternetAddress LIKE '%@knotes.contoso.com' THEN 'smtp:' + dbo.ReplaceDomain(P.InternetAddress, 'domino.contoso.com') ELSE

If the first domain is

found then the

TargetAddress will

be set to one value,

if the second domain

is found another

value will be used

and if neither

Field Name Field Value Description

CASE EntryType WHEN 'user' THEN 'do$$' + SourceDirectoryID WHEN 'sharedmail' THEN 'do$$' + SourceDirectoryID ELSE CommonName END

This formula will dynamically set the CommonName value based on the EntryType.

CommonNa me

CASE WHEN LEN(CommonName) > 64 THEN

LTRIM(RTRIM(LEFT(CommonName,64))) ELSE CommonName END

This formula will limit the

CommonName value to 64 characters if it exceeds that limit.

ProxyAddress es

CASE ProxyAddresses WHEN '' THEN 'smtp:' +

dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.c om;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'domino.') ELSE ProxyAddresses + ';smtp:' +

dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.c om;smtp:') + dbo.UpdateInternetAddress(InternetAddress,'domino.') END

This formula will set or append to the list

Company LTRIM(RTRIM(LEFT(company, 50))) This formula will

Trim, then limit the string value by 50 characters.

Custom001 'this is a string' This formula will set

any string value to the any SQL field.

Custom001 REPLACE(InternetAddress,'@','.') This formula will

replace the '@'

symbol with a period

'.' to create a string

Field Name Field Value Description like so. (i.e.

first.last.contoso.co m)

Custom001 LEFT(InternetAddress,CHARINDEX('@',InternetAddress)-1) This formula will

extract the localpart

of InternetAddress.

Appendix E: Directory Sync Fields with Special Processing

AD Directory Sync Fields with Special Processing

The below tables include fields with some kind of special processing in Directory Sync. Fields can be have the following characteristics:

 Cannot be mapped

 Can be mapped and have an override

 May be explicitly ignored or changed by Directory Sync if object meets certain conditions, even if mapping and override exists

 Actual attribute may be set via config file

Additional notes are available below for field marked with a *.

Writing Users to AD

Attributes that may be set by SMART Directory Sync regardless of mapping:

Field Cannot be

Special processing if mapped:

Field Cannot be

Never set:

May be set with config file

Writing Groups to AD

Attributes that may be set by SMART Directory Sync regardless of mapping:

Field Cannot be

Special processing if mapped:

May be set with config file

Special processing by Internal Field Name:

If this internal field name is mapped and value is empty, actual

value comes from different internal field

1. TargetDN – this column contains the distinguishedName of the target object to be created or the existing distinguishedName of a matched target object. If the object is created, the following values are used:

a. Non-group objects from Domino sources use the following columns (or override values if specified) in order until a non-NULL value is found:

i. CommonName ii. DisplayName iii. PrimaryAlias iv. FullName

v. PrimaryFullName

b. Groups from Domino sources use the following columns (or override values if specified) in order until a non-NULL value is found:

i. DisplayName ii. Name

iii. CommonName iv. PrimaryAlias

c. Non-group objects from AD sources use the DN column (or override value if specified) to compute a target object DN. This preserves the sub-OU hierarchy the object may be in from the source.

d. Groups from AD sources, use the OU column (or override value if specified) to compute a target object DN. This preserves the sub-OU hierarchy the object may be in from the source.

2. LegacyExchangeDN – the legacyExchangeDN of the target object is computed by constructing a value relative to the target Exchange organization.

3. TargetAddress

a. Uses override value from the TargetAddress column if one is specified.

b. Otherwise uses the primary SMTP from the list of source proxy addresses.

c. Or the InternetAddress from the source object.

d. Or the UserPrincipalName from the source object.

4. ProxyAddresses

a. Includes all values from the ProxyAddress column (or override value if specified) for the source object.

b. Adds the InternetAddress from the source. Makes it the primary SMTP address. Makes all others secondary SMTP addresses.

c. Add an X500 address pointing to the legacyExchangeDN of the source object.

d. Add an X500 address pointing to the legacyExchangeDN of the target object.

e. Applies any Exchange email address policies from the target Exchange organization, if the Apply email policies option is enabled. All new addresses are added as secondary SMTP addresses regardless of the policy rules.

5. ShowInAddressBook – unless hiding from GAL is enabled. No override column is available for this field.

a. Rooms are added to the All Rooms address book, except for Exchange 2003 which doesn't have rooms or the All Rooms address book.

b. Users are added to the All Users address book.

c. Groups are added to the All Groups address book.

d. All objects are added to the All Global Address Lists (GAL) address book.

6. Manager – all objects except Groups

a. Uses the Manager column (or override value if specified) for the source object.

b. Locates the referenced Manager in the target.

c. If not found and a pending sync is available for the Manager, DirSync will immediately sync it to the

In document SMART Directory Sync 4.5. Comprehensive User Guide for Domino-Active Directory Synchronization (Page 59-97)