[GUIDE] Hide users from Global Address List in AD Hybrid Joined Domains.



My company recently deployed a Hybrid Joined environment, and we came across an issue where the Entra and Admin portals were not allowing us to hide accounts from the global address list any longer. Here is the solution I came up with to resolve the issue.

1) On the machine hosting the AD Connect tool, open Synchronization Rules Editor.

2) Verify Direction is set to "Inbound" and then click "Add new Rule" on the right side.


3) Give it a name like "Hide user from GAL" or whatever makes sense to you. Connected System is your Local Domain, Connected System Object Type "User", Metaverse object type "Person", Link Type "Join", Precedence "50", then leave Tag, Enable Password Sync, and Disabled alone.


4) Hit Next, and skip "Scoping Filter" and "Join Rules".

5) On Transformation rules, set Flow Type to "Expression", Target Attribute to "msExchHideFromAddressLists", then set Merge Type to "Update". Use the following script in the "Source" field.
 

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

6) That's the hard part done. Now you need to manipulate each user account that you want to be hidden. You have 2 options here: you can use PowerShell, or just AD Users and Computers.

7) The PowerShell way.

8) Run PowerShell as a Domain Admin and simply run the command below.

Set-ADUser -Identity "FULL USERNAME" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

9) The AD Users and Computers way

10) Open AD Users and Computers and click View to verify "Advanced Features" is enabled.

11) Manually navigate to the user that needs to be hidden. Unfortunately you cannot use the Search command here, because when you search for a user the Attribute Editor is not available.

12) On the user in question, go to the Attribute Editor tab, look for "msDS-cloudExtensionAttribute1", and set it to "HideFromGAL".

13) Once you have updated the user, either wait for the AD to Azure Sync or force it to run. (You can do that from the machine running the Azure AD Connect by running PowerShell as an admin and running the following command.)

Start-ADSyncSyncCycle -PolicyType Delta
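The following is an added example, not part of the original post: a pre-sync check that mirrors the Source expression from step 5 and reports what the rule would flow for each account, so typos and accounts that already use the attribute for something else are caught before the sync cycle runs. The function name `Get-HideFromGalPrediction`, the sample accounts, and the treatment of the `=` comparison as an exact, case-sensitive match are assumptions.

```powershell
# Added example (not from the original post). Mirrors the rule's Source expression:
#   IIF(IsPresent(attr), IIF(attr = "HideFromGAL", True, False), NULL)
# Assumption: the "=" comparison is treated as an exact, case-sensitive match.
function Get-HideFromGalPrediction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $value = [string]$User.'msDS-cloudExtensionAttribute1'
        $note  = ''
        if ([string]::IsNullOrEmpty($value)) {
            # IsPresent() is false: the rule flows NULL and contributes nothing.
            $flow = 'NULL'
        }
        elseif ($value -ceq 'HideFromGAL') {
            $flow = 'True'
        }
        else {
            # Any other populated value makes the rule flow an explicit False.
            $flow = 'False'
            if ($value.Trim() -ieq 'HideFromGAL') {
                $note = 'Differs only by case/whitespace: fix the value'
            } else {
                $note = 'Attribute holds another value: rule will flow False'
            }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            AttributeValue = $value
            PredictedFlow  = $flow
            Note           = $note
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-scanner'; 'msDS-cloudExtensionAttribute1' = 'HideFromGAL' }
    [pscustomobject]@{ SamAccountName = 'jdoe';        'msDS-cloudExtensionAttribute1' = $null }
    [pscustomobject]@{ SamAccountName = 'shared-mbx';  'msDS-cloudExtensionAttribute1' = 'hidefromgal ' }
    [pscustomobject]@{ SamAccountName = 'asmith';      'msDS-cloudExtensionAttribute1' = 'CostCenter-42' }
)
$sample | Get-HideFromGalPrediction | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), only populated values:
# Get-ADUser -LDAPFilter '(msDS-cloudExtensionAttribute1=*)' `
#     -Properties 'msDS-cloudExtensionAttribute1' | Get-HideFromGalPrediction
```

Rows with a non-empty Note are the ones to review before running the delta sync.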

 

Can I assume you removed your last exchange box\management tools?

If Exchange wasn't present, extend the AD schema (using the Exchange setup) and install the Exchange management tools, you'll be able to hide a user from a GAL in a supported\non hacky way.

https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

In this circumstance we are not using self-hosted Exchange, we are using M365 Exchange, so there are no management tools other than the included Exchange admin center, Entra, and M365 Admin Center. All of which when you attempt to hide a user from GAL you receive a generic error message. The check boxes are there, it just refuses to comply. I even tried using the Attribute Editor to set the "msExchHideFromAddressLists" attribute to True; however, it did nothing.

I understand what you've got configured, the supported method of hiding from the GAL is to extend the AD schema with the Exchange attributes. Once you've done that you'll be able to install the Exchange management tools (Exchange shell specifically), and hide users from the GAL.

...I know because this is exactly what I've configured in many greenfield deployments in the past several years, on-prem AD becomes the source anchor when you turn on directory sync.

To be clear, you don't need a full Exchange Server configured.
