[GUIDE] Hide users from Global Address List in AD Hybrid Joined Domains.

By LittleNeutrino
in Essential Guides

 Share

Recommended Posts

Grand Master

LittleNeutrino Veteran

Posted
  • Veteran
Posted

My company recently deployed a Hybrid Joined environment, and we came across an issue where the Entra and Admin portals were not allowing us to hide accounts from the global address list any longer. Here is the solution I came up with the resolve the issue.

1) on the Machine hosting the AD Connect tool. Open Synchronization Rules Editor.

2) Verify Direction is set to "Inbound" and then click "Add new Rule" On the right side.

image.png.c008691f482ef3031e2aa5789d71404d.png

3) Give it a name like "Hide user from GAL" or whatever makes sense to you. Connected System is your Local Domain, Connected System Object Type "User", Metaverse object type "Person", Link Type "Join", Precedence "50", then leave Tag, Enable Password Sync, and Disabled alone.

image.png.0232cdcdebf194a9ded046d2ac21bbb7.png

4) Hit Next, and Skip, "Scoping Filter, and Join Rules"

5) on Transformation rules, set Flow Type to "Expression", Target Attribute to "msExchHideFromAddressLists", then set Merge Type to "Update" Use the following script in the "Source" field.
  

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

6) Thats the Hard part done. Now you need to manipulate each user account that you want to be hidden. You have 2 options here, you can use PowerShell, or just AD Users and Computers.

7) The PowerShell way.

8 ) Run PowerShell as a Domain Admin and simply run the command below. 

Set-ADUser -Identity "FULL USERNAME" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

9) The AD Users and Computers way

10) Open AD Users and Computers and click View to Verify "Advanced Features" is enabled.

11) Manually navigate to the user that needs hidden. unfortunately you cannot use the Search command here because when you search for a user Attrribute editor is not available.

12) on the user in question go to the Attribute Editor tab and then look for "msDS-cloudExtensionAttribute1", and set it to "HideFromGAL"

13) Once you have updated the user, either way for the AD to Azure Sync or force it to run. (You can do that from the machine running the Azure AD Connect by running PowerShell as an admin and running the following command.) 

start-adsyncsynccycle -policytype delta

 

Grand Master

binaryzero

Posted
Posted

Can I assume you removed your last exchange box\management tools?

If Exchange wasn't present, extend the AD schema (using the Exchange setup) and install the Exchange management tools, you'll be able to hide the a user from a GAL in a supported\non hacky way.

https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

Grand Master

LittleNeutrino Veteran

Posted
  • Author
  • Veteran
Posted

In this circumstance we are not using self-hosted Exchange we are using M365 Exchange so there are no management tools other than the include Exchange admin center, Entra, and M365 Admin Center. All of which when you attempt to Hide a user from GAL you receive a Generic error message. The check boxes are there it just refuses to comply. I even tried using the Attribute editor to set " msExchHideFromAddressLists" attribute to True however, it did nothing.

image.png

Grand Master

binaryzero

Posted
Posted (edited)

I understand what you've got configured, the supported method of hiding from the GAL is to extend the AD schema with the Exchange attributes. Once you've done that you'll be able to install the Exchange management tools (Exchange shell specifically), and hide users from the GAL.

...I know because this is exactly what I've configured in many greenfield deployments in the past several years, on-prem AD becomes the source anchor when you turn on directory sync.

To be clear, you don't need a full Exchange Server configured.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Posts

    • Elon Musk once again claims Tesla robotaxis are coming soon

      By AnalystDan · Posted

      Totally different vehicles. Uber has partnered with Waymo for level 5 autonomous vehicles. Waymo has completed 10 million trips and to date, there have been 696 accidents in 4 years and of those 16 of them appear to have been due to an error by the car. In total airbags have only been deployed 38 times. The technology should always be under review and continued to be improved on, but this is a totally different animal to Tesla FSD PS. no I don't work for them etc. I am an analyst for a market intelligence firm and we have a lot of interest from clients looking at the connected car space for advertising etc. so I have studied them
    • Elon Musk once again claims Tesla robotaxis are coming soon

      By AnalystDan · Posted

      But it's not full self driving it's level 2 autonomy. Audi, BMW and Mercedes all have level 3 and make far less noise about it
    • Edge for Business gets secure password deployment for organizations

      By zikalify · Posted

      Edge for Business gets secure password deployment for organizations by Paul Hill Microsoft Edge for Business now offers organizations secure password deployments as a generally available feature, the Redmond giant said. Instead of users sharing passwords on sticky notes or via email to access certain websites or tools, admins can deploy encrypted shared passwords to specific users within their organization. When a user receives a password, it is stored in their Edge password manager and can be used to log into websites seamlessly using autofill. Microsoft has made this enterprise-grade solution available to customers at no additional cost. How it works and the user experience Administrators have to manage the feature via the Microsoft Edge management service within the Microsoft 365 admin center. From there, they can add, update, and revoke credentials for specific user groups through configuration policies. Once an admin has set it up and shared passwords with users, the users will see the passwords in their Edge password manager and can be used with autofill on corresponding websites. The passwords are tied to work profiles in Edge on managed Windows devices to limit their misuse. Further boosting security, the shared passwords cannot actually be viewed, edited, or deleted (unless the website allows), or exported from the password manager. This is a good addition for security because if an unauthorized user gains physical access to the computer, they cannot learn what the password is. Administrators reading this do need to be aware of an important caveat related to developer tools. A motivated user who wants to reveal the passwords can do so by digging into the developer tools, for this reason, you should consider restricting access to the developer tools by configuring the DeveloperToolsAvailability policy. The underlying security and encryption Microsoft’s new secure passwords feature has been built using the Information Protection SDK. The passwords are encrypted and the encryption is tied to Entra identities which lets organizations enforce them without manual key management. The decryption of the passwords takes place at runtime using the same SDK, validating the user’s identity. Availability and getting started Secure password deployment is available through the Edge management service in the Microsoft 365 admin center. Once in the admin center, you should choose an existing configuration policy or create a new one. Inside the policy, go to the Customization Settings tab and then to the Secure password deployment page. To use this feature you must have a Microsoft 365 Business Premium, E3, or E5 subscription. The feature also requires the Edge admin or Global admin role. Source: Microsoft
    • Am I asking too much? (Gaming PC for sale) no takers?

      By +FloatingFatMan · Posted

      Is it though?  I built a new rig a few months ago and it was literally impossible to get one without RGB, but within 10 minutes of setting it up, I turned all that crap off.  It was REALLY distracting, and who needs additional heat INSIDE a PC? It's popular on YouTube for sure, it's neat looking and whatnot, but it's about as practical as a coffee cup with a hole in it. As for the price, a non-enthusiast would just see something priced way above what they can get from a retailer brand new...
    • RollBack Rx Pro 12.9 Build 2710971022

      By Copernic · Posted

      RollBack Rx Pro 12.9 Build 2710971022 by Razvan Serea RollBack Rx is a robust system restore utility that enables home users and IT professionals to easily restore a PC to a time before certain events occurred. In essence, it turns your PC into a Instant Time Machine. Regardless of what happens to your PC your can quickly and easily restore your PC to a previous time. Making it easy to rescue you from any PC disaster - saving time, money and PC trouble. Windows System Restore only restores Windows system files and some program files. In addition, if Windows crashes to a point were Windows itself can not boot up (ie. BSOD*) you would not be able to access your Windows System Restore points. In contrast, the RollBack Rx technology works at the sector level of the hard drive and restores everything! - right down to the last byte of data. It sits below Windows. So even if Windows crashes, there’s a sub-console (mini OS) that boots prior to windows. This allows you to access Rollback Rx and go back to a point in time when your system was working trouble-free. Key Features Go back to any previous point in time within seconds. Go back minutes, hours, days, weeks, or even months to any previous snapshot. Does not affect computer performance, uses minimal system resources. Supports unlimited snapshots. Creates a complete system snapshot without having to restart the system. Reverse any system crash within seconds (even if Windows cannot startup). Back out of any failed program, OS updates, and botched updates. Recover from any malware or virus attack within seconds. Works with VMWare and Virtual Machines, both as a host or within the virtual machine as a client. Supports Multi-boot, Multi OS workstations. Lock snapshots to prevent deletion. Intuitive GUI based snapshot manager. Explore, browse, and retrieve files and folders from any snapshot. Drag and drop them into your active system. Roll backwards as well as forwards to any available system snapshot. Allows users to safely test any software. Fast, 100% complete uninstaller. Retrieve files from a crashed PC, even if Windows cannot boot. Access control – manage levels of multiple user and administrative privileges. Automatically schedule snapshots to be taken on a fixed schedule or upon execution of specific files (ie. setup.exe) as well as manually. 256 bit AES snapshot encryption. Prevent unauthorized data theft in case of a stolen laptop. Group Management and Enterprise Network Administration Control (FREE utility). Comes with Stealth Mode where you can hide the RollBack Rx tray icon and splash screen (seen during bootup) Change the startup hotkey for sub-console access (default is HOME). Built-in snapshot defragmenter which will optimize system resources and recover free space. Option to keep files and folders unchanged when you roll-back. Advanced setup configuration wizard for system administrators which will set deployment options and predefined RollBack Rx settings. Offers detailed program operation logging. Supports all industry-standard deployment options including silent installations and pre-installation configuration. Explore RollBack Rx Pro with a 14-day trial, fully functional on Windows 11, 10, 8, and Windows 7 SP1** (32 and 64-bit). RollBack Rx Pro 12.9 Build 2710971022 changelog: General Add PnpLockdown in shieldm.inf Fix registry exclusion problem in Windows 11 24H2 release Add detailed logging for file filter driver Add detailed logging for Windows update Add time stamp to kernel drivers Change kernel driver and Win32 IRP structure Other small bug fixes / typos reported through tech support Endpoint Manager Add client report dashboard Add sound effect when receiving a EPM message. Keep EPM message history Fix bug that oversized Windows symbol files cannot be downloaded Download: RollBack Rx Pro 12.9 | 61.0 MB (Shareware) View: RollBack Rx Home Page Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Week One Done
      somar86 earned a badge
      Week One Done
    • One Month Later
      somar86 earned a badge
      One Month Later
    • Apprentice
      Adrian Williams went up a rank
      Apprentice
    • Reacting Well
      BashOrgRu earned a badge
      Reacting Well
    • Collaborator
      CHUNWEI earned a badge
      Collaborator

  • Popular Contributors

    1. 1
      +primortal
      505
    2. 2
      ATLien_0
      260
    3. 3
      +Edouard
      188
    4. 4
      +FloatingFatMan
      175
    5. 5
      snowy owl
      132
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!