[GUIDE] Hide users from Global Address List in AD Hybrid Joined Domains.

My company recently deployed a Hybrid Joined environment, and we came across an issue where the Entra and Admin portals were no longer allowing us to hide accounts from the global address list. Here is the solution I came up with to resolve the issue.

1) On the machine hosting the AD Connect tool, open Synchronization Rules Editor.

2) Verify Direction is set to "Inbound" and then click "Add new Rule" on the right side.


3) Give it a name like "Hide user from GAL" or whatever makes sense to you. Connected System is your local domain, Connected System Object Type "User", Metaverse Object Type "Person", Link Type "Join", Precedence "50"; then leave Tag, Enable Password Sync, and Disabled alone.


4) Hit Next, and skip "Scoping Filter" and "Join Rules".

5) On Transformation Rules, set Flow Type to "Expression", Target Attribute to "msExchHideFromAddressLists", then set Merge Type to "Update". Use the following script in the "Source" field.

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

6) That's the hard part done. Now you need to manipulate each user account that you want to be hidden. You have 2 options here: you can use PowerShell, or just AD Users and Computers.

7) The PowerShell way.

8) Run PowerShell as a Domain Admin and simply run the command below.

Set-ADUser -Identity "FULL USERNAME" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

9) The AD Users and Computers way

10) Open AD Users and Computers and click View to verify "Advanced Features" is enabled.

11) Manually navigate to the user that needs to be hidden. Unfortunately you cannot use the Search command here, because when you search for a user the Attribute Editor is not available.

12) On the user in question, go to the Attribute Editor tab, look for "msDS-cloudExtensionAttribute1", and set it to "HideFromGAL".

13) Once you have updated the user, either wait for the AD to Azure sync or force it to run. (You can do that from the machine running Azure AD Connect by running PowerShell as an admin and running the following command.)

Start-ADSyncSyncCycle -PolicyType Delta
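As an added example (not part of the original post), here is the PowerShell step from the guide above extended to handle a list of users, read the attribute back after writing it, and report which accounts currently carry the marker before the delta sync runs. It assumes the RSAT ActiveDirectory module is installed, that "HideFromGAL" is the same sentinel string used in the sync rule expression, that msExchHideFromAddressLists exists in the schema (as it does on the poster's domain), and that Start-ADSyncSyncCycle is only available on the Azure AD Connect server. The user names are constructed placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# $HideMarker must match the string compared in the Azure AD Connect sync rule expression.
$HideMarker = 'HideFromGAL'
$Attr       = 'msDS-cloudExtensionAttribute1'

function Set-GalVisibility {
    # Sets (or, with -Unhide, clears) the marker attribute on each user and returns
    # the value read back from AD so a failed write is noticed before the sync runs.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [switch] $Unhide
    )
    foreach ($name in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $name -Properties $Attr -ErrorAction Stop
        } catch {
            Write-Warning "User '$name' not found; skipping."
            continue
        }
        if ($Unhide) {
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Clear $Attr")) {
                Set-ADUser -Identity $user -Clear $Attr
            }
        } else {
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $Attr = $HideMarker")) {
                Set-ADUser -Identity $user -Replace @{ $Attr = $HideMarker }
            }
        }
        $after = (Get-ADUser -Identity $user -Properties $Attr).$Attr
        [pscustomobject]@{ User = $user.SamAccountName; $Attr = $after }
    }
}

function Get-GalHiddenUsers {
    # Audit view: every account carrying the marker, alongside the Exchange attribute
    # the sync rule writes into Entra. Assumes msExchHideFromAddressLists exists in the schema.
    Get-ADUser -LDAPFilter "($Attr=$HideMarker)" -Properties $Attr, msExchHideFromAddressLists |
        Select-Object SamAccountName, UserPrincipalName, $Attr, msExchHideFromAddressLists
}

# Usage (placeholder account names): preview with -WhatIf, then apply and audit.
Set-GalVisibility -SamAccountName 'jdoe', 'svc-scanner' -WhatIf
Set-GalVisibility -SamAccountName 'jdoe', 'svc-scanner'
Get-GalHiddenUsers | Format-Table -AutoSize

# Only meaningful on the Azure AD Connect server, where the ADSync module is present.
if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Running Get-GalHiddenUsers before and after the delta sync is a quick way to confirm the marker and the msExchHideFromAddressLists value agree for each account, which is the relationship the sync rule in step 5 enforces.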

 

Can I assume you removed your last exchange box\management tools?

If Exchange wasn't present, extend the AD schema (using the Exchange setup) and install the Exchange management tools; you'll be able to hide a user from a GAL in a supported\non hacky way.

https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019

In this circumstance we are not using self-hosted Exchange, we are using M365 Exchange, so there are no management tools other than the included Exchange admin center, Entra, and M365 Admin Center. In all of them, when you attempt to hide a user from the GAL you receive a generic error message. The check boxes are there; it just refuses to comply. I even tried using the Attribute Editor to set the "msExchHideFromAddressLists" attribute to True; however, it did nothing.


I understand what you've got configured. The supported method of hiding from the GAL is to extend the AD schema with the Exchange attributes. Once you've done that you'll be able to install the Exchange management tools (Exchange shell specifically) and hide users from the GAL.

...I know because this is exactly what I've configured in many greenfield deployments in the past several years; on-prem AD becomes the source anchor when you turn on directory sync.

To be clear, you don't need a full Exchange Server configured.
