Hiding Leavers from the Address list GAL – Exchange Hybrid ( Mail / Mail nickname )

by dakseven, posted in Active Directory, Exchange Online, Hybrid Exchange, Office365

I have recently encountered an issue in our tenancy. Whereas, leavers were still showing in the address list after being converted to shared mailboxes.

The Case study with Leavers

  • Several companies still save their leavers using A Shared mailbox procedure
  • Converting to shared mailbox does not hide the mailboxes from the Address list unless instructed in AD
  • Consider deleting the users and using retention & PowerShell to restore the users if required to avoid this issue
  • Consider following this guide to clean up immutable ID after performing this fix : https://sevenitblog.com/2023/05/03/deletingcloudonlyobjectnotallowed-how-to-resolve-dirsync/

Requirements for the Fix

MS Exchange Hide From address list attribute must sync to Azure AD from your on premise Active Directory

In order to accomplish this, you must ensure this attribute is synchronized

  • The attribute sync editor in your Dirsync Server should have MsExchHidefrom address lists configured
  • If the mail and mail nick name attribute is not filled, you must run a script on the leavers in order to hide the leavers
  • The script requires understanding on PowerShell and takes into consideration you have the expertise and level to run it
  • We recommend testing the script before running it in a test environment

Script to Fill the Mail & Mail Nick name Attributes 

#This is a sample script . You must replace the OU with your OU to resolve the mail & Mail nick name attributes 
#You have to change the OU towards your own OU Code 


#Replacing the Mail attribute with your UPN  Line code 

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Disabled Accounts,OU=ADDOMAIN Users,OU=_ADDOMAIN,DC=ADDOMAIN,DC=local" |  Foreach-Object {Set-ADUser -Identity $_ -Email "$($_.samaccountname)@ADDOMAIN.org.uk" }

#Replacing the Mail nickname attribute with the Sam Account name  line code 
 
Get-ADUser -Filter * -SeaADDOMAINrchScope Subtree -SearchBase "OU=Disabled Accounts,OU=ADDOMAIN Users,OU=_ADDOMAIN,DC=ADDOMAIN,DC=local" |  ForEach-Object {Set-ADUser -Identity $_ -Replace @{mailNickname=$_.samaccountname}}


#removes from addresslist Addressbook line code 

get-aduser -Filter * -SearchScope OneLevel -SearchBase  'OU=Disabled Accounts,OU=ADDOMAIN Users,OU=_ADDOMAIN,DC=ADDOMAIN,DC=local'| Set-ADUser -Clear showInAddressBook
get-aduser -Filter * -SearchScope OneLevel -SearchBase  'OU=Disabled Accounts,OU=ADDOMAIN Users,OU=_ADDOMAIN,DC=ADDOMAIN,DC=local'| Set-ADUser -Replace @{msExchHideFromAddressLists=$TRUE}
#Remove-ADPrincipalGroupMembership
Advertisement

Published by dakseven

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.