synched too many AD objects

asked 2020-03-17T16:29:58.227+00:00
Shamik Ghosh 1 Reputation point

We had a problem where the AD Sync connector was not synchronising any new AD objects past a certain date, and previously it was set up to only sync from a certain OU. I know little about Azure AD but was asked to troubleshoot, and guessed that the reason the connector wasn't working was that there were no domain partitions selected, nor were any of the run configurations filled with any steps; it appeared somehow this config was lost. So I have reselected the domain partition on the local adsync connector and populated the run configurations with the necessary steps, and now it appears too many AD objects have synched to Azure AD. The issue I have is that we have lost the password for the service account used for adsync, so we will need to reset it first in order to filter by OU, but if we do that, will the excessive objects in Azure AD automatically get removed or will they remain? If they remain, how can they be removed from Azure AD (because we want only objects from one OU being synched to the cloud) but left to remain in our on-prem AD?


2 answers

  1. answered 2020-03-17T17:08:02.11+00:00
    Vasil Michev 61,451 Reputation points Microsoft MVP

    If you apply any sort of filter, either by OU/domain or by using rules, the corresponding objects will be removed from Azure AD.


  2. answered 2020-03-17T19:14:03.31+00:00
    Jan Ketil Skanke 91 Reputation points Microsoft MVP

    Hi, first off, you do not need the password for the sync account in Azure AD to change your sync scope. The only thing you need is to re-run the wizard and change your scope settings again in the wizard. That is the easiest way to change this. If you go in through the sync engine, you can actually use any account with permissions in AD to change the settings; it will not replace the service account actually being used for sync. In fact, if you allowed AAD Connect to create the service account on your behalf, you would never know the password of this account at all.

    Secondly, you must be aware that there is a fail-safe implemented in AAD Connect (prevent accidental delete). So if the scope change deletes more than 500 items, it will halt and you need to go into PowerShell to temporarily disable the fail-safe using the cmdlet Enable-ADSyncExportDeletionThreshold

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

    Hope this helps.

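The re-scoping procedure the two answers describe (narrow the scope, let the resulting deletes export, and deal with the accidental-delete threshold) can be driven from PowerShell on the Azure AD Connect server. The script below is an added example written for this thread, not code posted by either answerer or by Microsoft. It assumes the OU filter has already been changed in the wizard or Synchronization Service Manager, that it runs in an elevated session on the AAD Connect server where the `ADSync` module is installed, and that `$ExpectedDeletes` is a number you have already verified by reviewing the pending exports in Synchronization Service Manager. The `Get-ADSyncScheduler`, `Set-ADSyncScheduler`, `Get-/Enable-/Disable-ADSyncExportDeletionThreshold` and `Start-ADSyncSyncCycle` cmdlets are the module's own; the property names read from their output are taken from the module's documented output and are the only assumption beyond that.

```powershell
# Added example for this thread (not the answerers' code). Run elevated on the
# Azure AD Connect server after the OU/domain scope has been narrowed.
Import-Module ADSync

function Get-SyncStateSummary {
    # Snapshot of the scheduler and the accidental-delete fail-safe before any change.
    $scheduler = Get-ADSyncScheduler
    $threshold = Get-ADSyncExportDeletionThreshold
    [pscustomobject]@{
        SyncCycleEnabled         = $scheduler.SyncCycleEnabled
        SyncInProgress           = $scheduler.SyncCycleInProgress
        DeletionThresholdEnabled = [bool]$threshold.DeletionThresholdEnabled
        DeletionThreshold        = [int]$threshold.DeletionThreshold   # 500 by default
    }
}

function Wait-SyncCycle {
    # Start-ADSyncSyncCycle returns immediately; poll until the cycle really finishes
    # so the threshold is not re-enabled while the export is still running.
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    Start-Sleep -Seconds 10
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle did not finish within $TimeoutMinutes minutes." }
        Start-Sleep -Seconds 15
    }
}

function Invoke-RescopeExport {
    param(
        # Number of Azure AD deletions you verified the new scope should cause.
        [Parameter(Mandatory)][int]$ExpectedDeletes,
        # Required to lift the fail-safe when $ExpectedDeletes exceeds the threshold.
        [switch]$Force
    )
    $state = Get-SyncStateSummary
    if ($state.SyncInProgress) { throw 'A sync cycle is already running; wait for it to finish.' }

    # Pause scheduled cycles so nothing exports while the fail-safe is changed.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    $lifted = $false
    try {
        if ($state.DeletionThresholdEnabled -and $ExpectedDeletes -gt $state.DeletionThreshold) {
            if (-not $Force) {
                throw ("Expected $ExpectedDeletes deletes exceeds the threshold of $($state.DeletionThreshold). " +
                       'Review the staged deletes in Synchronization Service Manager, then re-run with -Force.')
            }
            # Lift the fail-safe only for this one run.
            Disable-ADSyncExportDeletionThreshold
            $lifted = $true
        }
        # A full (Initial) cycle re-evaluates the scope filter for every object,
        # so objects that fell out of the OU filter are staged for deletion and exported.
        Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
        Wait-SyncCycle
    }
    finally {
        # Always restore the fail-safe at its previous value and resume the scheduler.
        if ($lifted) { Enable-ADSyncExportDeletionThreshold -DeletionThreshold $state.DeletionThreshold }
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
    Get-SyncStateSummary
}

# Typical use: first a dry check that refuses to proceed if the expected deletes
# exceed the threshold, then the real run once the staged deletes have been reviewed.
# Invoke-RescopeExport -ExpectedDeletes 1200
# Invoke-RescopeExport -ExpectedDeletes 1200 -Force
```

The point of the `$ExpectedDeletes` gate and the `finally` block is that the fail-safe is lifted for exactly one reviewed cycle and comes back with its original value even if the export throws; leaving the threshold disabled is what turns a later mistake (a mis-typed OU filter, a lost partition selection like the one in the question) into a mass deletion in Azure AD.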