How to Hide User or Shared Mailbox from GAL in Hybrid Environment when user is disabled on Active Directory

Jesús Valencia 0 Reputation points
2024-06-18T20:31:36.98+00:00

Our company has a hybrid environment: Active Directory runs on a Windows server and is currently syncing with Exchange and Azure AD. Both are synced so that if a user's password is reset in one, the other is updated within a few minutes.

I've been trying to write a PowerShell or Command Prompt script that finds any users that are disabled in AD, either a single user or an array of users, and hides every disabled user from the Global Address List. We want to make this the default option for other companies and clients that have the same hybrid setup.

I tried running the commands in PowerShell and CMD, but my problem is that whenever I try to read the Active Directory attribute or property msExchHideFromAddressLists I keep getting an error that the property is invalid or doesn't exist, and yet it shows up if I run a command like this:

$groupname = "Domain Users"
$users = Get-ADGroupMember -Identity $groupname | Where-Object {$_.objectclass -eq "user"}
foreach ($activeusers in $users) {
    Get-ADUser -Identity $activeusers | Where-Object {$_.enabled -eq $false} | Select-Object Name, SamAccountName, UserPrincipalName, Enabled, msExchHideFromAddressLists
}

There the property shows {} but nothing else. Is there something I am missing, or do I need to activate something in order to make it work?

Thanks.


2 answers

  1. Noah Ma-MSFT 1,850 Reputation points Microsoft Vendor
    2024-06-19T06:23:52.96+00:00

    Hi @Jesús Valencia,

    Thank you for posting to Microsoft Community.

    Based on your description, I understand there are some concerns about the msExchHideFromAddressLists attribute.

    However, I have the following about the attribute to share with you.

    If these objects were on-premises and then migrated to Exchange Online, then the change should occur on-premises. And if you are using Azure AD Connect, you should modify the msExchHideFromAddressLists attribute on your internal Active Directory. You need to use on-premises Exchange server to extend your AD schema. To manage the mail related attributes from on-premises AD with directory synchronization without an on-premises Exchange is not officially supported.

    Sometimes the msExchHideFromAddressLists attribute on the on-premises AD won't sync to the AAD account unless you have the mailNickname attribute set as well. Please set mailNickname to match the username portion of their email address. You could refer to Changes to msExchangeHiddenFromAddressList not updated - Exchange | Microsoft Learn for more information.

    Also, please try Get-ADObject to get the msExchHideFromAddressLists attribute as below. Get-ADObject is a bit more specific in what you give it as an identity, so pipe the results of Get-ADUser into Get-ADObject to check what attributes are showing.

    Get-ADUser username | Get-ADObject -Properties *

    Hope it helps, if there is anything else you need help with, please let me know.


  2. Andy David - MVP 144.1K Reputation points MVP
    2024-06-19T11:03:17.0266667+00:00

    You should be using the Exchange management tools to set this.

    Find the disabled users and then set it with Exchange PowerShell.

    I don't think msExchHideFromAddressLists is populated in AD unless it's set to $true already.

    Example:

    Set-Mailbox -Identity <user> -HiddenFromAddressListsEnabled:$true

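Putting the two answers together (find the disabled AD users, check mailNickname as the first answer warns, then set the on-premises attribute so Azure AD Connect carries it to Exchange Online), here is an added example script; it is not code from the question or from either answer. It assumes the RSAT ActiveDirectory module on a domain-joined admin host and an AD schema already extended by on-premises Exchange; the function names are made up for this example.

```powershell
# Added example, not from the question or either answer. Assumes: the RSAT
# ActiveDirectory module, an AD schema extended by on-premises Exchange (so
# msExchHideFromAddressLists exists), and Azure AD Connect syncing the attribute.
Import-Module ActiveDirectory

# Returns disabled, mail-enabled users with the GAL-related attributes.
# These attributes are not in Get-ADUser's default set; without -Properties
# they come back empty, which is what the question's loop was seeing.
function Get-DisabledMailUser {
    param(
        [string[]]$SamAccountName,                              # specific users, or
        [string]$SearchBase = (Get-ADDomain).DistinguishedName  # a whole subtree
    )
    $props = 'msExchHideFromAddressLists', 'mailNickname', 'mail'
    $users = if ($SamAccountName) {
        $SamAccountName | ForEach-Object { Get-ADUser -Identity $_ -Properties $props }
    } else {
        Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties $props
    }
    $users | Where-Object { -not $_.Enabled -and $_.mail } | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Mail              = $_.mail
            MailNickname      = $_.mailNickname
            AlreadyHidden     = [bool]$_.msExchHideFromAddressLists
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Sets the on-premises attribute (the route the first answer describes for a
# synced hybrid object); Azure AD Connect pushes it to Exchange Online on its next cycle.
function Hide-DisabledMailUserFromGal {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$SamAccountName, [string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($u in (Get-DisabledMailUser -SamAccountName $SamAccountName -SearchBase $SearchBase)) {
        if ($u.AlreadyHidden) { continue }
        if (-not $u.MailNickname) {
            # The first answer's caveat: without mailNickname the flag may never sync.
            Write-Warning "$($u.SamAccountName): mailNickname is empty; set it (e.g. the part of $($u.Mail) before '@') before hiding."
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set msExchHideFromAddressLists = TRUE')) {
            Set-ADUser -Identity $u.DistinguishedName -Replace @{ msExchHideFromAddressLists = $true }
        }
    }
}

# Preview with -WhatIf, then run without it to apply; -SamAccountName limits it to given users.
Hide-DisabledMailUserFromGal -WhatIf
```

The -WhatIf preview lists each user that would be changed without touching the directory, which is the sensible first run on a client's domain.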