cosborne Respected Contributor.

Hide User from GAL issues

Hi All,

So, I am trying to hide users from the GAL at termination; our term process is not that mature yet. I have been able to set msExchHideFromAddressLists to TRUE via the AD filter to a custom eDir attr; this works and sets the value at term in eDir, which the AD driver detects and sets to TRUE. But this is not actually hiding the user from the GAL. I believe this is because we are doing it from the DC and just setting the attribute value, not doing it from the Exchange server with an Exchange PowerShell cmdlet.

I have read that you also must remove/clear the entries from the showInAddressBook attribute in AD. I have created an attr in eDir for this, mapped it, and set it in the filter in the AD driver. I can see that the driver is seeing the AddressBook values and attempting to process them, but I get this error in the driver and they are then removed from the operation. Can anyone please advise how I can resolve this error? Thanks!

[08/14/18 07:22:31.004]:slhnaz PT:Applying schema mapping policies to input.
[08/14/18 07:22:31.005]:slhnaz PT:Applying policy: %+C%14CNOVLADDCFG-smp%-C.
[08/14/18 07:22:31.006]:slhnaz PT: Mapping class-name 'user' to 'User'.
[08/14/18 07:22:31.007]:slhnaz PT: Mapping attr-name 'accountExpires' to 'Login Expiration Time'.
[08/14/18 07:22:31.009]:slhnaz PT: Mapping attr-name 'company' to 'company'.
[08/14/18 07:22:31.010]:slhnaz PT: Mapping attr-name 'department' to 'OU'.
[08/14/18 07:22:31.011]:slhnaz PT: Mapping attr-name 'description' to 'Description'.
[08/14/18 07:22:31.012]:slhnaz PT: Mapping attr-name 'dirxml-uACAccountDisable' to 'Login Disabled'.
[08/14/18 07:22:31.014]:slhnaz PT: Mapping attr-name 'displayName' to 'Full Name'.
[08/14/18 07:22:31.015]:slhnaz PT: Mapping attr-name 'employeeID' to 'workforceID'.
[08/14/18 07:22:31.016]:slhnaz PT: Mapping attr-name 'givenName' to 'Given Name'.
[08/14/18 07:22:31.017]:slhnaz PT: Mapping attr-name 'initials' to 'Initials'.
[08/14/18 07:22:31.018]:slhnaz PT: Mapping attr-name 'mail' to 'Internet EMail Address'.
[08/14/18 07:22:31.019]:slhnaz PT: Mapping attr-name 'objectGUID' to 'hhADGUID'.
[08/14/18 07:22:31.020]:slhnaz PT: Mapping attr-name 'physicalDeliveryOfficeName' to 'L'.
[08/14/18 07:22:31.021]:slhnaz PT: Mapping attr-name 'pwdLastSet' to 'pwdLastSet'.
[08/14/18 07:22:31.022]:slhnaz PT: Mapping attr-name 'sAMAccountName' to 'CN'.
[08/14/18 07:22:31.022]:slhnaz PT: Mapping attr-name 'showInAddressBook' to 'hhShowInAddressBook'.
[08/14/18 07:22:31.022]:slhnaz PT: Mapping attr-name 'sn' to 'Surname'.
[08/14/18 07:22:31.023]:slhnaz PT: Mapping attr-name 'title' to 'Title'.
[08/14/18 07:22:31.023]:slhnaz PT:Applying policy: %+C%14CNOVLADENTEX-smp%-C.
[08/14/18 07:22:31.023]:slhnaz PT: No mapping for class-name 'User'.
[08/14/18 07:22:31.024]:slhnaz PT:Resolving association references.
[08/14/18 07:22:31.050]:slhnaz PT:
DirXML Log Event -------------------
Driver: \HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=TSTSLHNAZ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstslhnaz,DC=org from attribute hhShowInAddressBook.
[08/14/18 07:22:31.469]:slhnaz PT:
DirXML Log Event -------------------
Driver: \HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=TSTSLHNAZ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstslhnaz,DC=org from attribute hhShowInAddressBook.
Knowledge Partner

Re: Hide User from GAL issues

I have a number of drivers that "manage" contacts in the GAL.

They were created a long time ago, and I will put here the names of the attributes (and part of the policy) that I use for the GAL:
msExchAddressBookFlags
msExchRecipientDisplayType
showInAddressBook



<do-add-dest-attr-value name="msExchAddressBookFlags">
  <arg-value type="string">
    <token-text xml:space="preserve">1</token-text>
  </arg-value>
</do-add-dest-attr-value>

<do-add-dest-attr-value name="msExchRecipientDisplayType">
  <arg-value type="string">
    <token-text xml:space="preserve">6</token-text>
  </arg-value>
</do-add-dest-attr-value>

<do-if>
  <arg-conditions>
    <and>
      <if-global-variable mode="nocase" name="gcvAddContactRecord2GAL" op="equal">true</if-global-variable>
    </and>
  </arg-conditions>
  <arg-actions>
    <do-for-each>
      <arg-node-set>
        <token-global-variable name="gcvListOfGALs"/>
      </arg-node-set>
      <arg-actions>
        <do-add-dest-attr-value name="showInAddressBook">
          <arg-value type="string">
            <token-local-variable name="current-node"/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
  </arg-actions>
  <arg-actions/>
</do-if>
cosborne Respected Contributor.

Re: Hide User from GAL issues

Awesome thank you. Do you put this in the AD driver or a null driver for business logic?
Knowledge Partner

Re: Hide User from GAL issues

cosborne;2485731 wrote:
Awesome thank you. Do you put this in the AD driver or a null driver for business logic?


I use a highly customized AD driver to inject specific information into AD/Exchange.
The main business logic is spread between the HR driver and a number of specialized null drivers.
cosborne Respected Contributor.

Re: Hide User from GAL issues

This one line of code did it on a policy in the SUB-CTP on the AD driver:

<do-clear-dest-attr-value name="showInAddressBook"/>

🙂
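A post-change check for the symptom described in this thread (hide flag set, address-list membership still present), as an added example that is not from any poster: it scans an LDIF export of AD users and reports accounts where msExchHideFromAddressLists is TRUE but showInAddressBook still has values. The sample LDIF, domain and account names are constructed.

```python
import base64

# Constructed sample export (for example from ldapsearch); not data from the thread.
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Users,DC=example,DC=org
sAMAccountName: jdoe
msExchHideFromAddressLists: TRUE
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Contain
 er,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,
 DC=org

dn: CN=asmith,OU=Users,DC=example,DC=org
sAMAccountName: asmith
msExchHideFromAddressLists: TRUE

dn: CN=bjones,OU=Users,DC=example,DC=org
sAMAccountName: bjones
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists
 ,CN=Address Lists Container,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=
 Configuration,DC=example,DC=org
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per entry, unfolding wrapped lines."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # folded continuation of previous value
            current[last][-1] += line[1:]
        elif not line.strip():                   # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.lstrip())
    return entries

def still_listed(entries):
    """Accounts with the hide flag set that still carry showInAddressBook values."""
    findings = []
    for e in entries:
        hidden = e.get("msexchhidefromaddresslists", ["FALSE"])[0].upper() == "TRUE"
        books = e.get("showinaddressbook", [])
        if hidden and books:
            findings.append((e.get("samaccountname", e.get("dn", ["?"]))[0], books))
    return findings
```

Run it against an export taken after the termination policy has fired; an empty result means every flagged account has also had its address-list references cleared.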
Knowledge Partner

Re: Hide User from GAL issues

cosborne;2485757 wrote:
This one line of code did it on a policy in the SUB-CTP on the AD driver:

<do-clear-dest-attr-value name="showInAddressBook"/>

🙂


Great!

I provided you a piece of code that is responsible for registering a specific user/contact in the GAL.
You found exactly what you need for your business case! 🙂
Knowledge Partner

Re: Hide User from GAL issues

showInAddressBook - This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-showinaddressbook
cosborne Respected Contributor.

Re: Hide User from GAL issues

Yes, thank you sir! I think we will be able to manipulate a lot more things in AD now that I better understand the concept of being able to write to any attribute on the Destination side as long as you know what the attribute is named, what values it holds, and exactly what it does.
Knowledge Partner

Re: Hide User from GAL issues

cosborne;2485791 wrote:
Yes, thank you sir! I think we will be able to manipulate a lot more things in AD now that I better understand the concept of being able to write to any attribute on the Destination side as long as you know what the attribute is named, what values it holds, and exactly what it does.


The AD driver allows you to manipulate any AD attributes for any AD object (like through the ADUC console or LDAP).
These attributes can be (or not) in the schema mapping or filter of your driver.
Your AD driver service account (if it has enough rights for these specific attributes) can modify any AD attributes (if they are not read-only or constructed) visible in the AD driver application schema.