Unable to change initial Pilot/Test Group Azure AD Connect
Recently, while installing and configuring the new Azure AD Connect Tool for a customer, we configured group filtering for an initial Pilot Group of users. After initial testing, the decision was made to expand this to another, more permanent group of users. While it appeared we could re-run the setup wizard, which gave us the option to change the pilot group, it would never actually update the database to reflect the changes.
Thankfully, with the assistance of a colleague we were able to track down the table/field within the LocalDB and change the entry for the group.
NOTE: Please proceed with this at your own risk – I’m quite certain this wouldn’t be a supported method from Microsoft, however it worked for us until this bug is resolved in the Azure AD Connect tool.
First, disable the scheduled task and the Azure AD Sync service.
Using SQL Management Studio, connect to the LocalDB instance as a logged-on or run-as user who is a member of the local ADSyncAdmins group.
The database instance information can be found here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server Local DB\Shared Instances\ADSync
From there, right-click the table “dbo.mms_management_agent” and select “Edit Top 200 Rows”. The data is stored in the second row, in the column “private_configuration_xml”.
Expand out the field to find the parameter:
<parameter name="Connector.GroupFilteringGroupDn" type="string" use="global" dataType="String">CN=MSONLINEUSERS,OU=YOURGROUPOU,DC=YOURDOMAIN,DC=YOURDOMAINEXTENSION</parameter>
From here, I’d recommend taking a copy of that entire field/XML first in case you need to reference it pre-changes.
Simply replace MSONLINEUSERS with your group name and the remaining AD path for your specific group.
Restart the Azure AD Connect Service and re-enable/re-run the sync to have the new group sync. You may need to run a full sync for all of the changes to appear. This can be done by running the following command:
"C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe" initial
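One way to prepare the edited field value without retyping XML by hand, as an added example that is not from the original post: it changes the DN in a copy of the field's text and refuses to continue unless exactly one matching parameter exists. The function name Set-GroupFilterDn, the <sample-root> wrapper, the replacement DN and the output file names are assumptions for illustration; reading the value from and writing it back to the LocalDB row is still done as in the steps above.

```powershell
# Constructed sample standing in for the private_configuration_xml value.
# <sample-root> is a hypothetical wrapper; only the parameter element comes from the post.
$original = @'
<sample-root>
  <parameter name="Connector.GroupFilteringGroupDn" type="string" use="global" dataType="String">CN=MSONLINEUSERS,OU=YOURGROUPOU,DC=YOURDOMAIN,DC=YOURDOMAINEXTENSION</parameter>
</sample-root>
'@

function Set-GroupFilterDn {
    # Hypothetical helper: returns the old DN, the new DN and the edited XML text.
    param(
        [Parameter(Mandatory)] [string] $ConfigXml,
        [Parameter(Mandatory)] [string] $NewGroupDn
    )
    # Rough sanity check only (no escaped commas): CN=..., optional OU/CN parts, then DC parts.
    if ($NewGroupDn -notmatch '^CN=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$') {
        throw "Not a plausible group DN: $NewGroupDn"
    }
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # keep the rest of the field as it was
    $doc.LoadXml($ConfigXml)             # throws if the copied text is not well-formed
    # Match on the parameter name so the position inside the field does not matter.
    $nodes = $doc.SelectNodes("//parameter[@name='Connector.GroupFilteringGroupDn']")
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one group filtering parameter, found $($nodes.Count)"
    }
    $old = $nodes[0].InnerText
    $nodes[0].InnerText = $NewGroupDn    # InnerText escapes characters such as & for XML
    [pscustomobject]@{ OldDn = $old; NewDn = $NewGroupDn; Xml = $doc.OuterXml }
}

# Constructed replacement DN.
$result = Set-GroupFilterDn -ConfigXml $original -NewGroupDn 'CN=O365-Sync-Users,OU=Groups,DC=example,DC=com'

# Keep the untouched text beside the edited text before anything is pasted back.
Set-Content -Path .\private_configuration_xml.before.xml -Value $original -Encoding UTF8
Set-Content -Path .\private_configuration_xml.after.xml -Value $result.Xml -Encoding UTF8

# Only the line holding the DN should be reported as different.
Compare-Object ($original -split "\r?\n") ($result.Xml -split "\r?\n")
$result | Select-Object OldDn, NewDn
```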
Hope it helps!