Changing Security Group Filtering to Exclude

Deleted
Not applicable

Hoping someone might be able to help me with this. I am implementing a new Azure AD Connect system and I have been trying to find a way to reverse the security group filtering; rather than group membership being a requirement for sync, I would like only users NOT in the group to be synced. 

I have tried editing (copy-edit) the existing In From AD - User Filtering rule and changing the ISNOTMEMBER to ISMEMBER condition, but this doesn't appear to actually do anything, and the security group is ignored until I put the rule back to how it was, where it starts working as default. 

I am looking for an easy way to exclude discrete numbers of users from synchronization that doesn't involve OU Filtering and thought a security group would be the logical choice but this doesn't seem to work. 

Anyone have a similar situation? 

0 Replies