Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

AAD COnnect object not in metaverse

Copper Contributor

I have AAD Connect running and cannot sync this one user.  Here are some facts

 

1. User is in an OU that's configured to Sync

2. User is found in the Connector Space for on prem AD

3. User is NOT found in the metaverse search

4. User has correct UPN suffix

5. in the CS I'm able to bring up the properties of the user and generated a full sync preview and even committed it successfully.

 

So when I force a delta sync... I see nothing at all … no new object add or changes in the logs... 

 

I looked at this article but can't really understand regarding the scoping filters.  Everything is default, there should be no filters.

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

 

Please help with some more detailed troubleshooting?  Seems like this user is being skipped for some weird reason....

 

10 Replies

Check that these properties are populated on the user account:

  • Mail/Windows Mail
  • MailNickname/Alias
  • EmailAddress

 

Even if the user account is not going to have mail, it can keep the account from syncing.

It can simply be filtered by one of the default (or custom) rules. You should see which of those affect the object when you run the preview/commit. And do force a Full sync as some changes might not be reflected upon delta.

@Vasil Michev  Ok I will check that but how can I tell which rule is applying during the preview?  Sorry I'm very new at this

@Vasil Michev  When I click Generate Preview...all it says is successful.  Then I click on the source object details...it shows whole bunch of stuff on the "NEW VALUE" column and "OLD VALUE" is empty...which is to be expected since this is not syncing yet.  And that's all I see...I don't see rules or anything

@Steve Mahoneythanks so much, I checked and all those attributes are filled out

best response confirmed by ch0wd0wn (Copper Contributor)
Solution

@Vasil Michev  Thanks for the article. 

 

I'm really trying to follow this but the verbiage is confusing:

" In the following scoping filter, if the isCriticalSystemObject value is null or FALSE or empty, it's in scope."

 

When I look at the "In from AD - User Join" and the scoping filter shows isCriticalSystemObject has a value of "TRUE" … so according to the statement above this rule is NOT in scope? the double negative is confusing me, also because User Join sounds like its something that SHOULD be in scope right?

Hi Vasil

Also in the article it is stating the following -

"Go to the CS Import attribute list and check which filter is blocking the object from moving to the MV. The Connector Space attribute list will show only non-null and non-empty attributes. For example, if isCriticalSystemObject doesn't show up in the list, the value of this attribute is null or empty."

But I click on the link to the CS Import page and it still doesn't show HOW TO LOOK for which filter is blocking... it just goes into explaining the import and lineage tabs. Sorry I am just not getting this.

Can you just tell me where exactly would it show what is blocking this object from being in the MV?

Gosh sorry to keep bugging you just wanted to give you an update...

I found that this user object has isCriticalSystemObject set to "TRUE" which after reading 1000s I understand that because of this, he's not being sync'd. Conversely I looked at this attribute for other syncing users and its "NOT SET". So I am sure I found the issue... however I'm unable to modify this due to some SAM error, that may be another issue.
Turns out this account was the BUILT-IN Administrator account that has been renamed!!!!!
1 best response

Accepted Solutions
best response confirmed by ch0wd0wn (Copper Contributor)
Solution

@Vasil Michev  Thanks for the article. 

 

I'm really trying to follow this but the verbiage is confusing:

" In the following scoping filter, if the isCriticalSystemObject value is null or FALSE or empty, it's in scope."

 

When I look at the "In from AD - User Join" and the scoping filter shows isCriticalSystemObject has a value of "TRUE" … so according to the statement above this rule is NOT in scope? the double negative is confusing me, also because User Join sounds like its something that SHOULD be in scope right?

View solution in original post