Wednesday, February 18, 2015

Office 365 Active Directory DirSync how to exclude or specify an OU

If you do directory sync from AD to Office 365 you may not want to replicate all users and groups in your full AD structure which is what is replicated by default. You can exclude or specify which OU’s to synchronize using the following instructions.

Caution: Seasoned Domain Admins Only

“you break it you bought it…”

Create the following shortcut to the desktop

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Open and select Management Agents and The Active Directory Connection:


Right Click and Select Properties:


Select Configure Directory Partitions and Containers:


You will be prompted for credentials enter in your LOCAL ADSync Username and Password:


Browse and Include or Exclude the OU’s as necessary:

Select “OK” “OK”

You can now force the DirSync process.
Open up PowerShell as Administrator and Run the following command to initiate a sync:

Import-Module DirSync
Start-OnlineCoexistenceSync -fullsync


Select the Operations tab to view status:

Note the Deletions in the bottom left as I excluded a previously synchronized OU:

You can click on the Export Statics fields above for further information.

Note: I recommend forcing the DirSync process 2 to 3 times to make sure all settings synchronize

Log onto Office365 portal and confirm settings changes. In my example it moved the excluded OU Users to Deleted Users as shown below:


Note: if you make a mistake and exclude an OU you didn’t mean to or vice versa. Make the change ASAP and rerun through the sync process and the accounts should be re-enabled/disabled as necessary. If they appear as “In Cloud” that means it is not AD synced.


  1. Dumb question... but this utility has no write back abilities does it? ie. it won't change anything on the local AD?

  2. That is correct DirSync is currently a one way street.