LittleNeutrino (Veteran) Posted May 8

My company recently deployed a Hybrid Joined environment, and we came across an issue where the Entra and Admin portals were not allowing us to hide accounts from the global address list any longer. Here is the solution I came up with to resolve the issue.

1) On the machine hosting the AD Connect tool, open Synchronization Rules Editor.
2) Verify Direction is set to "Inbound" and then click "Add new Rule" on the right side.
3) Give it a name like "Hide user from GAL" or whatever makes sense to you. Connected System is your local domain, Connected System Object Type "User", Metaverse Object Type "Person", Link Type "Join", Precedence "50", then leave Tag, Enable Password Sync, and Disabled alone.
4) Hit Next, and skip "Scoping Filter" and "Join Rules".
5) On Transformation rules, set Flow Type to "Expression", Target Attribute to "msExchHideFromAddressLists", then set Merge Type to "Update". Use the following script in the "Source" field:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

6) That's the hard part done. Now you need to manipulate each user account that you want to be hidden. You have 2 options here: you can use PowerShell, or just AD Users and Computers.
7) The PowerShell way.
8) Run PowerShell as a Domain Admin and simply run the command below.

Set-ADUser -Identity "FULL USERNAME" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

9) The AD Users and Computers way.
10) Open AD Users and Computers and click View to verify "Advanced Features" is enabled.
11) Manually navigate to the user that needs to be hidden. Unfortunately you cannot use the Search command here, because when you search for a user the Attribute Editor is not available.
12) On the user in question go to the Attribute Editor tab, then look for "msDS-cloudExtensionAttribute1" and set it to "HideFromGAL".
13) Once you have updated the user, either wait for the AD to Azure sync or force it to run. (You can do that from the machine running Azure AD Connect by running PowerShell as an admin and running the following command.)

Start-ADSyncSyncCycle -PolicyType Delta
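The following script is an added example, not part of the original post: it applies the same attribute change as steps 8 and 12 to a batch of accounts, lets you reverse it by clearing the attribute (which makes the sync rule flow NULL), prints what the rule will see, and lists every account currently flagged so the hidden set can be audited. It assumes the RSAT ActiveDirectory module, and the ADSync module only if -TriggerSync is used on the AAD Connect server.

```powershell
# Added example (not from the original post). Bulk-set or clear the marker
# attribute that the custom AAD Connect inbound rule maps to
# msExchHideFromAddressLists, then report and audit the result.
param(
    [Parameter(Mandatory)][string[]]$SamAccountName,
    [switch]$Unhide,       # clear the attribute instead of setting it
    [switch]$TriggerSync   # run a delta sync; only valid on the AAD Connect server
)
Import-Module ActiveDirectory

$attr   = 'msDS-cloudExtensionAttribute1'
$marker = 'HideFromGAL'   # must match the string in the sync rule expression exactly

foreach ($sam in $SamAccountName) {
    $user = Get-ADUser -Identity $sam -Properties $attr -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "User not found: $sam"; continue }

    if ($Unhide) {
        # Absent attribute -> IsPresent() is false -> rule flows NULL (not hidden)
        if ($user.$attr) { Set-ADUser -Identity $user -Clear $attr }
    }
    elseif ($user.$attr -ne $marker) {
        # Write only when the value differs, so no needless change is synced
        Set-ADUser -Identity $user -Replace @{ $attr = $marker }
    }

    # Re-read so the report reflects what is actually stored in AD
    $after = Get-ADUser -Identity $sam -Properties $attr
    [pscustomobject]@{
        User     = $sam
        Marker   = $after.$attr
        WillHide = ($after.$attr -eq $marker)   # what the IIF expression evaluates to
    }
}

# Audit: every account currently carrying the marker. Anyone who can write this
# attribute can hide or unhide users, so review this list periodically.
Write-Host "`nAccounts currently flagged $marker:"
Get-ADUser -LDAPFilter "($attr=$marker)" | Select-Object SamAccountName, DistinguishedName

if ($TriggerSync) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it as, for example, `.\Set-GalHidden.ps1 -SamAccountName jdoe, asmith` to hide two accounts, or add -Unhide to reverse the change; the WillHide column shows whether the rule's expression will evaluate to True for each account after the next sync.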
binaryzero Posted May 9

Can I assume you removed your last Exchange box\management tools? If Exchange wasn't present, extend the AD schema (using the Exchange setup) and install the Exchange management tools; you'll be able to hide a user from a GAL in a supported\non-hacky way. https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019
LittleNeutrino (Veteran, Author) Posted May 9

In this circumstance we are not using self-hosted Exchange; we are using M365 Exchange, so there are no management tools other than the included Exchange admin center, Entra, and M365 Admin Center. All of which, when you attempt to hide a user from the GAL, give you a generic error message. The check boxes are there; it just refuses to comply. I even tried using the Attribute Editor to set the "msExchHideFromAddressLists" attribute to True; however, it did nothing.
binaryzero Posted May 9 (edited)

I understand what you've got configured; the supported method of hiding from the GAL is to extend the AD schema with the Exchange attributes. Once you've done that you'll be able to install the Exchange management tools (Exchange shell specifically) and hide users from the GAL. ...I know because this is exactly what I've configured in many greenfield deployments in the past several years; on-prem AD becomes the source anchor when you turn on directory sync. To be clear, you don't need a full Exchange Server configured.