Filter to exclude certain AD accounts for on-premises environment

I would like to request a filter or a rule that excludes certain accounts from being synced to the cloud, i.e., service accounts, accounts that don't have a title assigned to them within AD, etc.

  • Hi Juan -

    Is your request for AD on-premises?

    Thank you for a quick update
    Jesper Frier

  • Hello Jesper, Yes, my request is for on-premises. Thank you, Juan
  • Got it Juan -

    With AD on-premises as your data source, you can filter and pull users from OUs and Groups.

    The /remove+ switch removes the service accounts and users that are not included in your filter.

    Learn more in examples #3 and #4. Will this work for you?

    Thanks
    Jesper Frier

  • Can you please provide me with an example? I'm already using the /remove+ filter; however, the service accounts are still being synced up. Thank you
  • Below is example #3 linked above where you pull users from an OU and remove users that are not included in the OU:

    emsadexport.exe /user:"YourAPIAccount@SRV" /secret:"YourAPIAccountPassword" /domain:"OU=Users,OU=Company_1OU,DC=Company_1,DC=internal" /remove+


    Below is example #4 where you pull users from a Group and remove users that are not members of the group:

    emsadexport.exe /user:"YourAPIAccount@SRV" /secret:"YourAPIAccountPassword" /group:"Test Group" /remove+


    Your service accounts are only pulled IF they are included in the OU or are members of the Group.

    I can help you if you copy your script (change the user and secret since this is a public post) - Thanks.

  • My script is using example #3 exactly as you listed it in your post. All accounts under the User's OU are being pulled just fine. What I want to exclude are accounts within the Users OU that, for instance, don't have a title linked in their profile. Perhaps creating another filter that excludes accounts that don't meet certain criteria could be the solution. Regards, J
  • When using AD on-prem, you cannot filter users without a job title.
    Such a filter is included with the AAD integration:

    $.title != null && $.title.length > 0


    I'll leave your suggestion open for likes/comments, which we use when prioritizing the roadmap.

    With AD on-premises, I suggest moving to a Group filter (#4) where you control which users are pulled into your account.
    If you cannot use an existing group, then you create a new group and exclude the service accounts - Done.

    Thanks
    Jesper Frier
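
The group-based workaround suggested in the last reply, as an added example that is not part of the original thread and not the vendor's code: it keeps the membership of the sync group equal to "users in the OU that have a title and are not service accounts". The OU and group name are the ones from examples #3 and #4; the `svc-` naming prefix for service accounts and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Values taken from examples #3 and #4 in the thread.
$SearchBase = 'OU=Users,OU=Company_1OU,DC=Company_1,DC=internal'
$SyncGroup  = 'Test Group'

# Assumption: service accounts share a "svc-" sAMAccountName prefix.
# Replace with whatever convention identifies them in your directory.
$ServicePrefix = 'svc-'

# (title=*) matches only users whose title attribute is set; AD does not
# store empty strings, so "present" means "non-empty".
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(title=*)(!(sAMAccountName=$ServicePrefix*)))"

# Desired membership: every matching user under the OU.
$wanted = @(Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -SearchScope Subtree |
    Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the sync group.
$current = @(Get-ADGroupMember -Identity $SyncGroup |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Work out the difference so the group can be reconciled in both directions.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

if ($toAdd)    { Add-ADGroupMember    -Identity $SyncGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $SyncGroup -Members $toRemove -Confirm:$false }

# Summary line for a scheduled-task log.
"{0} added, {1} removed, {2} members in '{3}'" -f $toAdd.Count, $toRemove.Count, $wanted.Count, $SyncGroup
```

Run it before the `emsadexport.exe ... /group:"Test Group" /remove+` command from example #4, so that accounts dropped from the group are also removed from the synced set.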
