Controlling Accounts Synced by FOPE DST

Some ideas around this: I haven't personally tested these, but I do know that this method is used by some organizations:

Since the DST relies on querying AD for accounts, it depends on the permissions (ACLs) on those objects in order to read the accounts and their attributes.

  • One method that has been used is in the archival of accounts: users who are no longer with the organization have their accounts moved into an OU that is ACL'ed to prevent the account the DST uses from accessing that OU and its contents.  The DST runs under the "Network Service" account, so its queries to AD are made as the computer account of the server on which the DST is running.  Putting a DENY ACE on the OU for that computer account should therefore prevent the DST from seeing the objects in it, and the DST will subsequently set those accounts to Disabled in the Admin Center.
  • Another method based on the same principle is to ACL the account itself with a DENY ACE for the computer running the DST.  You could also consider running the DST under a dedicated service account; that way, if you ever had to move the DST to a different server, you would not need to worry about the computer name being the same and would only have to set the service to run under that service account again.  DENY ACEs on individual objects would be a somewhat onerous process, but could be useful for, say, Distribution Lists that should not receive email from external senders.
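The OU-level DENY ACE from the first bullet, as an added example (this is not code from the original article). The OU distinguished name and the DST server's computer name are placeholders; it uses the ActiveDirectory module's AD: drive and a SID-based ACE so the rule survives a rename of the computer object.

```powershell
# Added example, not part of the original article. Placeholder values below:
#   $ArchiveOU   - DN of the OU holding archived/departed user accounts
#   $DstComputer - name of the server on which the FOPE DST service runs
Import-Module ActiveDirectory

$ArchiveOU   = "OU=Archived Users,DC=example,DC=com"
$DstComputer = "DSTSERVER"

# The DST runs as "Network Service", so it reads AD as the computer account
# (DOMAIN\DSTSERVER$). Resolve that account's SID rather than relying on its name.
$computerSid = (Get-ADComputer -Identity $DstComputer).SID

# Deny the computer account read access to the OU and everything beneath it.
# GenericRead covers ReadProperty, ListChildren, ListObject and ReadControl, so
# the DST can neither enumerate the OU nor read attributes of objects inside it.
$acl = Get-Acl -Path "AD:\$ArchiveOU"
$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($denyAce)
Set-Acl -Path "AD:\$ArchiveOU" -AclObject $acl

# Verify: show the Deny entries on the OU that reference the DST computer account.
(Get-Acl -Path "AD:\$ArchiveOU").Access |
    Where-Object { $_.IdentityReference -like "*\$DstComputer`$" -and
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

If the DST is later moved to a different server, this ACE still references the old computer account's SID and has to be recreated for the new one (or, as the second bullet suggests, run the DST as a dedicated service account and deny that account instead).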

Neither of these methods will disable existing accounts during an incremental sync.  To force the DST to disable accounts that are already in the Admin Center, you will need to force a Full Sync.

See the following to force a full sync: [[articles:FOPE DST Forcing a Full Sync]]