Selecting predefined scope of users in BPOS

BPOS customization is a subject of conversation that I have lately been having with many of our customers. One of the most asked questions is: how do we choose the subset of users that are available for BPOS synchronization and leave “administrator”, “guest” and a whole bunch of system accounts behind?

Well, by popular demand (more exactly, by request from my friend and co-worker Mitchell Groeneveld) I wanted to share one troublesome story of our BPOS customization. Several months ago I was taking our internal BPOS deployment and pushing all users into the cloud. As a person who is never satisfied with a “default” installation, I dug into the BPOS sync server and took it apart, service by service and setting by setting.

Since BPOS runs on an ILM 2007 back-end, it was not difficult for me to do. What I had forgotten is that BPOS has its own scheduling service that kicks off a synchronization cycle several times a day. After scoping out most of our Active Directory from the BPOS synchronization cycle, I made one crucial change, which cost us a LOT of grief in the following weeks. I performed one of the basic operations in AD – a rename of an OU/container. It sounds trivial and simple: click-type-done. Not so fast!

Since I had scoped out most of the OUs in the BPOS Sync Engine, the rename of the OU was interpreted by the Sync Engine as “delete” and “re-create”… Had it been the “canned” scenario, where every object in AD is included – no problems… However, in my “tweaked” configuration the BPOS-configured ILM faithfully deleted all sub-OUs and all users located in it… The sync cycle kicked in shortly thereafter and… hold your breath… all of my users’ mailboxes for the entire US branch of the company were deleted in an instant. In the second instant a new set of mailboxes was created – fresh and empty. Ta-da!

Needless to say, I spent the rest of the night on the phone with Microsoft and the rest of the week in meetings with users and management. Eventually the mailboxes were restored and re-attached. In the meanwhile we have learned a valuable lesson – messing with BPOS and its pre-canned configuration can be done – with great care. And if you ought to modify something – disable the synchronization service and pay very close attention to your pending exports.

In the meanwhile, our instance of BPOS is now clean and “selective”; the GAL contains no “administrator”, no “guest”, no service accounts and no disabled accounts from the past – just the accounts we consider BPOS worthy.
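
One way to watch pending exports before scheduled synchronization is allowed to run again, shown here as an added example that is not part of the original post or of BPOS itself. It assumes the ILM 2007 WMI provider (`MIIS_ManagementAgent` in `root\MicrosoftIdentityIntegrationServer`) is available on the sync server; the script parameter `$MaxPendingDeletes` is a hypothetical threshold.

```powershell
# Added example: read-only pre-flight check of pending exports on the ILM 2007 sync server.
# Assumption: run locally on the sync server with rights to the ILM WMI provider.
# $MaxPendingDeletes is a hypothetical threshold; choose one that fits your directory.
param(
    [int]$MaxPendingDeletes = 0
)

$namespace = 'root\MicrosoftIdentityIntegrationServer'
$agents = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent -ErrorAction Stop

# Collect the pending export counters for every management agent.
$report = foreach ($ma in $agents) {
    New-Object PSObject -Property @{
        ManagementAgent = $ma.Name
        PendingAdds     = [int]$ma.NumExportAdd().ReturnValue
        PendingUpdates  = [int]$ma.NumExportUpdate().ReturnValue
        PendingDeletes  = [int]$ma.NumExportDelete().ReturnValue
    }
}

$report | Sort-Object ManagementAgent |
    Format-Table ManagementAgent, PendingAdds, PendingUpdates, PendingDeletes -AutoSize

# Any agent with more staged deletes than the limit blocks the change.
$risky = @($report | Where-Object { $_.PendingDeletes -gt $MaxPendingDeletes })
if ($risky.Count -gt 0) {
    foreach ($r in $risky) {
        Write-Warning ("{0}: {1} pending export deletes (limit {2})" -f `
            $r.ManagementAgent, $r.PendingDeletes, $MaxPendingDeletes)
    }
    Write-Warning 'Do not re-enable scheduled synchronization until these deletes are reviewed.'
    exit 1
}

Write-Output 'No pending export deletes above the limit.'
exit 0
```

A burst of pending deletes alongside a similar number of pending adds after an OU rename matches the delete-and-re-create behaviour described above.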