
DSA and skipping the “userAccountControl” AD Attribute

My customer has Exchange 2013 in a Resource Forest. Obviously, all AD accounts are in a disabled state and the source users are located in another forest.

I have read several KB articles stating it’s not a good idea to skip this attribute as it could cause issues with the DSA. Unfortunately, the objects in the Resource Forest have their passwords set to “never expire”. The DSA for the source AD objects brings over the correct setting. On top of that, they have MIM (Microsoft Identity Manager) that notices the password expiry discrepancy and sets it back to the correct value (0x200). This is causing their Cyber Security department fits.

I cannot filter out userAccountControl in the DSA configuration for the directory pair that services the Resource Forest as the box is greyed out. What are my options here? We’ve matched about 15K objects so far and this is the only thing getting in the way of starting our pilot.

As always, thanks for the responses.

Eric