
We recently migrated from Exchange 2007 to O365 Hybrid with a 2013 server on-prem.

I'm reasonably sure I've made changes to users in the 'Web/IT' OU since the migration and not run into this error, but I'm not 100% sure about that.

Now when I go to edit a user in that OU I get the following series of messages:

"Can't find the organizational unit that you specified. Make sure that you have typed the OU's identity correctly."

This is the OU as it is listed in the Exchange Contact object, which is correct:

xcompany.com/XUsers/Web/IT

And if I attempt to save I get this follow-up error:

"Property expression "username@" isn't valid. Valid values are: Strings that includes '@', where '@' cannot be the last character"

Just to add a bit more background:

I checked to see if this was even valid to begin with - I've only been here shy of 2 years and the OU was created in 2011, and this is the first time any issue has come up.

https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Appears to say that this is fine except that it needs to be escaped in LDAP connections and any scripts that use ADSI, like PowerShell and VBS. Which is all fine and good, the only problem is we had a contractor set this up and his solution appears to be to change the OU name.

It is escaped (I assume automatically, though not sure) in the Canonical name of object in the Object Tab in AD.

So my question is two-fold: One is, was this a recent change or has this been in place for a while?

Regardless of the above, is there a way to change this in Exchange 2013 and O365 - or perhaps in our ADSync - that would circumvent being forced into changing the OU name?

Since this is all Microsoft stuff under the hood I'm surprised we didn't get warned, we don't get any sync errors, and that everything else does seem to work.

Mainly, though, I don't believe the MSP/migration vendor. I feel he's trying to give me a solution where I have to do a lot of work (change the OU right now in order to make other changes we want to make) when I'm pretty sure that something can be added to the sync connector or something so we can at least edit the users from that OU and something he should have known about and accounted for when he did the migration. If the OU name is a problem we can get it fixed, but that being a hurdle to editing our stuff in Exchange is going to rush something that needs to be done carefully and - given all the other evidence - sounds outlandish to me. There's got to be a way to fix it in all the "middleware" syncing between AD, on-prem and O365.

Sam K
  • Can you clarify the downside to changing the OU name? Seems like an easy fix to me. – Todd Wilcox May 30 '19 at 12:26
  • All sorts of apps written with OU filtered LDAP connectors, we have several applications that can't be installed via MDT that CAN be deployed from that application's central server admin panel that also works off OUs, GPOs, etc. – Sam K May 30 '19 at 20:39
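
An added illustration, not part of the original question or its comments: a slash inside an OU name makes the unescaped canonical name ambiguous, because "/" is also the canonical-name separator. The function names are hypothetical, and the sketch assumes every container below the domain is an OU; it only manipulates strings and does not query AD.

```powershell
# Added illustration; function names are hypothetical, string handling only (no AD queries).
function Split-CanonicalName {
    param([Parameter(Mandatory)][string]$CanonicalName)
    $parts = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $CanonicalName.Length; $i++) {
        $ch = $CanonicalName[$i]
        if ($ch -eq '\' -and ($i + 1) -lt $CanonicalName.Length) {
            # Backslash escape: take the next character literally ("\/" is a slash in a name).
            $i++
            [void]$current.Append($CanonicalName[$i])
        } elseif ($ch -eq '/') {
            # Unescaped slash: component separator.
            $parts.Add($current.ToString())
            [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
    }
    $parts.Add($current.ToString())
    return $parts.ToArray()
}

function ConvertTo-OuDistinguishedName {
    param([Parameter(Mandatory)][string]$CanonicalName)
    $parts = @(Split-CanonicalName $CanonicalName)
    # First component is the DNS domain name: xcompany.com -> DC=xcompany,DC=com
    $dc = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    # Remaining components are assumed to be OUs; a DN lists them leaf-first.
    $names = @($parts | Select-Object -Skip 1)
    [array]::Reverse($names)
    # Escape DN special characters; "/" is not one of them in a plain LDAP DN.
    # (Leading "#" and leading/trailing spaces are not handled in this sketch.)
    $ous = $names | ForEach-Object { 'OU=' + ($_ -replace '([\\,+"<>;=])', '\$1') }
    return (@($ous) + $dc) -join ','
}

$asShown = 'xcompany.com/XUsers/Web/IT'     # as quoted in the question
$escaped = 'xcompany.com/XUsers/Web\/IT'    # constructed: slash in the OU name escaped
foreach ($cn in $asShown, $escaped) {
    $dn = ConvertTo-OuDistinguishedName $cn
    # ADSI treats "/" as a path separator, so it is escaped in the ADsPath only.
    [pscustomobject]@{ Canonical = $cn; DN = $dn; AdsPath = 'LDAP://' + ($dn -replace '/', '\/') }
}
```

The unescaped string resolves to an OU named "IT" under an OU named "Web", while the escaped string resolves to a single OU named "Web/IT" under "XUsers".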
