• SSO+PHS sync issue fix (ImmutableID / mS-DS-ConsistencyGuid mismatch)


    Reference URLs:
    https://blogs.technet.microsoft.com/latam/2018/03/27/using-the-consistencyguid/
    https://chinnychukwudozie.com/2015/04/10/matching-an-office-365-azure-cloud-user-identity-with-an-on-premise-active-directory-user-object/
    https://mangolassi.it/topic/10178/azure-ad-connect-sync-issue/4
    
    
    The ImmutableID is the base64 encoding of the objectGUID (mS-DS-ConsistencyGuid) bytes.
    
    
    # [AD server]
    PS C:\Users\Administrator> (Get-ADUser -Identity test1).objectguid
    Guid
    ----
    198208a4-8cf1-4b27-89ba-297611c9b5e2
    
    # Decimal display of the same bytes
    PS C:\Users\Administrator> (Get-ADUser -Identity test1 -Properties *).objectguid.tobytearray()
    164
    8
    130
    25
    241
    140
    39
    75
    137
    186
    41
    118
    17
    201
    181
    226
    
    # The same bytes in hex
    A4 08 82 19 F1 8C 27 4B 89 BA 29 76 11 C9 B5 E2
    
    # Default display (decimal)
    PS C:\Users\Administrator> Get-ADUser -Identity test1 -Properties * | findstr /I mS-DS-ConsistencyGuid
    mS-DS-ConsistencyGuid                : {164,8,130,25,241,140,39,75,137,186,41,118,17,201,181,226}
    
    # [Office 365]
    # Stop directory sync
    Set-MsolDirSyncEnabled -EnableDirSync $false
    # Note: you need to wait a while (MS says up to 72 hours; it can happen faster, but it definitely takes time), so plan this for a maintenance window or a weekend when you expect little or no change in your AD.
    (GET-MSOLCompanyInformation).DirectorySynchronizationEnabled
    ==> True or False
    (GET-MSOLCompanyInformation).DirectorySynchronizationStatus
    ==> PendingDisabled, Enabled or Disabled
    
    # The problem is that once I moved the user to an unsynced test OU in the local AD and forced a sync, I still could not set the immutableID and got the error:
    Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
    At line:1 char:1
    
    # This is because once O365 sees that the account no longer comes from AD, it moves it to deleted users. I found the user with:
    Get-MsolUser -ReturnDeletedUsers | fl 
    # Sure enough, the immutableID matched the one I was trying to set.
    # I purged the user with:
    Remove-MsolUser -UserPrincipalName username@theirdomain.onmicrosoft.com -RemoveFromRecycleBin 
    # After that it worked:
    Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId $ImmutableID 
    
    
    # Read the ImmutableID attribute in the cloud
    PS C:\Users\goozgk> Get-MsolUser -UserPrincipalName test1@pat201808.onmicrosoft.com | select ImmutableID
    ImmutableId
    -----------
    pAiCGfGMJ0uJuil2Ecm14g==
    
    # Convert the cloud ImmutableId to the on-prem AD mS-DS-ConsistencyGuid (hex, two digits per byte)
    $a = ""; [System.Convert]::FromBase64String("pAiCGfGMJ0uJuil2Ecm14g==") | ForEach-Object { $a += [System.String]::Format("{0:X2}", $_) + " " }; $result = $a.TrimEnd(); $result
    A4 08 82 19 F1 8C 27 4B 89 BA 29 76 11 C9 B5 E2
    
    # Convert the cloud ImmutableId to the on-prem AD mS-DS-ConsistencyGuid (decimal)
    PS C:\Users\goozgk> [system.convert]::FromBase64String("pAiCGfGMJ0uJuil2Ecm14g==")
    164
    8
    130
    25
    241
    140
    39
    75
    137
    186
    41
    118
    17
    201
    181
    226
    
    # Convert the cloud ImmutableId to the on-prem AD mS-DS-ConsistencyGuid (GUID form)
    PS C:\Users\goozgk> [guid][system.convert]::FromBase64String("pAiCGfGMJ0uJuil2Ecm14g==")
    Guid
    ----
    198208a4-8cf1-4b27-89ba-297611c9b5e2
    
    # [AAD Connect server]
    # Log on to the AAD Connect server and stop the scheduled sync
    Set-ADSyncScheduler -SyncCycleEnabled $false
    
    # Log on to the AAD Connect server and run a delta sync
    Start-ADSyncSyncCycle -PolicyType Delta
    
    # Log on to the AAD Connect server and run a full (initial) sync
    Start-ADSyncSyncCycle -PolicyType Initial
    
    # [Converting between GUID and immutableID]
    PS C:\Users\goozgk> $data_guid = "198208a4-8cf1-4b27-89ba-297611c9b5e2"
    PS C:\Users\goozgk> $immutableID = [system.convert]::ToBase64String( ([GUID]$data_guid).tobytearray() )
    PS C:\Users\goozgk> $immutableID
    pAiCGfGMJ0uJuil2Ecm14g==
    
    PS C:\Users\goozgk> $data_immutableID="pAiCGfGMJ0uJuil2Ecm14g=="
    PS C:\Users\goozgk> $guid = [GUID]( [system.convert]::frombase64string($data_immutableID) )
    PS C:\Users\goozgk> $guid
    Guid
    ----
    198208a4-8cf1-4b27-89ba-297611c9b5e2
    
    # [Complete steps to match the AD-side value to the cloud]
    # Get the AD user's source-anchor GUID (objectGUID / mS-DS-ConsistencyGuid)
    $guid = (Get-ADUser -Identity test1).objectguid
    
    # Convert it to an immutableid
    $immutableid = [System.Convert]::ToBase64String($guid.tobytearray())
    
    # Set the cloud user's immutableid
    Set-MsolUser -UserPrincipalName test1@pat201808.onmicrosoft.com -ImmutableId $immutableid
    # (or, to clear it instead:)
    set-msoluser -userprincipalname test1@pat201808.onmicrosoft.com -ImmutableId "$null"
    
    # Run a full sync
    Start-ADSyncSyncCycle -PolicyType Initial
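    The conversions from the [Converting between GUID and immutableID] section and the matching steps above, combined into one check script. This is an added example, not code from the original post or from Microsoft: it reads the on-premises anchor, computes the ImmutableId it should map to, compares that with the cloud value, and looks in the recycle bin for the deleted object behind the "Uniqueness violation. Property: SourceAnchor" error, so that Set-MsolUser only runs when the values differ and no conflict exists. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already been run (MSOnline is the module the post uses; Microsoft has since deprecated it in favour of Microsoft Graph PowerShell); the function names and report fields are my own, and test1 / test1@pat201808.onmicrosoft.com are the post's sample identifiers.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# MSOnline modules are loaded and Connect-MsolService has already been run.
# Function names and report fields are hypothetical; sample identifiers are
# the ones used in the post.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() returns the GUID's mixed-endian byte layout (the first three
    # fields little-endian), which is exactly what Azure AD Connect base64-encodes.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid][Convert]::FromBase64String($ImmutableId)
}

function Format-GuidBytes {
    # Two-digit uppercase hex per byte, matching the mS-DS-ConsistencyGuid dump.
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
}

function Get-OnPremSourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $raw  = $user.'mS-DS-ConsistencyGuid'
    if ($raw) {
        # Already stamped by AAD Connect: prefer it over objectGUID.
        [pscustomobject]@{ Source = 'mS-DS-ConsistencyGuid'; Guid = [guid][byte[]]$raw }
    } else {
        [pscustomobject]@{ Source = 'objectGUID'; Guid = [guid]$user.ObjectGUID }
    }
}

function Test-SourceAnchorMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $anchor   = Get-OnPremSourceAnchor -SamAccountName $SamAccountName
    $expected = ConvertTo-ImmutableId -Guid $anchor.Guid
    $cloud    = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId

    # A deleted object still carrying this ImmutableId makes Set-MsolUser fail
    # with "Uniqueness violation. Property: SourceAnchor".
    $conflict = Get-MsolUser -ReturnDeletedUsers |
        Where-Object { $_.ImmutableId -eq $expected }

    [pscustomobject]@{
        OnPremSource        = $anchor.Source
        OnPremGuid          = $anchor.Guid
        OnPremBytes         = Format-GuidBytes -Guid $anchor.Guid
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud
        Matches             = ($cloud -eq $expected)
        RecycleBinConflict  = @($conflict).UserPrincipalName
    }
}

# Self-check of the round trip with the post's own values.
$g = [guid]'198208a4-8cf1-4b27-89ba-297611c9b5e2'
if ((ConvertTo-ImmutableId -Guid $g) -ne 'pAiCGfGMJ0uJuil2Ecm14g==') { throw 'GUID -> ImmutableId mismatch' }
if ((ConvertFrom-ImmutableId -ImmutableId 'pAiCGfGMJ0uJuil2Ecm14g==') -ne $g) { throw 'ImmutableId -> GUID mismatch' }

# Usage: report first, change only after reviewing the output.
$report = Test-SourceAnchorMatch -SamAccountName 'test1' -UserPrincipalName 'test1@pat201808.onmicrosoft.com'
$report | Format-List
if (-not $report.Matches -and -not $report.RecycleBinConflict) {
    Set-MsolUser -UserPrincipalName 'test1@pat201808.onmicrosoft.com' -ImmutableId $report.ExpectedImmutableId
}
```

    Directory sync must already be disabled (or the user must no longer sit in a synced OU) for Set-MsolUser -ImmutableId to succeed, as described in the [Office 365] section. The script deliberately reports a recycle-bin conflict instead of purging it: Remove-MsolUser -RemoveFromRecycleBin is irreversible, so that decision should stay with the operator.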


    --------------------------------------------------
    If set-msoluser errors, try the method below. Reference: https://stackoverflow.com/questions/42805114/how-to-set-immutable-id-of-an-msoluser-to-null-value-using-powershell

    Move the federated domain onto a managed domain:
    Set-MsolUserPrincipalName -UserPrincipalName edwardlt501edwar@KT2.kb.co.in -NewUserPrincipalName edwardlt501edwar@<managed domain, usually something.onmicrosoft.com>

    Set immutableid to null:
    Set-MsolUser -UserPrincipalName gw17edwardlt501edwar@<managed domain> -ImmutableId "$null"

    Then wait for some time and assign a new immutable id:
    set-msolUser -userprincipalname gw17edwardlt501edwar@<managed domain> -immutableID f33fc1d2-73bd-4957-995f-37c83d349ef3

    Move back to federated domain:
    Set-MsolUserPrincipalName -NewUserPrincipalName edwardlt501edwar@KT2.kb.co.in -UserPrincipalName edwardlt501edwar@<managed domain>

    See the new immutable ID:
    Get-MsolUser -UserPrincipalName edwardlt501edwar@KT2.kb.co.in | select ImmutableId

    --------------------------------------------------
  • Original URL: https://www.cnblogs.com/goozgk/p/9724954.html