Post Exchange attribute cleanup
Posted by rtm516@reddit | sysadmin | 11 comments
A long time before I started in my current role we moved from Exchange on-prem to Exchange Online, and there's still tonnes of old msExch... attributes in AD.
We run a hybrid system with Entra Connect Sync, so we will likely need some but not all.
Does anyone have a definitive list of what attributes to keep/remove or even a tool to handle it?
There's also some other objects in the AD tree like contacts and public folders. Are those safe to remove?
Frothyleet@reddit
What problem are you trying to solve?
As others have mentioned, you need the Exchange schema to manage your hybrid environment. If it's working, don't futz with it.
rtm516@reddit (OP)
Just having to scroll past like 200 empty attributes when using the attribute editor in ADUC is painful
Frothyleet@reddit
Hmm. Kind of a lot to unpack - I mean for one, you should rarely need to futz around in ADUC's attribute editor.
But if you are, well - there's literally a filter checkbox "only show attributes with values." That's a better solution to your problem than fucking around with AD schemas.
So immediate term, just filter. Longer term, whatever you're doing in there, stop doing it with the GUI! Attack it with powershell/scripting/automation.
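One way to follow that advice with scripting, as an added example that is not from any commenter in this thread: a read-only inventory of which msExch* attributes still carry values on users and contacts, so you have an actual list to reason about instead of scrolling through the attribute editor. It assumes the RSAT ActiveDirectory module and an account with read access to the domain, and it changes nothing.

```powershell
# Added example, not from the thread: read-only inventory of populated msExch* attributes.
# Assumes the RSAT ActiveDirectory module and a domain-joined workstation with read access.
# Entra Connect Sync relies on many of these, so this is a scoping report, not a removal list.
Import-Module ActiveDirectory

# objectCategory=person matches user and contact objects but not computers.
$filter = '(objectCategory=person)'

# LDAP only returns attributes that actually hold a value, so -Properties * yields
# exactly the populated set for each object (the empty ones never come back).
$objects = @(Get-ADObject -LDAPFilter $filter -Properties *)

# Tally how many objects carry a value for each msExch* attribute.
$tally = @{}
foreach ($obj in $objects) {
    $populated = $obj.PropertyNames | Where-Object { $_ -like 'msExch*' }
    foreach ($name in $populated) {
        if (-not $tally.ContainsKey($name)) { $tally[$name] = 0 }
        $tally[$name]++
    }
}

$scope = [math]::Max($objects.Count, 1)
$report = $tally.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Attribute        = $_.Key
        ObjectsWithValue = $_.Value
        PercentOfScope   = [math]::Round(100 * $_.Value / $scope, 1)
    }
} | Sort-Object ObjectsWithValue -Descending

$report | Format-Table -AutoSize

# Keep a copy with the change record; re-run it later to confirm nothing drifted.
$csv = Join-Path $env:USERPROFILE 'msExch-attribute-inventory.csv'
$report | Export-Csv -Path $csv -NoTypeInformation
```

Attributes populated on only a handful of objects are the ones worth tracing to a specific mailbox or workflow before anyone decides they are cruft.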
rtm516@reddit (OP)
I didn't know that was a filter. I'll have to go hunting for it tomorrow. Thanks.
BrilliantJob2759@reddit
It's not as painful as removing attributes only to find out later they were integral to some niche account or functionality. There's a reason the recommendation is not to uninstall Exchange, rather to shut it down & remove the object references manually.
alraffa218@reddit
ManageEngine AD Manager Plus allows you to rename attributes. It will at least give you the attribute list to start with, and then if you do want to rename or modify them you can take a call. Check their demo portal and see if it works for you. Just FYI - AD Manager is an on-premise solution, and if you do want to run it in your environment you will need a Windows server.
Bright_Arm8782@reddit
I'd say leave them there unless they are proven to cause a problem; otherwise you're changing things for change's sake, and that tends to come unstuck.
disclosure5@reddit
Keep them all. You're not supposed to clean these all up. At most you clean up the Exchange accounts.
https://learn.microsoft.com/en-us/exchange/manage-hybrid-exchange-recipients-with-management-tools#permanently-shutting-down-your-last-exchange-server
rtm516@reddit (OP)
Updated my comment to make it clear. Also thanks for the link; there's some stuff further down on the page that looks handy, although I'll have to look over the script before running it to make sure it won't break things.
That_Lemon9463@reddit
In active hybrid you can't really "clean up" msExch* attributes because Entra Connect Sync still needs most of them. They look like cruft but they're load-bearing. If you start deleting them with ADUC, you'll break recipient lookups and provisioning for those mailboxes.
If your end goal is actually to get out of hybrid (vs just tidiness), Microsoft's supported path is the new object-level Source of Authority feature. You transfer SOA for Users, Groups, and Contacts from on-prem AD to the cloud per object, then decommission the last Exchange Server. The cloud-based management of Exchange attributes feature (IsExchangeCloudManaged) is the related per-mailbox piece and is GA in commercial tenants now.
For AD contacts and public folder objects: same story. If Exchange is still running (LES), they're synced for a reason. If you're decommissioning, the supported path removes them as part of the Exchange uninstall, not via manual AD object deletion.
Short version: if you're staying hybrid, leave them alone. If you're not staying hybrid, follow MS's decommission guide rather than building a custom cleanup list.
rtm516@reddit (OP)
I've seen Microsoft's article on it, but from my knowledge that's about moving everything to Azure, whereas we want to keep normal users and computers on-prem and just clean up the stuff left behind when the last Exchange on-prem box was deleted.