Identity Manager 9.0 LTS - Administration Guide for Connecting to Microsoft Exchange

Displaying synchronization results

Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the status of the synchronization/provisioning.

TIP: The logs are also displayed in the Manager under the <target system> > synchronization log category.

Synchronizing single objects

Individual objects can only be synchronized if the object is already present in the One Identity Manager database. The changes are applied to the mapped object properties. If a membership list belongs to one of these properties, the entries in the assignment table will also be updated.

NOTE: If the object is no longer present in the target system, then it is deleted from the One Identity Manager database.

To synchronize a single object

  1. In the Manager, select the Active Directory category.

  2. Select the object type in the navigation view.

  3. In the result list, select the object that you want to synchronize.

  4. Select the Synchronize this object task.

    A process for reading this object is entered in the job queue.

Features of synchronizing memberships

If you synchronize changes in an object's member list, run single object synchronization on the assignment's root object. The base table of an assignment contains an XDateSubItem column containing information about the last change to the memberships.


The base object for assigning receive restrictions for email users and mail-enabled distribution groups is the distribution group.

In the target system, mail acceptance for a mail-enabled distribution group was allowed for an email user. To synchronize this assignment, in the Manager, select this distribution group and run single object synchronization. In the process, all of the distribution group's assignments are synchronized.

The email user must already exist as an object in the One Identity Manager database for the assignment to be made.

Tasks following synchronization

After the synchronization of data from the target system into the One Identity Manager database, rework may be necessary. Check the following tasks:

Post-processing outstanding objects

Objects that do not exist in the target system can be marked as outstanding in One Identity Manager during synchronization. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Outstanding objects:

  • Cannot be edited in One Identity Manager.

  • Are ignored by subsequent synchronizations.

  • Are ignored by inheritance calculations.

This means that all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.

To post-process outstanding objects

  1. In the Manager, select the Active Directory > Target system synchronization: Exchange category.

    The navigation view lists all the synchronization tables assigned to the Microsoft Exchange target system type.

  2. On the Target system synchronization form, in the Table / object column, open the node of the table for which you want to post-process outstanding objects.

    All objects that are marked as outstanding are shown. The Last log entry and Last method run columns display the time at which the last entry was made in the synchronization log and which processing method was run. The No log available entry can mean the following:

    • The synchronization log has already been deleted.

      - OR -

    • An assignment from a member list has been deleted from the target system.

      The base object of the assignment was updated during the synchronization. A corresponding entry appears in the synchronization log. The entry in the assignment table is marked as outstanding, but there is no entry in the synchronization log.

    • An object that contains a member list has been deleted from the target system.

      During synchronization, the object and all corresponding entries in the assignment tables are marked as outstanding. However, an entry in the synchronization log appears only for the deleted object.


    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.

    2. Open the context menu and click Show object.

  3. Select the objects you want to rework. Multi-select is possible.

  4. Click on one of the following icons in the form toolbar to run the respective method.

    Table 7: Methods for handling outstanding objects

    The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account.

    Indirect memberships cannot be deleted.

    The object is added to the target system. The Outstanding label is removed from the object.

    This runs a target system specific process that triggers the provisioning process for the object.

    • The table containing the object can be published.

    • The target system connector has write access to the target system.

    The Outstanding label is removed for the object.

  5. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

To localize errors, bulk processing of objects must be disabled so that the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Disable the icon in the form's toolbar.

NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. This means that the Connection is read-only option must not be set for the target system connection.
