microsoft / AADConnectConfigDocumenter

AAD Connect configuration documenter is a tool to generate documentation of an AAD Connect installation.

No way to see included OUs? #5

Closed JeremyTBradshaw closed 7 years ago

JeremyTBradshaw commented 7 years ago

I don't think this is a problem with the documenter, but instead with AAD Connect's design itself. In the exported XML for the on-premises connector, there are exclusions for OUs, but only one inclusion, and that is the root of the domain. Is there any way to report on which OUs are currently included? I mean without using other tools.

Thanks.

Bob-Bradley commented 7 years ago

You're right to think this is a design issue, as it stems from the core technology, which is MIM's sync engine (originally a Zoomit product acquired by Microsoft in about 2001). Internal to the AD connector configuration is the collection of OU exclusions and inclusions which you refer to - this is the minimal information required by the connector to determine what is in and out of scope, including when a new OU is added. If the inverse approach were taken, then every new OU would have to be added explicitly over time - something considered an undesirable overhead in most scenarios. Consequently you definitely need "other tools" to interpret this information, and the easiest way to do this would be using PowerShell to compare the XML against a live OU tree structure.
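The comparison described above, as an added example that is neither the documenter's code nor the commenters' own: it applies the nearest-ancestor rule (a container is in scope when the most specific inclusion or exclusion covering it is an inclusion) to a list of live OU DNs. It assumes the exported connector XML lists container DNs in `<inclusion>` and `<exclusion>` elements (adjust the XPath if yours differs); the DNs in the sample are constructed.

```powershell
function Get-ConnectorContainerRules {
    param([Parameter(Mandatory)][string]$XmlPath)
    # Assumption: the export names the container rules <inclusion> / <exclusion>.
    $inc = Select-Xml -Path $XmlPath -XPath '//inclusion' | ForEach-Object { $_.Node.InnerText.Trim() }
    $exc = Select-Xml -Path $XmlPath -XPath '//exclusion' | ForEach-Object { $_.Node.InnerText.Trim() }
    [pscustomobject]@{ Inclusions = @($inc); Exclusions = @($exc) }
}

function Test-DnUnderContainer {
    param([string]$Dn, [string]$Container)
    # A container rule covers itself and every descendant (case-insensitive DN suffix match).
    $Dn.Equals($Container, 'OrdinalIgnoreCase') -or $Dn.EndsWith(",$Container", 'OrdinalIgnoreCase')
}

function Get-EffectiveOuScope {
    param(
        [string[]]$Inclusions,
        [string[]]$Exclusions,
        [string[]]$LiveOUs   # e.g. (Get-ADOrganizationalUnit -Filter *).DistinguishedName
    )
    foreach ($ou in $LiveOUs) {
        # Among the rules covering this OU, the longest DN is the nearest ancestor and wins,
        # so child OUs created later inherit the decision of their closest explicit rule.
        $nearInc = $Inclusions | Where-Object { Test-DnUnderContainer $ou $_ } |
            Sort-Object Length -Descending | Select-Object -First 1
        $nearExc = $Exclusions | Where-Object { Test-DnUnderContainer $ou $_ } |
            Sort-Object Length -Descending | Select-Object -First 1
        $inScope = ($null -ne $nearInc) -and (($null -eq $nearExc) -or ($nearInc.Length -gt $nearExc.Length))
        [pscustomobject]@{
            OU           = $ou
            InScope      = $inScope
            DecidingRule = $(if ($inScope) { $nearInc } else { $nearExc })
        }
    }
}

# Constructed sample standing in for the export (one root inclusion, one exclusion) and the live tree.
$rules   = @{ Inclusions = @('DC=corp,DC=example'); Exclusions = @('OU=Service Accounts,DC=corp,DC=example') }
$liveOUs = @(
    'OU=Users,DC=corp,DC=example',
    'OU=Sales,OU=Users,DC=corp,DC=example',
    'OU=Service Accounts,DC=corp,DC=example',
    'OU=Legacy,OU=Service Accounts,DC=corp,DC=example'
)
Get-EffectiveOuScope @rules -LiveOUs $liveOUs | Format-Table -AutoSize
# Against a real export: $rules = Get-ConnectorContainerRules -XmlPath '.\connector-export.xml'
```

Feed it the DNs from `Get-ADOrganizationalUnit -Filter *` on a live domain and the output is the point-in-time list of in-scope OUs the static export cannot show directly.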

JeremyTBradshaw commented 7 years ago

Thanks very much for the confirmation. It makes perfect sense. Sounds like a fun mission for PowerShell actually.

NileshGhodekar commented 7 years ago

Yes, AADC (or FIM/MIM) works on the assumption that if you include an OU, all child OUs - current as well as future - are included as well unless you explicitly exclude them. Since the scope would automatically include child OUs that you might create in the future, the in-scope OU hierarchy information is a dynamic configuration as opposed to the static configuration that is being documented. I'll close this issue now.