DirSync question- password sync ONLY

Hi all,

I have a Windows 2012 R2 network with about 250 users. They are set up in security groups/OUs etc. for permission needs to certain folders/files.
I also have Office 365 I'm using for Exchange, and have distribution-only groups set up there.

The two systems are quite different in group memberships.

My question is:  Can I set up dirsync and not have it change/migrate any groups or memberships, and just sync the password only of users?

Raheman M. Abdul (Senior Infrastructure Support Analyst & Systems Developer) Commented:
Yes, you can do only password sync (tick) and untick "Synchronize your directories now" when you run the Windows Azure Active Directory Sync Tool.
See attached.
SeaSenor (Author) Commented:
Does it automatically create a user in Office 365 if I create a user in my local AD?
Vasil Michev (MVP) Commented:
The users in question still need to be synced for password sync to work. Or at least have the ImmutableId populated.
SeaSenor (Author) Commented:
All the users I need are already in Office 365.
They have the identical domain name (email address) as my local domain users.

Will I get the dreaded double users scenario in Office 365 that I read about?
Vasil Michev (MVP) Commented:
Depends. When you first activate dirsync, it will try to match the accounts via ImmutableID (which should be empty in your case), and then by the primary SMTP address. If it finds a match - it will overwrite the attributes of this object with the on-prem values. If not - it will create a new account. The process is explained here (so-called soft-matching): http://support.microsoft.com/kb/2641663

SeaSenor (Author) Commented:
The users were in fact migrated earlier. I just kept it all separate due to the group membership discrepancies.  Would they have an ImmutableID in that case?
Vasil Michev (MVP) Commented:
Define migrated, did you use dirsync previously? You can easily check if the ImmutableID is populated via PowerShell:

Get-MsolUser -UserPrincipalName user@domain.com | fl ImmutableID

Or in general:

Get-MsolUser -All | ? {$_.ImmutableId -ne $null}
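
Added example, not part of the reply above and not Microsoft tooling: a pre-flight report that applies the matching order described in this thread (ImmutableID first, then primary SMTP address) to two user lists, so you can see which on-prem accounts would overwrite a cloud account and which would create a new one before enabling sync. The function name, the constructed sample users, and the assumption that ImmutableId is the Base64 of the on-prem objectGUID are assumptions of this example.

```powershell
# Added example, not from the thread. All sample objects are constructed.
# Real inputs would be e.g. Get-ADUser -Filter * -Properties mail  and  Get-MsolUser -All
function Get-SyncMatchPreview {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremUsers,  # need ObjectGUID, Mail
        [Parameter(Mandatory)] [object[]] $CloudUsers    # need ImmutableId, ProxyAddresses, UserPrincipalName
    )
    # Base64 is case-sensitive, so key the ImmutableId index with an ordinal comparer.
    $byAnchor = [hashtable]::new([StringComparer]::Ordinal)
    $bySmtp   = @{}   # cloud users keyed by lower-cased primary SMTP address
    foreach ($c in $CloudUsers) {
        if ($c.ImmutableId) { $byAnchor[$c.ImmutableId] = $c }
        foreach ($p in $c.ProxyAddresses) {
            # The primary address is the entry with the upper-case "SMTP:" prefix.
            if ($p -clike 'SMTP:*') { $bySmtp[$p.Substring(5).ToLowerInvariant()] = $c }
        }
    }
    foreach ($u in $OnPremUsers) {
        # Assumption: DirSync default anchor, Base64 of the on-prem objectGUID.
        $anchor   = [Convert]::ToBase64String(([guid]$u.ObjectGUID).ToByteArray())
        $mail     = if ($u.Mail) { $u.Mail.ToLowerInvariant() } else { $null }
        $outcome  = 'NewAccount'       # no match: sync creates a second cloud account
        $cloudUpn = $null
        if ($byAnchor.ContainsKey($anchor)) {
            $outcome = 'MatchByImmutableId'; $cloudUpn = $byAnchor[$anchor].UserPrincipalName
        } elseif ($mail -and $bySmtp.ContainsKey($mail)) {
            # Soft match: the cloud object's attributes get overwritten with on-prem values.
            $outcome = 'SoftMatchBySmtp';    $cloudUpn = $bySmtp[$mail].UserPrincipalName
        }
        [pscustomobject]@{ OnPremMail = $u.Mail; Outcome = $outcome; CloudUser = $cloudUpn }
    }
}

# Constructed sample data: one already-anchored user, one soft match, one address mismatch.
$aliceGuid = '11111111-1111-1111-1111-111111111111'
$onPrem = @(
    [pscustomobject]@{ ObjectGUID = $aliceGuid; Mail = 'alice@example.com' }
    [pscustomobject]@{ ObjectGUID = '22222222-2222-2222-2222-222222222222'; Mail = 'Bob@example.com' }
    [pscustomobject]@{ ObjectGUID = '33333333-3333-3333-3333-333333333333'; Mail = 'carol@corp.example.com' }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; ProxyAddresses = @('SMTP:alice@example.com')
                       ImmutableId = [Convert]::ToBase64String(([guid]$aliceGuid).ToByteArray()) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'; ImmutableId = $null
                       ProxyAddresses = @('SMTP:bob@example.com', 'smtp:bob@old.example.com') }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; ImmutableId = $null
                       ProxyAddresses = @('SMTP:carol@example.com') }
)
Get-SyncMatchPreview -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

Rows reported as NewAccount are the ones to review first, since each of them would produce a second cloud user if an existing mailbox account uses a different primary address.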

SeaSenor (Author) Commented:
No dirsync ever yet.  
I just migrated the mailboxes from our on premise Exchange 2010 servers.
After that I set up distribution groups and added users accordingly.
Other than password sync I have no desire to sync them. I'm wondering if it's worth it even then.
Vasil Michev (MVP) Commented:
That's up to you. It will certainly be easier for the users to remember a single set of credentials. But enabling dirsync means that you must keep the Exchange server on-prem active in order to manage any Exchange-related attributes (if you want to stay in a supported scenario, that is). And it can indeed cause you some trouble with overwriting attributes, DG membership management, etc.
SeaSenor (Author) Commented:
I don't have any Exchange servers on prem. They were removed long ago after the migration.

I don't have any desire to manage them on prem either really.  
Just wanted to know if it was possible to sync passwords only without dirsync messing with anything else.
SeaSenor (Author) Commented:
The ImmutableIDs are blank from what I can tell.
SeaSenor (Author) Commented:
Not worth it in the long run I guess.  The convenience of having users with one password seems neutralized by having the additional overhead of running dirsync and on prem server to maintain.