We use Qualtrics to run many important surveys, such as Community Engagement Insights.
In order to make Qualtrics's emails more legitimate, we set it up so that they are sent from a wikimedia.org addresss rather than a qualtrics.com one (T164424).
To do this, we set up a G Suite account with the address qualtrics@wikimedia.org and set Qualtrics to send through it using SMTP.
However, to limit security risks, we did not want that account to have access to other G Suite apps like Google Drive. It's not possible to turn off Google Drive access for an individual account, so we placed it in a special LDAP organizational unit (ou=qualtrics, ou=corp, ou=wikimedia, ou=org).
However, this OU is not replicated to the production LDAP. This means the account can't receive email (so we can't use Qualtrics's feature of counting bounce notices) and can't send email to wikimedia.org accounts (so password resets for staff users and staff surveys fail).
The fix for this is probably creating a special limited-access OU which will be replicated to production LDAP (T159750).