Filter Disabled User Accounts using SharePoint Active Directory Import

It often happens that users disabled in AD still appear in SharePoint. To avoid the situation it's good to filter disabled user accounts. This will particularly be handy for CCM profile synchronization, and make such user profiles automatically deactivated. Below guide will walk you though the steps to achieve this.

Configure Active Directory Import

Once User Profile Service Application is created,  go to manage it:

  • click the Configure Synchronization Settings link within the Synchronization section
  • On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import radio button

The next step is to configure a Synchronization Connection. Click the Configure Synchronization Connections link in the Synchronization Options section. From the Synchronization Connections page, click the Create New Connection button. 

In the Connection Settings area, enter a domain name in the Fully Qualified Domain Name text box. This is a domain name, not a forest name.

Select an Authentication Provider Type  (Windows Authentication, Forms (actually LDAP) or Trusted Provider Claims). To keep things simple choose the default, Windows Authentication.

Important part is  the account you use to perform the import must have Replicating Directory Permissions on the domain you wish to import from. To grant Replicate Directory Changes permission on a domain:

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

  3. On the first page of the Delegation of Control Wizard, click Next.

  4. On the Users or Groups page, click Add.

  5. Type the name of the synchronization account, and then click OK.

  6. Click Next.

  7. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

  8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

  9. On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.

  10. Click Finish.

To filter out the disabled accounts, check the Filter out disabled users check box, and no filter is necessary. But if needed you can author the filter in ADSIEdit and copy and paste it in. You can use both this option and filters together.

Further down the Add New Synchronization Connection page in the Containers area we have the Populate Containers button. Select the objects you wish to import from in the tree view and click the OK button to save the changes.

Cleaning Up User Profiles

Now that Active Directory Import is set up, and synchronization is running we need to make sure user profiles are deleted for the disabled accounts. The My Site Cleanup Job is responsible for deleting user profiles and My Sites of those users. By default this job runs once per hour. 

When the timer job first executes, it queries the UserProfile_Full table in the User Profile database for any profiles queued for deletion by filtering on bDeleted=1, via the Profile_GetDeletedUserList stored procedure. 

The behavior we met at our environment, and it seems to be known, that disabled user accounts in Active Directory are not automatically deleted or marked for deletion in User Profile Service Application (bdeleted = 1). To solve the problem we used the following script which can be scheduled to purge such objects:

Get-SPServiceApplication
$upa = Get-SPServiceApplication <identity>
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true
Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

Synchronization with CCM Profiles

Considering that 'User profile Synchronization Settings' in Manage CCM Application Host  are configured to sync SharePoint Profiles with CCM Profiles, CCM Profiles of users who don't have a SharePoint profile anymore will be set to 'Deactivated' status.

References used when creating this article:

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Article is closed for comments.

Powered by Zendesk