SharePoint 2013 /2016: Active Directory Import and known behaviors

I had a chance to work with a customer on an Active Directory import problem where it was found that disabled users are not deleted from the UPA automatically. I have blogged about that here. Digging a little deeper, I discovered other behaviors of the Active Directory import method. I have tried to document a few of them in this blog post and will add more as observed.

Here is what you need to know before choosing the Active Directory import option to sync users in SharePoint 2013. You may expect the Active Directory import method to act the same way as FIM, except that, unlike FIM, it cannot export to AD. That is not the only difference; the others are:

  • Disabled user accounts in Active Directory are not automatically deleted or marked for deletion in the User Profile Service Application (bDeleted = 1).
  • It imports non-user objects as well, such as computer accounts.
  • If an OU contains both computer and user objects, both are imported into the UPA. This is not the case with FIM-based synchronization.
  • You cannot select only a few users under an OU; the import works at OU level, so the whole OU has to be selected and all users in it are imported.
  • If the user object has a value for the property "LastKnownParent" that points to an OU which is not being imported, that profile is ignored during the import process.

Consider the following scenario, where the UPA imports from these OUs:

Root
  OU1 (selected in the import connection)
    User1 (has "LastKnownParent" pointing to OU2)
  OU2 (not selected in the AD connection)

User1 will be ignored.

The "LastKnownParent" attribute is generally populated when a user is deleted from AD and moved to the recycle bin; it records where the user was located before deletion. So if you delete a user from OU2 and restore it into OU1, lastKnownParent will still hold a value pointing to OU2.
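As an added example (not from the original post), the following PowerShell uses the ActiveDirectory module to list users under the selected OUs whose lastKnownParent points outside those OUs, which are the accounts AD Import would silently skip in the scenario above. The OU distinguished names are placeholder assumptions, and the check also covers OUs nested below a selected one.

```powershell
Import-Module ActiveDirectory

# Assumption (placeholder values): the OU DNs selected in the AD Import connection.
$selectedOUs = @("OU=OU1,DC=contoso,DC=local")

# True when $dn is one of the selected OUs or lies anywhere beneath one of them.
function Test-InSelectedOu([string]$dn) {
    foreach ($ou in $selectedOUs) {
        if ($dn -eq $ou) { return $true }
        if ($dn.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$skipped = foreach ($ou in $selectedOUs) {
    # lastKnownParent is only present on objects that were deleted and later restored
    # from the AD Recycle Bin, so the LDAP filter keeps the query small.
    Get-ADUser -SearchBase $ou -LDAPFilter "(lastKnownParent=*)" -Properties lastKnownParent |
        Where-Object { -not (Test-InSelectedOu ([string]$_.lastKnownParent)) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName   # where the user lives now (imported OU)
                LastKnownParent   = $_.lastKnownParent     # where it was before deletion (not imported)
            }
        }
}

if ($skipped) {
    "Users that sit in an imported OU but would be ignored by AD Import:"
    $skipped | Format-Table -AutoSize
} else {
    "No users with a lastKnownParent outside the selected OUs were found."
}
```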

  • AD Import does not delete disabled accounts from the UPA automatically, so it was suggested to use the command
         o Set-SPProfileServiceApplication -PurgeNonImportedObjects $true
         o You need to understand the impact of the above command before running it.

How are the profiles created in the UPA?
  • Through the import process
  • Manually, or through the object model
  • Automatically, when a user hits the My Site host

When you use the PurgeNonImportedObjects command, it deletes all objects that did NOT come through import, which includes:
  • Objects not imported due to a change in OU selection, disabled accounts, filtered objects, etc.
  • Manually created profiles
  • Profiles automatically created by browsing to the My Site host
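Before running the purge, an administrator will want to know which profiles it would remove. The following PowerShell is an added example (not from the original post) that classifies every profile in the UPA by whether its distinguished name falls under a selected OU; the site URL and OU DNs are placeholders, and it assumes that profiles which never came through import carry no SPS-DistinguishedName.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumptions (placeholder values): any site served by the UPA proxy, and the OU DNs
# selected in the Active Directory Import connection.
$siteUrl     = "http://sharepoint.contoso.local"
$selectedOUs = @("OU=OU1,DC=contoso,DC=local")

# True when $dn lies beneath one of the selected OUs.
function Test-InSelectedOu([string]$dn) {
    foreach ($ou in $selectedOUs) {
        if ($dn.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$ctx = Get-SPServiceContext (Get-SPSite $siteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$rows = foreach ($up in $upm.GetEnumerator()) {
    $account = [string]$up["AccountName"].Value
    $dn      = [string]$up["SPS-DistinguishedName"].Value
    # Assumption: profiles created manually or by a first visit to the My Site host
    # never received an SPS-DistinguishedName from an import.
    if ([string]::IsNullOrEmpty($dn)) { $class = "NotImported (no DN)" }
    elseif (-not (Test-InSelectedOu $dn)) { $class = "NotImported (outside selected OUs)" }
    else { $class = "ImportScope" }
    [pscustomobject]@{ AccountName = $account; Class = $class; DistinguishedName = $dn }
}

# Summary first, then the full list of purge candidates for review.
$rows | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.Class -ne "ImportScope" } |
    Export-Csv -NoTypeInformation -Path ".\purge-candidates.csv"

# Only after reviewing purge-candidates.csv:
# Set-SPProfileServiceApplication -Identity <UPA name> -PurgeNonImportedObjects $true
```

Disabled or LDAP-filtered accounts that still sit under a selected OU are reported as in scope here although the purge removes them too, so check those on the AD side before purging.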

So, when your AD is not in a proper structure (for example, an OU contains both user and other objects), or your import process needs complex filtering, it is recommended to use FIM-based synchronization.

 

Posted by: Satheesh Palanisamy [MSFT]

Comments

  • Anonymous
    March 03, 2015
    "when you use PurgeNonImportedObjects command, it is going to delete all the objects that are coming through import. Including the ones that are manually created and the ones that are automatically created by getting to mysite host." This is not quite clear and I recently did exactly that - PurgeNonImportedObjects. AFAIK this deletes all objects that are NOT imported (anymore) via AD Import. If I understand correctly that would also mean that profiles only created through Login / MySite creation would be deleted? Also profiles that are manually created would be deleted?

    • Anonymous
      January 26, 2017
      Hi Dennis, the answer to your question might come a little late, but could be helpful for others: Yes, your understanding is correct: Profiles created through Login / MySite creation as well as profiles that are manually created within Central Administration are targeted by the PurgeNonImportedObjects parameter.
  • Anonymous
    March 03, 2015
    How do these tips apply to SharePoint Online and O365? Could you please write a similar article on synchronization with Azure AD / Office 365 / SharePoint Online?

  • Anonymous
    January 04, 2016
    Nice one.. no requirement to deploy the UPS service instance, no "stuck on starting"; it runs in the UP service instance; it's wicked fast in comparison to the FIM approach; you can leverage old skool LDAP filters to constrain the objects being imported; by default an incremental import will run every five minutes; no Farm Account in the local admins shenanigans; you don't have to worry about an esoteric configuration option with the mystical name NetBiosDomainNames; get up and running quickly and easily, especially to enable key "social" scenarios in SharePoint 2013.

  • Anonymous
    January 06, 2016
    I am using an Active Directory import connection and I am not able to update the selected containers for the synchronization connection. I just opened the edit connection page, entered the synchronization account password and clicked Populate Containers, scrolled down and unselected a currently selected container and clicked OK. The system shows the change is saved, but if I go back to the edit page and load up the containers, the one I just unselected is still selected. So I currently can't make any modifications to the selected containers, which seems to be an application error or browser issue. I just tried a different browser like Chrome and I've tried three different machines to make the change, but no luck. My SharePoint Server 2013 version is: 15.0.4420.1017. I didn't update Service Pack 1 and the later cumulative update. Should I update Service Pack 1 and the latest update? Could you please help me out on this..

    • Anonymous
      June 21, 2016
      I'm having the exact same issue as Karthi. Has there been any new findings on this?
      • Anonymous
        April 25, 2017
        New finding but same issue. Any solution for this?
        • Anonymous
          April 26, 2017
          Hi Umar and Callie, we have noted this issue and it is being worked on.
          • Anonymous
            May 20, 2017
            Just my 5 cents also: I have the same issue in SharePoint 2016 with May 2017 CU installed. Still trying to fix it.
            • Anonymous
              May 20, 2017
              Hi Alisher, yes, the issue is observed on SP2016 as well because there is not much difference between SP2013 and SP2016 with respect to the AD Import functionality. We are working on this and will update the blog once we have an update. Thanks!
  • Anonymous
    August 31, 2017
    How can I exclude disabled users from the SharePoint 2013 intranet site? The system does an Active Directory Import. I have checked the 'Filter out disabled users' option under Synchronization Connection -> Edit. I have also given (!userAccountControl:1.2.840.113556.1.4.803:=2) in the 'LDAP Filter' textbox. But disabled users are still present in the search. What should I be doing to remove all disabled accounts (i.e. userAccountControl = 514 in AD) from appearing in the SharePoint system / search?
