SharePoint 2013: ADImport is not cleaning up User Profiles in SharePoint whose AD accounts are disabled.
We recently came across cases where profiles of users who are disabled in AD are not getting deleted from the SharePoint User Profile Service Application when using ADImport. Read further for details on the issue and the workarounds.
Behavior: When using “SharePoint Active Directory Import” as the Synchronization Option in SharePoint 2013, users who are disabled in Active Directory are not removed from SharePoint after a Full or Incremental Import. A deeper look reveals that the account is not marked as deleted (bDeleted=1 flag in the UserProfile_Full table of the Profile database of the UPA). This behavior is seen even when the option “Filter out disabled users” is checked while creating the Sync Connection.
Note: The behavior continues to be seen even when a custom filter is defined in LDAP syntax in the box provided. Also, if the user is not disabled but is moved to another OU that is not selected for sync, similar behavior is observed.
Observation:
Since FIM is not being used for synchronization, there is nothing to look into in the Sync DB; everything happens within the Profile DB. A Full import detects that the user is no longer imported and sets the ‘IsImported’ field to 0 in the DNLookup table of the Profile DB for the affected user. However, it still does not set bDeleted to 1 in the UserProfile_Full table, which is what the MySite Cleanup job needs in order to delete the profile and, finally, the Personal Site.
The following is a sample query to list all users in the Profile DB with ‘IsImported’ set to 0. You can match this list against your disabled users in AD to confirm.
SELECT A.RecordID, A.NTName, A.bDeleted, B.IsImported
FROM [UserProfile_Full] A WITH (NOLOCK)
INNER JOIN [DNLookup] B WITH (NOLOCK)
ON A.RecordID = B.RecordId
WHERE B.IsImported = 0
Note: It is not recommended to query any SharePoint databases or to make changes other than those described at https://support.microsoft.com/kb/841057 .
Workaround:
“SharePoint Active Directory Import” does not mark the profile for deletion with either an Incremental or a Full Import when the user is disabled, and the only way to remove the obsolete users is as mentioned HERE.
1 Run a Full Import
2 After that, use the SharePoint Management Shell to run the following
a) $upa = Get-SPServiceApplication -id <Identity of User Profile Service Application>
b) Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true
Note: Review the output of this command before proceeding with the next step. The objects retrieved using this command will be marked for deletion once the next command is executed.
c) Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
At the time of writing this blog (31-Mar-2014), this is known behavior, with the workaround above, as tested against the SharePoint 2013 SP1 build.
Note: Deletion of an account in AD is handled as expected: the profile in the SharePoint Profile database is marked as deleted (bDeleted=1) and is eventually cleared by the MySite Cleanup job.
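The purge in step c) is irreversible, so the review called for in step b) is worth scripting. The following is an added example (not part of the original post or of SharePoint) that runs step b), cross-checks each returned account against AD, and only runs step c) when nothing in the list is still enabled. It assumes the Full Import of step 1 has already completed, that the SharePoint snap-in and the ActiveDirectory RSAT module are available on the server, and that -GetNonImportedObjects writes one account per line in DOMAIN\sAMAccountName form (this output shape is an assumption).

```powershell
# Added example, not from the original post. Review non-imported objects against AD before purging.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Assumes a single User Profile Service Application in the farm.
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" } | Select-Object -First 1
if (-not $upa) { throw "No User Profile Service Application found" }

# Step b) from the post: list the objects the last Full Import did not see.
# Assumption: each output line is DOMAIN\sAMAccountName; other lines are ignored.
$nonImported = Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true |
    ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[^\\]+\\[^\\]+$' }

$report = foreach ($acct in $nonImported) {
    $sam = ($acct -split '\\')[-1]
    $adUser = Get-ADUser -Filter { sAMAccountName -eq $sam } -ErrorAction SilentlyContinue
    if (-not $adUser)             { $verdict = 'deleted in AD' }
    elseif (-not $adUser.Enabled) { $verdict = 'disabled in AD' }
    else                          { $verdict = 'STILL ENABLED - check filter/OU before purging' }
    [pscustomobject]@{ Account = $acct; InAD = [bool]$adUser; Verdict = $verdict }
}

# Keep a copy of what would be purged for the change record.
$csv = Join-Path $env:TEMP "NonImportedProfiles.csv"
$report | Export-Csv -Path $csv -NoTypeInformation
$report | Format-Table -AutoSize

# Step c) is destructive: refuse to purge if any listed account is still enabled.
$enabled = @($report | Where-Object { $_.Verdict -like 'STILL ENABLED*' })
if ($enabled.Count -gt 0) {
    Write-Warning "$($enabled.Count) account(s) are still enabled in AD; not purging. Review $csv first."
} else {
    Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
}
```

Accounts that show as still enabled are typically the OU-move case from the note above, or the mismatch a commenter reports where IsImported=0 despite the account matching the LDAP filter; those warrant a look at the connection's OU selection and filter before purging.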
POST BY: Satheesh Palanisamy [MSFT]
Comments
Anonymous
April 21, 2014
I believe it may be safe to say that the LDAP filter is not working at all with the ADImport Profile Import method. I recently tried to exclude users with non-expiring passwords (i.e. "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))") and they are not filtered. I didn't have a chance to try the "PurgeNonImportedObjects" but believe it should accomplish the goal as you mentioned above. Thanks for the POST!
Anonymous
April 22, 2014
Shameless plug to my blog that describes this (and the one in comments) issue andersrask.sharepointspace.com/.../Post.aspx
Anonymous
May 29, 2014
Not worked for me. Disabled users still present in Active Profiles
Anonymous
July 21, 2014
Does this also remove the users from SharePoint groups?
Anonymous
November 13, 2014
Thanks for posting this update. Regards Faisal Masood http://www.softvative.com http://www.faisalmasood.com
Anonymous
June 09, 2015
This basically is making AD Import useless in production :(
Anonymous
June 09, 2015
Is this ever getting fixed? This basically is making AD Import useless in production :(
Anonymous
January 09, 2016
Nice Blog..
Anonymous
January 18, 2016
We're still having this issue. Has it ever been fixed?
Anonymous
March 08, 2016
Hello, we had this issue. I found Marco's blog post mwiedemeyer.de/.../sharepoint-2013-profile-synchronization-does-not-delete-user-profiles Adding (isDeleted=TRUE) to the LDAP filter worked for us
Anonymous
April 05, 2016
Great post - thanks!
Anonymous
June 29, 2016
Worked for me @SP2013 (15.0.4727.1000)! Thanks
- Anonymous
October 07, 2016
[Responding to Martin] I think the issue was that users that no longer pass the import filter criteria will not get cleaned up. Deleted users WILL get cleaned up. But if you filter out based on other criteria, a user that no longer passes will remain in the profile store. As per the blog, user accounts changed to disabled rather than simply deleted will remain in the profile store indefinitely. Have not found a bug fix for that.
- Anonymous
Anonymous
November 29, 2016
We had our UPS pointing at one OU and are now pointed to a much smaller one (in terms of users). Would this script clean up the overabundance of users we now see in our Profile App?
- Anonymous
February 22, 2017
Yes, that's right John
- Anonymous
Anonymous
June 09, 2017
Thanks Satheesh, would be trying it in our environment
Anonymous
August 15, 2017
What Martin suggested also works for me. The method suggested above does not, unfortunately, since I have a couple of users who are IsImported=0 even though they match the LDAP filter and changes to their profile are imported in SharePoint.
- Anonymous
August 15, 2017
Hello Ivy, the IsDeleted parameter comes into the picture when you have the recycle bin enabled on Active Directory. In this case, the profiles may not be deleted / marked for deletion with other filters.
- Anonymous