Excluding Disabled User Accounts from Profile Synchronization in SharePoint 2010

Filtering profile imports is far more powerful in SharePoint 2010, largely because the profile import mechanism underneath it is now generic and extensible. Those familiar with http://support.microsoft.com/default.aspx?scid=kb;en-us;827754 know that in the past you had to construct an LDAP filter that excluded accounts based on the value of the userAccountControl attribute in Active Directory. In SharePoint 2010 the same exclusion is still required, but instead of constructing an LDAP filter you use the built-in Connection Filtering support.

The magic setting:

For certain attribute fields, you are able to perform a bitwise comparison. What we’re essentially saying (in pseudo-code) is:

if ((userAccountControl & 2) == 2) { skipUser(); }

Or, in English: if the ‘Account Disabled’ flag is set on the userAccountControl attribute, exclude the object. You can also do the opposite, that is, exclude objects on which the flag is not set, by using the ‘Bit off equals’ operator. That changes the above pseudo-code to:

if ((userAccountControl & 2) != 2) { skipUser(); }

What makes this new connection filtering mechanism powerful is that you can layer these exclusions and combine several of them (if this AND that OR this, then exclude), which lets administrators impose some significant logic on what gets imported, when and why, without writing any code. This is a Good Thing ™, and opens up import scenarios from non-directory or non-LDAP based repositories down the line.
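As an added illustration (not part of the original post, and not SharePoint's own code), the following Python models the two bitwise operators as exclusion predicates and the layered AND/OR composition described above, and runs them over constructed userAccountControl values. The flag constants are the standard Active Directory userAccountControl bits (including the ‘Normal Account’ bit asked about in the comments); the operator name ‘Bit on equals’ is the counterpart of ‘Bit off equals’ in the connection filter UI, and the list-of-lists clause structure is an assumption made for this example, not the product's API.

```python
# Standard Active Directory userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002             # the "Account Disabled" flag from the post
NORMAL_ACCOUNT = 0x0200             # "Normal Account" bit (512)
DONT_EXPIRE_PASSWORD = 0x10000      # unrelated bit, shows masks ignore other flags
WORKSTATION_TRUST_ACCOUNT = 0x1000  # a computer account, not a Normal Account

def bit_on_equals(value: int, mask: int) -> bool:
    """'Bit on equals' predicate: true when (value & mask) == mask."""
    return (value & mask) == mask

def bit_off_equals(value: int, mask: int) -> bool:
    """'Bit off equals' predicate: true when (value & mask) != mask."""
    return (value & mask) != mask

def excluded(uac: int, clauses) -> bool:
    """Evaluate a layered exclusion filter (structure assumed for this example).

    clauses is a list of OR-groups; each group is a list of (predicate, mask)
    pairs that are ANDed together. The object is excluded as soon as any one
    group matches, mirroring the "this AND that OR this" layering in the post.
    """
    return any(all(pred(uac, mask) for pred, mask in group) for group in clauses)

# Constructed sample accounts: sAMAccountName -> userAccountControl value.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                         # 512, enabled
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                          # 514, disabled
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                  # 66048, enabled
    "dave": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE,  # 66050, disabled
    "svc-build": WORKSTATION_TRUST_ACCOUNT,                          # 4096, enabled
}

# The filter from the post: exclude anything whose disabled bit is on.
EXCLUDE_DISABLED = [[(bit_on_equals, ACCOUNTDISABLE)]]
# Layered: exclude disabled accounts OR anything lacking the Normal Account bit.
EXCLUDE_DISABLED_OR_NOT_NORMAL = [
    [(bit_on_equals, ACCOUNTDISABLE)],
    [(bit_off_equals, NORMAL_ACCOUNT)],
]

def imported_users(users, clauses):
    """Return the sorted account names that survive the exclusion filter."""
    return sorted(name for name, uac in users.items() if not excluded(uac, clauses))

if __name__ == "__main__":
    print(imported_users(SAMPLE_USERS, EXCLUDE_DISABLED))
    print(imported_users(SAMPLE_USERS, EXCLUDE_DISABLED_OR_NOT_NORMAL))
```

Note that a value like 66050 still matches the disabled mask even though other bits are set, which is why a bitwise operator rather than an equality test is needed.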



Comments (4)

  1. Anonymous says:

    Hi, could you help me with how to do the same thing using PowerShell?

    Thanks in Advance…


  2. Anonymous says:

    OK, how do I also check for "Normal Account"? Using an LDAP filter in 2007 was easy. However, try setting that userAccountControl value in 2010?

  3. Anonymous says:

    Can I specify, say, exclude numerics on the filter itself, e.g. extensionAttribute1 contains # or some such notation, to exclude not just a specific match… More generally, where can I find more documentation on the allowable syntax?

  4. Anonymous says:

    This is not working for me; inactive people are still coming from AD. Can anyone help please?