SharePoint 2013: ADImport is not cleaning up User Profiles in SharePoint whose AD accounts are disabled


We recently came across cases where profiles of users disabled in AD are not deleted from the SharePoint User Profile Service Application when using ADImport. Read on for more details on the issue and the workarounds.

Behavior: When using “SharePoint Active Directory Import” as the synchronization option in SharePoint 2013, users who are disabled in Active Directory are not removed from SharePoint after a Full or Incremental Import. A deeper look reveals that the account is not marked as deleted (the bDeleted=1 flag in the UserProfile_Full table of the UPA's Profile database). This behavior is seen even when the “Filter out disabled users” option is checked while creating the Sync Connection.


Note: The behavior continues to be seen even when a custom filter is defined in LDAP syntax in the box provided. Also, if a user is not disabled but is moved to another OU that is not selected for sync, similar behavior is observed.


Since we are not using FIM for synchronization, there is nothing to look at in the Sync DB; everything happens within the Profile DB. A Full Import detects that the user is no longer being imported and sets the ‘IsImported’ field to 0 in the DNLookup table of the Profile DB for the affected user. However, it still does not set bDeleted to 1 in the UserProfile_Full table, which is what the MySite Cleanup job needs in order to delete the profile and, finally, the Personal Site.

The following sample query lists all users in the Profile DB whose ‘IsImported’ status is 0. You can match this list against your disabled users in AD to confirm.

SELECT A.RecordID, A.NTName, A.bDeleted, B.IsImported
FROM [UserProfile_Full] A WITH (NOLOCK)
INNER JOIN [DNLookup] B WITH (NOLOCK)
    ON A.RecordID = B.RecordId
WHERE B.IsImported = 0

Note: It is not recommended to query any SharePoint databases or to make changes other than the ones described at .


“SharePoint Active Directory Import” does not mark a profile for deletion, with either an Incremental or a Full Import, when the account is disabled; the only way to remove the obsolete users is as mentioned HERE.

1. Run a Full Import.

2. After that, use the SharePoint Management Shell to run the following:

a) $upa = Get-SPServiceApplication -id <Identity of User Profile Service Application>

b) Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true

Note: Review the output of this command before proceeding with the next step. The objects retrieved using this command will be marked for deletion once the next command is executed.

c) Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
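
One way to do the matching against AD suggested above, and to review the non-imported set before purging, is the following added example (not part of the original post). It classifies each IsImported = 0 profile as disabled, missing, or still enabled in AD. It assumes the ActiveDirectory PowerShell module and a single domain; the sample rows are constructed and the function name Get-NonImportedProfileState is hypothetical.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample rows shaped like the query output above
# (RecordID, NTName, bDeleted, IsImported); replace with your own export.
$rows = @'
RecordID,NTName,bDeleted,IsImported
101,CONTOSO\jdoe,0,0
102,CONTOSO\asmith,0,0
103,CONTOSO\svc-legacy,0,0
'@ | ConvertFrom-Csv

function Get-NonImportedProfileState {
    param([Parameter(Mandatory = $true)] [object[]] $Rows)

    foreach ($row in $Rows) {
        # NTName is DOMAIN\account; keep the account part for the AD lookup.
        $sam = ($row.NTName -split '\\', 2)[-1]
        # Assumption: all accounts live in the current domain (add -Server otherwise).
        # Only "not found" is swallowed; connectivity errors still stop the run,
        # so an unreachable DC is never reported as a missing account.
        try   { $user = Get-ADUser -Identity $sam }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $user = $null }

        if (-not $user)             { $state = 'NotFoundInAD' }
        elseif (-not $user.Enabled) { $state = 'DisabledInAD' }
        else                        { $state = 'EnabledInAD' }

        [pscustomobject]@{
            RecordID = $row.RecordID
            NTName   = $row.NTName
            ADState  = $state
            DN       = if ($user) { $user.DistinguishedName } else { $null }
        }
    }
}

$report = Get-NonImportedProfileState -Rows $rows
$report | Sort-Object ADState, NTName | Format-Table -AutoSize

# Enabled accounts in this list were dropped by the OU selection or filter, not disabled.
# If they also appear in the -GetNonImportedObjects output, the purge marks them too,
# so confirm each one is expected before running -PurgeNonImportedObjects.
$unexpected = @($report | Where-Object { $_.ADState -eq 'EnabledInAD' })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) enabled AD account(s) are in the non-imported set."
}
```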

At the time of writing this blog (31-Mar-2014), this is known behavior, with the workaround as tested against SharePoint 2013 SP1 Build .

Note: The deletion of an account in AD is handled as expected: the profile in the SharePoint Profile Database is marked as deleted (bDeleted=1) and eventually cleared by the MySite Cleanup job.


POST BY: Satheesh Palanisamy [MSFT]

Comments (18)
  1. Dennis Goss says:

    I believe it may be safe to say that the LDAP filter is not working at all with ADImport Profile Import method. I recently tried to exclude users with non-expiring passwords (i.e. "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))") and they are not filtered. I didn't have a chance to try the "PurgeNonImportedObjects" but believe it should accomplish the goal as you mentioned above. Thanks for the POST!

  2. Anders Rask says:

    Shameless plug to my blog that describes this (and the one in comments) issue…/Post.aspx

  3. Dimm says:

    Not worked for me. Disabled users still present in Active Profiles

  4. Mike Serpa says:

    Does this also remove the users from SharePoint groups?

  5. Faisal Masood says:

    Thanks for posting this update.


    Faisal Masood

  6. Is this ever getting fixed says:

    This basically is making AD Import useless in production 🙁

  7. Ed S says:

    Is this ever getting fixed?

    This basically is making AD Import useless in production 🙁

  8. Divesh says:

    We're still having this issue. Did it ever get fixed?

  9. Martin says:


    We had this issue

    I found this Marco's blog post…/sharepoint-2013-profile-synchronization-does-not-delete-user-profiles


    (isDeleted=TRUE) to LDAP filter worked for us

  10. BlueSky2010 says:

    Great post – thanks!

  11. Heints says:

    worked for me @SP2013 (15.0.4727.1000)!

    1. LenC says:

      [Responding to Martin] I think the issue was that users that no longer pass the import filter criteria will not get cleaned up. Deleted users WILL get cleaned up. But if you filter out based on other criteria, a user that no longer passes will remain in the profile store. As per the blog, user accounts changed to *disabled* rather than simply deleted will remain in the profile store indefinitely. Have not found a bug fix for that.

  12. John says:

    We had our UPS pointing at one OU and are now pointed to a much smaller one (in terms of users). Would this script clean up the overabundance of users we now see in our Profile App?

    1. Spses says:

      Yes, that’s right John

  13. Nitish says:

    Thanks Satheesh, would be trying it in our environment

  14. Ivy says:

    What Martin suggested also works for me. The method suggested above does not unfortunately, since I have a couple of users who are IsImported=0 even though they match the LDAP filter and changes to their profile are imported in SharePoint.

    1. Spses says:

      Hello Ivy,
      Isdeleted parameter comes into the picture when you have the recycle bin enabled on Active Directory. In this case, the profiles may not be deleted / marked for deletion with other filters.
