SharePoint 2013/2016: Active Directory Import and known behaviors


I had a chance to work with a customer on an Active Directory Import problem where it was found that disabled users are not deleted from the UPA automatically. I have blogged about that here. Digging a little deeper, I discovered other behaviors of the Active Directory Import method. I have tried to document a few of them in this blog post, and will add more as they are observed.

Here is what you need to know before choosing the Active Directory Import option to sync users into SharePoint 2013. You may expect AD Import to behave the same way as FIM-based synchronization except that it cannot export to AD; that is not the only difference. The others are:

  • Disabled user accounts in Active Directory are not automatically deleted or marked for deletion (bDeleted = 1) in the User Profile Service Application.

  • It imports non-user objects as well, such as computer accounts.

  • If you have an OU which contains both computer and user objects, both are imported into the UPA. This is not the case with FIM-based synchronization.

  • You cannot select only a few users under an OU; the import process only brings in users when the whole OU is selected in the connection.

  • If the user object has a value for the property “LastKnownParent” that points to an OU which is not being imported, that profile will be ignored during the import process.

Consider the following scenario, where the UPA import connection selects these OUs:

Root
    OU1 (selected in the import connection)
        User1 (has “LastKnownParent” pointing to OU2)
    OU2 (not selected in the import connection)

User1 will be ignored.

The “LastKnownParent” attribute is generally populated when a user is deleted from AD and moved to the AD Recycle Bin; it records where the object was before it was deleted. If you delete a user from OU2 and then restore it into OU1, LastKnownParent still points to OU2, so an import connection that selects only OU1 skips that user.

  • Because AD Import does not delete disabled accounts from the UPA automatically, the following command is sometimes suggested:

          o Set-SPProfileServiceApplication -PurgeNonImportedObjects $true

          o You need to understand the impact of this command before running it.

How are profiles created in the UPA? There are three ways:

       Through the import process

       Manually (in Central Administration) or through the object model

       Automatically, when a user visits the My Site host

When you run the command with PurgeNonImportedObjects, it deletes every profile that is NOT coming through the current import. That includes profiles that are:

  • No longer imported because of a change in OU selection, a disabled account, an LDAP filter, etc.
  • Manually created
  • Automatically created by browsing to the My Site host

So, when your AD is not in a proper structure (for example, an OU that contains both user and other objects), or your import needs complex filtering, it is recommended to use FIM-based synchronization.
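The purge switch above is a blunt instrument: it removes every profile that did not arrive through the current import, including the manually created and My Site-created ones listed above. The script below is an added example (not code from the original post) of a targeted alternative: it walks the UPA, looks each Windows-claims account up in Active Directory, and reports the profiles whose account is disabled or no longer exists, so you can review the list before removing anything. It assumes SharePoint 2013/2016 on-premises, a single NetBIOS domain searched from the SharePoint server, and the placeholder My Site host URL and domain name shown; the function names are this example's own.

```powershell
# Added example, not from the original post: find (and optionally remove) UPA
# profiles whose AD account is disabled or deleted, instead of running the
# blanket -PurgeNonImportedObjects switch. Run in the SharePoint Management
# Shell as a farm administrator with Full Control on the UPA.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function ConvertTo-LdapEscaped([string]$s) {
    # Escape RFC 4515 special characters so an account name cannot alter the filter.
    return ($s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Get-StaleUserProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$MySiteHostUrl,   # placeholder, e.g. https://mysite.contoso.com
        [Parameter(Mandatory = $true)][string]$Domain,          # NetBIOS domain of the import connection, e.g. CORP
        [string]$ClaimPrefix = 'i:0#.w|'                        # Windows claims prefix on AccountName
    )
    $site = Get-SPSite $MySiteHostUrl
    try {
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager((Get-SPServiceContext $site))
        $ACCOUNTDISABLE = 0x2   # ADS_UF_ACCOUNTDISABLE bit of userAccountControl (514 = 512 + 2)

        foreach ($up in $upm.GetEnumerator()) {
            $account = [string]$up['AccountName'].Value
            if (-not $account.StartsWith($ClaimPrefix)) { continue }          # skip non-Windows-claims accounts
            $parts = $account.Substring($ClaimPrefix.Length) -split '\\', 2
            if ($parts.Count -ne 2 -or $parts[0] -ne $Domain) { continue }    # skip other domains / built-in accounts
            $sam = $parts[1]

            # Default [adsisearcher] root is the server's own domain (assumption for this example).
            $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapEscaped $sam)))"
            [void]$searcher.PropertiesToLoad.Add('userAccountControl')
            $hit = $searcher.FindOne()

            if ($null -eq $hit) {
                $reason = 'NotFoundInAD'   # deleted, or moved outside the searched domain
            } elseif (([int]$hit.Properties['useraccountcontrol'][0] -band $ACCOUNTDISABLE) -ne 0) {
                $reason = 'Disabled'
            } else {
                continue                   # enabled account: keep the profile
            }
            New-Object PSObject -Property @{ AccountName = $account; SamAccountName = $sam; Reason = $reason }
        }
    } finally {
        $site.Dispose()
    }
}

function Remove-StaleUserProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$MySiteHostUrl,
        [Parameter(Mandatory = $true)][string]$Domain
    )
    $site = Get-SPSite $MySiteHostUrl
    try {
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager((Get-SPServiceContext $site))
        foreach ($stale in (Get-StaleUserProfile -MySiteHostUrl $MySiteHostUrl -Domain $Domain)) {
            # -WhatIf / -Confirm are honoured here, so nothing is removed until you opt in.
            if ($PSCmdlet.ShouldProcess($stale.AccountName, "Remove profile ($($stale.Reason))")) {
                $upm.RemoveUserProfile($stale.AccountName)
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Review the candidates first, then do a dry run before removing for real.
Get-StaleUserProfile -MySiteHostUrl 'https://mysite.contoso.com' -Domain 'CORP' | Format-Table -AutoSize
Remove-StaleUserProfile -MySiteHostUrl 'https://mysite.contoso.com' -Domain 'CORP' -WhatIf
```

The lookup is one LDAP query per profile, so on a large UPA run it off-hours or restrict it with the claims prefix and domain checks as shown. It deliberately leaves alone anything it cannot classify (other domains, non-Windows claims, built-in accounts), which is exactly the class of profile the blanket purge would remove.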

 

POST by :Satheesh Palanisamy [MSFT]


Comments (13)

  1. Dennis Gaida says:

    "when you use PurgeNonImportedObjects command, it is going to delete all the objects that are coming through import. Including the ones that are manually created and the ones that are automatically created by getting to mysite host."

    This is not quite clear and I recently did exactly that – PurgeNonImportedObjects. AFAIK this deletes all objects that are NOT imported (anymore) via AD Import. If I understand correctly that would also mean that profiles only created through Login / MySite creation would be deleted? Also profiles that are manually created would be deleted?

    1. Hi Dennis, the answer on your question might come a little late, but could be helpful for others:

      Yes, your understanding is correct: Profiles created through Login / MySite creation as well as profiles that are manually created within Central Administration are targeted by the PurgeNonImportedObjects parameter.

  2. Dean says:

    How do these tips apply to SharePoint online and O365? Could you please write a similar article on synchronization with azure ad/office 365/SharePoint online

  3. Bob says:

    The biggest issue so far, related to this post, is that if a user in AD is deleted, the incremental profile sync will remove the profile.  If a user in AD is disabled, then some time later deleted, the incremental sync will not remove the profile.  The only way to correct this is to run a Full Profile Sync all the time, or write PowerShell to remove the disabled/disabled-deleted profiles.

    Seems like Microsoft assumed that AD accounts are always immediately deleted, and never disabled then deleted.

  4. Nice.. one..

    no requirement to deploy the UPS service instance, no “stuck on starting”

    it runs in the UP service instance

    it’s wicked fast in comparison to the FIM approach

    you can leverage old skool LDAP filters to constrain the objects being imported

    by default an incremental import will run every five minutes

    no Farm Account in the local admins shenanigans

    you don’t have to worry about an esoteric configuration option with the mystical name NetBiosDomainNames

    get up and running quickly and easily, especially to enable key “social” scenarios in SharePoint 2013.

  5. karthi says:

    I am using an Active Directory Import connection and I am not able to update the selected containers for the synchronization connection. I just opened the edit connection page, entered the synchronization account password and clicked Populate Containers, scrolled down, unselected a currently selected container and clicked OK. The system shows the change is saved, but if I go back to the edit page and load up the containers, the one I just unselected is still selected. So I currently can't make any modifications to the selected containers, which seems to be an application error or browser issue.

    I just tried a different browser like Chrome, and I've tried three different machines to make the change, but no luck.

    My SharePoint Server 2013 version is: 15.0.4420.1017

    I didn't install Service Pack 1 or the later cumulative updates.

    Should I install Service Pack 1 and the latest update? Could you please help me out on this?

    1. Callie says:

      I’m having the exact same issue as Karthi. Has there been any new findings on this?

      1. Umar says:

        New finding but same issue . Any solution for this ?

        1. Spses says:

          Hi Umar and Callie,
          We have noted this issue and it is being worked on.

          1. Alisher says:

            Just my 5 cents also: I have the same issue in SharePoint 2016 with May 2017 CU installed. Still trying to fix it.

          2. Spses says:

            Hi Alisher,
            Yes, the issue is observed on SP2016 as well, because there is not much difference between SP2013 and SP2016 with respect to the AD Import functionality. We are working on this and will update the blog once we have an update. Thanks!

  6. jmaryj says:

    How can I exclude disabled users from the SharePoint 2013 intranet site? The system does an Active Directory Import.
    I have checked the ‘Filter out disabled users’ option under Synchronization Connection -> Edit. I have also entered (!userAccountControl:1.2.840.113556.1.4.803:=2) in the ‘LDAP Filter’ textbox. But disabled users are still present in the search. What should I be doing to remove all disabled accounts (i.e. userAccountControl = 514 in AD) from appearing in the SharePoint system/search?

    1. Spses says:

      Hi Jmaryj,
      Ideally the filter (!userAccountControl:1.2.840.113556.1.4.803:=2) should help us filter out the disabled users. You will need to run the purge command as mentioned in the blog post to mark them as deleted in Sharepoint. In addition to this, if your AD has recycle bin enabled, you may need to modify the filter to include isdeleted=True condition as well.
