SharePoint 2013 /2016: Active Directory Import and known behaviors

I had a chance to work with a customer on an Active Directory import problem where we found that disabled users are not deleted from the UPA automatically. I have blogged about that here. Digging a little deeper, I discovered other behaviors of the Active Directory import method. I have tried to document a few of them in this blog post, and will add more as observed.

Here is what you need to know before choosing the Active Directory import option to sync users in SharePoint 2013. You may expect the Active Directory import method to behave the same way as FIM, except that it cannot export to AD. That is not the only difference; the others are:

  • Disabled user accounts in Active Directory are not automatically deleted or marked for deletion in the User Profile Service Application (bdeleted = 1).

  • It imports non-user objects as well, such as computer accounts.

  • If you have an OU which contains both computer and user objects, then both are imported into the UPA. This is not the case with FIM-based synchronization.

  • If you select only a few users under an OU, the import process does not bring those users into the UPA. It only imports all users in an OU, and the whole OU has to be selected.

  • If the user object has a value for the property “LastKnownParent” and that value points to an OU which is not being imported, then that profile will be ignored during the import process.

Consider the following scenario.

# UPA has the following OUs imported

Root
  OU1 (selected in the import connection)
    User1 (has “LastKnownParent” pointing to OU2)
  OU2 (not selected in the AD connection)

User1 will be ignored.

The “LastKnownParent” attribute is generally populated when a user is deleted from AD and moved to the recycle bin. This property helps track where the user was previously located. However, if you delete a user from OU2 and then restore it into OU1, LastKnownParent will still hold a value pointing to OU2.
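To check for this condition before an import run, the following script (an added example, not from the original post) lists users inside the selected OUs whose LastKnownParent points somewhere outside the selection. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished names are placeholders to be replaced with the OUs configured in your AD Import connection.

```powershell
# Added example: find users AD Import will skip because their
# lastKnownParent points to an OU that is not part of the import connection.
# Assumes the RSAT ActiveDirectory module; the DNs below are placeholders.
Import-Module ActiveDirectory

# OUs selected in the AD Import connection (placeholder values)
$selectedOUs = @(
    "OU=OU1,DC=contoso,DC=com"
)

function Test-SelectedOU {
    # Returns $true when the given DN is one of the selected OUs or lies beneath one.
    param([string]$DistinguishedName)
    foreach ($ou in $selectedOUs) {
        if ($DistinguishedName -eq $ou -or $DistinguishedName -like "*,$ou") {
            return $true
        }
    }
    return $false
}

foreach ($ou in $selectedOUs) {
    # lastKnownParent is normally set on recycled objects only; a user that was
    # deleted and then restored into a different OU keeps the old value.
    # Get-ADUser returns live (non-deleted) objects, which is what we want here.
    Get-ADUser -SearchBase $ou -LDAPFilter "(lastKnownParent=*)" -Properties lastKnownParent |
        Where-Object { -not (Test-SelectedOU $_.lastKnownParent) } |
        Select-Object SamAccountName, DistinguishedName, lastKnownParent
}
```

Any account in the output will be silently ignored by AD Import until LastKnownParent is cleared or the OU it references is added to the connection, so this is worth running whenever a restored user is reported as missing from the UPA.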

  • AD Import does not delete disabled accounts from the UPA automatically. So the suggestion was to use the command

         o Set-SPProfileServiceApplication -Identity <UPA> -PurgeNonImportedObjects $true

         o You need to understand the impact of the above command before running it.

# How are the profiles created in UPA?

  • Through the import process
  • Manually, or through the object model
  • Automatically, when a user visits the My Site host

When you run the PurgeNonImportedObjects command, it deletes all profiles that are NOT coming through import, which includes profiles that are:

  • Not imported due to a change in OU selection, a disabled account, filtering, etc.
  • Manually created
  • Automatically created by browsing to the My Site host
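Before enabling the purge, it helps to see which profiles it would remove. The script below is an added example (not the post's own code): it enumerates every profile in the UPA through the object model and checks the matching account in AD, so that disabled accounts (which AD Import leaves in place) and accounts that no longer exist in AD (typically manually or My Site-created profiles) are listed for review. It assumes the SharePoint Management Shell, the RSAT ActiveDirectory module, a single domain, and a placeholder site URL in the UPA's proxy group.

```powershell
# Added example: report UPA profiles whose AD account is disabled or missing,
# i.e. the profiles a PurgeNonImportedObjects run would target.
# Assumes the SharePoint snap-in, the RSAT ActiveDirectory module and a single
# domain; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = "https://mysite.contoso.com"   # placeholder: any site served by this UPA
$ctx = Get-SPServiceContext -Site (Get-SPSite $siteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

function Get-ProfileAdState {
    # Resolves the profile's AccountName (DOMAIN\sam) against AD and returns
    # Enabled, Disabled or NotFoundInAD. For multi-domain forests, add -Server.
    param([string]$AccountName)
    $sam = ($AccountName -split '\\')[-1]
    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
        if ($adUser.Enabled) { return "Enabled" } else { return "Disabled" }
    } catch {
        return "NotFoundInAD"
    }
}

# $p rather than $profile, which is a PowerShell automatic variable
$report = foreach ($p in $upm.GetEnumerator()) {
    $account = $p["AccountName"].Value
    [pscustomobject]@{
        AccountName = $account
        ADState     = Get-ProfileAdState -AccountName $account
    }
}

# Everything that is not an enabled AD account is a purge candidate to review
$report | Where-Object { $_.ADState -ne "Enabled" } | Sort-Object ADState | Format-Table -AutoSize
```

Review the list before setting PurgeNonImportedObjects: a "Disabled" entry is the behavior described above (AD Import never marks it deleted), while "NotFoundInAD" entries include profiles created manually or by a My Site visit, which the purge will also remove.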

So, when your AD is not in a proper structure (for example an OU containing both user and other objects), or your import process needs complex filtering, it is recommended to use FIM-based synchronization.


Post by: Satheesh Palanisamy [MSFT]