SharePoint 2010/2013: Using PowerShell script to Select / Unselect specific containers for User Profile Sync connection.

In Sharepoint 2010 / 2013, when clicking on “Populate containers” for creating a sync connection you may not see all the items displayed, hence you may not be able to select / unselect containers that are not visible in the Tree-view. The number of items to show in this view has been limited to 1000 considering the Performance issues. When you select the root OU, all the objects in the OU will be marked for synchronization by default. You may expand the Tree and un-select the containers, however once it reaches the display limit you will not be able to view them and unselect.

Here is the sample PowerShell Script that can be used to unselect an OU that’s not visible in the UI view. The value for the connection name should be updated. If you have more than one User Profile service application, the script is going to select the first one.


$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.Powershell'}

if ($snapin -eq $null)


Write-Host "Loading SharePoint Powershell Snapin"

Add-PSSnapin "Microsoft.SharePoint.Powershell"


$ups = @(Get-SPServiceApplication | Where-Object {$_.TypeName -eq 'User Profile Service Application'})[0] #Picks up the First User profile service application.

$context = [Microsoft.SharePoint.SPServiceContext]::GetContext($ups.ServiceApplicationProxyGroup,[Microsoft.SharePoint.SPSiteSubscriptionIdentifier]::Default)

$ConfigMgr = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

$AD = $ConfigMgr.ConnectionManager['2013Connection'] #2013Connection is the connection name

$NamingContext = $AD.NamingContexts[0]

$ContainersExcluded = $NamingContext.ContainersExcluded

$ContainersIncluded = $NamingContext.ContainersIncluded



$CloneDSNC = new-object Microsoft.Office.Server.UserProfiles.DirectoryServiceNamingContext(










$NamingContexts = $ad.NamingContexts



$ad.NamingContexts = $NamingContexts









# This sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that. You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code.

Script Credit: Abhishek Saigal [MSFT]

Post By : Manjesh Menon [MSFT]

Comments (2)

  1. Thanks for this excellent post. I tried running this script, but the issue is that UPS Sync fails. I will have to manually go to FIM console and then reenter our sync account credentials(But making any manual change to FIM is not supported by Microsoft for SharePoint). In UI for UPS, we can enter these credentials only after which we get to populate containers. Is there a way to pass the sync account credentials using the above script?

    1. Spses says:

      Hi Santhosh ,
      Its not a good practice to pass the credentials with in the script. We haven’t seen the sync fails after the script is executed. However , if you experience so , please use the SharePoint UI and edit the Sync connection , key in the password and click on populate containers. This screen now should show the right OUs selected as the script is already executed. Then you can click ok (without making any changes to the OU through UI). This will help the SharePoint to send all the information to FIM including the credentials.
      Hope this clarifies your question.

Skip to main content