Odd Profile Import from AD

I am running a clean install of MOSS 2007 SP2 on Windows Server 2008 R2, all patches/updates etc. have been applied (this was not an upgraded SP2003 server).

I have the following User Filter in place for the import from our Active Directory:

(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!company=*)))

This should be filtering such that I import only people with the account type of User, which are not disabled, and do not have a blank value listed in Company.

What I get: SOME disabled accounts are imported into the User Profiles and appear in the User Information list, while others are not.

This is happening AFTER 3 or more Full Imports have run since the time the user accounts were disabled in AD.  All of the accounts are ‘disabled’ the same way in AD, right-click and choose disable. Looknig at the menu via right-click on the account displays “enable” and looking at the properties shows that the accounts are disabled.

After searching and trying various things I did find one very interesting thing.  When the import is run using the domain administrator account rather than my SharePoint service account (which has read access to the AD) then all of the disabled accounts filter properly.  When I switch back and do a full import, then the rogue disabled accounts return to Active.  It is always the same accounts that do not filter and the same disabled accounts that do filter regardless of the user who runs the import.

There must be some kind of permission thing going on here, and I am still testing but this seems like an odd behavior that may have as its source Active Directory.  Updates to follow, if I ever find the final answer.

Resetting Colleagues in MySites

I have 4 posts in draft and continue to run out of time to complete them, so to combat that situation I am going to do a very quick post today.

We have My Sites enabled in our SharePoint 2007 intranet.  We also have a number of remote employees who rarely login to the network and have never gone to their My Site.  Internally, the My Sites are often used to find reporting relationships, colleagues and contact information.  In our environment “colleagues” are primarily co-workers in the same department…with exceptions for cross-department teams.  Employees can easily  add or remove colleagues in their My Site Profile page.

HR came to me today because one  person changed roles and the profile page shows colleagues for this person that are no longer considered colleagues.  The person is remote, has not gone to My Sites and will likely not do so, possibly ever.  HR wants to know if I can update the colleagues displayed for this person.

As a SharePoint Administrator, I cannot manage a My Site that the user has not ‘created’ .  That is, when anyone clicks on the name of a valid user they are taken to a My Site page…however if the user hasn’t created their My Site yet, this page is a profile page that SharePoint generates and it is NOT a site.  So I can’t edit the site.

After some digging around I found the answer.  There is no UI or SSP menu that will allow you to do this in 2007…it requires coding a tiny application that uses the UserProfileService web service.  The forum article that really answered this question can be found on TechNet, and sample code doing this is available on MSDN.  I hope this helps shorten someone’s research effort that may have a similar situation arise.

Property Mapping for Profile Import

If you import your User Profiles from Active Directory (or LDAP, or anywhere)  into SharePoint then at some point you may want to make use of some properties available in that external system.   The default import connection in SharePoint maps several commonly used properties for you, in my case properties found in Active Directory.

When you go into your Shared Service Provider (SSP) in SharePoint 2007 and navigate to User profiles and properties found under the User Profiles and My Sites section, you can View profile properties to see what is available.

When I did this, and selected Edit from the drop-down on one of the properties I noticed that I could not see any way to map the property – that is I couldn’t set the Mapped Attribute.  I could see the Mapped Attribute column, and see that many of the default properties had Mapped Attributes, but could not change them.  Since I wanted to create a new Property and map it to an AD Property I had a problem with this.

What I learned was that this was a permissions problem, not because of how I logged in but because of how the Import Connection was configured.  So here is what you do if you have the same problem.

Go to your SSP, navigate to User profiles and properties and select View import connections to get to the  “View Import Connections” screen.

View Import Connection

Select your import connection, and click Edit, this will take you into the Edit Connection screen.  Scroll down to the Authentication Information section.

The Use Default Account radio button is selected, click on the Specify Account radio button to add your farm credentials – Account and Password.  This account must have at least Read access to your Active Directory and can be one of the accounts you setup to manage your SharePoint environment.  Click the OK button to save your changes.

Authentication for Profile Import Connection

You will be returned to the View Import Connections screen.  Navigate back up to the User Profile and Properties page and select View profile properties.  This time when you Edit a property you should see the Data source field to map and Enter field to map fields under the Source Data Connection in the Property Import Mapping section.

Property Mapping

Hurray, now your work creating properties and mapping them starts.  Those steps may follow at a later date.