Deleting existing user profiles from SharePoint 2010

    Question

  • After googling around for a couple of hours, I didn't find any relevant post or information about deleting existing profiles that have been imported from AD during a test run.

    Aim: I want to clean (delete existing) or remove all imported user profiles.

    One way is to select the users from the 'Manager user profiles' section and delete them in batches of 50 records. But I have about 5000 user profiles and manual deletion will take a lot of time.

    Environment: SharePoint 2010 Search Server on 2 web farms, 2 application servers and 1 database server. Database is running SQL Server 2008 R2. Operating System is Windows Server 2008 R2 Enterprise.

    Any Pointers/PowerShell command... Thank You.

    Friday, August 20, 2010 3:12 PM

All replies

  • Hi,

    Have you read this blog post?

    http://www.gilham.org/Blog/Lists/Posts/Post.aspx?ID=488

    I hope this will help you.

    Regards.

    Shafaquat Ali.


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, URL: http://blog.WhatDoUC.net Phone: +923008210320
    Friday, August 20, 2010 3:17 PM
  • Yes! But it is more relevant to SharePoint 2007. Not sure if the recommended PowerShell commands are applicable to 2010 too.
    Friday, August 20, 2010 3:20 PM
  • Hi,

    AFAIK you can use these commands on 2010 as well.

    But I suggest that you make some test users and do it that way.

    Regards.

    Shafaquat Ali


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, URL: http://blog.WhatDoUC.net Phone: +923008210320
    Friday, August 20, 2010 3:25 PM
  • Option 1. Actually I found another 'easy' way which deletes the existing profiles automatically. It is an in-built feature of SharePoint 2010. You need to change the OU mapping of the existing profile connections, and then run a full synchronization. It eventually deletes the existing profiles and then syncs up the users per the new OU mappings.

    Option 2. Another option (a tedious operation though) - Search all users, which displays the user list in batches of 50 records, then select all and delete. As I said, this is a very tedious operation but it is secure.

    The above two options are good for those who are not yet comfortable with PowerShell (including me). PowerShell is not tough, rather easy to understand and use, but still one has to learn it.

    Option 3. Guru's link looks more optimistic, and once again, as I said, I can't run the command directly on production unless I test it. Learning and implementing takes time; however, the options I mentioned are straightforward and out of the box - so I used the first option.

    Hope this helps.

    Saturday, August 28, 2010 6:54 AM
  • There are various ways to approach this issue, as stated previously you can remove the Sync connections and SharePoint's User Profile Clean-up service will remove them when it next runs. I haven't tried it but you could try running it manually via Monitoring > Review Job Definitions. 

    DO NOT RUN THE FOLLOWING SCRIPT ON A PRODUCTION SYSTEM UNLESS FULLY TESTED IN YOUR DEV ENVIRONMENT.

    THE SCRIPT WILL DELETE ALL USERS, EXCEPT THE ADMIN ACCOUNT YOU SPECIFY.

    For me I found the following worked very well, I'm running it on my dev box right now against 7000+ profiles. It's a PowerShell script. You just need to edit the lines highlighted in bold and underlined to match your circumstances. Save the file, give it any name but make sure you save it with the extension .PS1, i.e. removeProfiles.ps1:

    # PowerShell Script - Delete All User Profiles - SharePoint 2010
    # The script is distributed "as-is." Use it at your own risk. The author gives no warranties, guarantees or conditions.

    # Add SharePoint PowerShell SnapIn if not already added
    if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
        Add-PSSnapin "Microsoft.SharePoint.PowerShell"
    }

    # Open the site collection whose service context is used below
    $site = New-Object Microsoft.SharePoint.SPSite("http://mysite.com")
    $ServiceContext = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)

    # Get UserProfileManager from the My Site Host Site context
    $ProfileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ServiceContext)
    $AllProfiles = $ProfileManager.GetEnumerator()

    foreach ($profile in $AllProfiles)
    {
        $DisplayName = $profile.DisplayName
        $AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value

        #Do not delete setup (admin) account from user profiles. In this case account is
        if ($AccountName -ne "Domain\MySiteServiceAccount")
        {
            $ProfileManager.RemoveUserProfile($AccountName)
            Write-Host "Profile for account ", $AccountName, " has been removed"
        }
    }
    Write-Host "Finished."
    $site.Dispose()

    Also, for those of you new to PowerShell, you must run the script (if running from a PS console) as .\filename.PS1.

    Hope this helps.



    Friday, April 20, 2012 12:18 PM
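
A more cautious variant of the removal loop in the post above, as an added example that is not part of the original thread: it snapshots the profiles to delete, writes them to a CSV as an audit record, and honours -WhatIf / -Confirm before removing anything. The parameter names, the CSV path and the try/finally structure are assumptions of this example; the SharePoint calls are the ones used in the posted script.

```powershell
# Added example: audited, dry-run-capable variant of the profile removal loop.
# $SiteUrl, $KeepAccounts and $AuditCsv are placeholders; set them for your farm.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]   $SiteUrl      = "http://mysite.com",
    [string[]] $KeepAccounts = @("Domain\MySiteServiceAccount"),
    [string]   $AuditCsv     = ".\removed-profiles.csv"
)

if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $context     = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
    $manager     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
    $accountProp = [Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName

    # Snapshot the candidates first so nothing is deleted while enumerating.
    $candidates = @()
    foreach ($userProfile in $manager.GetEnumerator()) {
        $account = $userProfile[$accountProp].Value
        if ($KeepAccounts -notcontains $account) {   # comparison is case-insensitive
            $candidates += New-Object PSObject -Property @{
                AccountName = $account
                DisplayName = $userProfile.DisplayName
            }
        }
    }

    # Write the audit list before any deletion; it is the record of what was removed.
    $candidates | Export-Csv -Path $AuditCsv -NoTypeInformation
    Write-Host "$($candidates.Count) profiles selected; list written to $AuditCsv"

    foreach ($c in $candidates) {
        # With -WhatIf this only reports; otherwise it prompts (ConfirmImpact is High).
        if ($PSCmdlet.ShouldProcess($c.AccountName, "Remove user profile")) {
            $manager.RemoveUserProfile($c.AccountName)
            Write-Host "Removed profile for $($c.AccountName)"
        }
    }
}
finally {
    # Release the SPSite even if enumeration or removal throws.
    $site.Dispose()
}
```

Run it first with -WhatIf to see which accounts would be removed and to produce the CSV without deleting anything.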
  • I had a very similar problem with old users still being listed in the all users list even though a profile does not show in central admin.

    I ran the script to delete all users from the list and now no users are listed.  So I was thinking I could just run a profile sync and voilà, only active accounts from AD would now display in all users and everything would be good to go.  But now all users and their permissions are missing from the site collection.

    Did I just destroy everyone's access to this site collection?

    Friday, May 04, 2012 2:14 PM
  • I'm not sure if the script deletes the users' site collections (AKA My Content sites); I got the script from somebody else. My Profile and My Site are shared pages, the content is generated dynamically. Running a full synchronisation should return your users from Active Directory; first ensure your synchronisation connections are set up.

    The script removes ALL users, except for the one you specify (the admin account). You should not run the script on a production system (unless fully tested and out of hours) and you should always test in a development environment first, not only to make sure the script works within your environment but also to make sure you understand the implications of it running.

    What do you mean by "access to the site collection"? Do you mean access to the My Site web application? If the users are missing your import was not successful, check this first. Let us know how you get on.

    Friday, May 04, 2012 2:24 PM
  • Thanks for the reply, and I did run this in my model environment.  Trust me.  I have made that mistake before.  LOL.  You only make that once (hopefully)!

    I have two site collections and I ran the script against one of them.  This particular site collection now shows only my farm administrator accounts under the /_catalogs/users/simple.aspx list.  All of my groups still exist but they show zero users under them as well.  I have run a profile sync and central admin shows 1800 profiles, but users are unable to log in to that site collection like they could before I wiped out their accounts.

    Maybe I was just misunderstanding how this whole thing is supposed to work.  Thank you again for responding and attempting to help.  I will keep working on trying to figure out why at least the synced profiles are not showing.

    Before I wiped them out, a profile sync would update the accounts with AD changes listed in the all users list, so I at least know it was sort of working.

    Friday, May 04, 2012 2:49 PM
  • Phew! When you said "Did I destroy everyone's access" I thought it was a prod env and I would have felt partly responsible for not being clear on what the script did (notice the update to my original post)!
    I don't think that list shows users in the User Profile Service. I have 7500k+ imported users and that list only shows permissions currently set across the site collection, or where users have accessed their My Site. If you removed the users their permissions would also have been removed, because SharePoint would no longer have any user accounts to populate the permissions lists, and until they access their My Site again (I believe) they will not appear in that list.

    You can check user profile imports at Central Administration > Manage Service Applications > Click on the text of User Profile Service Application (unless of course you recreated a new one with a different name), on the right of the page should be all the user profiles listed.  Number of User Profiles will show how many profiles you have, if you run the script you should probably do another full sync, good luck!

    One last thing, if you have old users in permissions lists make sure they are disabled or deleted in Active Directory, an incremental sync will remove them from the UPS and the User Profile Service Clean Up Timer job will delete the profiles.

    Friday, May 04, 2012 3:30 PM
  • LOL!  I know how ya feel.  I think I understand now.  So I did indeed just remove all permissions for users on that particular site collection and they will have to be manually added back (we don't use My Sites) to each site in order for them to access the data.  So the profile sync is really just keeping their account up to date with AD.  It has nothing to do with adding users into SharePoint.

    So basically what I just learned is that if I want to clean up old accounts in SharePoint I need to manually delete them one by one.  There is no way to just clear out all users' info and let it refresh on the next sync.

    See, what prompted me to do this is that since we stopped using My Sites and allowing users to edit their personal info, I wanted to clean up the profiles.  Because some users still have these 2 and 3 paragraph "about me" descriptions and they have ridiculous looking pictures that I would like to have removed.  I figured I could just refresh the entire lot of accounts by deleting them from the all users list.

    One thing.  After I deleted all the users I noticed that after I give them rights back, if you click their name in the top right corner it still shows the creation date as when it was first created.  Like my account shows 2007.  Does that make any sense to you?  Where is this being stored?

    Once again, thank you for taking the time to answer my questions.

     
    Friday, May 04, 2012 3:46 PM