User Profiles not being deleted for leavers.

    Question

  • Hello,

    In my organization if someone leaves, they don't delete their AD accounts right then and there.

    So when we create the connection to AD in the user profile sync, we set up filters. We filter out the non-active accounts by filter criteria

    userAccountControl "Bit on equals" 2

    I think filtering on userAccountControl attribute and getting value of 2 gives us only the accounts which are active. (and not deactivated).

    However, I see that a lot of people who have left the company still have their user profile page in SharePoint.

    What can I do so that the user profile page of people who have left the company gets deleted?

    Edit:: Also, could you confirm what the behavior of the User Profile Service is if a user has a profile ... has been using it actively (skills, comments, tags), leaves the company, and his account falls out of the filter condition defined on the AD connection for User Profile.

    Will the User Profile service delete the user's profile at the next sync?


    MSDNStudent Knows not much!


    Friday, May 11, 2012 1:27 PM

All replies

  • What is the exact filter you are using? Have the accounts for the employees who have left somehow been marked as no longer being part of the company? The best practice is to disable the account in AD, though I have seen other methods such as moving the user to a dedicated "no longer at the company" OU.

    It should behave as you describe. If the user's account in AD changes in a way that it no longer is retrieved by the query then their profile will get marked as deleted. There is a clean up timer job that runs that deletes all profiles marked as deleted. Off hand I do not remember how often this job runs, though I imagine it's daily or weekly.

    You can check in the Forefront Identity Management (FIM) client (by default it resides at: C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe) to see how the synchronizations are interpreting these users.


    Jason Warren
    Infrastructure Specialist

    Friday, May 11, 2012 4:36 PM
  • Is there an audit log or something where I can check if any deletes have happened in the past?

    MSDNStudent Knows not much!

    Friday, May 11, 2012 7:04 PM
  • Yes, you can see the synchronization history with the FIM client.

    Jason Warren
    Infrastructure Specialist

    Friday, May 11, 2012 7:13 PM
  • A file or DB would be more convenient. The UI becomes too much to scroll through.

    MSDNStudent Knows not much!

    Friday, May 11, 2012 7:25 PM
  • Did you check if My Site Cleanup Job is enabled and running?

    http://technet.microsoft.com/en-us/library/ff681014.aspx#obsoleteUsers

    Thanks

    Guru

    Saturday, May 12, 2012 10:38 PM
  • Here are the steps which I did 

    1. get-sptimerjob | ?{$_.Name -like "*UserProfile*"}

    I can see

    • SweepSync
    • SocialRatingSyncJob
    • ProfSync
    • LanguageSynchronizationJob
    • ProfileSynchronizationJob
    • UserProfileChangeJob
    • ProfileImportJob
    • UserProfileChangeCleanupJob
    • MySiteSuggestionEmailJob
    • ActivityFeedCleanupJob
    • ActivityFeedJob
    • AudienceCompilationJob
    • SocialDataMaintenanceJob
    • daily-any-userprofileservice-health-analysis-job
    • hourly-any-userprofileservice-health-analysis-job
    • weekly-any-userprofileservice-health-analysis-job

    I can see that the "UserProfileChangeCleanupJob" is running on a daily basis and it had run successfully on 12th May.

    Very surprisingly I don't see any "My Site Cleanup Job" as mentioned in 

    http://www.harbar.net/archive/2011/02/10/account-deletion-and-sharepoint-2010-user-profile-synchronization.aspx

    I also checked in CA and the MySite Host is configured for my user profile service app.

    2. Now I did Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true

    It gave me a list of 8 accounts but these didn't look very interesting.

    3. I went into the user profile store database and did a 

    select * from UserProfile_FULL where NTName like '%account%' 

    Here I put in the names of many people whom I know have left the company... and for all of them the records are still there... and the bDeleted flag is 0.

    4. I ran the MIISClient.exe

    I can see that it runs 3 operations on a daily basis

    MOSS_Export

    MOSS_DeltaSync

    MOSS_DeltaImport

    I can see that MOSS_DeltaSync and MOSS_DeltaImport are completed successfully every day (however there are 0 deletes). I scrolled down till February.

    I can see that the MOSS_Export job completes with errors; most of these errors come for a few users who have more than 1 DN for the same profile.

    So one thing is very clear... there is no cleanup happening on my system because the database records in UserProfile_FULL table are still there.

    Edit:: In my company users are not deleted from AD when they leave. Their OU is also not changed. The only thing they do is to update an attribute called userAccountControl. All active users have this value set to 2. When this value becomes NULL, then the user is taken as a leaver.


    Sunday, May 13, 2012 5:15 AM
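
    Added example, not part of the thread and not Microsoft's code: a PowerShell sketch that produces the file-based view asked for above by reconciling AD account state against the profile-store rows from step 3. userAccountControl is a bit field in which 0x0002 is the ACCOUNTDISABLE flag; the CONTOSO account names, the sample values, the function names and the output path are constructed for illustration, and treating a missing value as a leaver follows the convention described in the last post.

```powershell
# Constructed sample data: stands in for an AD export and for rows returned by
# "select NTName, bDeleted from UserProfile_FULL". None of it comes from the thread.
$ACCOUNTDISABLE = 0x0002   # userAccountControl flag set on a disabled account

$adAccounts = @(
    New-Object PSObject -Property @{ NTName = 'CONTOSO\alice'; UAC = 512 }    # enabled
    New-Object PSObject -Property @{ NTName = 'CONTOSO\bob';   UAC = 514 }    # 512 + 2, disabled
    New-Object PSObject -Property @{ NTName = 'CONTOSO\carol'; UAC = 66050 }  # 66048 + 2, disabled
    New-Object PSObject -Property @{ NTName = 'CONTOSO\dave';  UAC = $null }  # no value returned
)
$profiles = @(
    New-Object PSObject -Property @{ NTName = 'CONTOSO\alice'; bDeleted = 0 }
    New-Object PSObject -Property @{ NTName = 'CONTOSO\bob';   bDeleted = 0 }
    New-Object PSObject -Property @{ NTName = 'CONTOSO\carol'; bDeleted = 1 }
    New-Object PSObject -Property @{ NTName = 'CONTOSO\dave';  bDeleted = 0 }
    New-Object PSObject -Property @{ NTName = 'CONTOSO\erin';  bDeleted = 0 }  # no AD row at all
)

# Hypothetical helper: classify one userAccountControl value by its disable bit.
function Get-AccountState($uac) {
    if ($null -eq $uac) { return 'NoUacValue' }
    if (([int]$uac -band $ACCOUNTDISABLE) -ne 0) { return 'Disabled' }
    return 'Enabled'
}

# Hypothetical helper: one output row per profile, flagged stale when the AD
# account is not enabled but the profile row is still live (bDeleted = 0).
function Get-StaleProfileReport($AdAccounts, $Profiles) {
    $byName = @{}   # PowerShell hashtable literals compare keys case-insensitively
    foreach ($a in $AdAccounts) { $byName[$a.NTName] = $a }
    foreach ($p in $Profiles) {
        if ($byName.ContainsKey($p.NTName)) { $state = Get-AccountState $byName[$p.NTName].UAC }
        else { $state = 'NotInAD' }
        New-Object PSObject -Property @{
            NTName   = $p.NTName
            AdState  = $state
            bDeleted = $p.bDeleted
            Stale    = ($state -ne 'Enabled' -and $p.bDeleted -eq 0)
        }
    }
}

# Write only the stale rows to a CSV that can be diffed between sync runs.
Get-StaleProfileReport $adAccounts $profiles |
    Where-Object { $_.Stale } |
    Select-Object NTName, AdState, bDeleted |
    Export-Csv -Path .\stale-profiles.csv -NoTypeInformation
```

    With the sample data the CSV lists bob (Disabled), dave (NoUacValue) and erin (NotInAD); carol is omitted because her profile row is already marked deleted.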