User profile synchronization - is two way possible for same attribute?

    Question

  • I have user profile synchronization working (what a painful series of steps, but it works!)

    We already have a web page for people to update their info, including photos, org information, etc.  We do not want to switch (entirely) to SharePoint as we roll out SharePoint.  We may eventually, may not.

    But it would be nice to allow SharePoint to be used to ALSO update AD info. 

    Can it be two way?   Is it smart enough to reconcile changes and take the latter?   Or must I choose (field by field I realize) either import or export only?

    PS. I could just change this and try, but I am afraid doing so might wipe a field in AD that I really need, e.g. export all nulls since SharePoint wasn't populated right.

     

    Monday, February 21, 2011 3:09 PM
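A read-only dry run for the concern raised in the PS above (an empty SharePoint value overwriting a populated AD attribute once a property is mapped for export), as an added example that is not part of the original thread. The site URL and the property-to-attribute pairs are placeholders, and it assumes the SharePoint 2010 Management Shell with the ActiveDirectory module available on the same machine.

```powershell
# Added example: reports differences only; it writes nothing to AD or SharePoint.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = 'http://sharepoint.example.local'   # placeholder, not from the thread
# SharePoint profile property -> AD attribute being considered for export.
# Hypothetical pairs; replace with the mappings you actually plan to create.
$map = @{
    'WorkPhone' = 'telephoneNumber'
    'Office'    = 'physicalDeliveryOfficeName'
}

$context = Get-SPServiceContext -Site $siteUrl
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

$report = foreach ($up in $upm.GetEnumerator()) {
    # AccountName is DOMAIN\user (or a claims-encoded form ending in DOMAIN\user)
    $account = [string]$up['AccountName'].Value
    $sam = $account.Split('\')[-1]
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties @($map.Values)
    if (-not $adUser) { continue }             # profile with no matching AD account

    foreach ($spProp in $map.Keys) {
        $attr    = $map[$spProp]
        $spValue = [string]$up[$spProp].Value  # $null becomes '' after the cast
        $adValue = [string]$adUser.$attr
        if ($spValue -eq $adValue) { continue }

        # The case the question worries about: SharePoint has nothing, AD has data.
        $risk = 'Values differ'
        if ($spValue -eq '' -and $adValue -ne '') { $risk = 'SharePoint empty, AD populated' }

        New-Object PSObject -Property @{
            Account    = $account
            Property   = $spProp
            Attribute  = $attr
            SharePoint = $spValue
            AD         = $adValue
            Risk       = $risk
        }
    }
}

# Review this before removing an import mapping and creating the export mapping.
$report | Sort-Object Risk, Account |
    Format-Table Account, Property, Attribute, SharePoint, AD, Risk -AutoSize
```

Rows marked "SharePoint empty, AD populated" are the ones to resolve before changing a mapping's direction; taking a backup of the affected AD attributes first gives a way back if the export behaves differently than expected.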

Answers

  • No, UPS in SharePoint 2010 does not provide real synchronization (despite the name) it's one way or the other - a designed limitation.

    The only way to achieve real sync is to implement an external metadirectory, which unfortunately is unsupported at present.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    Thursday, February 24, 2011 11:03 AM

All replies

  • Hi,

     

    Did you want to export information from SharePoint user profiles to AD?

    If yes, you can manage the user profile properties to realize it. For details, please refer to:

    http://technet.microsoft.com/en-us/library/ff182925.aspx#section6

    http://technet.microsoft.com/en-us/library/ee721049.aspx#Phase4

    http://blogs.msdn.com/b/tehnoonr/archive/2010/11/22/mapping-user-profile-properties-in-sharepoint-2010-to-ldap-attributes.aspx

     

    Note: You cannot edit a mapping to change its direction. You must first remove the mapping that contains the old direction, and then create a mapping in the new direction and add the mapping. Both directions (import and export) cannot exist at the same time for the same property.

     

    Regards,

    Seven

    Thursday, February 24, 2011 7:55 AM
  •  

    Did you want to export information from SharePoint user profiles to AD?

     

    Yes and no, I was hoping that two way replication was supposed like DFS or domain controllers do, so that changes could be made (to the same attribute) on either AD or Sharepoint and reconcile to take the latest.

    From everything I read (and thanks for the additional pointers) the answer is a clear no, there is only import or export for any given attribute, plus you can have only one AD connector.

    So we are (at least for now until we can get photos working) turning off editing in SharePoint and leaving people using our existing web application to update their personal info.

    Thursday, February 24, 2011 10:19 AM
  • Spencer,

    Could you update your legendary article "Rational Guide to Implementing SP 2010 UPS" to add this little caveat in the section about writing back to AD?  That will save hundreds (maybe thousands?) of SP admins and consultants a lot of wasted time.

    We followed your article and set up UPS, then set up write back to AD, but did not realize that it was not a true two-way sync as described in this thread until I found this discussion.

    Apparently, a lot of people are looking to do this and when we read that SP2010 can do two-way user profile sync, we get fooled by a little misinterpretation of that statement.

    So, with that nugget of information in mind, would it be appropriate to introduce a custom "edit" page that writes directly to AD changes to a couple of properties that I am interested in, and let the UPS sync that change back down from AD?

    Thanks again for shedding even more light on the topic!


    --Thiago
    Tuesday, November 22, 2011 10:22 PM