Removal of disabled AD users in SharePoint 2010 User Profile

  • Question

  • Hi,

    When the AD account of a user (who is already in the SP 2010 user profile database) is disabled, the User Profile Sync job (run in full or incremental mode) does not flag or remove the user from the SP User Profiles. Is this a bug, or am I missing something here? Thanks in advance.


    Tuesday, February 1, 2011 4:38 PM

Answers

  • To filter/exclude users during imports, do the following:

    • Go to Central Administration and under Application Management, click Manage service applications
    • Click on the link to your User Profile Service Application
    • Under Synchronization, click Configure Synchronization Connections
    • Click on the connection you want to filter and select Edit Connection Filters from the drop down
    • Under Exclusion Filter for Users, select whether the statement should be "AND" or "OR" (So if you have multiple filter statements, make sure you pick the right one)
    • Select the Attribute to filter (wait for the page to reload as it's updating the Operator fields)
    • Select the Operator to use (changes based on attribute)
    • Input the filter value into the Filter field
    • Click Add to include the exclusion filter

    Examples

    Exclude disabled users:

    • Attribute - userAccountControl
    • Operator - Bit on equals
    • Filter - 2
    Tuesday, February 1, 2011 11:08 PM
  • Many thanks to all the forum member suggestions. Finally the following worked for us.

    Exclude disabled users:

    • Attribute - userAccountControl
    • Operator - Bit on equals
    • Filter - 2

    The disabled user accounts were moved to the disabled objects OU. Syncing with this OU flagged the ex-employees. The timer job then removed those flagged user accounts.

    The following article helped me a lot.

    http://www.harbar.net/archive/2011/02/10/account-deletion-and-sharepoint-2010-user-profile-synchronization.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Harbar+(harbar.net)


    • Marked as answer by svblr Thursday, February 17, 2011 3:09 PM
    Thursday, February 3, 2011 9:33 PM
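As an added illustration (not code from the thread, from SharePoint, or from the linked article), the following Python shows what the "userAccountControl / Bit on equals / 2" exclusion filter from the steps above and from the accepted reply actually evaluates against a few constructed AD records. It also shows why a plain equality test on userAccountControl would miss most disabled accounts, and builds the equivalent LDAP bitwise-AND filter that can be used to check what the synced OU contains before trusting the import. The account names and userAccountControl values are constructed; the flag constants and the matching-rule OID are the documented Active Directory values.

```python
"""Evaluate SharePoint's "Bit on equals" exclusion filter against userAccountControl.

Added illustration, not SharePoint's own code. Sample records are constructed.
"""

# Documented userAccountControl flag values (subset).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}

ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]  # the "Filter - 2" value from the thread

# LDAP_MATCHING_RULE_BIT_AND: the extensible-match rule that tests "all bits in mask set".
LDAP_BIT_AND_OID = "1.2.840.113556.1.4.803"


def bit_on_equals(uac: int, mask: int) -> bool:
    """'Bit on equals' semantics: true when every bit of `mask` is set in `uac`."""
    return (uac & mask) == mask


def decode_uac(uac: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def apply_exclusion_filter(records, mask: int = ACCOUNTDISABLE):
    """Split records into (excluded, imported) the way the sync filter would."""
    excluded, imported = [], []
    for rec in records:
        target = excluded if bit_on_equals(rec["userAccountControl"], mask) else imported
        target.append(rec["sAMAccountName"])
    return excluded, imported


def naive_equality_filter(records, value: int = ACCOUNTDISABLE):
    """What a plain 'userAccountControl equals 2' test would exclude (usually nothing)."""
    return [r["sAMAccountName"] for r in records if r["userAccountControl"] == value]


def ldap_filter_for_mask(mask: int = ACCOUNTDISABLE) -> str:
    """LDAP filter equivalent to the SharePoint exclusion, usable with ldapsearch
    or Get-ADUser -LDAPFilter to verify which accounts in an OU would be excluded."""
    return f"(userAccountControl:{LDAP_BIT_AND_OID}:={mask})"


# Constructed sample records (hypothetical accounts, not from any real directory).
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # NORMAL_ACCOUNT, enabled
    {"sAMAccountName": "bob",   "userAccountControl": 514},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "carol", "userAccountControl": 66050},  # NORMAL | DONT_EXPIRE_PASSWORD | DISABLED
    {"sAMAccountName": "dave",  "userAccountControl": 66048},  # NORMAL | DONT_EXPIRE_PASSWORD, enabled
]


if __name__ == "__main__":
    excluded, imported = apply_exclusion_filter(SAMPLE_RECORDS)
    print("excluded by 'Bit on equals 2':", excluded)       # ['bob', 'carol']
    print("imported:", imported)                            # ['alice', 'dave']
    print("excluded by naive '== 2':", naive_equality_filter(SAMPLE_RECORDS))  # []
    for rec in SAMPLE_RECORDS:
        print(rec["sAMAccountName"], decode_uac(rec["userAccountControl"]))
    print("verification filter:", ldap_filter_for_mask())
```

The point of the naive comparison is that a disabled account's userAccountControl is almost never exactly 2: the disable bit sits alongside NORMAL_ACCOUNT and often DONT_EXPIRE_PASSWORD, so only a bitwise test (the "Bit on equals" operator, or the 1.2.840.113556.1.4.803 matching rule in LDAP) catches them.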

All replies

  • Hi,

    SharePoint does not remove these users because they might still have meta information in your sites (team sites). The user is disabled in AD and does not have access anymore; however, items (such as documents, discussions, etc.) of this user might still be associated with the user profile, and it is therefore not removed.


    br,

    patrick

    follow my blog http://patrick.lamber.blogspot.com to get additional tips and information about SharePoint, Project and ASP.NET
    Tuesday, February 1, 2011 4:48 PM
    You can, however, prevent them from being searchable in people search by moving disabled AD accounts to an OU that is not being synced.

    Domain.corp/OU=DisabledUsers <--like that

    Generally the business case for keeping the user information for historical purposes is MUCH more important than the minor issue of 'omg this person isn't here anymore and I can still see documents by them and permissions they once had'.

    Tuesday, February 1, 2011 8:46 PM
  • Hi,

    When an account resource is deleted from Active Directory or NT, SharePoint does not automatically remove the account resource information from its sites and webs. Please take a look at this: http://secretsofsharepoint.com/cs/blogs/tips/archive/2010/12/13/dead-accounts-in-sharepoint.aspx

    I'd recommend trying out the product provided by the company I work for; its name is DeliverPoint. DeliverPoint 2010 is a permission management tool for SharePoint 2010. DeliverPoint will report on dead accounts and provide you with a removal tool.

    Dmitry

    Lightning Tools Check out our SharePoint tools and web parts

    Tuesday, February 1, 2011 10:45 PM
  • Hi Dmitry,

    However, in order to actually delete the profiles, we need to run the My Site Cleanup timer job so that it will clean up the disabled users from the profiles.

    I am not understanding your DeliverPoint tool. Could you please tell me how this dead account removal will help when an OOTB feature is available (the My Site Cleanup timer job)?

    Regards,

    Navaneeth

    Monday, October 21, 2013 6:22 AM