People Profile Exclusion Filter

    Question

  • Greetings: I am trying to filter out a number of OUs that are located below our Domain Users OU; however, when I populate the containers and select the + sign beside Domain Users, the other OUs are not present.

    Current AD Structure. I have already filtered out the disabled users using the bit on value = 2, but need to filter out the other OUs: Joint Account, Kiosk Accounts, OW Users, Temp Acting Supervisors and Test Accounts.

    Containers in SharePoint. As you can see, SharePoint is not showing the above containers that need to be filtered.

    If I could get some assistance on this it would be appreciated.

    We are using SharePoint 2010 and all servers are up to date.

    Kim


    Tuesday, April 11, 2017 1:21 PM
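    The following PowerShell is an added example for this thread, not something Kim or Microsoft posted. It uses the ActiveDirectory module to list the OUs one level below "Domain Users" and to preview which accounts the existing "bit on value = 2" (ACCOUNTDISABLE) exclusion and the planned OU exclusions would remove, so the expected result of the SharePoint 2010 connection filter can be checked directly against AD. The distinguished names are placeholders; run it once as the sync account and once as an admin, since a different child-OU count between the two points at OU permissions rather than at SharePoint.

```powershell
# Added example (not from the thread): preview what the SharePoint 2010 profile
# sync connection should see beneath "Domain Users", and which accounts the
# existing userAccountControl "bit on value = 2" exclusion already removes.
# DNs below are placeholders for Kim's domain. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainUsersOu = 'OU=Domain Users,DC=example,DC=local'   # placeholder DN
$excludeOus    = 'Joint Account', 'Kiosk Accounts', 'OW Users',
                 'Temp Acting Supervisors', 'Test Accounts'

# 1. Child OUs one level below Domain Users. If this list is empty when run as
#    the sync account but populated when run as an admin, the sync account lacks
#    List Contents / Read on the OU, which is what the answers in this thread test.
$childOus = Get-ADOrganizationalUnit -SearchBase $domainUsersOu -SearchScope OneLevel -Filter *
$childOus | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Disabled accounts: the same test as the "bit on value = 2" exclusion,
#    written as the LDAP bitwise-AND matching rule on userAccountControl.
$disabled = Get-ADUser -SearchBase $domainUsersOu -SearchScope Subtree `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'
"{0} disabled accounts are already excluded" -f @($disabled).Count

# 3. Enabled accounts living in the OUs that still need excluding, grouped by OU,
#    so the effect of adding those exclusions is known before the next full sync.
#    Assumes user CNs contain no escaped commas (the DN is split on ',').
$enabled = Get-ADUser -SearchBase $domainUsersOu -SearchScope Subtree `
    -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$toExclude = $enabled | Where-Object {
    $ouName = ($_.DistinguishedName -split ',')[1] -replace '^OU=', ''
    $excludeOus -contains $ouName
}
$toExclude | Group-Object { ($_.DistinguishedName -split ',')[1] } |
    Select-Object Name, Count | Format-Table -AutoSize
```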

Answers

  • Hi Kim Maclnryre,

    Please check if the current user you are using to configure the synchronization connection has permissions on the “Domain Users” OU.

    1. Open the “Domain Users” OU.

    2. Click the Security tab on the property sheet on the OU.

    3. Check if the user has access on this OU and its contents. If the user does not have access, grant this user access using the Security tab on the property sheet.

    Best regards,

    Linda Zhang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 12, 2017 7:18 AM
    Moderator
  • Hi Kim Maclnryre,

    Yes, the synchronization account must have Read permission on the OU at least.

    The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

    • It must have Replicate Directory Changes permission on the domain with which you'll synchronize.
    • If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. 
    • If the NetBIOS name of the domain differs from the fully-qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. 
    • If you'll export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) with which you are synchronizing.

    Review the information in the Plan account permissions section of the "Plan for profile synchronization" article, and make sure that the synchronization account has the necessary permissions.

    Best regards,

    Linda Zhang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 13, 2017 1:51 AM
    Moderator
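    The following PowerShell is an added example, not code from the thread or from the "Plan for profile synchronization" article. It reads the ACLs through the ActiveDirectory module's AD: drive and reports whether a given sync account holds the rights Linda lists: Replicate Directory Changes on the domain (and on the Configuration container for the NetBIOS-versus-DNS case), Read on the OU being synchronized, and, only if properties are exported back to AD DS, Create Child Objects and Write All Properties on the OU and its descendants. The account name and DNs are placeholders; the extended-right GUID is the documented one for DS-Replication-Get-Changes.

```powershell
# Added example (not from the thread or Microsoft docs): audit whether a profile
# sync account holds the ACEs the answer above lists. Account and DNs are
# placeholders. Requires the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

$syncAccount   = 'EXAMPLE\spProfileSync'                     # placeholder
$domainDn      = 'DC=example,DC=local'                       # placeholder
$domainUsersOu = "OU=Domain Users,$domainDn"                 # placeholder
$configNc      = (Get-ADRootDSE).configurationNamingContext

# Extended right "Replicate Directory Changes" (DS-Replication-Get-Changes).
# It is a sensitive right: grant it only to the sync account, nothing broader.
$replicateChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-AcesFor {
    param([string]$Dn, [string]$Identity)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and
                       $_.AccessControlType -eq 'Allow' }
}

# 1. Replicate Directory Changes on the domain NC (always required) and on
#    cn=Configuration (required when NetBIOS and DNS domain names differ).
foreach ($dn in $domainDn, $configNc) {
    $has = Get-AcesFor -Dn $dn -Identity $syncAccount | Where-Object {
        $_.ObjectType -eq $replicateChangesGuid -and
        ([int]($_.ActiveDirectoryRights -band
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
    }
    "{0,-45} Replicate Directory Changes: {1}" -f $dn, [bool]$has
}

# 2. Read on the synchronized OU. GenericRead, or ReadProperty plus ListChildren,
#    satisfies "Read"; inherited ACEs are included because Get-Acl returns them.
$ouAces     = Get-AcesFor -Dn $domainUsersOu -Identity $syncAccount
$readRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren'
$hasRead    = $ouAces | Where-Object {
    ([int]($_.ActiveDirectoryRights -band $readRights)) -ne 0
}
"{0,-45} Read: {1}" -f $domainUsersOu, [bool]$hasRead

# 3. Only needed for export to AD DS: Create Child Objects and Write All
#    Properties applied to "this object and all descendants" (InheritanceType All).
$exportRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty'
$hasExport    = $ouAces | Where-Object {
    ([int]($_.ActiveDirectoryRights -band $exportRights)) -ne 0 -and
    $_.InheritanceType -eq 'All'
}
"{0,-45} Export rights (optional): {1}" -f $domainUsersOu, [bool]$hasExport

# Note: an ACL lists principals, not group memberships. If the sync account is
# granted access only through a group, repeat the checks with that group's name.
```

    The script matches ACEs on the account's own name, so if the admins granted the rights to a group the sync account belongs to, run it again with the group as $syncAccount before concluding that a right is missing.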

All replies

  • Thank you, Linda Zhang. What type of permissions are required? Would Read do it?

    Kim

    Wednesday, April 12, 2017 12:54 PM
  • Hi Linda,

    I am still having issues with this. I tried to use my admin account to see if I could see below the Domain Users OU and I could. My admin account does not have all the permissions I would need to sync from AD though, it was just a test.

    Our Admins say the sync account has the correct permissions so I am not really sure where to go from here.

    Kim

    Tuesday, April 18, 2017 1:10 PM