Anders Rask on SharePoint

October 28
Configuring LDAP filters in AD Import

So if you have played around a bit with SharePoint 2013, you might have noticed one of the new features: AD Import for User Profile Service Application.

This baby is lightning fast! I haven't tried it on the RTM yet against a serious AD, but it is safe to say it is way, way faster than its FIM counterpart, the User Profile Synchronization Service Instance!

Instead I will show how to set up LDAP filters, how they affect which profiles are imported, and how they affect already imported profiles (or don't).

I will also talk a bit about a couple of problems that you may bump into when working with AD Import combined with LDAP filters.

First off, a quick guide on how to set up AD Import on an already configured UPA (if you are interested in further details on how AD Import works, check out Spence Harbar's post on that subject here).

After setting up your User Profile Service Application, click Configure Synchronization Settings

configureADimport.JPG

and select "Use SharePoint Active Directory Import".

configureADimport2.JPG

Fair warning: If you have already created a User Profile Synchronization connection that uses UPS, that connection and all its mappings will be deleted at this point!

It is true that articles mention that you can "swap between" UPS and AD Import, but it comes at a price: all your mappings will be gone! If you provision and export those using PowerShell and XML (as I do), and those XML files are up to date with whatever configuration your users have been up to, this is fine! But if not, you are out of luck! Anyone who has tried setting up mappings manually, feeling like an idiot clicking those small "up" and "down" arrows to move properties on the public profile page, will know what I am talking about :-)

Now all we need to do is create a new Synchronization Connection:

configureADimport3.JPG

You can only select Active Directory Import. Authentication provider can be Windows, Forms or Trusted Claims Provider.

At the very bottom you can select LDAP Filters in a tiny text box (almost comically small, considering how large those LDAP filters can grow really!).

adimport.JPG

<EDIT>

As Spence pointed out after I published this post, there is a nice little check box for filtering out disabled users.

The quirks are the same when you use the checkbox, and for other filters as well, so the conclusion (if there is any) stands :)

</EDIT>

First, try and set up your connection without filters: add domain name, user name and password (remember that the account must have Replicating Directory Changes permissions, just like with UPS; nothing changed there!), click Populate Containers and select the OUs you want to include in your synchronization.

Click OK and go back to the User Profile management page. Here you select Start Profile Synchronization and choose a Full Synchronization for the initial sync.

configureADimport4.JPG

So while that one finishes... uhh wait!??! It is already finished! WOW, that was fast, huh? ;-) Nothing slow about this babe compared to the FIM sync!

So next step is LDAP filters! What is the syntax?

It is probably no surprise to the admin guys out there that LDAP filters are no new invention. There is a ton of info out there on the syntax of these bad boys; here are a few:

This is the kind of stuff that you would set back in MOSS on your SSP import connection back in the day, and the good old KB article from back then still applies on how to filter out disabled accounts: How to import user profile information of enabled user accounts from Active Directory to SharePoint

A thing to point out here, which may or may not seem illogical to you, is that in LDAP filters you don't say which items to exclude, but which to include (in contrast to when you create UPS Exclusion filters). So in order to tell the Synchronization Connection to filter out disabled users, we need to tell it to only include enabled users:

(&(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))

The thing to point out here is the "!" (or "not", if you happen to be a developer). In plain wording it says: "Give me all users who are not disabled". Hint: you can use ADSIedit.exe to check the userAccountControl setting on your AD objects.

So why use LDAP filters at all when we have UPS Exclusion filters? Well, as the name kind of gives away, those babies only work on UPS, and we are not using UPS, we are using AD Import, right?

OK, so let's try and set this up on our synchronization connection: just paste the above (or any other filter you may need) into the Filter in LDAP syntax for Active Directory Import field and populate the containers. The first thing you notice is that the filter doesn't seem to be applied to the tree view that opens. This is probably by design, I would venture...

After setting it up, go to your AD and list (for example with an LDAP filter ;-) the disabled users in the selected OU. Also try and add some new users, both disabled and not.
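To make the filter syntax concrete, here is a small evaluator for exactly the filter subset used above. It is an added example, not code from SharePoint or from the original post. The OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND) and 2 is the ACCOUNTDISABLE bit of userAccountControl, so (!userAccountControl:1.2.840.113556.1.4.803:=2) keeps the entries where that bit is clear. The directory entries are constructed; the filter strings POSTS_FILTER, DISABLED_FILTER and ENABLED_PERSONS_FILTER and the helper names are assumptions made for the illustration.

```python
"""Evaluator for the subset of LDAP filter syntax (RFC 4515) that shows up in
AD Import connections: &, |, !, attr=value, attr=* and the Active Directory
bitwise-AND matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND).
Added example, not SharePoint code; the sample entries are constructed."""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x2               # the userAccountControl bit the post's filter tests
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000


def simple(item):
    """Parse one assertion: attr=value, attr=* or attr:matchingRuleOID:=value."""
    attr, sep, value = item.partition("=")
    if not sep:
        raise ValueError("no '=' in %r" % item)
    if attr.endswith(":"):                       # extensible match with a rule OID
        attr, _, rule = attr[:-1].partition(":")
        return ("ext", attr.lower(), rule, value)
    if value == "*":
        return ("present", attr.lower())
    return ("eq", attr.lower(), value)


def parse(text):
    """Parse a filter string into a small tree of tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":                           # (&(f1)(f2)...) / (|(f1)(f2)...)
            pos += 1
            parts = []
            while pos < len(text) and text[pos] == "(":
                parts.append(node())
            result = (op, parts)
        elif op == "!":                          # (!(f)) per RFC 4515 ...
            pos += 1
            if text[pos] == "(":
                result = ("!", node())
            else:                                # ... or AD's shorthand (!attr=value)
                end = text.index(")", pos)
                result = ("!", simple(text[pos:end]))
                pos = end
        else:                                    # a plain assertion
            end = text.index(")", pos)
            result = simple(text[pos:end])
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return tree


def evaluate(tree, entry):
    """True if the entry (dict keyed by lower-case attribute name; list values
    for multi-valued attributes) matches the parsed filter."""
    kind = tree[0]
    if kind == "&":
        return all(evaluate(t, entry) for t in tree[1])
    if kind == "|":
        return any(evaluate(t, entry) for t in tree[1])
    if kind == "!":
        return not evaluate(tree[1], entry)
    if kind == "present":
        return tree[1] in entry
    values = entry.get(tree[1])
    if values is None:                           # an absent attribute matches no assertion
        return False
    if not isinstance(values, list):
        values = [values]
    if kind == "eq":                             # case-insensitive, like AD string matching
        return any(str(v).lower() == tree[2].lower() for v in values)
    if kind == "ext":
        if tree[2] != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError("unsupported matching rule " + tree[2])
        mask = int(tree[3])                      # match when every bit of the mask is set
        return any((int(v) & mask) == mask for v in values)
    raise ValueError(kind)


# Constructed entries; userAccountControl values are the documented AD flags.
SAMPLE_ENTRIES = [
    {"samaccountname": "alice", "objectcategory": "person",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "useraccountcontrol": UF_NORMAL_ACCOUNT},
    {"samaccountname": "bob", "objectcategory": "person",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "useraccountcontrol": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    # A computer object: in AD the computer class derives from user, so it
    # carries objectClass=user too.
    {"samaccountname": "WS01$", "objectcategory": "computer",
     "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "useraccountcontrol": UF_WORKSTATION_TRUST_ACCOUNT},
]

POSTS_FILTER = "(&(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
DISABLED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
ENABLED_PERSONS_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def included(filter_text, entries=SAMPLE_ENTRIES):
    """sAMAccountNames the filter would admit into the import, in entry order."""
    tree = parse(filter_text)
    return [e["samaccountname"] for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    for f in (POSTS_FILTER, DISABLED_FILTER, ENABLED_PERSONS_FILTER):
        print(f, "->", included(f))
```

DISABLED_FILTER on its own is the "list the disabled users" check, and the constructed computer entry shows a caveat worth knowing: because the AD computer class derives from user, (objectClass=User) alone also admits computer objects if the selected containers hold any; adding (objectCategory=person), as in ENABLED_PERSONS_FILTER, keeps only user accounts.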

Now do a sync (an incremental seems to be enough to make the filter take effect).

What happens now in my experience (on beta2 anyway) is that any disabled users already in your user profile store stay in the user profile store. This may or may not surprise you, but apparently that is how this importer works: since the filter no longer includes these disabled users, they are simply left alone! Trying to update these users confirms this: adding a value in a mapped property is not propagated to the user profile either.

So what happens if you disable a user that is already in your user profile store, and you have the above LDAP filter applied? Well, still nothing! Same as before: since the user is not in your import, its user profile is no longer updated. E.g. if you set an email on the disabled account and synchronize, the change is not moved to the user profile.

In both cases this kind of makes sense, since the user is not included any more, but the fact that it is not considered "deleted" or "removed" might surprise you administrators out there: you will have to delete already included user profiles for disabled users yourself!

So what happens when you delete a user in your AD and you are using AD Import?

Just like when running FIM, users are marked for deletion in the Profile database when an incremental sync detects that the users are gone. After a while (every hour in SP2010, but at least in SP2013 beta2 this was changed to daily) the My Site Cleanup Job finishes up by removing User Profiles marked for deletion (for more info, read another blog post by Spence here on Account Deletion).

So this works like with UPS. Well almost:

An unexpected gotcha: the users with disabled accounts that were initially included in the User Profiles are not deleted when the LDAP filter to only include enabled users is active on the AD Import synchronization connection! The logic behind this is the same as before: since the user is no longer a part of the import, its being deleted is ignored!

So what do we conclude? Old skool LDAP filters do work, kind of, but be aware of the above mentioned quirks!
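The three experiments above (a disabled user that was already imported, a user disabled after import, and a filtered-out user deleted from AD) can be replayed against a toy profile store. This is an added example, not SharePoint's code: the Profile class, run_import and orphaned_profiles are assumptions that model the behaviour the post describes, and the directory contents are constructed. orphaned_profiles is the check an administrator would want afterwards, since it lists exactly the profiles the importer will never clean up.

```python
"""Model of what a filtered AD Import run does to the profile store, following
the observations in the post: accounts the filter excludes are neither
updated nor marked for deletion, whatever happens to them in AD.
Added example, not SharePoint code; Profile, run_import and orphaned_profiles
are illustrative assumptions and the directory is constructed."""

from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x2


@dataclass
class Profile:
    account: str
    email: str = ""
    marked_for_deletion: bool = False


def enabled_user(entry):
    """Predicate equivalent of (!userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return not entry["userAccountControl"] & UF_ACCOUNTDISABLE


def run_import(directory, profiles, previous_scope, include):
    """One sync run.  directory: {account: AD attributes} for the selected OUs;
    profiles: {account: Profile}, mutated in place; previous_scope: accounts the
    previous run imported; include: the LDAP filter as a predicate.
    Returns (accounts imported this run, summary of what was touched)."""
    in_scope = {acct for acct, entry in directory.items() if include(entry)}
    summary = {"created": [], "updated": [], "marked": [], "ignored": []}
    for acct in sorted(in_scope):
        entry = directory[acct]
        if acct not in profiles:
            profiles[acct] = Profile(acct, entry["mail"])
            summary["created"].append(acct)
        elif profiles[acct].email != entry["mail"]:
            profiles[acct].email = entry["mail"]
            summary["updated"].append(acct)
    # Deletion is only noticed for accounts the previous run imported and
    # that have since vanished from AD.
    for acct in sorted(previous_scope - set(directory)):
        if acct in profiles:
            profiles[acct].marked_for_deletion = True
            summary["marked"].append(acct)
    # Everything the filter excludes is left alone: no update, no deletion.
    summary["ignored"] = sorted(acct for acct, p in profiles.items()
                                if acct not in in_scope and not p.marked_for_deletion)
    return in_scope, summary


def orphaned_profiles(directory, profiles, include):
    """Profiles nobody will clean up: the account is gone or excluded by the
    filter, yet the profile is not marked for deletion.  This is the list the
    post says you have to remove by hand."""
    return sorted(acct for acct, p in profiles.items()
                  if not p.marked_for_deletion
                  and (acct not in directory or not include(directory[acct])))


def scenario():
    """Replay the post's experiments on a constructed directory."""
    directory = {
        "alice": {"userAccountControl": 0x200, "mail": "alice@example.test"},
        "bob":   {"userAccountControl": 0x202, "mail": ""},      # disabled from the start
        "carol": {"userAccountControl": 0x200, "mail": "carol@example.test"},
    }
    profiles = {}
    # Run 1: initial full sync with no filter, so disabled bob gets a profile too.
    scope, run1 = run_import(directory, profiles, set(), include=lambda e: True)
    # The enabled-users-only filter is applied; meanwhile AD changes.
    directory["bob"]["mail"] = "bob@example.test"                   # change on a disabled user
    directory["carol"]["userAccountControl"] |= UF_ACCOUNTDISABLE   # carol gets disabled
    directory["dave"] = {"userAccountControl": 0x200, "mail": "dave@example.test"}
    directory["erin"] = {"userAccountControl": 0x202, "mail": "erin@example.test"}
    scope, run2 = run_import(directory, profiles, scope, include=enabled_user)
    # Run 3: alice (in scope) and bob (filtered out) are deleted from AD.
    del directory["alice"], directory["bob"]
    scope, run3 = run_import(directory, profiles, scope, include=enabled_user)
    return profiles, (run1, run2, run3), orphaned_profiles(directory, profiles, enabled_user)


if __name__ == "__main__":
    profiles, runs, orphans = scenario()
    for i, r in enumerate(runs, 1):
        print("run %d: %s" % (i, r))
    print("profiles needing manual cleanup:", orphans)
```

Run 2 leaves bob's profile without the new email and never creates one for erin; run 3 marks alice but not bob; and the cleanup list comes back with bob (deleted while excluded) and carol (disabled after import), which is the manual work the post warns about.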

If you use AD Import, LDAP filters are the only option! And I never thought I would have to say this, but the nerdy LDAP filter syntax is actually easier than working with UPS Exclusion filters, though that is mostly because of the really non-intuitive and quirky UI that UPS Exclusion filters have...

Comments

FYI

I just wanted to add that this configuration does not allow thumbnailPhoto to be imported during sync. I learned you have to use the SharePoint Profile Synchronization connection type in order to import pictures from AD to SharePoint.
 on 5/15/2015 12:28 PM
