We recently came across cases where the profiles of users disabled in AD are not deleted from the SharePoint User Profile Service Application when using AD Import. Read on for details on the issue and the workaround.
Behavior: When "SharePoint Active Directory Import" is selected as the Synchronization Option in SharePoint 2013, users who are disabled in Active Directory are not removed from SharePoint after a Full or Incremental Import. A closer look shows that the account is never marked as deleted (the bDeleted=1 flag in the UserProfile_Full table of the UPA's Profile Database is not set). This happens even when the "Filter out disabled users" option is checked while creating the Sync Connection.
Note: The same behavior is seen when a custom filter is defined in LDAP syntax in the box provided. The same thing happens if a user is not disabled but is moved to an OU that is not selected for sync.
Since FIM is not used for synchronization, there is nothing to look at in the Sync DB; everything happens within the Profile DB. A Full Import detects that the user is no longer being imported and sets the 'IsImported' field to 0 in the DNLookup table of the Profile DB for the affected user. However, it still does not set bDeleted to 1 in the UserProfile_Full table, which is what the MySite Cleanup job needs in order to delete the profile and, finally, the Personal Site.
The following sample query lists all users that exist in the Profile DB with 'IsImported' set to 0. You can match this list against your disabled users in AD to confirm.
SELECT A.RecordID,A.NTName, A.bDeleted, B.IsImported
FROM [UserProfile_Full] A (nolock)
inner join [DNLookup] B (nolock)
on A.RecordID = B.RecordId
where b.IsImported =0
Note: It is not recommended to query any SharePoint databases or to make changes other than the ones described at http://support.microsoft.com/kb/841057 .
"SharePoint Active Directory Import" does not mark disabled users' profiles for deletion on either an Incremental or a Full Import, and the only way to remove the obsolete users is the procedure in the steps below.
1 Run a Full Import
2 After it completes, use the SharePoint Management Shell to run the following:
a) $upa = Get-SPServiceApplication -id <Identity of User Profile Service Application>
b) Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
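The steps above, put together as one script (an added example, not part of the original post): it locates the UPA by type name instead of by GUID, writes a snapshot of the current profile account names to a CSV for comparison, runs the purge, and then starts the My Site Cleanup timer job rather than waiting for its schedule. It assumes the Full Import has already finished, that it runs in the SharePoint 2013 Management Shell on a farm server as a farm administrator with rights on the UPA, that the UPA's TypeName is "User Profile Service Application", and that the cleanup job's name contains "MySiteCleanup" (the job is matched by that pattern, which is an assumption; verify the name with Get-SPTimerJob first). $SnapshotPath and the $ctx / $upm variables are names chosen for this example.

```powershell
# Added example: purge objects the last Full Import did not bring in.
# Not from the original post; assumptions are noted in comments.
$SnapshotPath = "C:\Temp\upa-profiles-before-purge.csv"   # assumed path for the audit snapshot

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Find the UPA by its type name (assumed: "User Profile Service Application").
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "No User Profile Service Application found in this farm." }
if (@($upa).Count -gt 1) { throw "More than one UPA found; pass the -id of the one you mean." }

# 2. Snapshot the profiles through the object model (read-only; avoids querying the Profile DB).
$site = Get-SPSite -Limit 1 -WarningAction SilentlyContinue | Select-Object -First 1
$ctx  = Get-SPServiceContext -Site $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
$upm.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ AccountName = $_["AccountName"].Value } } |
    Export-Csv -Path $SnapshotPath -NoTypeInformation
Write-Host ("Snapshot of {0} profiles written to {1}" -f $upm.Count, $SnapshotPath)

# 3. The step from the post: mark non-imported objects for deletion.
#    Only meaningful after a completed Full Import, because that is what sets IsImported=0.
Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true

# 4. Kick the My Site Cleanup job now instead of waiting for its schedule (name pattern assumed).
$cleanup = Get-SPTimerJob | Where-Object { $_.Name -like "*MySiteCleanup*" }
if ($cleanup) {
    $cleanup | ForEach-Object { Start-SPTimerJob -Identity $_; Write-Host ("Started timer job: {0}" -f $_.Name) }
} else {
    Write-Warning "My Site Cleanup job not found by name pattern; run it from Central Administration."
}
```

After the cleanup job has run, export the profile list again and diff it against the snapshot; every account that disappeared should be one that is disabled in AD or outside the synced OUs. If an account you expected to stay is missing, it was not brought in by the Full Import, which points at the sync connection's container selection or filter rather than at the purge.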
At the time of writing (31-Mar-2014), this is known behavior with the workaround above, as tested against the SharePoint 2013 SP1 build.
Note: Deletion of an account in AD is handled as expected: the profile in the SharePoint Profile Database is marked as deleted (bDeleted=1) and eventually cleared by the MySite Cleanup job.
I believe it may be safe to say that the LDAP filter is not working at all with the ADImport Profile Import method. I recently tried to exclude users with non-expiring passwords (i.e. "(&(objectCategory=User)(userAccountControl:1.2.840.1135126.96.36.1993:=65536))") and they are not filtered. I didn't have a chance to try the "PurgeNonImportedObjects" but believe it should accomplish the goal as you mentioned above. Thanks for the POST!
Shameless plug to my blog that describes this (and the one in comments) issue andersrask.sharepointspace.com/.../Post.aspx
Did not work for me. Disabled users are still present in Active Profiles.
Does this also remove the users from SharePoint groups?
Thanks for posting this update.
This basically is making AD Import useless in production :(
Is this ever getting fixed?