Disabled AD accounts not excluded in Profile Import
I am running a clean install of MOSS 2007 SP2 on Windows Server 2008 R2, all patches/updates etc. have been applied. (this was not an upgraded SP2003 server)
I have the following User Filter in place for the import from our Active Directory:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!company=*)))
SOME disabled accounts are imported into the User Profiles and appear in the User Information list, while others are not. This is happening AFTER 3 or more Full Imports have run since the time the user accounts were disabled in AD. All of the accounts are 'disabled' the same way in AD, right-click and choose disable. Looking at the menu via right-click on the account displays "enable" and looking at the properties shows that the accounts are disabled.
I have tried several different versions of the user filter but cannot seem to find a way to exclude all disabled user accounts. I searched through the forum and found several similar, but not exactly the same, posts which have never been "answered".
Since this situation is a variation on those I thought I would try again to find a solution which may help others as well.
Is this a bug in the import or possibly a problem in the way AD is marking the accounts as 'disabled'?
Does it matter when the account was disabled, meaning if we disable an account and then run a full import 3 times, shouldn't the account be removed from the import?
September 23rd, 2010 8:22pm
Hi,
Did you try to use:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Cheers, Daniel Bugday
Web: SharePoint Forum Blog:
SharePoint By Bugday
September 23rd, 2010 11:42pm
Hi Daniel,
Yes I did. I tried several variations, including removing the company restriction. I can verify that the import is impacted by changing the user filter, however none of the variations caused all of the disabled users to be excluded.
New Info:
It appears that the same disabled accounts are always imported and the same disabled accounts that do get filtered always get filtered (as long as I am using the userAccountControl filter).
I tried running the import with the Domain Admin account and it filtered all disabled accounts, but when I run the same import using my service account then I get the behavior originally described. (all settings the same, except "Specify User" in the Authentication Information section)
This leads me to believe there is some permissions issue, although why would SOME disabled users be filtered based on the import account's permissions while other disabled users are not?
September 24th, 2010 2:52am
Yeah, it sounds like a permission issue. Read this post, it's a good one:
http://www.sharepointdev.net/sharepoint--general-question-answers-discussion/how-to-prevent-giving-disabled-active-directoty-accounts-to-access-sharepoint-site-8447.shtml
thanks
ws
I am a SharePoint administrator
September 24th, 2010 7:59am
Thanks ws, but that post doesn't really address any permissions issues. The links it provides regarding filtering on the AD import are the same sites I reviewed in setting up my import. The people picker portion is helpful, but isn't the focus here.
I am now assuming there is some kind of odd permissions issue that causes certain disabled accounts to not appear disabled to the profile import service. I don't want to just run the import with the domain admin account unless I really cannot find another solution. Any other ideas anyone?
September 24th, 2010 6:49pm
When I run the profile import using the domain admin account everything is as expected, all disabled accounts are filtered. When I adjust the import to run as the SharePoint service account with AD permissions the import only filters some of the disabled accounts. I have verified this by adjusting the account used several different times over the past week and it is consistent.
Does anyone know what permissions might be causing this behavior?
October 1st, 2010 6:51pm
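One way to narrow down the permissions theory raised in the posts above, as an added example that is not part of any post in this thread: this Python script compares LDIF exports of the same users taken once as the domain admin and once as the service account, and lists accounts that are disabled in the admin's view but whose userAccountControl the service account's view does not confirm. The sample LDIF, names and DNs are constructed, and the script assumes simple unfolded, single-valued LDIF records.

```python
ACCOUNTDISABLE = 0x2  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
REASONS = {None: "userAccountControl not visible", False: "flag reads as enabled"}
# Constructed sample exports (not real data): same users, two binding accounts.
ADMIN_VIEW = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
userAccountControl: 514

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
userAccountControl: 514

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
userAccountControl: 512
"""
SERVICE_VIEW = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
userAccountControl: 514

dn: CN=Bob Example,OU=Staff,DC=example,DC=test

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
userAccountControl: 512
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: value}} for simple LDIF records."""
    entries = {}
    for record in text.replace("\r\n", "\n").strip().split("\n\n"):
        attrs = {k.lower(): v for k, v in
                 (l.split(": ", 1) for l in record.splitlines() if ": " in l)}
        if "dn" in attrs:
            entries[attrs.pop("dn").lower()] = attrs
    return entries

def is_disabled(attrs):
    """True/False from the ACCOUNTDISABLE bit; None if the attribute is absent."""
    uac = attrs.get("useraccountcontrol")
    return None if uac is None else bool(int(uac) & ACCOUNTDISABLE)

def compare_views(admin_ldif, service_ldif):
    """List (dn, reason) for accounts disabled per the admin view only."""
    service = parse_ldif(service_ldif)
    findings = []
    for dn, attrs in sorted(parse_ldif(admin_ldif).items()):
        if is_disabled(attrs) is not True:
            continue
        if dn not in service:
            findings.append((dn, "object not returned"))
        elif is_disabled(service[dn]) is not True:
            findings.append((dn, REASONS[is_disabled(service[dn])]))
    return findings
```

Any DN it reports is a candidate for checking the service account's read access on that specific object, rather than switching the import to the domain admin account.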
I think I have the same problem. Any luck with this?
April 16th, 2011 7:17pm