Disabled accounts in SharePoint User Profiles | Optimized Global Delivery

Disabled accounts in SharePoint User Profiles

I recently came across a SharePoint 2010 environment in which profiles for disabled Active Directory accounts had been accidentally imported through the User Profile Service.

The cause was that no Exclusion Filters (the feature that lets you exclude users or groups during the synchronization process) had been configured before the first User Profile Synchronization was run.

A User Profile Service Application uses Forefront Identity Manager (FIM) to import profiles from Active Directory, and by default it imports every account in the OU it is pointed at. Exclusion filters are easy to configure and can prevent disabled accounts from being imported, but they must be in place before the first import runs. If you add the filters later, accounts disabled after that point are no longer imported, but the profiles that were already imported remain in the profile store as orphans: the filter stops the synchronization from looking at those accounts at all, so nothing ever marks them for deletion.

To make things more problematic, the SharePoint sites had a custom solution deployed that prompted users on their first login to fill in additional details, which were stored in custom user profile properties.

Running a full user profile import would have wiped all the custom profile data that users had entered, and an incremental import failed to clean up the incorrectly imported disabled profiles. Deleting the profiles manually from the profile store is not a good option either: it leaves stale user information behind in the People Picker, the Organization Browser and People Search.

Deletion of a user profile and of the My Site associated with it is handled by the My Site Cleanup timer job, which also removes the associated quick links, profile picture and profile properties. Luckily we only had a few dozen disabled profiles, and we found a rather simple way to trick SharePoint into looking at those orphaned profiles again so that they are queued for deletion through the My Site Cleanup timer job.

The solution was to temporarily enable the disabled accounts in AD, disable them again, and then run an incremental user profile import. This forced SharePoint to recognize a change in the account status since the previous synchronization, at which point it marked each account for deletion by setting bDeleted = 1 on its row in the UserProfile_Full table of the User Profile database.

The same state can also be inspected in the Forefront Identity Manager client (miisclient.exe, located at C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe) on the server that is running User Profile Synchronization.


Once the disabled profiles are marked for deletion, the My Site Cleanup timer job, which by default runs every hour, follows its normal procedure to delete each user profile and its associated My Site. The incremental search crawl that runs on the system then removes those users from People Search as well.
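The procedure above as a script, which is an added example and not the post's own code. It assumes it runs in an elevated PowerShell session on the server hosting User Profile Synchronization, as an account with farm and User Profile Service Application administration rights and the AD rights needed to enable and disable the listed users, with the RSAT ActiveDirectory module installed. The site URL and the account list are hypothetical values you must replace, the UserProfileConfigManager.StartSynchronization($false) call is assumed to start an incremental import, and the timer job is located by the assumed internal name pattern "MySiteCleanup".

```powershell
# Added example (not the original post's script): re-trigger deletion of profiles for
# disabled AD accounts that were imported before exclusion filters were configured.
# Assumptions: run on the User Profile Synchronization server as a farm/UPA administrator
# who may also enable and disable the listed AD users; RSAT ActiveDirectory module present.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl  = "http://intranet.contoso.local"        # hypothetical site served by the UPA
$accounts = @("CONTOSO\jdoe", "CONTOSO\asmith")   # constructed list of orphaned, disabled accounts

$context        = Get-SPServiceContext -Site (Get-SPSite $siteUrl)
$profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
# Assumption: UserProfileConfigManager exposes IsSynchronizationRunning() and
# StartSynchronization($fullSync) as in the SharePoint 2010 object model.
$configManager  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

$toggled = @()
foreach ($account in $accounts) {
    $sam = $account.Split('\')[-1]

    # Check 1: only touch accounts that really are disabled in AD ...
    $adUser = Get-ADUser -Identity $sam -Properties Enabled -ErrorAction Stop
    if ($adUser.Enabled) { Write-Warning "$account is enabled in AD, skipping"; continue }

    # ... and that still have an orphaned profile in the SharePoint profile store.
    if (-not $profileManager.UserExists($account)) { Write-Warning "$account has no profile, skipping"; continue }

    # Flip the account on and straight back off. The object is modified in AD, so the next
    # incremental import re-reads it instead of skipping it as unchanged.
    Enable-ADAccount  -Identity $sam
    Disable-ADAccount -Identity $sam
    $toggled += $account
    Write-Host "Toggled $account (enabled and disabled again)"
}
if ($toggled.Count -eq 0) { Write-Host "Nothing to do"; return }

# Run an incremental profile import and wait for it to finish.
# $false = incremental; never pass $true here, a full import wipes the custom profile data.
if ($configManager.IsSynchronizationRunning()) { throw "A profile synchronization is already running; retry later." }
$configManager.StartSynchronization($false)
do { Start-Sleep -Seconds 60 } while ($configManager.IsSynchronizationRunning())

# Run the My Site Cleanup job now instead of waiting for its hourly schedule.
# Assumption: the job's internal name contains "MySiteCleanup".
$cleanupJobs = Get-SPTimerJob | Where-Object { $_.Name -like "*MySiteCleanup*" }
if (-not $cleanupJobs) { throw "My Site Cleanup timer job not found; check the job name in Central Administration." }
$cleanupJobs | ForEach-Object { Start-SPTimerJob -Identity $_ }
Start-Sleep -Seconds 120

# Report which of the toggled profiles the cleanup job actually removed.
foreach ($account in $toggled) {
    if ($profileManager.UserExists($account)) {
        Write-Warning "$account is still in the profile store; confirm it is marked for deletion and re-run the cleanup job"
    } else {
        Write-Host "$account removed from the profile store"
    }
}
```

Two caveats before running this against a production directory. First, for the few seconds between Enable-ADAccount and Disable-ADAccount each account can authenticate again, so run the script in a maintenance window and, for sensitive leavers' accounts, reset the password first. Second, if the sync connection reads from a different domain controller than the one the script wrote to, wait for AD replication before starting the import; and if the import still does not pick the accounts up, run one incremental import while they are enabled and a second after disabling them, so that the status change is visible between two synchronizations, which is how the post describes the effect.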
