Wednesday, September 19, 2012

Profile import in 2010 cannot filter on AD groups

The other day I was doing some configuring on a brand new SharePoint 2010 farm at a customer. My task was to configure the profile import just as their old SharePoint 2007 farm was configured. Easy peasy...not.

I started the user profile synchronization service, created a new connection to their AD, ran the first synchronization and got no profiles at all. Then I remembered that the profile synchronization service account must have the Replicate Directory Changes permission. This sounds worse than it actually is and is fixed by following this TechNet article, http://technet.microsoft.com/en-us/library/hh296982.aspx#RDCdomain. After that the profile database was populated correctly.

Then I just had to create a filter for a handful of AD groups. In SharePoint 2007 this was done by adding an LDAP filter to the connection. In the filter you define what should be included/excluded in the synchronization. In SharePoint 2010 this is no longer a valid option. Instead you define one or more exclusion filters. First of all, to limit the filter to just being an exclusion filter is really stupid. The other setback is that it's not possible to filter on AD groups any more, just AD attributes! I found this official blog post to confirm this, http://blogs.msdn.com/b/spses/archive/2011/05/31/sharepoint-2010-profile-sync-inability-to-import-users-based-on-group-membership.aspx.

The story ends with a custom profile database clean-up job, which is a story in itself, and a slightly unhappy customer. I find some comfort in the fact that I'm not alone, http://donalconlon.wordpress.com/2011/04/26/fun-with-filters-user-profile-synchronization-somebody-shoot-me-now/.
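Since the 2010 connection can only exclude on attributes, the clean-up has to happen after the import. The script below is an added illustration of such a job, not the one built for this customer: it removes every profile whose account is not a (nested) member of an allowed set of AD groups. It assumes the SharePoint 2010 Management Shell on a farm server, the RSAT ActiveDirectory module, and placeholder group names and site URL.

```powershell
# Added example, not from the original post: remove profiles for accounts
# outside the allowed AD groups. Defaults to a dry run that only reports.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$allowedGroups = @('SP-Users', 'SP-Contractors')    # placeholder group names
$siteUrl       = 'http://sharepoint.example.local'  # placeholder site served by the profile service proxy
$dryRun        = $true                              # set to $false to actually delete

# Build a lookup of allowed DOMAIN\user keys, recursing into nested groups
$domain  = (Get-ADDomain).NetBIOSName
$allowed = @{}
foreach ($g in $allowedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $allowed["$domain\$($_.SamAccountName)".ToLower()] = $true }
}

$ctx = Get-SPServiceContext -Site $siteUrl
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# Snapshot the profiles first: removing while enumerating breaks the enumerator
$profiles = @($upm.GetEnumerator())
foreach ($p in $profiles) {
    $account = [string]$p['AccountName'].Value
    if (-not $account) { continue }
    # Claims-based web apps store accounts as i:0#.w|DOMAIN\user; normalise to DOMAIN\user
    $key = ($account -replace '^i:0#\.w\|', '').ToLower()
    if ($allowed.ContainsKey($key)) { continue }
    if ($dryRun) {
        Write-Host "Would remove profile: $account"
    } else {
        Write-Host "Removing profile: $account"
        $upm.RemoveUserProfile($account)
    }
}
```

A full synchronization will recreate any profile still present in AD, so the job only helps when scheduled to run after each import; review the dry-run output before switching $dryRun off.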

Yet another day in SharePoint paradise...
