SharePoint 2010 Profile Sync - Inability to import users based on group membership


As more customers adopt SharePoint 2010 and implement its various features, one request we are starting to see is the ability to limit the users imported from Active Directory based on group membership.

In SharePoint 2007, this was achievable with an LDAP filter such as: (&(objectClass=user)(memberOf=<DNofSomeGroup>)) (note that memberOf matches direct membership only; nested groups are not expanded).

SharePoint 2010 no longer supports this, because the profile synchronization feature was completely overhauled and now relies on FIM 2010, which does not allow filtering on "reference attributes" such as memberOf or manager.

In light of that, our goal here is to show a few alternative options in SharePoint 2010 for solving whatever business problem is driving the need to filter by group.

Some of these options may not be feasible depending on your business scenario, so pick whichever works best for you.

  • Option 1: Put all the users you want to import into SharePoint into their own OU (or OUs) and configure the synchronization connection to pull data from only those containers.
  • Option 2: Populate an otherwise unused attribute on the users you wish to import and create a connection filter based on that attribute. Keep in mind that SharePoint 2010 connection filters are exclusion filters, so the filter is expressed as "exclude users where the attribute does not equal the marker value" (or is not present).
  • Option 3: Import all users, but grant the ability to create My Sites or use specific SharePoint functionality only to the desired AD group(s). Be aware that with this option every imported user's profile data is still stored in SharePoint and visible in People Search, so it only limits feature access, not what is imported.
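To make Option 2 workable over time, the marker attribute has to follow group membership: users added to the group need it set, and users removed from the group need it cleared so they drop out on the next synchronization. The following PowerShell script is an added example (it is not from the original post and not a Microsoft-supplied tool) that does exactly that. It assumes the ActiveDirectory module from RSAT, a hypothetical group named SP-ProfileSync, and that extensionAttribute1 (present once the Exchange schema extension has been applied) is unused in your forest; adjust the group and attribute names to match your environment.

```powershell
# Added example, not from the original post: stamp a marker attribute on the
# members of one AD group so a SharePoint 2010 connection filter can key on it,
# and clear the marker from users who have left the group.
# Assumptions: ActiveDirectory module (RSAT), a group named "SP-ProfileSync"
# (hypothetical) and an otherwise unused extensionAttribute1.
Import-Module ActiveDirectory

$GroupName = 'SP-ProfileSync'
$Attribute = 'extensionAttribute1'
$Marker    = 'SPSync'

# Resolve the group once. -Recursive expands nested groups, which a memberOf
# based LDAP filter would not have done in SharePoint 2007 either.
$group   = Get-ADGroup -Identity $GroupName
$members = Get-ADGroupMember -Identity $group -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           ForEach-Object { $_.distinguishedName }

# Users that currently carry the marker, so it can be removed when membership
# is revoked instead of leaving stale profiles in SharePoint indefinitely.
$stamped = Get-ADUser -LDAPFilter "($Attribute=$Marker)" -Properties $Attribute |
           ForEach-Object { $_.DistinguishedName }

# Stamp group members that are missing the marker.
foreach ($dn in $members) {
    if ($stamped -notcontains $dn) {
        Set-ADUser -Identity $dn -Replace @{ $Attribute = $Marker }
        Write-Host "Stamped $dn"
    }
}

# Clear the marker from users that are stamped but no longer in the group.
foreach ($dn in $stamped) {
    if ($members -notcontains $dn) {
        Set-ADUser -Identity $dn -Clear $Attribute
        Write-Host "Cleared $dn"
    }
}
```

Run this as a scheduled task, under an account that has been delegated write access to only that attribute on the relevant user objects, and schedule it to finish before the profile synchronization schedule starts. The synchronization account itself then needs no extra rights beyond its usual read (and, for import, Replicate Directory Changes) permissions. On the SharePoint side, the connection filter for this example would exclude users where extensionAttribute1 is not equal to SPSync.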