Maintain profile synchronization (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

Profile Synchronization in SharePoint Server 2010 enables an administrator of an instance of the user profile service to synchronize user and group profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services across the enterprise. After you have configured Profile Synchronization, you must complete tasks to maintain those settings. These tasks include, for example, removing users whose accounts have been disabled or deleted, moving or renaming a server, and starting or stopping the User Profile Synchronization service. For more information, see Plan for profile synchronization (SharePoint Server 2010).

Before you complete the procedures in this article, you must have completed the procedures in Configure profile synchronization (SharePoint Server 2010).

Task requirements

Important

See release notes for other task requirements that may be needed for Profile Synchronization.

Procedures in this article

  • Rename users or change user domains

  • Exclude users whose accounts have been disabled

  • Remove obsolete users and groups

  • Maintain profile schema changes

  • Rename a profile synchronization server

  • Move the User Profile Synchronization service to a new server

  • Restrict profile synchronization communication to a specific domain controller

  • Adjust profile synchronization time-outs

Rename users or change user domains

SharePoint Server 2010 provides a way to handle several different user migration scenarios. The following are examples of the scenarios handled for Active Directory Domain Services (AD DS):

  • Account name (sAMAccountName) changes in the AD DS where the user exists.

  • Security Identifier (SID) changes.

  • Distinguished Name (DN) changes that include changes in the Organizational Unit (OU) container in the AD DS where the user account exists. This is new in SharePoint Server 2010. For example, if a user's DN is moved in AD DS from "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Users, DC=EMEA1, DC=corp, DC=contoso, DC=com" to "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Managers, DC=EMEA1, DC=corp, DC=contoso, DC=com", the MigrateUser command updates the user profile store for this user. The user profile for John Smith is updated when synchronizing user profiles from the EMEA1.corp.contoso.com AD DS to the SharePoint Server user profile store.

To rename users or to change user domains

  1. Verify that you have the following administrative credentials:

    • See Add-SPShellAdmin.

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

    • The Farm Administrator account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.

  2. If a profile synchronization run is in progress, go to the Central Administration page and click Manage service applications in the Application Management section. Select the appropriate User Profile service application from the list of service applications. On the Manage service application page, click Stop Profile Synchronization.

  3. Disable the User Profile Incremental Synchronization timer job.

  4. Ensure that user migration by using stsadm -o migrateuser has succeeded.

  5. Ensure that the profile of the migrated user can be accessed by browsing to the My Site for that user, for example, http://mysite/person.aspx?accountname=<new account name>.

  6. Run Profile Synchronization. For more information, see Start profile synchronization manually (SharePoint Server 2010).

  7. Recheck access to the profile of the migrated user by browsing to the My Site for that user.

  8. Enable the User Profile Incremental Synchronization timer job.
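The following script is an added example and is not part of the original article. It performs steps 3 to 5 of the procedure above and re-enables the timer job only when migration or verification fails, so that the manual synchronization run in step 6 still happens with the incremental job disabled. It assumes it is run in the SharePoint 2010 Management Shell as a Shell Admin, that the timer job can be matched on its display name, and that the two logins are constructed sample values.

```powershell
# Added example, not from the original article: scripts steps 3 to 5 of the
# rename procedure. Assumptions: SharePoint 2010 Management Shell, Shell Admin
# rights, timer job matched on display name, constructed sample logins.
$oldLogin   = "CONTOSO\jsmith"     # constructed sample value
$newLogin   = "EUROPE\john.smith"  # constructed sample value
$mySiteHost = "http://mysite"      # My Site host URL used in step 5

# Step 3: locate and disable the User Profile Incremental Synchronization job
# (display-name match is an assumption; adjust if your farm names it differently).
$job = Get-SPTimerJob | Where-Object {
    $_.DisplayName -like "*User Profile Incremental Synchronization*"
}
if (@($job).Count -ne 1) { throw "Expected exactly one incremental synchronization timer job." }
Disable-SPTimerJob -Identity $job

$migrated = $false
try {
    # Step 4: migrate the account; stsadm reports failure through its exit code.
    & stsadm -o migrateuser -oldlogin $oldLogin -newlogin $newLogin
    if ($LASTEXITCODE -ne 0) { throw "stsadm migrateuser exited with code $LASTEXITCODE." }

    # Step 5: confirm that a profile resolves under the new account name.
    Add-Type -AssemblyName "Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    $ctx = Get-SPServiceContext (Get-SPSite $mySiteHost)
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
    if (-not $upm.UserExists($newLogin)) { throw "No profile found for $newLogin after migration." }
    $migrated = $true
}
finally {
    # Roll back the timer-job change if migration or verification failed.
    if (-not $migrated) { Enable-SPTimerJob -Identity $job }
}

Write-Host "Profile for $newLogin is accessible. Run Profile Synchronization (step 6),"
Write-Host "recheck the profile (step 7), then run: Enable-SPTimerJob -Identity '$($job.Name)'"
```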

Exclude users whose accounts have been disabled

You can exclude users whose accounts have been disabled in AD DS by using exclusion filters in SharePoint Server 2010. For the steps that are needed to exclude users whose accounts have been disabled, see Configure profile synchronization (SharePoint Server 2010).

Remove obsolete users and groups

There are two reasons why obsolete users or groups can exist in the SharePoint Server 2010 user profile store:

  • Obsolete users: The My Site cleanup timer job is not active. The User Profile Synchronization timer job marks for deletion users who have been deleted from the directory source. When the My Site cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective My Sites are then assigned to the manager for the deleted user and an e-mail message notifies the manager of this deletion.

  • Obsolete users and groups: Users and groups that were not imported by Profile Synchronization exist in the user profile store. This can occur, for example, if you upgraded from an earlier version of SharePoint Server and chose to only synchronize a subset of domains with SharePoint Server 2010.

To find and remove obsolete users and groups by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Right-click SharePoint 2010 Management Shell and then click Run as administrator.

  5. In the User Account Control dialog box, click Yes.

  6. At the Windows PowerShell command prompt, type the following commands:

    1. To get the User Profile Service application object, type the following command:

      $upa = Get-SPServiceApplication <identity>

      Where <identity> is the GUID of the User Profile Service application.

    2. To view the users and groups to delete, type the following command:

      Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true
      
    3. To delete the obsolete users and groups, type the following command:

      Warning

      This action cannot be undone.

      Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
      

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.
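As an added example that is not part of the original article, the script below resolves the User Profile Service application by its type name instead of a pasted GUID, saves the list of non-imported objects to a file for the change record, and runs the irreversible purge only after an exact confirmation. It assumes a single User Profile Service application in the farm and that the -GetNonImportedObjects call writes its list to the pipeline.

```powershell
# Added example, not from the original article: review-then-purge of
# non-imported users and groups. Assumptions: exactly one User Profile Service
# application exists; -GetNonImportedObjects writes its list to the pipeline.
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (@($upa).Count -ne 1) { throw "Expected exactly one User Profile Service application." }

# Step 6.2: list the obsolete objects and keep a copy for the change record.
# The colon form binds the value explicitly whether the parameter is a switch
# or a Boolean.
$report = "$env:TEMP\upa-nonimported-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
Set-SPProfileServiceApplication $upa -GetNonImportedObjects:$true |
    Tee-Object -FilePath $report

Write-Host "Review $report before purging; the purge cannot be undone."
$answer = Read-Host "Type PURGE to delete these users and groups from the profile store"

# Step 6.3: the irreversible operation runs only on an exact, case-sensitive match.
if ($answer -ceq "PURGE") {
    Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects:$true
    Write-Host "Purge complete. Report retained at $report."
} else {
    Write-Host "Purge skipped; nothing was deleted."
}
```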

Maintain profile schema changes

Profile schema changes include things such as adding a new user profile property, changing a user profile property mapping, or changing a Profile Synchronization connection filter. When the profile schema changes, you must first perform a full nonrecurring synchronization before scheduling recurring profile synchronization. For the steps that are needed to perform full nonrecurring profile synchronization, see Start profile synchronization manually (SharePoint Server 2010).

Rename a profile synchronization server

Use the following procedure to rename a profile synchronization server.

To rename a profile synchronization server by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    Rename-SPServer <Identity> -Name <newName>
    

    Where:

    • Identity is the old name of the server.

    • newName is the new name for the server.

For more information about renaming a server by using Windows PowerShell, see Rename-SPServer.

Move the User Profile Synchronization service to a new server

Use the following procedure to move the User Profile Synchronization service to a new server.

To move the User Profile Synchronization service to a new server by using Central Administration

  1. Verify that you have the following administrative credentials:

    • See Add-SPShellAdmin.

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration Web site.

    • The farm account, which is created during the SharePoint farm setup, must also be a Local Administrator on the server where the User Profile Synchronization service is deployed.

      This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. On the current Profile Synchronization server, on the SharePoint Central Administration Web site, in the System Settings section, click Manage services on Server.

  3. Next to the User Profile Synchronization Service, click Stop to stop the User Profile Synchronization service.

  4. On the new Profile Synchronization server, on the SharePoint Central Administration Web site, in the System Settings section, click Manage services on Server.

  5. Next to the User Profile Synchronization Service, click Start to start the User Profile Synchronization service.

  6. On the new Profile Synchronization server, on the SharePoint Central Administration Web site, in the Application Management section, click Manage service applications.

  7. On the Service Applications page, click the link for the name of the appropriate User Profile service application.

  8. On the User Profile Service Application page, in the Synchronization section, click Start Profile Synchronization.

  9. On the Start Profile Synchronization page, select Start Full Synchronization, and then click OK.

Restrict profile synchronization communication to a specific domain controller

Use the following procedure to restrict profile synchronization communication to a specific domain controller.

To restrict profile synchronization communication to a specific domain controller by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Right-click SharePoint 2010 Management Shell and then click Run as administrator.

  5. In the User Account Control dialog box, click Yes.

  6. At the Windows PowerShell command prompt, type the following commands:

    1. To get the User Profile Service application object, type the following command:

      $upa = Get-SPServiceApplication <GUID>

      Where <GUID> is the GUID of the User Profile Service application.

    2. To restrict profile synchronization communication to a specific domain controller, type the following command:

      Set-SPProfileServiceApplication $upa -UseOnlyPreferredDomainControllers $true
      

    Note

    It may take up to five minutes for the changed property value to propagate to the Central Administration Web site. Resetting IIS on the Central Administration server will force the new value to be loaded immediately. For more information about resetting IIS, see IIS Reset Activity (https://go.microsoft.com/fwlink/p/?LinkId=179336).

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.

Adjust profile synchronization time-outs

A time-out can occur on the following occasions:

  • When trying to connect to the directory service server on the Add/Edit a synchronization connection page in Central Administration.

    Note

    This time-out is available in the Microsoft SharePoint Server 2010 June 2010 Cumulative Update. For more information about the cumulative update, see https://support.microsoft.com/kb/983497.

  • When trying to populate the list of containers on the Add/Edit a synchronization connection page in Central Administration. This will occur as a JavaScript time-out error in the status bar.

  • When clicking OK on the Add/Edit a synchronization connection page in Central Administration. This will result in the following error message and occurs because of a time-out by the Forefront Identity Manager Web service when creating or updating a profile synchronization connection:

    "The request channel timed out while waiting for a reply after 00:01:29.9062626. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allocated to this operation may have been a part of a longer timeout."

To adjust profile synchronization time-outs by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. If you want to change the time-out value for connecting to the directory service server, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.LDAPConnectionTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 120 seconds.

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  3. If you want to change the time-out value for the Populate Containers control, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.ImportConnAsyncTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 1,000 seconds (approximately 17 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  4. If you want to change the time-out value for calls into the Forefront Identity Manager Web service, do the following:

    1. Copy the following code and paste it into a text editor, such as Notepad:

      $upsApp = Get-SPServiceApplication <UPSAppGUID>
      $upsApp.FIMWebClientTimeOut = <NewTimeout>
      $upsApp.Update()
      
    2. Replace <UPSAppGUID> with the GUID of the User Profile service application and <NewTimeout> with the new time-out value in milliseconds. The default time-out is 300,000 milliseconds (5 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2010 Products.

  7. Click SharePoint 2010 Management Shell.

  8. Change to the directory where you saved the file(s).

  9. At the Windows PowerShell command prompt, type the following command to execute a script file:

    ./<filename>.ps1
    

    Where <filename> is the name of the file to execute.

For more information, see Get-SPServiceApplicationProxy and Get-SPServiceApplication.
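The following script is an added example and not part of the original article. It combines the three time-out changes above into one script, resolves the service application and its proxy by type name rather than GUID, records the current values before changing them, and expresses the Forefront Identity Manager value in seconds and converts it to the milliseconds the property expects, so the two units are not mixed up. It assumes a single User Profile Service application and proxy in the farm, that the proxy's type name is "User Profile Service Application Proxy", and uses constructed sample values for the new time-outs.

```powershell
# Added example, not from the original article: set all three profile
# synchronization time-outs with explicit units. Assumptions: one User Profile
# Service application and one proxy exist; proxy TypeName as shown below;
# the new values are constructed samples.
$newLdapSeconds      = 300   # directory server connection (default 120 s)
$newContainerSeconds = 1800  # Populate Containers control (default 1,000 s)
$newFimSeconds       = 900   # FIM Web service calls (default 300,000 ms)

$upsApp = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
$upsAppProxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -eq "User Profile Service Application Proxy" }
if (@($upsApp).Count -ne 1 -or @($upsAppProxy).Count -ne 1) {
    throw "Expected exactly one User Profile Service application and proxy."
}

function Show-Timeouts($label) {
    # Proxy values are in seconds; the application value is in milliseconds.
    Write-Host ("{0}: LDAP={1}s Containers={2}s FIM={3}ms" -f $label,
        $upsAppProxy.LDAPConnectionTimeout,
        $upsAppProxy.ImportConnAsyncTimeout,
        $upsApp.FIMWebClientTimeOut)
}

# Record the current values so the change can be reverted if needed.
Show-Timeouts "Before"

# Steps 2 and 3: proxy properties, both in seconds.
$upsAppProxy.LDAPConnectionTimeout  = $newLdapSeconds
$upsAppProxy.ImportConnAsyncTimeout = $newContainerSeconds
$upsAppProxy.Update()

# Step 4: application property, in milliseconds.
$upsApp.FIMWebClientTimeOut = $newFimSeconds * 1000
$upsApp.Update()

Show-Timeouts "After"
```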