Maintain user profile synchronization settings in SharePoint Server 2013

Summary: Learn how to maintain User Profile synchronization settings in SharePoint Server 2013 after you configure User Profile synchronization.

Profile synchronization in SharePoint Server 2013 enables an administrator of an instance of the User Profile service to synchronize user and group profile information that is stored in the SharePoint Server 2013 profile store with profile information that is stored in directory services across the enterprise. After you have configured User Profile synchronization, you must complete tasks to maintain those settings. These tasks include, for example, removing users whose accounts are disabled or deleted, moving or renaming a server, and starting or stopping the User Profile Synchronization service. For more information, see Plan profile synchronization for SharePoint Server 2013.

To run the PowerShell cmdlets in this article, verify that you have the following memberships:

  • securityadmin fixed server role on the SQL Server instance.

  • db_owner fixed database role on all databases that are to be updated.

  • Administrators group on the server on which you are running the PowerShell cmdlets.

Important

This article applies only to SharePoint Server 2013.

Rename users or change user domains

SharePoint Server 2013 lets you handle several different user migration scenarios. The following are examples of the scenarios handled for Active Directory Domain Services (AD DS):

  • Account name (sAMAccountName) changes in the AD DS where the user exists.

  • Security Identifier (SID) changes.

  • Distinguished name (DN) changes that include changes in the organizational unit (OU) container in the AD DS where the user account exists. For example, if a user's distinguished name is moved in AD DS from "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Users, DC=EMEA1, DC=corp, DC=contoso, DC=com" to "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Managers, DC=EMEA1, DC=corp, DC=contoso, DC=com", the MigrateUser command updates the user profile store for this user. The user profile for John Smith is updated when synchronizing user profiles from the EMEA1.corp.contoso.com AD DS to the SharePoint Server 2013 user profile store.

    To rename users or to change user domains

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

    • The user account that performs this procedure is a member of the Administrators group on the computer on which you installed the User Profile synchronization service.

  2. If synchronization is in progress, open Central Administration and then click Manage service applications in the Application Management section. Select the appropriate User Profile service application from the list of service applications. On the Manage service application page, click Stop Profile Synchronization.

  3. Disable the User Profile Incremental Synchronization timer job.

  4. Ensure that user migration by using stsadm -o migrateuser has succeeded.

  5. Ensure that the profile of the migrated user can be accessed by browsing to the My Site for that user, for example, http://mysite/person.aspx?accountname=<new account name>.

  6. Run User Profile synchronization. For more information, see Start profile synchronization manually in SharePoint Server.

  7. Recheck access to the profile of the migrated user by browsing to the My Site for that user.

  8. Enable the User Profile Incremental Synchronization timer job.
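
The script below is an added example, not part of the original article or Microsoft's own code: it wraps steps 3, 4 and 8 so that the incremental synchronization timer job is re-enabled even if the migration fails. It assumes the SharePoint Management Shell, the default SharePoint 2013 installation path for stsadm.exe, and a farm with a single User Profile service application; the login values are placeholders.

```powershell
# Added example: automates steps 3, 4 and 8 of the procedure above.
# Assumptions: SharePoint Management Shell, default SharePoint 2013 install path,
# and a single User Profile service application in the farm.
param(
    [Parameter(Mandatory = $true)][string]$OldLogin,  # e.g. 'EUROPE\old.name' (constructed)
    [Parameter(Mandatory = $true)][string]$NewLogin   # e.g. 'EUROPE\new.name' (constructed)
)

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\BIN\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

# Step 3: locate the incremental synchronization timer job by its display name.
$jobs = @(Get-SPTimerJob | Where-Object {
    $_.DisplayName -like '*User Profile Incremental Synchronization*'
})
if ($jobs.Count -ne 1) {
    throw "Expected exactly one incremental synchronization job, found $($jobs.Count)."
}
$job = $jobs[0]

Disable-SPTimerJob -Identity $job
Write-Host "Disabled timer job: $($job.DisplayName)"

try {
    # Step 4: migrate the account and fail loudly if stsadm reports an error.
    & $stsadm -o migrateuser -oldlogin $OldLogin -newlogin $NewLogin
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm -o migrateuser failed with exit code $LASTEXITCODE."
    }
    Write-Host "Migrated $OldLogin to $NewLogin."

    # Steps 5 to 7 are manual: check the profile page, run synchronization, recheck.
    Read-Host 'Complete steps 5 to 7, then press Enter to re-enable the timer job' | Out-Null
}
finally {
    # Step 8: runs even when the migration throws, so the job is never left disabled.
    Enable-SPTimerJob -Identity $job
    Write-Host "Re-enabled timer job: $($job.DisplayName)"
}
```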

Exclude users whose accounts are disabled

You can exclude users whose accounts are disabled in AD DS by using exclusion filters in SharePoint Server 2013. For the steps that are needed to exclude users whose accounts are disabled, see Synchronize user and group profiles in SharePoint Server 2013.

Remove obsolete users and groups

There are two reasons why obsolete users or groups can exist in the SharePoint Server 2013 user profile store:

  • Obsolete users: The My Site cleanup timer job is not active. The User Profile Synchronization timer job marks for deletion users who have been deleted from the directory source. When the My Site cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective My Sites are then assigned to the manager for the deleted user and an e-mail message notifies the manager of this deletion.

  • Obsolete users and groups: Users and groups that were not imported by Profile Synchronization exist in the user profile store. This can occur, for example, if you upgraded from an earlier version of SharePoint Server 2013 and chose to only synchronize a subset of domains with SharePoint Server 2013.

    To find and remove obsolete users and groups by using PowerShell

  1. Verify that you have the following memberships:

    • Execute permission on the ImportExport_GetNonimportedObjects and the ImportExport_PurgeNonimportedObjects stored procedures in the profile database.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, do the following:

  4. To get the User Profile Service application object, type the following command:

    $upa = Get-SPServiceApplication <identity>

    Where <identity> is the GUID of the User Profile synchronization service application.

  5. To view the users and groups to delete, type the following command:

    Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true

  6. To delete the obsolete users and groups, type the following command:

    Warning

    This action cannot be undone.

    Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.
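
Because the purge cannot be undone, the following added example (not part of the original article or Microsoft's own code) runs the preview first, records the session in a transcript for later audit, and purges only after an explicit typed confirmation. It assumes the SharePoint Management Shell; `<identity>` is the same placeholder as in the procedure, and the transcript location is an assumption.

```powershell
# Added example. Run in the SharePoint Management Shell.
# '<identity>' is the same placeholder as in the procedure; the log location is an assumption.
$upaId   = '<identity>'
$logFile = Join-Path $env:TEMP ('upa-purge-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

$upa = Get-SPServiceApplication $upaId
if ($null -eq $upa) { throw "No service application found for '$upaId'." }

# Refuse to continue if the GUID points at some other service application.
if ($upa.TypeName -ne 'User Profile Service Application') {
    throw "'$($upa.DisplayName)' is a '$($upa.TypeName)', not a User Profile service application."
}

# Keep a record of what was listed and what was decided.
Start-Transcript -Path $logFile | Out-Null
try {
    Write-Host "Objects that would be purged from '$($upa.DisplayName)':"
    Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true

    # Case-sensitive match so an accidental Enter or 'y' never triggers the purge.
    $answer = Read-Host 'Review the list above. Type PURGE to delete these objects'
    if ($answer -ceq 'PURGE') {
        Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
        Write-Host 'Purge requested.'
    }
    else {
        Write-Host 'Nothing deleted.'
    }
}
finally {
    Stop-Transcript | Out-Null
}
Write-Host "Transcript saved to $logFile"
```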

Maintain profile schema changes

Profile schema changes include things such as adding a new user profile property, changing a user profile property mapping, or changing a Profile Synchronization connection filter. When the profile schema changes, you must first perform a full nonrecurring synchronization before scheduling recurring profile synchronization. For the steps that are needed to perform full nonrecurring profile synchronization, see Start profile synchronization manually in SharePoint Server.

Rename a server that is running the User Profile synchronization service

Use the following procedure to rename a profile synchronization server.

To rename a server that is running the User Profile synchronization service by using PowerShell

  1. Start the SharePoint Management Shell.

  2. At the PowerShell command prompt, type the following command:

    Rename-SPServer <Identity> -Name <newName>

    Where:

    • Identity is the old name of the server.

    • newName is the new name for the server.

For more information about renaming a server by using Microsoft PowerShell, see Rename-SPServer.

Move the User Profile Synchronization service to a new server

Use the following procedure to move the User Profile Synchronization service to a new server.

To move the User Profile Synchronization service to a new server by using Central Administration

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

    • The user account that performs this procedure is a member of the Administrators group on the computer on which you installed the User Profile synchronization service. This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. On the server that is currently running the User Profile synchronization service, on the SharePoint Central Administration website, in the System Settings section, click Manage services on Server.

  3. Next to the User Profile Synchronization Service, click Stop to stop the User Profile Synchronization service.

  4. On the new User Profile synchronization server, on the SharePoint Central Administration website, in the System Settings section, click Manage services on Server.

  5. Next to the User Profile Synchronization Service, click Start to start the User Profile synchronization service.

  6. On the new User Profile synchronization server, on the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  7. On the Service Applications page, click the link for the name of the appropriate User Profile service application.

  8. On the User Profile Service Application page, in the Synchronization section, click Start Profile Synchronization.

  9. On the Start Profile Synchronization page, select Start Full Synchronization, and then click OK.

Restrict User Profile synchronization communication to a specific domain controller

Use the following procedure to restrict profile synchronization communication to a specific domain controller.

To restrict User Profile synchronization communication to a specific domain controller by using Windows PowerShell

  1. Start the SharePoint Management Shell.

  2. To get the User Profile service application object, type the following command:

    $upa=Get-SPServiceApplication <GUID>

    Where <GUID> is the GUID of the User Profile Synchronization Service application.

  3. To restrict profile synchronization communication to a specific domain controller, type the following command:

    Set-SPProfileServiceApplication $upa -UseOnlyPreferredDomainControllers $true

    Note

    It may take five minutes for the changed property value to propagate to the SharePoint Central Administration website. Resetting IIS on the Central Administration server will force the new value to be loaded immediately. For more information about resetting IIS, see IIS Reset Activity.

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.

Adjust User Profile synchronization time-outs

A time-out can occur on the following occasions:

  • When trying to connect to the directory service server on the Add/Edit a synchronization connection page in Central Administration.

  • When trying to populate the list of containers on the Add/Edit a synchronization connection page in Central Administration. This will occur as a JavaScript time-out error in the status bar.

  • When clicking OK on the Add/Edit a synchronization connection page in Central Administration. This causes the following error message and occurs because of a time-out by the Forefront Identity Manager web service when creating or updating a User Profile synchronization connection:

"The request channel timed out while waiting for a reply after 00:01:29.9062626. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allocated to this operation may have been a part of a longer timeout."

To adjust User Profile synchronization time-outs by using Windows PowerShell

  1. If you want to change the time-out value for connecting to the directory server, do the following:

  2. Paste the following code into a text editor, such as Notepad:

    $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
    $upsAppProxy.LDAPConnectionTimeout = <NewTimeout>
    $upsAppProxy.Update()

  3. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 120 seconds.

  4. Save the file as an ANSI-encoded text file whose extension is .ps1.

  5. If you want to change the time-out value for the Populate Containers control, do the following:

  6. Paste the following code into a text editor, such as Notepad:

    $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
    $upsAppProxy.ImportConnAsyncTimeout = <NewTimeout>
    $upsAppProxy.Update()

    Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 1,000 seconds (approximately 17 minutes).

  7. If you want to change the time-out value for calls into the Forefront Identity Manager web service, do the following:

  8. Paste the following code into a text editor, such as Notepad:

    $upsApp = Get-SPServiceApplication <UPSAppGUID>
    $upsApp.FIMWebClientTimeOut = <NewTimeout>
    $upsApp.Update()

  9. Replace <UPSAppGUID> with the GUID of the User Profile service application and <NewTimeout> with the new time-out value in milliseconds. The default time-out is 300,000 milliseconds (5 minutes).

  10. Save the file as an ANSI-encoded text file whose extension is .ps1, such as AdjustProfileSyncTimeouts.ps1.

  11. On the Start menu, click All Programs.

  12. Click Microsoft SharePoint 2013 Products.

  13. Click SharePoint 2013 Management Shell.

  14. Change to the directory where you saved the file.

  15. At the Microsoft PowerShell command prompt, type the following command to execute a script file:

    ./<file name>.ps1

    Where <file name> is the name of the file to execute.

For more information, see Get-SPServiceApplicationProxy and Get-SPServiceApplication.
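
The three time-outs above use different units (seconds on the proxy, milliseconds on the service application), which is easy to get wrong. This added example, which is not part of the original article or Microsoft's own code, sets all three from TimeSpan values and prints the values before and after; the GUID placeholders match the procedure and the chosen durations are constructed sample values.

```powershell
# Added example. Run in the SharePoint Management Shell.
# Placeholders match the procedure above; replace them with the real GUIDs.
$upsAppProxy = Get-SPServiceApplicationProxy '<UPSAppProxyGUID>'
$upsApp      = Get-SPServiceApplication '<UPSAppGUID>'
if ($null -eq $upsAppProxy -or $null -eq $upsApp) { throw 'Check both GUIDs.' }

# Desired values (constructed sample values), each expressed once as a TimeSpan.
$ldapConnect = [TimeSpan]::FromMinutes(3)    # directory server connection
$populate    = [TimeSpan]::FromMinutes(20)   # Populate Containers control
$fimCall     = [TimeSpan]::FromMinutes(10)   # Forefront Identity Manager web service calls

foreach ($t in $ldapConnect, $populate, $fimCall) {
    if ($t.TotalSeconds -lt 1) { throw "Time-out must be at least one second: $t" }
}

function Show-SyncTimeouts([string]$Label) {
    # Prints the current values together with the unit each property uses.
    Write-Host $Label
    Write-Host ("  LDAPConnectionTimeout  : {0} s"  -f $upsAppProxy.LDAPConnectionTimeout)
    Write-Host ("  ImportConnAsyncTimeout : {0} s"  -f $upsAppProxy.ImportConnAsyncTimeout)
    Write-Host ("  FIMWebClientTimeOut    : {0} ms" -f $upsApp.FIMWebClientTimeOut)
}

Show-SyncTimeouts 'Before:'

# The proxy properties take seconds.
$upsAppProxy.LDAPConnectionTimeout  = [int]$ldapConnect.TotalSeconds
$upsAppProxy.ImportConnAsyncTimeout = [int]$populate.TotalSeconds
$upsAppProxy.Update()

# The service application property takes milliseconds.
$upsApp.FIMWebClientTimeOut = [int]$fimCall.TotalMilliseconds
$upsApp.Update()

Show-SyncTimeouts 'After:'
```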