Fun with Filters (User Profile Synchronization). Somebody shoot me now.
While doing a migration from MOSS 2007 to SPS 2010, I had to import all the existing profiles from the SSP. The steps for this work pretty well, so yay for that.
The previous sync connection to AD had a custom connection for the source using an LDAP query:
Translated, that means: only give me users and enabled accounts. Not terribly unusual for a sync connection.
See how easy that was? Call your directory guy, ask for a query to filter out disabled accounts and non-users, copy string from email, paste into user filter field. Save. Done.
Nice, so let's do that with our User Profile Connection.
And so the problems begin…
1. Not inclusive, Exclusive!
MOSS 2007 filters were inclusive, i.e. you gave it a query that defined all users to include in the synchronization.
SPS 2010 does the opposite. It makes you pick your containers to sync and then you apply exclusion filters.
2. No pasty the query
Either Microsoft decided LDAP queries were too much for SharePoint folk to handle, or they really like trees, or something, but now you have to use an interface to build out your query. So you create your new connection by specifying your source details (in this case AD forest, and sync account details). Then you populate a shiny tree in a box that represents your directory objects.
Doesn’t that look nice! So let's go and select our IT group to sync for starters. They’re in DOMAIN\AMRS\DEPTS\USERS\IT. No problem.
That was such an efficient experience, and only took me 3 cups of coffee.
CRAP!#! I just clicked the “select all” (conveniently located close to the ok button), so now I have to do it all again.
Can’t wait until I have to do this in production where I have several containers I want to select.
3. Filters, are painnnnnfulllllll
Well, we have our connection defined, time to add some filters to it.
Let's do the same as before, no disabled accounts and only users as defined by objectClass or objectCategory.
Easy one first: disabled users are defined by userAccountControl bit on equals 2. No problem. Select userAccountControl from the Attribute list, and wait for it to post back to get the applicable operators….. and wait…. (coz it ain’t that fast).
Great, I set bit on equals 2 and click Add.
ok, we have our first exclusion filter.
No problem there, and if that’s the only filter you’d be golden. But we want more.
Let’s exclude accounts that are not objectClass equals user.
Where’s the objectClass attribute?
Looks like there isn’t one. Even though there is.
Moving onto the objectCategory attribute, which is there.
Select objectCategory attribute.
Set value to not equal person
Crap. I forgot to select OR instead of AND for the operator. Now I have to delete (wait), and re-add (wait).
Ok, let's go with these two filters for now and save them.
And we get a lovely error thanks to the objectCategory attribute. This correlates to:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Put message
at Microsoft.Office.Server.UserProfiles.DirectoryServiceConnection.SetExclusionFilters(List`1 exclusionFilters)
at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.EditConnectionFilters.ButtonOK_Click(Object sender, EventArgs e)
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Make of that what you will, but it basically means we cannot use the objectCategory attribute for filtering (fix coming in SP1 or beyond apparently).
So I try a few different filters, like
Mail Is not equal to * (to exclude accounts that do not have a mail address)
The only way I could get profiles migrated was to only use the disabled accounts property.
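To make the inclusive-versus-exclusive difference and the OR/AND operator choice concrete, here is an added example (not code from this post or from SharePoint) that evaluates both styles over constructed directory entries. How the exclusion filters combine under each operator is modelled as an assumption, and the LDAP string in the comment is a common form of such a query, not the one from the original connection.

```python
# Added illustration: inclusive (MOSS 2007 style) versus exclusion
# (SPS 2010 style) filtering. All entries below are constructed samples.
#
# A common inclusive LDAP form of "people who are not disabled" (an
# assumption, not the query used in the post):
#   (&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

ENTRIES = [
    {"cn": "alice",   "objectCategory": "person",   "userAccountControl": 512},
    {"cn": "bob",     "objectCategory": "person",   "userAccountControl": 514},   # disabled user
    {"cn": "printer", "objectCategory": "computer", "userAccountControl": 4096},
    {"cn": "oldpc",   "objectCategory": "computer", "userAccountControl": 4098},  # disabled computer
]


def is_disabled(entry):
    """Exclusion filter 1: userAccountControl 'bit on' equals 2."""
    return bool(entry["userAccountControl"] & ACCOUNTDISABLE)


def not_person(entry):
    """Exclusion filter 2: objectCategory 'not equal' person."""
    return entry["objectCategory"].lower() != "person"


def inclusive(entries):
    """Keep only entries that match: is a person AND is not disabled."""
    return [e["cn"] for e in entries
            if not not_person(e) and not is_disabled(e)]


def exclusive(entries, operator):
    """Drop entries matching the exclusion filters joined by 'OR' or 'AND'.

    Assumed semantics: OR drops an entry when any filter matches,
    AND drops it only when every filter matches.
    """
    combine = any if operator == "OR" else all
    filters = (is_disabled, not_person)
    return [e["cn"] for e in entries
            if not combine(f(e) for f in filters)]


if __name__ == "__main__":
    print("inclusive      :", inclusive(ENTRIES))
    print("exclusive (OR) :", exclusive(ENTRIES, "OR"))
    print("exclusive (AND):", exclusive(ENTRIES, "AND"))
```

Under these assumptions, joining the two exclusions with OR reproduces the inclusive result (De Morgan), while AND only drops the disabled computer and lets the disabled user and the enabled computer through.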
4. My profiles are there, but they’re not
So another thing I tried is I ran a successful import (only excluding disabled accounts), and got 42 profiles back. So let's try adding a filter that excludes users that do not have an email address (mail not equals *).
FIM shows my deletions ok. So that’s promising (even though all these accounts do have an email address).
So I go back to my user profiles page, and I expect to see a count of 0. Except I don’t. I see there are still 42 profiles there. Huh? Let's search to see who’s still there.
And there you have it, 42 profiles and none of them visible. So are they there or not? I’m so done with this, I really don’t care at this point.
5. What’s my query again?
So let's go back and check my query, as in what containers I selected and what filters I have applied.
Are you kidding me? I have to reconnect to the source, populate the tree, then navigate all the way down to see what’s selected?
I GIVE UP.