SharePoint Profile Cleanup


I ended up having to do quite a bit of cleanup on the profiles associated with a team SharePoint server, and learned a bit in the process that doesn’t seem to be on the Internet in one place, so I thought I’d share.

Note: I will touch on several related areas in this post, so I apologize if I jump all over the place.  All buckled in?  Let’s go!

Ideally, in SharePoint, you have profiles (and maybe My Sites) for users that actually use the site (or that you want to search).  For the most part, you do not want profiles of users that are disabled in Active Directory, users who have left the company, etc.

Most of the work that you do with profiles as an Administrator is within the SSP (Shared Services Provider), under “User Profiles and My Sites”.


By default, when setting up Profile Import, SharePoint imports all users from your current domain.  This is fine as a default, but you may end up pulling profiles that are not needed and/or wanted in two cases (off the top of my head):

1) You have a bunch of user/service accounts that are disabled in Active Directory.

2) You only want accounts from a particular group or OU to be imported into your SharePoint profiles.


In either of these cases, you will have to customize the LDAP query that SharePoint runs on the back end to pull users out of AD. By default, the query searches for (&(objectCategory=Person)(objectClass=User)). In other words, “Pull all users”.


SharePoint does not distinguish whether those accounts are enabled or disabled.  KB 827754 gives us the modified query we need to use if we only want to pull enabled users:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

If you want to import users just from a particular group or OU, the query will look something like:

(&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))

Wayne Hall’s post here is the definitive source on how to find the Distinguished Name of the group you are looking for, and how to write the query.  If you want to go completely buck-wild, you can read all about LDAP Search Query Syntax on MSDN.
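To see what each of the filters above actually selects, here is an added example (my own Python, not SharePoint or Microsoft code): a small evaluator for the subset of LDAP filter syntax these queries use (AND, OR, NOT, equality, and the AD bitwise-AND/OR matching rules), run against a constructed directory of five AD-like entries. The group DN, the account names and their userAccountControl values are all assumptions made up for the example. It goes one step beyond the post by also combining the "enabled only" and "group members only" clauses into a single filter.

```python
"""Evaluate the profile-import LDAP filters from the post against constructed entries.

Added example, not SharePoint or Microsoft code. Supports (&...), (|...), (!...),
attr=value, and the two Active Directory bitwise matching rules.
"""
import re

BITWISE_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BITWISE_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 0x2                     # userAccountControl flag the post's filter tests
TEAM_GROUP_DN = "CN=Team,OU=Groups,DC=example,DC=com"   # constructed group DN (assumption)

# Constructed sample entries (not real accounts). userAccountControl values:
# 512 = normal enabled user, 514 = 512 + ACCOUNTDISABLE,
# 66050 = 514 + DONT_EXPIRE_PASSWORD (a typical disabled service account).
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectCategory": "person",
     "objectClass": "user", "userAccountControl": 512, "memberOf": [TEAM_GROUP_DN]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "objectCategory": "person",
     "objectClass": "user", "userAccountControl": 514, "memberOf": [TEAM_GROUP_DN]},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com", "objectCategory": "person",
     "objectClass": "user", "userAccountControl": 66050, "memberOf": []},
    {"dn": "CN=Carol,OU=Staff,DC=example,DC=com", "objectCategory": "person",
     "objectClass": "user", "userAccountControl": 512, "memberOf": []},
    {"dn": "CN=Printer1,OU=Devices,DC=example,DC=com", "objectCategory": "computer",
     "objectClass": "computer", "userAccountControl": 4096, "memberOf": []},
]

# The three filters discussed in the post, plus the last two combined.
FILTER_ALL_USERS = "(&(objectCategory=Person)(objectClass=User))"
FILTER_ENABLED_USERS = ("(&(objectCategory=person)(objectClass=user)"
                        "(!(userAccountControl:" + BITWISE_AND + ":=2)))")
FILTER_GROUP_MEMBERS = ("(&(objectCategory=Person)(objectClass=User)"
                        "(memberOf=" + TEAM_GROUP_DN + "))")
FILTER_ENABLED_GROUP_MEMBERS = ("(&(objectCategory=person)(objectClass=user)"
                                "(memberOf=" + TEAM_GROUP_DN + ")"
                                "(!(userAccountControl:" + BITWISE_AND + ":=2)))")


def parse_filter(text, pos=0):
    """Parse one parenthesised filter item at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":                                   # (&(a)(b)...) or (|(a)(b)...)
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter near offset %d" % pos)
        return (op, children), pos + 1
    if op == "!":                                    # (!(a))
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unbalanced filter near offset %d" % pos)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)                       # attr=value or attr:OID:=value
    attr, value = text[pos:end].split("=", 1)        # split on the first '=' only (DN values contain '=')
    return ("=", attr, value), end + 1


def _lookup(entry, name):
    """Case-insensitive attribute lookup; always returns a list of values."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Return True if the entry satisfies the parsed filter node."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":"):                           # extensible match: attr:OID:=value
        name, oid = attr[:-1].split(":", 1)
        values = _lookup(entry, name)
        if not values:   # absent attribute: treated as no match (simplifies LDAP's "Undefined")
            return False
        current, mask = int(values[0]), int(value)
        if oid == BITWISE_AND:
            return current & mask == mask            # all bits of the mask are set
        if oid == BITWISE_OR:
            return current & mask != 0               # any bit of the mask is set
        raise ValueError("unsupported matching rule " + oid)
    return any(str(v).lower() == value.lower() for v in _lookup(entry, attr))


def search(filter_text, directory=SAMPLE_DIRECTORY):
    """Return the CNs of the entries matched by the filter, in directory order."""
    cleaned = re.sub(r"\s+", "", filter_text)       # tolerate whitespace from a pasted filter
    tree, end = parse_filter(cleaned)
    if end != len(cleaned):
        raise ValueError("trailing characters after filter")
    return [e["dn"].split(",")[0][3:] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for label, flt in [("all users", FILTER_ALL_USERS),
                       ("enabled users", FILTER_ENABLED_USERS),
                       ("group members", FILTER_GROUP_MEMBERS),
                       ("enabled group members", FILTER_ENABLED_GROUP_MEMBERS)]:
        print("%-22s %s" % (label, ", ".join(search(flt))))
```

Running it shows the point of the post's two tweaks: the default filter keeps the disabled Bob and svc-backup accounts, the KB 827754 filter drops them, the memberOf filter keeps Bob because group membership says nothing about whether an account is enabled, and only the combined filter yields just Alice. The printer object is never matched because objectCategory is not "person".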

All right.  Now if you ran the full profile import before modifying the query, and have a bunch of disabled users in AD, or imported all AD users instead of a specific group, those extra profiles now exist in SharePoint where they are not doing a lot of good.

How can you delete them?

The answer is that you have to do a Full (not incremental) profile import.  This does not delete the users, but marks them as “Profiles Missing from Import”.  On the “User Profiles and Properties” page of the SSP, click on “View User Profiles”.


From here, there is a drop-down box that lets you choose between “Active Profiles” and “Profiles Missing from Import”.

Don’t laugh at the difference between my Total number of user profiles and Number of active user profiles in the picture below.  Long story, no happy ending ;)


In any case, if you select “Profiles Missing from Import”, it will show all profiles that exist in SharePoint that did NOT get pulled/updated from AD in your last full import.  This could be because someone left the company, or because your modified query now pulls fewer people.  Once you verify that the user no longer exists (or shouldn’t have a profile on the server), check the box next to their profile/account name and hit delete.  You can also wait for SharePoint to run three full (not incremental) imports, after which it will delete the profiles on its own.

*Update: Although this is how it worked in SPS 2003, it is not how it works in MOSS 2007.  It is actually the “My Site Cleanup Job” that does the dirty work.  Gyorgy covers how this works here: http://blogs.msdn.com/b/gyorgyh/archive/2009/11/13/how-it-works-moss-2007-automatic-user-profile-removal.aspx

A few other considerations to be aware of…  If the user is no longer with the company, but somebody explicitly assigned them permissions to a site, list, or library, they will continue to have those permissions if they ever come back (this is an issue at Microsoft, as vendors may do work for one team and then come back some months later to do work for another team using the same AD account).  Removing explicit permissions is a manual process (and is the reason why explicit user permissions should be the exception and not the rule).  Use (and do not break) permission inheritance wherever possible.  I usually put Active Directory groups within SharePoint groups, and assign SharePoint permissions to SharePoint groups.  That way, if any given person joins or leaves the company, I add/remove them from the appropriate AD group and their permissions accordingly come or go in SharePoint.

The other consideration is My Sites.  How do you delete My Sites that belong to people that left the company?  Once SharePoint no longer has a profile for a user with a My Site (see above), it will (by default) send an e-mail to that user’s Manager (assuming their profile has a manager listed) saying:

The My Site of Joe Blow is scheduled for deletion. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL:  http://servername/mysite/personal/joeblow

The manager is then added as the secondary site collection administrator for the user’s My Site, and any important documents can be copied off before the My Site is deleted.  The wording of the e-mail itself is hardcoded and cannot be changed.  Also, this My Site cleanup is NOT part of or related to the “Site Use confirmation and deletion” feature of SharePoint.  It takes place as part of the “My Site Cleanup Job”, which runs hourly (you can find it under Central Administration –> Operations –> Timer Job Definitions).  There were some problems with this job in RTM, but they were fixed in SP1 (in case you are still running RTM and old My Sites are still hanging around).

(Update to the paragraph above… commenter Chris reminded me that I was not quite right about the My Site deletion.  While the e-mail itself is not related to the “Site Use confirmation and deletion” feature, sites are not actually deleted unless that feature is turned on.  The e-mail to the manager is telling a fib.  If the “Site Use confirmation and deletion” feature is enabled, the site is deleted because the user never confirms the e-mail asking whether they are still using the site; not because of the My Site Cleanup Job itself.  I also came across another great resource on My Sites and disabled/deleted users from Phil Wicklund that is well worth reading: http://philwicklund.com/whitepapers/Documents/My%20Site%20Concerning%20Scenarios%20Study%20and%20Strategy.pdf)

I hope the information above helps someone if they ever end up trying to figure out how to clear out 75,000 profiles from a SharePoint server that is only used by a few hundred people :) (yes, I think I am the very definition of an edge case)

-Sean

Comments
  • Great post.  I'm working on this right now and it was extremely helpful.  Of note here is the fact that the MySite will only be deleted if the Automatic Site Deletion is enabled.  This is located at:

    Central Administration > Application Management > Site Use Confirmation and Deletion  

  • Thanks for catching that Chris... you are absolutely correct.  I have updated the post :)

    -Sean

  • I have a question regarding how the User Profiles actually get "cleared out".

    Steps Taken...

    1.  created new LDAP Filter to limit a number of user profiles that match.  

    2.  Ran Full User Import (Now am showing about 10,000 User Profiles that show up under "Profiles Missing from Import")

    3.  Manually ran 3 or 4 more Full User Imports.  (User Profiles continue to show up under "Profiles Missing from Import").

    When does SharePoint actually delete these missing user profiles?  Is there a step I am missing?

  • Excellent post! This post and the link to the white paper clears it up for me. Thanks!

  • Great Article!

    I have the same issue as Kkirkpat described above. Even though I'm deleting a profile manually from the 'profile missing from import' list, the same profile is reappearing after the profile crawl. How can I get rid of these MOSS profiles permanently?

    Any suggestion would be appreciated.

  • In SharePoint 2003, user profiles were deleted after being missing from three full profile imports. Apparently, this changed in 2007, but this change has never been formally documented.

    In 2007, the My Site Cleanup job also goes through all profiles marked "missing from import" and attempts to look up the user in AD. If it can't find the user, it deletes the profile. See blogs.msdn.com/.../how-it-works-moss-2007-automatic-user-profile-removal.aspx.

  • My sync with AD is working fine, except it is not pulling the pictures from AD.

    Here is my issue: we have photos of all employees stored as xyz.jpg in the custom attribute (emp_pics_2001) with type string, but the picture URL type is url (is this type change the culprit?). I am using the custom attribute to map the field in the SharePoint 2010 MIIS client.

    I am using the URL below to do the setup: goodbadtechnology.blogspot.com/.../setting-up-pictureurl-user-profile.html

    I did check: the profile DB picture URL field is NULL. I have all the other values for the person except the picture. I have already wasted more than 2 days in figuring this out.

    If I just get xyz.jpg pulled to SharePoint, then I can prefix a URL in front of it using PowerShell.

    I am using a fully trusted service account with full permissions to the domain.

    Please help me out.

    Thank you

    Neel

  • I have close to 200,000 profiles when I know my true user base is around 1/20th of that.  I want to perform this operation, but I'm worried I might accidentally remove changes to user profiles from My Sites, like description.

    BTW, if I get the expected 150k+ users in profiles not in the last import, will I be able to delete them from the GUI?

  • Hi,

    I have a server where a full import is done, followed by an incremental import every time.

    The requirement is to delete the inactive/orphaned user profiles from the SSP.

    The issue I am facing is I am not able to identify the inactive/orphaned users from the profile list.

    Do we have any command line statement or any other option to identify an inactive/orphaned user profile in SSP?

  • Thank you very much for this information, it really helped me. Thanks bro.
