
Maintain user profile synchronization settings in SharePoint Server 2013

Applies to: SharePoint Server 2013

Topic Last Modified: 2014-07-28

Summary: Learn how to maintain User Profile synchronization settings in SharePoint Server 2013 after you configure User Profile synchronization.

Profile synchronization in SharePoint Server 2013 enables an administrator of an instance of the User Profile service to synchronize user and group profile information that is stored in the SharePoint Server 2013 profile store with profile information that is stored in directory services across the enterprise. After you have configured User Profile synchronization, you must complete tasks to maintain those settings. These tasks include, for example, removing users whose accounts are disabled or deleted, moving or renaming a server, and starting or stopping the User Profile Synchronization service. For more information, see Plan profile synchronization for SharePoint Server 2013.

Important:
This article applies to only SharePoint Server 2013.


Before you begin this operation, review the following information about prerequisites:

Important:
See Hardware and software requirements for SharePoint 2013 for other requirements that may be needed for Profile Synchronization.
Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

SharePoint Server 2013 lets you handle several different user migration scenarios. The following are examples of the scenarios handled for Active Directory Domain Services (AD DS):

  • Account name (sAMAccountName) changes in the AD DS where the user exists.

  • Security Identifier (SID) changes.

  • Distinguished name (DN) changes that include changes in the organizational unit (OU) container in the AD DS where the user account exists. For example, if a user's distinguished name is moved in AD DS from "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Users, DC=EMEA1, DC=corp, DC=contoso, DC=com" to "User= EUROPE\John Smith, Manager=CN=John Rodman, OU=Managers, DC=EMEA1, DC=corp, DC=contoso,DC=com", the MigrateUser command updates the user profile store for this user. The user profile for John Smith is updated when synchronizing user profiles from the EMEA1.corp.contoso.com AD DS to the SharePoint Server user profile store.

To rename users or to change user domains
  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

    • The user account that performs this procedure is a member of the Administrators group on the computer on which you installed the User Profile synchronization service.

  2. If synchronization is in progress, open Central Administration and then click Manage service applications in the Application Management section. Select the appropriate User Profile service application from the list of service applications. On the Manage service application page, click Stop Profile Synchronization.

  3. Disable the User Profile Incremental Synchronization timer job.

  4. Ensure that user migration by using stsadm -o migrateuser has succeeded.

  5. Ensure that the profile of the migrated user can be accessed by browsing to the My Site for that user, for example, http://mysite/person.aspx?accountname=<new account name>.

  6. Run User Profile synchronization. For more information, see Start profile synchronization manually in SharePoint Server 2013.

  7. Recheck access to the profile of the migrated user by browsing to the My Site for that user.

  8. Enable the User Profile Incremental Synchronization timer job.
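The same rename procedure scripted in Windows PowerShell, as an added example that is not part of the original article: Move-SPUser is the cmdlet replacement for stsadm -o migrateuser, and the profile is checked through the UserProfileManager API instead of by browsing person.aspx. The site URL, account names and service application name are placeholders, and the timer job display name assumes the default "<UPA name> - User Profile Incremental Synchronization" naming shown in this article.

```powershell
# Added example: rename or re-domain a user with the incremental sync job paused.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName "Microsoft.Office.Server.UserProfiles, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"

$SiteUrl    = "http://mysite"                    # placeholder: My Site host URL
$OldAccount = "i:0#.w|EMEA1\jsmith"              # placeholder: current claims account
$NewAccount = "i:0#.w|EUROPE\john.smith"         # placeholder: new claims account
$UpaName    = "User Profile Service Application" # placeholder: UPA display name

$site    = Get-SPSite -Identity $SiteUrl
$incrJob = Get-SPTimerJob | Where-Object {
    $_.DisplayName -eq "$UpaName - User Profile Incremental Synchronization"
}
if (-not $incrJob) { throw "Incremental synchronization timer job for '$UpaName' not found." }

# Step 3: keep incremental synchronization from running while the account is in flux.
Disable-SPTimerJob -Identity $incrJob
try {
    # Step 4: migrate the account (cmdlet replacement for stsadm -o migrateuser).
    # -IgnoreSID is required when the SID changed, for example on a domain move.
    $user = Get-SPUser -Identity $OldAccount -Web $site.RootWeb
    Move-SPUser -Identity $user -NewAlias $NewAccount -IgnoreSID -Confirm:$false

    # Step 5: the profile must resolve under the new name before any sync runs
    # (same check as browsing person.aspx?accountname=<new account name>).
    $ctx = Get-SPServiceContext $site
    $pm  = New-Object -TypeName Microsoft.Office.Server.UserProfiles.UserProfileManager -ArgumentList $ctx
    if (-not $pm.UserExists($NewAccount)) {
        throw "No profile found for $NewAccount after migration."
    }
    Write-Host "Profile for $NewAccount is reachable. Run profile synchronization (step 6), recheck the profile, then run: Enable-SPTimerJob $($incrJob.Id)"
}
catch {
    # A failed migration must not leave the farm without incremental synchronization.
    Enable-SPTimerJob -Identity $incrJob
    throw
}
finally {
    $site.Dispose()
}
```

The job is deliberately left disabled on success, because the procedure re-enables it only after the synchronization in step 6 has completed and the profile has been rechecked.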

You can exclude users whose accounts are disabled in AD DS by using exclusion filters in SharePoint Server 2013. For the steps that are needed to exclude users whose accounts are disabled, see Synchronize user and group profiles in SharePoint Server 2013.

There are two reasons why obsolete users or groups can exist in the SharePoint Server 2013 user profile store:

  • Obsolete users: The My Site cleanup timer job is not active. The User Profile Synchronization timer job marks for deletion users who have been deleted from the directory source. When the My Site cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective My Sites are then assigned to the manager for the deleted user and an e-mail message notifies the manager of this deletion.

  • Obsolete users and groups: Users and groups that were not imported by Profile Synchronization exist in the user profile store. This can occur, for example, if you upgraded from an earlier version of SharePoint Server and chose to only synchronize a subset of domains with SharePoint Server 2013.

To find and remove obsolete users and groups by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Execute permission on the ImportExport_GetNonimportedObjects and the ImportExport_PurgeNonimportedObjects stored procedures in the profile database.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets. You can use SQL Management Studio or Transact-SQL to grant database permissions. For more information, see GRANT Object Permissions (Transact-SQL).

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      1. On the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      2. Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012 R2 and Windows Server 2012.

  3. At the Windows PowerShell command prompt, do the following:

    1. To get the User Profile Service application object, type the following command:

      $upa = Get-SPServiceApplication <identity>
      

      Where <identity> is the GUID of the User Profile synchronization service application.

    2. To view the users and groups to delete, type the following command:

      Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true
      
    3. To delete the obsolete users and groups, type the following command:

      Warning:
      This action cannot be undone.
      Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
      

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.
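Because the purge cannot be undone, a practitioner usually wants the review and the deletion separated by a saved report and an explicit confirmation. The following added example (not code from the article) wraps the two cmdlet calls above that way; it looks the service application up by display name rather than GUID, and assumes that Set-SPProfileServiceApplication -GetNonImportedObjects writes the listed objects to the pipeline so they can be captured.

```powershell
# Added example: review non-imported users and groups, then purge only on request.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-ObsoleteProfileObjects {
    param(
        [Parameter(Mandatory)] [string] $UpaName,                      # UPA display name
        [string] $ReportPath = "$env:TEMP\NonImportedObjects.txt",     # where the review list is kept
        [switch] $Purge                                                # without this, only report
    )
    $upa = Get-SPServiceApplication | Where-Object {
        $_.TypeName -eq "User Profile Service Application" -and $_.Name -eq $UpaName
    }
    if (-not $upa) { throw "User Profile service application '$UpaName' not found." }

    # Step 3.2 of the procedure: list the candidates and keep a copy for the change record.
    $objects = @(Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true)
    $objects | Out-File -FilePath $ReportPath -Encoding utf8
    Write-Host ("{0} non-imported object(s) written to {1}" -f $objects.Count, $ReportPath)

    if (-not $Purge) {
        Write-Host "Review the report, then re-run with -Purge to delete them. This cannot be undone."
        return $objects
    }
    if ($objects.Count -eq 0) { Write-Host "Nothing to purge."; return $objects }

    # Step 3.3: purge only when explicitly requested and interactively confirmed.
    $answer = Read-Host "Purge $($objects.Count) object(s) from the profile store? Type YES to continue"
    if ($answer -ne "YES") { Write-Host "Purge cancelled."; return $objects }
    Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
    Write-Host "Purge completed; report retained at $ReportPath"
    return $objects
}

# Usage (placeholder name): first review, then purge.
# Remove-ObsoleteProfileObjects -UpaName "User Profile Service Application"
# Remove-ObsoleteProfileObjects -UpaName "User Profile Service Application" -Purge
```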

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Profile schema changes include things such as adding a new user profile property, changing a user profile property mapping, or changing a Profile Synchronization connection filter. When the profile schema changes, you must first perform a full nonrecurring synchronization before scheduling recurring profile synchronization. For the steps that are needed to perform full nonrecurring profile synchronization, see Start profile synchronization manually in SharePoint Server 2013.

Use the following procedure to rename a profile synchronization server.

To rename a server that is running the User Profile synchronization service by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      1. On the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      2. Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    Rename-SPServer <Identity> -Name <newName>
    

    Where:

    • Identity is the old name of the server.

    • newName is the new name for the server.

For more information about renaming a server by using Windows PowerShell, see Rename-SPServer.

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Use the following procedure to move the User Profile Synchronization service to a new server.

To move the User Profile Synchronization service to a new server by using Central Administration
  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

    • The user account that performs this procedure is a member of the Administrators group on the computer on which you installed the User Profile synchronization service. This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. On the server that is currently running the User Profile synchronization service, on the SharePoint Central Administration website, in the System Settings section, click Manage services on Server.

  3. Next to the User Profile Synchronization Service, click Stop to stop the User Profile Synchronization service.

  4. On the new User Profile synchronization server, on the SharePoint Central Administration website, in the System Settings section, click Manage services on Server.

  5. Next to the User Profile Synchronization Service, click Start to start the User Profile synchronization service.

  6. On the new User Profile synchronization server, on the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  7. On the Service Applications page, click the link for the name of the appropriate User Profile service application.

  8. On the User Profile Service Application page, in the Synchronization section, click Start Profile Synchronization.

  9. On the Start Profile Synchronization page, select Start Full Synchronization, and then click OK.

The User Profile synchronization database serves as a staging area for User Profile information. User Profile information that is stored in the profile store and synchronization database is consumed by the User Profile service. By following these steps, you can safely reset a User Profile Synchronization database without losing information in the profile store.

To reset User Profile synchronization by using Windows PowerShell and Central Administration
  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

    • The user account that performs this procedure is a member of the Administrators group on the computer on which you installed the User Profile synchronization service. This is required to start the User Profile Synchronization service. After the User Profile Synchronization service is started you can remove the farm account from the Administrators group.

  2. As a precaution, back up the User Profile service application. For more information, see Back up service applications in SharePoint 2013.

  3. If you are using the My Site cleanup timer job, you must disable it before you reset the synchronization database. Otherwise, the job will delete all user profiles and My Sites from the farm. For information about this timer job, see the Timer job reference (SharePoint 2013). For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Use Windows PowerShell cmdlets to manage timer jobs in SharePoint 2013.

  4. Disable the User Profile Incremental Synchronization timer job:

    1. On Central Administration, click Monitoring.

    2. Click Review job definitions.

    3. Click User Profile Service Application Name-User Profile Incremental Synchronization.

      Where User Profile Service Application Name is the name of the User Profile service application.

    4. Click Disable.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2013 Products.

  7. Right-click SharePoint 2013 Management Shell and then click Run as administrator.

  8. In the User Account Control dialog box, click Yes.

  9. At the Windows PowerShell command prompt, type the following command to stop the SharePoint 2013 Timer service:

    net stop sptimerv4
    
  10. Copy the following code and paste it into a text editor, such as Notepad:

    $syncdb=Get-SPDatabase <SyncDBGUID>
    $syncdb.Unprovision()
    $syncdb.Status='Offline'
    $upa=Get-SPServiceApplication <UPSAppGUID>
    $upa.ResetSynchronizationMachine()
    $upa.ResetSynchronizationDatabase()
    $syncdb.Provision()
    
  11. Replace the following placeholders with values where:

    • <SyncDBGUID> is the GUID of the synchronization database.

    • <UPSAppGUID> is the GUID of the User Profile Service application.

    For more information, see Get-SPDatabase.

  12. Save the file as an ANSI-encoded text file and name the file ResetSyncDB.ps1.

  13. At the Windows PowerShell command prompt, change to the directory where you saved the file.

  14. Type the following command:

    ./ResetSyncDB.ps1
    
  15. Using SQL Server Management Studio, create a login in SQL Server for the User Profile synchronization service account (that is, the farm account). Then, in the synchronization database, create a database user who maps to the login and grant it access to the db_owner database role. For more information, see How to: Create a SQL Server Login, How to: Create a Database User, and Database-Level Roles.

  16. At the Windows PowerShell command prompt, type the following command to start the SharePoint 2013 Timer service:

    net start sptimerv4
    
  17. Start the User Profile synchronization service. For more information, see the Start the User Profile Synchronization service section of the "Configure profile synchronization" topic.

  18. Reset IIS. For more information about how to reset IIS, see the Reset IIS section of the "Configure profile synchronization" topic.

  19. Create connections to the data sources. For more information, see Restore service applications in SharePoint 2013.

  20. If you do not intend to use the My Site cleanup timer job, run profile synchronization. For more information about how to run profile synchronization, see Start profile synchronization manually in SharePoint Server 2013. If you intend to enable the My Site cleanup timer job, complete these additional steps before you enable the job:

    1. Run two full profile synchronizations.

    2. After the second profile synchronization is finished, on Central Administration, in the Application Management section, click Manage service applications.

    3. Click the User Profile service application name, and then click Manage User Profiles.

    4. On the Manage Profile Service page, in the People section, click Manage User Profiles.

    5. Next to View, select Profiles Missing from Import.

    6. In the Find Profiles box, type the domain for the profiles and then click Find.

    7. For each profile that is returned, check the originating directory service, such as Active Directory, for the status of that profile. If the status of any of the returned profiles in the directory is not disabled or is not deleted, do not enable the My Site cleanup timer job. Contact Microsoft support for more assistance. Otherwise, enable the My Site cleanup timer job. For information about the Windows PowerShell cmdlets that you use to enable and disable this timer job, see Use Windows PowerShell cmdlets to manage timer jobs in SharePoint 2013.

  21. Enable the User Profile Incremental Synchronization timer job:

    1. On Central Administration, click Monitoring.

    2. Click Review Job Definitions.

    3. Click User Profile Service Application Name-User Profile Incremental Synchronization.

      Where User Profile Service Application Name is the name of the User Profile service application.

    4. Click Enable.
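The reset script in step 10 runs without checking the preconditions that steps 3, 4 and 9 establish, and step 3 notes that skipping one of them can delete every profile and My Site in the farm. The following added example (not the article's ResetSyncDB.ps1) runs the same seven statements only after verifying those preconditions. The two GUIDs are placeholders as in the article; the timer job display names are assumed to follow the default naming shown in step 4 and the "My Site cleanup" wording used in step 3.

```powershell
# Added example: guarded version of the synchronization database reset.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SyncDbGuid = "<SyncDBGUID>"   # placeholder: GUID of the synchronization database
$UpaGuid    = "<UPSAppGUID>"   # placeholder: GUID of the User Profile service application

$upa    = Get-SPServiceApplication -Identity $UpaGuid
$syncdb = Get-SPDatabase -Identity $SyncDbGuid
if (-not $upa -or -not $syncdb) { throw "Service application or synchronization database not found." }

# Precondition from step 3: the My Site cleanup job must be disabled, otherwise
# the reset results in all user profiles and My Sites being deleted.
$cleanupJobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like "*My Site Cleanup*" })
foreach ($job in $cleanupJobs) {
    if (-not $job.IsDisabled) { throw "Timer job '$($job.DisplayName)' is still enabled. Disable it first (step 3)." }
}

# Precondition from step 4: the incremental synchronization job must be disabled.
$incrJob = Get-SPTimerJob | Where-Object {
    $_.DisplayName -eq "$($upa.Name) - User Profile Incremental Synchronization"
}
if ($incrJob -and -not $incrJob.IsDisabled) { throw "Incremental synchronization job is still enabled (step 4)." }

# Precondition from step 9: the SharePoint 2013 Timer service must be stopped.
if ((Get-Service -Name SPTimerV4).Status -ne "Stopped") { throw "Run 'net stop sptimerv4' before resetting (step 9)." }

# Body identical to the article's step 10 script.
$syncdb.Unprovision()
$syncdb.Status = 'Offline'
$upa.ResetSynchronizationMachine()
$upa.ResetSynchronizationDatabase()
$syncdb.Provision()

Write-Host "Synchronization database reset. Continue with step 15 (grant the farm account db_owner on the sync database) and step 16 (net start sptimerv4)."
```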

Use the following procedure to restrict profile synchronization communication to a specific domain controller.

To restrict User Profile synchronization communication to a specific domain controller by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. To get the User Profile service application object, type the following command:

    $upa=Get-SPServiceApplication <GUID>
    

    Where <GUID> is the GUID of the User Profile Synchronization Service application.

  6. To restrict profile synchronization communication to a specific domain controller, type the following command:

    Set-SPProfileServiceApplication $upa -UseOnlyPreferredDomainControllers $true
    
    Note:
    It may take five minutes for the changed property value to propagate to the SharePoint Central Administration website. Resetting IIS on the Central Administration server will force the new value to be loaded immediately. For more information about resetting IIS, see IIS Reset Activity.

For more information, see Get-SPServiceApplication and Set-SPProfileServiceApplication.

A time-out can occur on the following occasions:

  • When trying to connect to the directory service server on the Add/Edit a synchronization connection page in Central Administration.

  • When trying to populate the list of containers on the Add/Edit a synchronization connection page in Central Administration. This will occur as a JavaScript time-out error in the status bar.

  • When clicking OK on the Add/Edit a synchronization connection page in Central Administration. This causes the following error message and occurs because of a time-out by the Forefront Identity Manager web service when creating or updating a User Profile synchronization connection:

    "The request channel timed out while waiting for a reply after 00:01:29.9062626. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allocated to this operation may have been a part of a longer timeout."

To adjust User Profile synchronization timeouts by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. If you want to change the time-out value for connecting to the directory server, do the following:

    1. Paste the following code into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.LDAPConnectionTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 120 seconds.

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  3. If you want to change the time-out value for the Populate Containers control, do the following:

    1. Paste the following code into a text editor, such as Notepad:

      $upsAppProxy = Get-SPServiceApplicationProxy <UPSAppProxyGUID>
      $upsAppProxy.ImportConnAsyncTimeout = <NewTimeout>
      $upsAppProxy.Update()
      
    2. Replace <UPSAppProxyGUID> with the GUID of the User Profile service application proxy and <NewTimeout> with the new time-out value in seconds. The default time-out is 1,000 seconds (approximately 17 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1.

  4. If you want to change the time-out value for calls into the Forefront Identity Manager web service, do the following:

    1. Paste the following code into a text editor, such as Notepad:

      $upsApp = Get-SPServiceApplication <UPSAppGUID>
      $upsApp.FIMWebClientTimeOut = <NewTimeout>
      $upsApp.Update()
      
    2. Replace <UPSAppGUID> with the GUID of the User Profile service application and <NewTimeout> with the new time-out value in milliseconds. The default time-out is 300,000 milliseconds (5 minutes).

    3. Save the file as an ANSI-encoded text file whose extension is .ps1, such as AdjustProfileSyncTimeouts.ps1.

  5. On the Start menu, click All Programs.

  6. Click Microsoft SharePoint 2013 Products.

  7. Click SharePoint 2013 Management Shell.

  8. Change to the directory where you saved the file.

  9. At the Windows PowerShell command prompt, type the following command to execute a script file:

    ./<file name>.ps1
    

    Where <file name> is the name of the file to execute.

For more information, see Get-SPServiceApplicationProxy and Get-SPServiceApplication.
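The three properties above use different units (LDAPConnectionTimeout and ImportConnAsyncTimeout in seconds, FIMWebClientTimeOut in milliseconds), which is an easy way to set a time-out a thousand times too large or too small. The following added example (not code from the article) sets any subset of them from one function that takes every value in seconds, converts for the FIM property, and returns the previous values so the change can be reverted. It resolves the service application and its proxy by display name instead of GUID and assumes the proxy's TypeName is "User Profile Service Application Proxy".

```powershell
# Added example: adjust profile synchronization time-outs with consistent units.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ProfileSyncTimeouts {
    param(
        [Parameter(Mandatory)] [string] $UpaName,  # UPA display name (placeholder in usage below)
        [int] $LdapConnectSeconds,                 # LDAPConnectionTimeout, seconds (default 120)
        [int] $PopulateContainersSeconds,          # ImportConnAsyncTimeout, seconds (default 1,000)
        [int] $FimWebClientSeconds                 # FIMWebClientTimeOut, stored in ms (default 300,000 ms)
    )
    $app = Get-SPServiceApplication | Where-Object {
        $_.TypeName -eq "User Profile Service Application" -and $_.Name -eq $UpaName
    }
    if (-not $app) { throw "User Profile service application '$UpaName' not found." }

    # Assumption: the proxy carries the same display name prefix as the application.
    $proxies = @(Get-SPServiceApplicationProxy | Where-Object {
        $_.TypeName -eq "User Profile Service Application Proxy" -and $_.Name -like "$UpaName*"
    })
    if ($proxies.Count -ne 1) { throw "Expected exactly one proxy for '$UpaName', found $($proxies.Count)." }
    $proxy = $proxies[0]

    # Record the current values first so the change can be reverted.
    $before = [ordered]@{
        LDAPConnectionTimeout_s  = $proxy.LDAPConnectionTimeout
        ImportConnAsyncTimeout_s = $proxy.ImportConnAsyncTimeout
        FIMWebClientTimeOut_ms   = $app.FIMWebClientTimeOut
    }

    $proxyChanged = $false
    if ($PSBoundParameters.ContainsKey('LdapConnectSeconds')) {
        $proxy.LDAPConnectionTimeout = $LdapConnectSeconds; $proxyChanged = $true
    }
    if ($PSBoundParameters.ContainsKey('PopulateContainersSeconds')) {
        $proxy.ImportConnAsyncTimeout = $PopulateContainersSeconds; $proxyChanged = $true
    }
    if ($proxyChanged) { $proxy.Update() }

    if ($PSBoundParameters.ContainsKey('FimWebClientSeconds')) {
        # This property is in milliseconds; convert so callers never mix units.
        $app.FIMWebClientTimeOut = $FimWebClientSeconds * 1000
        $app.Update()
    }
    return New-Object PSObject -Property $before
}

# Usage (placeholder name): raise the FIM call time-out to 10 minutes and the
# container population time-out to 30 minutes; previous values are returned.
# Set-ProfileSyncTimeouts -UpaName "User Profile Service Application" -FimWebClientSeconds 600 -PopulateContainersSeconds 1800
```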

© 2014 Microsoft