Synchronize user and group profiles in SharePoint Server 2013

APPLIES TO: SharePoint Server 2013 (yes); SharePoint Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition, and SharePoint in Microsoft 365 (no)

Configuring profile synchronization (or profile sync) is a process that involves many steps. This article divides the process into shorter phases, both so that you can see progress and to reduce the number of steps through which you have to backtrack if you make an error. There are four phases to configuring profile synchronization. Depending on your situation, you might not have to perform all of the phases. This article also includes Phase 0, which contains instructions for configuring the prerequisites that are required before you can configure profile synchronization.

User profiles and groups are used by SharePoint Server 2013 through server-to-server authentication to access and request resources from one another on behalf of users. For more information about server-to-server authentication, see Server-to-server authentication and user profiles in SharePoint Server.

Important

This article applies to only SharePoint Server 2013.

Before you begin

Before you begin this operation, review the following information about prerequisites:

As you configure profile synchronization, you will need information to answer questions in the user interface. You will also need accounts that have the appropriate permissions and a SharePoint Server 2013 farm that is already partly configured. The subsections within this section explain the prerequisites that you must have before you configure profile synchronization.

Gather information

Before you perform the procedures in this article, you should complete the User profile properties and profile synchronization planning worksheets for SharePoint Server 2013. You will use the information that you record in the worksheets as you perform the procedures in this article.

  • Connection planning worksheet: Contains details about each profile synchronization connection that you will create. The article Plan profile synchronization for SharePoint Server 2013 contains instructions for filling out the worksheet.

  • User profile properties worksheet: Identifies user profile properties and how the properties are mapped to external data sources. The article Plan user profiles in SharePoint Server explains how to complete most of the worksheet, and the article Plan profile synchronization for SharePoint Server 2013 contains instructions on how to add the property mapping information.

  • Profile synchronization planning worksheet: Collects the information that you must have to create the User Profile service application and its prerequisites. If your farm already contains a User Profile service application, you can omit this worksheet.

You will have to know the name of the synchronization server. The synchronization server is the server on which the User Profile synchronization service will run. The Plan for the synchronization server section of Plan profile synchronization for SharePoint Server 2013 contains guidance on how to select the synchronization server.

Grant account permissions

To configure profile synchronization you will have to know the farm account and the farm account's password, and you will need a synchronization account for each directory service that you will synchronize with. The permissions that are required for each account are described in the Plan account permissions section of Plan profile synchronization for SharePoint Server 2013. If an account does not have the appropriate permissions, you might not know that the permissions are wrong until you have progressed part of the way through the configuration procedure.

Note

Incorrect permissions are the most common cause of errors in configuring profile synchronization.

Install prerequisites

To set up profile synchronization you will need SharePoint Server 2013 installed in a farm configuration.

You must have a full installation of SQL Server, not the Express edition. Profile synchronization will not work if you have installed SharePoint Server 2013 by following the instructions in Install SharePoint 2013 on a single server with a built-in database.

Phase 0: Configure the farm

During this phase, you configure the infrastructure for synchronizing profiles.

This phase involves the following tasks:

  1. Create a web application to host My Sites

  2. Create a managed path for My Site

  3. Create a My Site Host site collection

  4. Create a User Profile service application

  5. Enable NetBIOS domain names for user profile synchronization by using PowerShell

  6. Start the User Profile service

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server 2013.

Create a web application to host My Sites

In this procedure, you create the web application in which My Sites will reside. We recommend that My Sites be in a separate web application, although the web application may be in an application pool that is shared with other collaboration sites, or it may be in a separate application pool but in a shared IIS website. For more information about SharePoint Server 2013 sites, application pools, and IIS websites, see Architecture design for SharePoint 2013 IT pros. For more detailed instructions about how to create a web application, see Create a web application in SharePoint Server.

To create a web application

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. In Central Administration, in the Application Management section, click Manage web applications.

  3. On the ribbon, click New.

  4. On the Create New Web Application page, in the Authentication section, select the authentication mode that will be used for this web application.

  5. In the IIS Web Site section, you can configure the settings for your new web application by selecting one of the following two options (see the Profile Synchronization Planning worksheet):

    • Click Use an existing web site, and then select the website on which to install your new web application.

    • Click Create a new IIS web site, and then type the name of the website in the Name box.

    You may also provide the port number, host header, or path for the new IIS website.

  6. In the Security Configuration section, select an authentication provider, whether to allow anonymous access, and whether to use Secure Sockets Layer (SSL).

  7. In the Application Pool section, do one of the following:

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is an existing application pool, click Use existing application pool, and then select the My Site application pool from the drop-down menu.

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is a new application pool, click Create a new application pool, type the name of the My Site application pool, and either select the account that the application pool will run under (see the Profile Synchronization Planning worksheet) or create a new managed account for the application pool to run under.

  8. In the Database Name and Authentication section, select the database server, database name, and authentication method for your new web application.

  9. If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.

  10. In the Service Application Connections section, select the service application connections that will be available to the web application.

  11. In the Customer Experience Improvement Program section, click Yes or No.

  12. Click OK to create the new web application.

  13. When the Application Created page appears, click OK.

Enter the name of the web application in the My Site web application row of the Profile Synchronization Planning worksheet. You will need this information later.

Create a managed path for My Site

If you want the My Site host and users' My Sites to be at a URL that does not already have a managed path, use the procedure in Define managed paths in SharePoint Server to create the My Site managed path in the My Site web application that you previously created. In most cases, the existing managed paths will be sufficient.

Create a My Site Host site collection

In this procedure, you create the site collection that will host users' My Sites. For more detailed instructions about how to create a site collection, see Create a site collection in SharePoint Server.

To create a My Site Host site collection

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the Application Management section, click Create site collections.

  3. On the Create Site Collection page, in the Web Application section, select the My Site web application (see the Profile Synchronization Planning worksheet).

  4. In the Title and Description section, type the title and description for the site collection.

  5. In the Web Site Address section, select the path of the URL for the My Site host. In most cases, you can use the root directory (/).

  6. In the Template Selection section, click the Enterprise tab, and then select My Site Host.

  7. In the Primary Site Collection Administrator section, type the user name (in the form <DOMAIN>\<user name>) for the user who will be the site collection administrator.

  8. In the Secondary Site Collection Administrator section, type the user name for the secondary administrator of the site collection.

  9. If you are using quotas to manage storage for site collections, in the Quota Template section, click a template in the Select a quota template list.

  10. Click OK.

The Top-Level Site Successfully Created page will appear when the My Site Host site collection is created. Enter this URL in the My Site Host site collection URL row of the Profile Synchronization Planning worksheet. Although you can click the link to browse to the root of the site collection, doing this results in an error because the user profile cannot be loaded. This behavior is to be expected; user profiles are not imported at this point.

Create a User Profile service application

In this procedure, you create the User Profile service application through which you will manage profile synchronization.

For more detailed instructions about how to create a User Profile service application, see Create a User Profile service application.

To create a User Profile Service application

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the Application Management section, click Manage service applications.

  3. On the Manage Service Application page, on the ribbon, click New, and then click User Profile Service Application.

  4. In the Name section, type the User Profile service application name (see the Profile Synchronization Planning worksheet).

  5. In the Application Pool section, select the application pool that the User Profile service application will run in (if it exists), or create a new application pool. (See the Profile Synchronization Planning worksheet.)

  6. Accept the default settings for the profile database, the synchronization database, and the social tagging database (unless you want different names), and specify failover servers if you are using them.

  7. In the Profile Synchronization Instance section, select the synchronization server (see the Profile Synchronization Planning worksheet).

  8. In the My Site Host URL section, enter the My Site Host site collection URL that you created in the previous step (see the Profile Synchronization Planning worksheet).

  9. In the My Site Managed Path section, enter the part of the path which, when appended to the My Site host URL, will give the path of users' My Sites (see the Profile Synchronization Planning worksheet). For example, if the My Site host URL is http://server:12345/ and you want each user's My Site to be at http://server:12345/personal/user-name, enter /personal for the My Site managed path. The managed path that you enter is created automatically. There does not already have to be a managed path with the name that you provide.

  10. In the Site Naming Format section, select a naming scheme.

  11. In the Default Proxy Group section, select whether you want the proxy of this User Profile Service to be a part of the default proxy group on this farm.

  12. Click Create.

  13. When the Create New User Profile Service Application page displays the message Profile Service Application successfully created, click OK.

To verify that the User Profile service application was created, refresh the Manage Service Applications page. You should see two entries whose value in the Name column is the name that you provided for the User Profile service application that you previously created. The first entry is the service application itself. The second entry is a connection (that is, a "proxy") to the service application.

Enable NetBIOS domain names for user profile synchronization by using PowerShell

If the NetBIOS name of any domain with which you are synchronizing differs from its fully qualified domain name, you must enable NetBIOS domain names on the User Profile service application. If all NetBIOS names are the same as the domain names, you may skip this procedure.

To enable NetBIOS domain names for user profile synchronization by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running PowerShell cmdlets.

    • You must read about_Execution_Policies.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

    Note

    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Permissions and Add-SPShellAdmin.

  2. Paste the following code into a text editor, such as Notepad:

    # Locate the User Profile service application by its display name,
    # turn on NetBIOS domain name support, and persist the change.
    $ServiceApps = Get-SPServiceApplication
    $UserProfileServiceApp = ""
    foreach ($sa in $ServiceApps) {
        if ($sa.DisplayName -eq "<UPSAName>") {
            $UserProfileServiceApp = $sa
        }
    }
    $UserProfileServiceApp.NetBIOSDomainNamesEnabled = 1
    $UserProfileServiceApp.Update()

  3. Replace <UPSAName> with the name of the User Profile service application.

  4. Save the file and add the .ps1 extension, such as EnableNetBIOS.ps1.

    Note

    You can use a different file name, but you must save the file as an ANSI-encoded text file whose extension is .ps1.

  5. Start the SharePoint 2013 Management Shell.

  6. Change to the directory where you saved the file.

  7. At the PowerShell command prompt, type the following command:

    & .\EnableNetBIOS.ps1

Note

We recommend that you use Microsoft PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Start the User Profile service

In this procedure, you start the User Profile service.

To start the User Profile service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the System Settings section, click Manage services on server.

  3. On the Services on Server page, in the Server box, select the synchronization server (see the Profile Synchronization Planning worksheet).

  4. Find the row whose Service column value is User Profile Service. If the value in the Status column is Stopped, click Start in the Action column.

Phase 1: Start the User Profile synchronization service

During this phase, you start the User Profile synchronization service.

This phase involves the following tasks:

  1. Start the User Profile synchronization service

  2. Remove unnecessary permissions

  3. Reset IIS

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server 2013.

Start the User Profile synchronization service

In this procedure, you start the User Profile synchronization service. The User Profile synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize information with external systems.

To start the User Profile synchronization service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the System Settings section, click Manage services on server.

  3. On the Services on Server page, in the Server box, select the synchronization server.

  4. Find the row whose Service column value is User Profile Synchronization Service. If the value in the Status column is Stopped, click Start in the Action column.

  5. On the User Profile Synchronization Service page, in the Select the User Profile Application section, select the User Profile service application.

  6. In the Service Account Name and Password section, the farm account is already selected. Enter the password for the farm account in the Password box, and enter it again in the Confirm Password box.

  7. Click OK.

The Services on Server page shows that the User Profile synchronization service has a status of Starting. When you start the User Profile synchronization service, SharePoint Server 2013 provisions FIM to participate in synchronization. This may take 10 minutes. To determine whether the User Profile synchronization service has started, refresh the Services on Server page.

If the User Profile synchronization service does not start, confirm that the farm account has the necessary permissions on the synchronization server. For more information about which permissions are required, see the Plan account permissions section of the article "Plan for profile synchronization."
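Rather than refreshing the Services on Server page by hand while FIM is provisioned, the service instance can be polled from the SharePoint 2013 Management Shell. The following script is an added example and is not part of the original article; the server name and the timeout are placeholders, and the service type name is the one SharePoint Server 2013 reports for the synchronization service instance.

```powershell
# Added example (not from the original article): poll the User Profile
# Synchronization Service instance on the synchronization server until it
# reports Online, or give up after a timeout.
# Assumptions: run inside the SharePoint 2013 Management Shell as a farm
# administrator; $SyncServer is a placeholder for your synchronization server.
$SyncServer     = "SPSYNC01"   # placeholder: name of the synchronization server
$TimeoutMinutes = 15           # provisioning normally completes in about 10 minutes

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$status   = $null

do {
    # Get-SPServiceInstance -Server returns every service instance on that server;
    # the synchronization service is identified by its TypeName.
    $instance = Get-SPServiceInstance -Server $SyncServer |
        Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }

    if (-not $instance) {
        throw "No User Profile Synchronization Service instance found on $SyncServer."
    }

    $status = $instance.Status   # Disabled, Provisioning, Online, ...
    Write-Host ("{0:HH:mm:ss}  User Profile Synchronization Service: {1}" -f (Get-Date), $status)

    if ($status -eq "Online") { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($status -ne "Online") {
    # The most common cause is missing farm account permissions on the sync server.
    Write-Warning ("The service did not reach Online within {0} minutes (last status: {1}). " +
                   "Confirm the farm account's permissions on {2} and review the ULS logs.") `
                   -f $TimeoutMinutes, $status, $SyncServer
}
```

A status that stays at Provisioning past the timeout, or falls back to Disabled, is the symptom the paragraph above describes, and the farm account's permissions on the synchronization server are the first thing to check.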

Remove unnecessary permissions

After you start the User Profile synchronization service, for day-to-day operations the farm account is not required to be a member of the Administrators group on the computer that is running the synchronization service. To improve the security of your SharePoint Server 2013 installation, remove the farm account from the Administrators group on the computer that is running the synchronization service. However, when you perform a backup of the User Profile application, the synchronization service provisions the User Profile application again. During the course of provisioning the User Profile application, the farm account must stop and start the synchronization service. To do this, the farm account must be a member of the Administrators group on the computer that is running the synchronization service. So, before you perform a backup, add the farm account to the Administrators group on the computer that is running the synchronization service. After the backup has finished running, you can remove the farm account from the Administrators group.
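Because the farm account must be added back before a backup and removed again afterwards, it is worth having a repeatable check for whether it currently holds local administrator rights on the synchronization server. The following script is an added example and is not part of the original article; it uses the WinNT ADSI provider, which is available on the Windows Server versions SharePoint Server 2013 runs on, and the farm account name is a placeholder.

```powershell
# Added example (not from the original article): report whether the farm
# account is a member of the local Administrators group on this server and,
# if so, remove it (the least-privilege state for day-to-day operation).
# Assumptions: run in an elevated PowerShell session on the synchronization
# server; $FarmAccount is a placeholder in DOMAIN\user form.
$FarmAccount = "CONTOSO\sp_farm"   # placeholder: your farm account

$domain, $user = $FarmAccount -split '\\', 2
$group = [ADSI]"WinNT://./Administrators,group"

# Enumerate the group's members and normalise each ADsPath
# (WinNT://CONTOSO/sp_farm) to DOMAIN\user form for comparison.
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

# -contains compares case-insensitively, matching how Windows treats account names.
if ($members -contains $FarmAccount) {
    Write-Host "$FarmAccount is a local Administrator on $env:COMPUTERNAME; removing."
    $group.Remove("WinNT://$domain/$user,user")
} else {
    Write-Host "$FarmAccount is not a local Administrator on $env:COMPUTERNAME; nothing to do."
}
```

Run the same check after a backup to confirm the account has been removed again; the temporary re-addition before the backup is done with the corresponding `$group.Add(...)` call or through the Computer Management console.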

To grant the farm account the Remote Enable permission to Microsoft FIM 2010

  1. On the server that is running the synchronization service, click Start.

  2. Click Run, type wmimgmt.msc, and then click OK.

  3. Right-click WMI Control, and then click Properties.

  4. In the WMI Control Properties dialog, click the Security tab.

  5. Expand the Root list, and then select the Microsoft FIM 2010 namespace MicrosoftIdentityIntegrationServer.

  6. Click the Security button.

  7. Add the farm account to the list of groups and users, and then in the Permissions for Authenticated Users box, select Allow for the Remote Enable permission.

  8. Click OK to dismiss the Security for ROOT\MicrosoftIdentityIntegrationServer dialog, and then click OK to dismiss the WMI Control Properties dialog.

Reset IIS

If the SharePoint Central Administration website and the User Profile synchronization service are running on the same server, you must reset IIS after the User Profile synchronization service starts. If they are running on different servers, you may skip this procedure.

To reset IIS

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. Start a Command Prompt with elevated privileges.

  3. In the User Account Control dialog, click Yes.

  4. In the Administrator: Command Prompt window, type iisreset and then press ENTER.

  5. When the message Internet services successfully restarted is displayed, close the Administrator: Command Prompt window.

Note

After you reset IIS, pages of Central Administration will take several seconds to load.

Phase 2: Configure connections and import data from directory services

To import profiles, you must have at least one synchronization connection to a directory service. During this phase, you create a synchronization connection to each directory service that you want to import profiles from. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Synchronizing after each connection will take longer, but doing this makes it easier to troubleshoot any problems that you might encounter.

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

This phase involves the following tasks:

  1. Create a synchronization connection to a directory service

  2. Define exclusion filters for a synchronization connection

  3. Map user profile properties

  4. Start profile synchronization

Create a synchronization connection to a directory service

In this procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. The information that you enter comes from the Connection Planning worksheet.

To create a Profile synchronization connection to a directory service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    1. On Central Administration, in the Application Management section, click Manage service applications.

    2. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronization Connections page, click Create New Connection.

  5. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.

  6. From the Type list, select the type of directory service to which you want to connect.

  7. Fill in the Connection Settings section according to the directory service to which you are creating a connection.

    For Active Directory Domain Services (AD DS), follow these steps:

    1. In the Forest name box, type the name of the forest.

    2. Do one of the following:

      • If there is only one domain controller in the forest, click Auto discover domain controller.

      • If there are multiple domain controllers in the forest, click Specify a domain controller and type the domain controller name in the Domain controller name box.

    3. In the Authentication Provider Type box, select the type of authentication provider.

    4. If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

      Tip

      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    5. In the Account name box, type the synchronization account.

    6. In the Password box, type the password for the synchronization account.

    7. In the Confirm Password box, type the password for the synchronization account again.

    8. In the Port box, enter the connection port.

    9. If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

      Important

      If you use an SSL connection, you must export the certificate of the domain controller from the Active Directory server and import the certificate into the synchronization server.

    For Novell eDirectory, Sun Java System Directory Server, or IBM Tivoli Directory Server (ITDS), follow these steps:

    1. In the Directory Service Server Name box, type the name of the directory service server.

    2. In the Authentication Provider Type box, select the type of authentication provider.

    3. In the Authentication Provider Instance box, select the authentication provider.

      The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

      Tip

      You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    4. In the Account name box, type the synchronization account in LDAP format, for example, uid=username,ou=ouname,dc=yourcompany,dc=Com.

    5. In the Password box, type the password for the synchronization account.

    6. In the Confirm Password box, type the password for the synchronization account again.

    7. In the Port box, enter the connection port.

    8. Verify that the Use SSL-secured connection check box is not selected. SSL connections are not supported for these directory services.

  8. In the Username attribute box, type the name of the attribute in the directory service that serves as the unique identifier of each profile.

  9. In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize.

  10. Click OK.
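The same AD DS connection can be created from the SharePoint 2013 Management Shell with the Add-SPProfileSyncConnection cmdlet, which is convenient when the connection settings from the Connection Planning worksheet must be applied identically across farms. The following script is an added example and is not part of the original article; the service application name, forest, NetBIOS domain, synchronization account and OU are placeholders, and the parameter names are those documented for Add-SPProfileSyncConnection (confirm them against the cmdlet reference for your build).

```powershell
# Added example (not from the original article): create an AD DS profile
# synchronization connection from PowerShell instead of Central Administration.
# Assumptions: run inside the SharePoint 2013 Management Shell as a farm
# administrator; every value below is a placeholder taken from the Connection
# Planning worksheet of a constructed example farm.
$UpaName  = "User Profile Service Application"   # placeholder: UPA display name
$Forest   = "contoso.com"                        # placeholder: forest name
$NetBios  = "CONTOSO"                            # placeholder: NetBIOS domain name
$SyncUser = "svc_spsync"                         # placeholder: synchronization account (no domain prefix)
$SyncOU   = "OU=Employees,DC=contoso,DC=com"     # placeholder: container to synchronize

# Prompt for the synchronization account password so it never appears in the
# script as plaintext; the cmdlet takes a SecureString.
$Password = Read-Host -Prompt "Password for $NetBios\$SyncUser" -AsSecureString

# Resolve the User Profile service application by type and display name.
$upa = Get-SPServiceApplication | Where-Object {
    $_.TypeName -eq "User Profile Service Application" -and $_.DisplayName -eq $UpaName
}
if (-not $upa) { throw "User Profile service application '$UpaName' was not found." }

# LDAP over SSL on port 636. As the Important note above says, the domain
# controller's certificate must first be trusted on the synchronization server.
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $Forest `
    -ConnectionDomain $NetBios `
    -ConnectionUserName $SyncUser `
    -ConnectionPassword $Password `
    -ConnectionSynchronizationOU $SyncOU `
    -ConnectionUseSSL $true `
    -ConnectionPort 636
```

Each call adds one organizational unit to the connection; repeat the call with a different -ConnectionSynchronizationOU to synchronize additional containers. Exclusion filters are not set by this cmdlet and are still defined in Central Administration as described in the next procedure.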

Define exclusion filters for a synchronization connection

In this procedure, you define filters for the connection to indicate which user profiles and which groups to exclude from synchronization. The information that you enter comes from the Connection Planning worksheet.

To define connection filters

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    1. On Central Administration, in the Application Management section, click Manage service applications.

    2. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronization Connections page, right-click the connection for which you want to configure User Profile synchronization connection filters, and then click Edit Connection Filters.

  5. On the Edit connection filters page, in the Exclusion Filters for Users section, select the operator to use to join the clauses of the filter.

    • To specify that all of the clauses of the filter must be true, select All apply (AND).

    • To specify that at least one of the clauses of the filter must be true, select Any apply (OR).

  6. In the Attributes list, select the directory service attribute to compare.

  7. In the Operator list, select the comparison operator to use.

    Note

    The operators that are available depend on the data type of the attribute that you selected. For a list of which operators are available for each data type, see Connection filter data types and operators in SharePoint Server 2013.

  8. In the Filter box, type the value to which you want to compare the attribute.

  9. Click Add.

    The clause that you added is displayed in the Exclusion Filter for Users area.

  10. To add clauses to the filter, repeat steps 5 through 9.

  11. To filter which groups are synchronized, repeat steps 5 through 9, using the Exclusion Filters for Groups section of the page.

  12. When you have finished adding connection filters, click OK.

Map user profile properties

In this procedure, you determine how the properties of SharePoint Server 2013 user profiles map to the user information that is retrieved from the directory service. You should have identified how you will map user profile properties on the User profile properties data sheet in the User Profile Properties worksheet.

You will come back to this procedure in later phases to map user profile properties to information that is retrieved from business systems and to map how user profile properties in SharePoint Server 2013 can be used to write information back to the directory service. If you have not yet reached these phases, ignore the parts of the procedure that deal with business systems and exporting data.

To map user profile properties

  1. Verify that the user account that is performing this procedure has the following credentials:
  • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

  • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  1. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

  2. On Central Administration, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, select the User Profile service application.

  4. On Central Administration, on the Manage Profile Service page, in the People section, click Manage User Properties.

  5. On the Manage User Properties page, right-click the SharePoint Server 2013 property that you want to map to a directory service property, and then click Edit.

  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.

  7. To add a new mapping, do the following:

  8. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the external system to which you want to map the SharePoint Server 2013 property.

  9. In the Attribute list, select the name of the attribute in the external system to which you want to map the property.

    Tip

    You can only map a user profile property to an attribute of an external system if the data types are compatible. If an attribute that you want to map to a user profile is not listed when you try to create a new mapping, it might be due to a data type mismatch between the user profile property and the attribute. For more information about which data types are compatible, see User profile property data types in SharePoint Server 2013.

  10. In the Direction list, select the mapping direction.

    A direction of Import means that the value of the attribute in the external system will be imported into SharePoint Server 2013 and used to set the value of the SharePoint Server 2013 property. A direction of Export means that the value of the property in SharePoint Server 2013 will be exported to the external system and used to set the value of the attribute in the external system.

    Note

    You cannot edit a mapping. To change the direction of a mapping, you must first remove the mapping with the old direction, and then create a mapping in the new direction and add the mapping.

  11. Click Add.

  12. Click OK.

  13. Repeat steps 4 through 7 to map additional properties.

Start profile synchronization

Use this procedure to synchronize profile information between SharePoint Server 2013 and external systems such as directory services or business systems.

To start profile synchronization

  1. Verify that the user account that is performing this procedure has the following credentials:

  • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

  • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  1. If you have already imported users or created My Sites, and you have enabled NetBIOS domain names, you must disable the My Site cleanup timer job before you start profile synchronization.

Note

For information about this timer job, see Default timer jobs in SharePoint Server 2013. For information about the PowerShell cmdlets that you use to enable and disable this timer job, see SharePoint Server cmdlet reference.

  1. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

  2. On Central Administration, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, select the User Profile service application.

  4. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

  5. On the Start Profile Synchronization page, select Start Full Synchronization if this is the first time that you are synchronizing or if you have added or changed any synchronization connections or property mappings since the last time that you synchronized. Select Start Incremental Synchronization to synchronize only information that has changed since the last time that you synchronized.

  6. Click OK.

    The Manage Profile Service page is displayed.

  7. If you intend to enable the My Site cleanup timer job, complete these additional steps before you enable the job:

  8. Run profile synchronization again as described in this section.

  9. After the second profile synchronization has finished running, on Central Administration, in the Application Management section, click Manage service applications.

  10. Click the User Profile Service Application name, and then click Manage User Profiles.

  11. On the Manage Profile Service page, in the People section, click Manage User Profiles.

  12. Next to View, select Profiles Missing from Import.

  13. In the Find Profiles box, type the domain for the profiles, and then click Find.

  14. For each profile that is returned, check the originating directory service, such as Active Directory, for the status of that profile. If the status of any of the returned profiles in the directory is not disabled or is not deleted, do not enable the My Site cleanup timer job. Contact Microsoft support for more assistance. Otherwise, enable the My Site cleanup timer job. For information about the PowerShell cmdlets that you use to enable and disable this timer job, see the SharePoint Server cmdlet reference.

A full synchronization can take a long time. If you refresh the Manage Profile Service page, the right side of the page displays the progress of the synchronization job. Be aware that profile synchronization consists of several stages, and the profiles will not be imported immediately. The Manage Profile Service page is not refreshed automatically as synchronization progresses.
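The following SharePoint 2013 Management Shell script is an added example, not code from the article or from Microsoft: it disables the My Site cleanup timer job before the synchronization runs described above and re-enables it only after the "Profiles Missing from Import" review is clean. The display-name filter and the use of the farm-wide timer job list are assumptions; confirm the job's name with Get-SPTimerJob in your farm first.

```powershell
# Added example: pause the My Site cleanup timer job around a profile
# synchronization run (SharePoint Server 2013 Management Shell).
# Assumption: the job's display name contains "My Site Cleanup"; verify with
#   Get-SPTimerJob | Where-Object { $_.DisplayName -like "*My Site*" }
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MySiteCleanupJob {
    # Match on the display name rather than a hard-coded internal name,
    # and refuse to continue unless exactly one job matches.
    $jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like "*My Site Cleanup*" })
    if ($jobs.Count -ne 1) {
        throw "Expected exactly one My Site cleanup job, found $($jobs.Count). Check the name filter."
    }
    return $jobs[0]
}

# Step 1: disable the job and remember whether it was enabled beforehand.
$job = Get-MySiteCleanupJob
$wasEnabled = -not $job.IsDisabled
if ($wasEnabled) {
    Disable-SPTimerJob -Identity $job
    Write-Host "Disabled timer job '$($job.DisplayName)' (id $($job.Id))."
}

# Step 2: run profile synchronization (twice, as the article requires) from
# Central Administration, then review the 'Profiles Missing from Import' view.
Read-Host "Run profile synchronization, review profiles missing from import, then press Enter"

# Step 3: re-enable the job only if it was enabled before and every missing
# profile was confirmed disabled or deleted in the source directory.
$answer = Read-Host "Were all profiles missing from import disabled or deleted in the directory? (y/n)"
if ($wasEnabled -and $answer -eq "y") {
    Enable-SPTimerJob -Identity (Get-MySiteCleanupJob)
    Write-Host "Re-enabled the My Site cleanup timer job."
} else {
    Write-Host "Leaving the My Site cleanup timer job disabled; investigate before enabling it."
}
```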

Phase 3: Configure connections and import data from business systems

You can import data from a business system, such as a personnel system or a financial system, and use that data to add properties to existing user profiles. You should already have created an external content type that brings the information from the external system into SharePoint Server 2013. For more information about how to create an external content type to synchronize with a business system, see Plan profile synchronization for SharePoint Server 2013.

This phase is optional.

You must be a farm administrator, or an administrator of both the User Profile service application and the Business Data Connectivity service application, to perform these procedures. If you are not a farm administrator, start each procedure at the Manage Profile Service page.

This phase involves the following tasks:

  1. Give the User Profile service application permission to use the external content type

  2. Configure a Business Data Connectivity synchronization connection

  3. Add or edit user profile properties

  4. Import data

Give the User Profile service application permission to use the external content type

Use this procedure to give the farm account permission to execute operations on the external content type. For more information about how to set permissions on an external content type, see Set permissions on an external content type.

Note

Business Connectivity Services uses the permissions on the external content type and the permissions on the business system to determine authorization rules. You must make sure that the farm account also has permission to access the business system. For more information about authentication and permissions, see Overview of Business Connectivity Services security tasks in SharePoint Server.

To give the User Profile service application permission to use the external content type

  1. Verify that the user account that is performing this procedure has the following credentials:

  • The user account that performs this procedure is a farm administrator or an administrator of the Business Data Connectivity service application.

  • The user account that performs this procedure has Set Permissions permission on the external content type with which you are synchronizing.

  1. If the user account that is performing this procedure is a farm administrator, complete this step. Otherwise, if the user account is not a farm administrator, go to the next step:

  • On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  1. On Central Administration, on the Manage Service Applications page, select the Business Data Connectivity service application.

  2. Select the check box of the external content type that represents the information with which you want to synchronize.

  3. In the Permissions group, click Set Object Permissions.

  4. In the box, type the farm account, and then click Add.

  5. In the Permissions for <account> box, select Execute.

    Note

    If the farm account is the only account that is listed in the Permissions for <account> box, you must also give the farm account Set Permissions to the external content type. At least one user, group, or claim in the external content type's access control list must have the Set Permissions permission.

  6. Click OK.

  7. Verify that the "Propagate permissions to all methods of this external content type. Doing so will overwrite existing permissions." check box is selected.

  8. Repeat these steps to set permissions on additional external content types.
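The same permission grant can be scripted in the SharePoint 2013 Management Shell. This is an added example, not part of the article or of Microsoft's documentation; the external content type name, its namespace and the site URL used to build the service context are placeholders to replace with values from your Connection Planning worksheet.

```powershell
# Added example: grant the farm account Execute (and Set Permissions) on an
# external content type, then propagate the ACL to the type's methods, which is
# the scripted equivalent of the Central Administration steps above.
# Assumptions: $ectName, $ectNamespace and $siteUrl are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ectName      = "Employee"                        # placeholder ECT name
$ectNamespace = "http://bcs.example.com"          # placeholder ECT namespace
$siteUrl      = "http://sharepoint.example.com"   # any site in the farm; only used for the service context

# Resolve the external content type from the Business Data Connectivity metadata store.
$ctx = Get-SPServiceContext -Site $siteUrl
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
        -Name $ectName -Namespace $ectNamespace -ServiceContext $ctx
if (-not $ect) { throw "External content type '$ectName' not found in namespace '$ectNamespace'." }

# Profile synchronization calls the ECT as the farm account, so that is the principal to grant.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$principal   = New-SPClaimsPrincipal -Identity $farmAccount -IdentityType WindowsSamAccountName

# Execute lets the User Profile service run the ECT's operations. SetPermissions is
# granted as well because at least one ACL entry must hold it (see the note above).
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $principal -Right Execute,SetPermissions

# Same effect as the "Propagate permissions to all methods ..." check box:
# overwrite the ACL on every method of this external content type.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect

Write-Host "Granted Execute and SetPermissions on '$ectName' to $farmAccount and propagated to its methods."
```

Re-run the script for each external content type that the User Profile service will synchronize with, as step 8 above requires.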

Configure a Business Data Connectivity synchronization connection

In this procedure, you create a connection for each external content type. The connection specifies how the business system data relates to the profile properties. The information that you enter comes from the Connection Planning worksheet.

To create a User Profile synchronization connection

  1. Verify that the user account that is performing this procedure has the following credentials:

  • The user account that performs this procedure is a farm administrator or an administrator of both the User Profile service application and the Business Data Connectivity service application.

  1. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

  2. On Central Administration, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, select the User Profile service application.

  4. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  5. On the Synchronizations Connections page, click Create New Connection.

  6. On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.

  7. From the Type list, select Business Data Connectivity.

  8. In the Business Data Connectivity Entity box, type the name of the external content type.

    Tip

    If you do not know the name of the external content type, click the Select External Content Type button to see all external content types. Select the external content type from the list, and then click OK.

  9. If each user profile maps to only one external content type instance, do the following:

  10. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:1 mapping.

  11. In the Return items identified by this profile property list, select the user profile property that is used to match user profiles to external content type instances. The user profile property and the external content type identifier define the 1:1 relationship between the user profiles and the external content type, and are used to make sure that the imported properties are applied to the correct user profile.

    Tip

    The Return items identified by this profile property list returns all user profile properties that have a similar data type to the external content type identifier.

  12. If a user profile can map to multiple external content type instances, do the following:

  13. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:many mapping.

  14. In the Filter items by list, select the filter that is used to find the set of external content type instances that apply to a user profile.

    Note

    The Filter items by list displays all filters that are defined in the external content type.

  15. In the Use this profile property as the filter value list, select the user profile property that is used to match user profiles to external content type instances.

  16. Click OK.

  17. Repeat steps 4 through 10 to add more connections.

Add or edit user profile properties

Before you can import the business system data, you must specify how the business system data maps to the user profile properties. The User profile properties data sheet in the User profile properties worksheet lists the business system properties that you want to import and how those properties map to the profile properties in the SharePoint Server 2013 profile store.

Follow the procedure in the Map user profile properties section to map additional user profile properties. If the data maps to an existing user profile property, edit the property and add a new mapping. If the data does not map to an existing user profile property, add a new custom property and then map the property.

Import data

To import data from the business system, you must perform a full synchronization. Follow the procedure in the Start profile synchronization section to start a full synchronization.

Phase 4: Configure connections and export data to directory services

In previous phases, you configured the profile synchronization connections that you must have. To write profile information back to a directory service, you map the profile properties to attributes in the directory service by using a mapping direction of Export. The next time that profile synchronization runs, properties will be imported and exported according to the mappings that you configured.

Note

Although you can import profile data from business systems by using the Business Connectivity Service, you cannot export profile data to business systems.

This phase is optional.

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

Do not create a new synchronization connection to export properties. To export properties to a directory service, use the same synchronization connection that you created to import properties from the directory service. You cannot use a synchronization connection only to export properties.

Follow the procedure to Map user profile properties again, this time selecting Export for the mapping direction. The properties that you map will be exported from SharePoint Server 2013 to the directory service whose connection you select.

Follow the procedure to Start profile synchronization again, this time selecting to do an incremental synchronization. The values of any SharePoint Server 2013 profile properties that were mapped to be exported to directory service attributes will be updated.

Note

For certain directory services, additional permissions may be required to write data back to the directory service. Review the information in the Plan account permissions section of the "Plan for profile synchronization" article, and make sure that the synchronization account has the necessary permissions.

Acknowledgements

The SharePoint Server 2013 Content Publishing team thanks Spencer Harbar, Enterprise Architect, for contributing to this article. His blog can be found at http://www.harbar.net.

See also

Concepts

Manage user profile synchronization in SharePoint Server

Schedule profile synchronization in SharePoint Server

Plan profile synchronization for SharePoint Server 2013