SharePoint Saturday Dayton – Wrangling the User Profile Service

SharePoint Saturday
Dayton, Ohio
June 30, 2012
Wrangling The User Profile Service
James Grizzle
Senior Consultant – Cardinal Solutions
General Information
• Tweet it Out!!
– Hashtag for this event: #SPSDayton
– Follow us: @SPSDayton
– Include your presenters
• Check out SPTV
– Tweets will display throughout the day on the
screens.
– Footage will be shown at http://mysp.tv
Overview
• Setting up the User Profile Service
• Debugging the UPS (and sync)
• Advanced UPS Features and Customizations
Assumptions
– No Farm Config Wizard
– Using Active Directory
– Domain Accounts
– NetBIOS name is the same as the FQDN
– Users in AD
Permissions
• Farm Account
– Log on Locally (Set first)
– Administrator (Only during Provisioning)
• Sync Account
– Replicating Directory Changes Permissions
• Content Access Account
• User Profile Service Account
Demo
Errors
• Add NETWORKSERVICE to WSS_WPG group
Plan Sync
• Plan Profile Properties
• Plan OUs to Sync
• Plan Sync Connection Filters
• Sync Back?
AD to SharePoint Property Mapping
| Property Display Name | Property Name Value | Custom Prop | Custom AD Prop | Mapped To (AD Property) | Originally Mapped To | Shows on Profile Page | Replicable to Sites |
|---|---|---|---|---|---|---|---|
| Corp ID | CorpID | Yes | No | employeeID | | Yes | Yes |
| Name | PreferredName | No | No | cn | displayName | Yes | Yes |
| Work phone | WorkPhone | No | Yes | otherTelephone | telephoneNumber | Yes | Yes |
| Fax | Fax | No | No | facsimileTelephoneNumber | | Yes | Yes |
| Address | Address | Yes | No | streetAddress | | No | No |
| Building | Building | Yes | No | Street | | No | No |
| City | City | Yes | No | l | | No | No |
| State | State | Yes | No | st | | No | No |
| Zip Code | ZipCode | Yes | No | postalCode | | No | No |
| Division | Division | Yes | No | division | | Yes | Yes |
Advanced Sync Topics
• Map custom AD attributes
• User Profile sub-types
• Create advanced profile import filters
– Multiple And / OR
– CANNOT GO BACK TO CA UI!!!!
• FIM
• Global Audiences
Demo
Diagnosing Common Issues
• FIM
• 99% of the time, permissions are the issue
– Farm Account must be local admin during the sync
– Farm Account must have “Allow Log on Locally”
– Sync Account needs “Replicating Directory Changes” permission in AD
• IISRESET, Logon / Logoff, and Restart SharePoint Timer Service before starting the UPSA
• IISRESET after starting the UPSA
Sync Issues – Domain Permissions
• FIM
• Status – Stopped-connectivity
• Connection Status – Failed search
• Replicating Directory Changes Permissions
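A check for the permission behind these failures, as an added example that is not part of the original slides: it lists the accounts holding direct "Replicating Directory Changes" grants on the domain root and compares the sync account against them. The account name CONTOSO\sp_upssync is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit replication rights on the domain root for the UPS sync account.
Import-Module ActiveDirectory

# Placeholder account name (assumption); use the account set on the sync connection.
$SyncAccount = 'CONTOSO\sp_upssync'

# Control access right GUIDs as defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Read the ACL of the domain naming context and keep only the Allow ACEs
# that grant one of the replication rights above.
$domainDn = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $ExtendedRight) -and
    $ReplRights.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object {
    New-Object PSObject -Property @{
        Trustee   = $_.IdentityReference.Value
        Right     = $ReplRights[$_.ObjectType.ToString()]
        Inherited = $_.IsInherited
    }
}

# Full list of trustees, so unexpected holders of the right stand out.
$aces | Sort-Object Right, Trustee |
    Format-Table Trustee, Right, Inherited -AutoSize

# Only ACEs naming the account directly are matched; grants that arrive
# through group membership are not resolved here.
$held = @($aces | Where-Object { $_.Trustee -eq $SyncAccount } |
    ForEach-Object { $_.Right })

if ($held -notcontains 'Replicating Directory Changes') {
    Write-Warning "$SyncAccount has no direct 'Replicating Directory Changes' grant on $domainDn."
}
if ($held -contains 'Replicating Directory Changes All') {
    Write-Warning "$SyncAccount also holds 'Replicating Directory Changes All', which is more than the permission listed for the sync account."
}
```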
FIM - Connection Log
Tips
• Add a link to the User Profile Service and Search Service on the resources list on the homepage, and possibly on the Top Link bar
• Install SP1 and the August 2011 CU at least
– April CU refresh offers even better UPS goodies
Gotchas
• Oct 2011 CU breaks profile photos.
• Sync Database size
– Fixed in April CU (be careful of the version of April CU since it was rescinded by Microsoft – new v .5006)
– Also can be handled by deleting the Sync DB and reprovisioning UPA.
• Remember the Sync DB is only a staging environment
• Keep the social and profile DBs!
• Politics
– Who owns the identities, does the data come from multiple teams, how will the connections work, if you do write-back, who becomes the authoritative source?
Resources
• Rational Guide to implementing UPS
http://www.harbar.net/articles/sp2010ups.aspx
• Stuck on Starting – Common Sync Issues
http://www.harbar.net/articles/sp2010ups2.aspx
• Creating User Profile Sync Filters
http://www.harbar.net/archive/2011/02/22/323.aspx
• Mapping User Profile Properties to LDAP attributes
http://blogs.msdn.com/b/tehnoonr/archive/2010/11/22/mapping-user-profile-properties-in-sharepoint-2010-to-ldap-attributes.aspx
• User Profile Sub Types
https://www.nothingbutsharepoint.com/sites/eusp/Pages/Applied-SharePoint-2010-Governance-Part-3-User-Profile-Sub-Types.aspx
Questions and Evals…
• Fill out your evaluations to receive
– Parking Pass
– SPS Dayton T-Shirt
Brixx Ice Co.
500 East First St., Dayton