Friday, August 9, 2013

Suggestions to leverage new SharePoint 2013 Active Directory Import feature for SharePoint User Profile Service Application



The SharePoint 2010 User Profile Service uses FIM to sync with AD, and we have experienced not only performance issues but also stability issues caused by Windows security patches. In SharePoint 2013, there are now three methods. Active Directory Import is one of the new features in SharePoint 2013; it allows you to import users from Active Directory into your SharePoint User Profile Service Application, as described in the following picture.





There are many benefits when you use the Active Directory Import feature.

  • No dependency on FIM, so it is not vulnerable to Windows security patches
  • Extremely fast performance in comparison to the FIM approach
  • No need to configure User Profile Synchronization Service
  • Get up and running quickly and easily, especially to enable key “social” scenarios in SharePoint 2013
  • Windows, FBA and claims are all supported
  • Other benefits are listed in harbar.net

 
You can follow the procedure published by Microsoft to configure the SharePoint 2013 Active Directory Import feature for the SharePoint User Profile Service Application. Before you start to use this new feature, you need to understand the limitations listed here.

  • Does not process links across forests via the AD contact object
  • Mapping multi value to single value or vice versa is not supported
  • Mapping to system SharePoint properties is not supported - those that begin with “SPS-”
  • Mapping two different AD attributes to the same SharePoint property is not supported
  • It does not support importing additional user properties from BDC
  • Cannot import from any other user repository than AD (no LDAP support)


At this time, one showstopper for us is that we are not able to import thumbnailPhoto from AD to SharePoint using the Active Directory Import feature. This is similar to the issue reported by others. This is as designed by Microsoft, and you need to find a different way to sync pictures. You could leverage the Exchange picture and sync the pictures to SharePoint, as described in a different blog.

As a result, my suggestion is that you should leverage the new SharePoint 2013 Active Directory Import feature if you do not need to import pictures or have a different process to import pictures. Otherwise, you would still need to use the SharePoint User Profile Service Application through FIM to sync AD, as in SharePoint 2010. We are switching to SharePoint 2013 Active Directory Import and syncing the pictures from Exchange.

There is an issue where AD import does not clean up deleted users/groups. This has been reported by Microsoft support. The workaround is to run PowerShell commands to purge deleted users and groups.

Another tip is that you can verify the synced users in the UPS_Profile database table UserProfile_Full, and the synced groups in the table MemberGroup.

You may add a filter to exclude computers and system accounts, like this:

(&(|(objectclass=user)(objectclass=group))(!cn=HealthMailbox*)(!cn=SQLAgent*)(!objectclass=computer))
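To check what a filter like this lets through before it goes into the import connection, the following added example (not part of the original post) evaluates the post's filter against constructed directory entries. It shows why the objectclass=computer exclusion matters: computer accounts also carry the user object class. The entries and the function names are assumptions made for the illustration.

```python
import re
# Filter from the post; its "(!attr=value)" negation is the short form of "(!(attr=value))".
FILTER = ("(&(|(objectclass=user)(objectclass=group))"
          "(!cn=HealthMailbox*)(!cn=SQLAgent*)(!objectclass=computer))")

# Constructed sample entries. A computer account also carries objectClass "user".
ENTRIES = [
    {"cn": ["Jane Doe"], "objectclass": ["top", "person", "user"]},
    {"cn": ["SP-Owners"], "objectclass": ["top", "group"]},
    {"cn": ["WS01"], "objectclass": ["top", "person", "user", "computer"]},
    {"cn": ["HealthMailbox1a2b3c"], "objectclass": ["top", "person", "user"]},
    {"cn": ["SQLAgent$PROD"], "objectclass": ["top", "person", "user"]}]

def leaf(text):
    attr, _, pattern = text.partition("=")
    # "*" is the only wildcard; every other character is matched literally.
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return ("=", attr.lower(), re.compile(rx, re.IGNORECASE))

def parse(s, i=0):
    # Parse the parenthesised filter starting at s[i]; return (node, next index).
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op, kids, i = s[i + 1], [], i + 1
    if op in "&|!":
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if op == "!" and not kids:      # short form: (!attr=value)
            end = s.index(")", i)
            kids, i = [leaf(s[i:end])], end
        node = (op, kids)
    else:
        end = s.index(")", i)
        node, i = leaf(s[i:end]), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "=":
        return any(node[2].fullmatch(v) for v in entry.get(node[1], []))
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def imported(filter_text=FILTER, entries=ENTRIES):
    tree, _ = parse(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

Calling imported() with the post's filter keeps only the regular user and the group; dropping the computer clause lets the workstation account through as well.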

There are some issues with the selection of the AD from the UI. You need to close and reopen the AD selection session to verify whether the selection has persisted.



2 comments:

  1. Hi Harry,

    Has Microsoft gotten back to you about the AD import of thumbnailPhoto issue yet?

  2. Ditto, any word on the AD Import and thumbnailPhoto import issue being resolved?
