Wednesday, April 22, 2015

Powershell cmdlets to compare user's AD attributes with SharePoint user profile

When troubleshooting SharePoint user identity related issues such as UPN and SID values, it is extremely helpful to compare the values in SharePoint with those in AD, since SharePoint synchronizes users' AD attributes through the User Profile Service. One example is that some users changed their AD UPN from to and we are not sure whether this will have any impact on SharePoint. In this blog, we provide the PowerShell to query both AD and the SharePoint user profile.

You could use Active Directory Explorer to view a user's AD attributes, but for automation it is easier to use the Active Directory cmdlets in Windows PowerShell. If you have never used the Active Directory cmdlets, verify that the feature is installed with the following PowerShell.

Get-WindowsFeature | where DisplayName -like "*active dir*"

Get-WindowsFeature RSAT-AD-PowerShell

You could follow the instructions here to enable the AD PowerShell RSAT feature, or enable it with the following PowerShell command.
Add-WindowsFeature RSAT-AD-PowerShell

This is a simple example of getting an AD user through the user CN. Please note that this will NOT work if you have multiple AD domains, because it only queries the current domain.

Import-Module ActiveDirectory
Get-Module -ListAvailable          # confirm the ActiveDirectory module is present
$wUser = "userid"                  # -Identity accepts a sAMAccountName, distinguished name, GUID or SID
$aduser = Get-ADUser -Identity $wUser   # returns UserPrincipalName and SID by default


This is a simple example of getting an AD user through the user CN that works across multiple AD domains. It also includes deleted users.
$usercn = "userid"

# The negated clause needs its own parentheses: "(!objectclass=computer)" is not a valid LDAP filter.
$ldapfilter = "(&(objectClass=user)(!(objectClass=computer))(cn=" + $usercn + "))"

# -Server takes a domain controller and port; querying the Global Catalog port (3268) searches the whole forest.
$users = Get-ADObject -LDAPFilter $ldapfilter -Server "ADController:portnumber" -IncludeDeletedObjects -Properties DisplayName, userPrincipalName, cn


In order to get a SharePoint user's attributes, you need to configure the UPS and complete a full sync. You could use the following PowerShell to retrieve the user's profile and read the UPN from it.


Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$userID = "domain\userid"   # account name as stored in the profile; in a claims web application this is the claims-encoded form, e.g. i:0#.w|domain\userid
$ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$spsite = $ca.Url
$site = Get-SPSite $spsite
$context = Get-SPServiceContext $site
$upsa = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
# Match on AccountName; $spProfile is used instead of $profile so PowerShell's automatic $profile variable is not overwritten
$spProfile = $upsa.GetEnumerator() | Where-Object { $_.AccountName -eq $userID }

If you find that the UPN values differ after the UPN was changed in AD, you need to run a UPS full sync to bring the changes into SharePoint.
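Putting the AD query and the user profile lookup above together, here is an added example (not code from the original post) that compares a user's AD UPN and SID with the values the UPS synced into the SharePoint profile and reports whether a full sync is needed. It assumes the RSAT AD cmdlets and the SharePoint snap-in are available on the server, that the profile account name is passed in the form the profile stores (for example the claims-encoded "i:0#.w|contoso\jdoe"), and that the profile properties are named "SPS-UserPrincipalName" and "SID" (SharePoint 2013 defaults; adjust for your farm).

```powershell
# Added example: compare AD UPN/SID with the SharePoint user profile for one user.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Compare-ADWithSPProfile {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # e.g. "jdoe" (assumed sample value)
        [Parameter(Mandatory)][string]$ProfileAccountName  # e.g. "i:0#.w|contoso\jdoe" (assumed sample value)
    )
    # AD side: SID and UserPrincipalName are returned by Get-ADUser by default.
    $adUser = Get-ADUser -Identity $SamAccountName

    # SharePoint side: get the UPS manager from the Central Administration service context.
    $ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $context = Get-SPServiceContext (Get-SPSite $ca.Url)
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

    if (-not $upm.UserExists($ProfileAccountName)) {
        # No profile yet: the user has never been imported, so a full sync is required anyway.
        return [pscustomobject]@{ Account = $ProfileAccountName; Status = "NoProfile" }
    }
    $spProfile = $upm.GetUserProfile($ProfileAccountName)

    # Property names are assumed SharePoint 2013 defaults.
    $spUpn    = [string]$spProfile["SPS-UserPrincipalName"].Value
    $spSidRaw = $spProfile["SID"].Value
    # The SID property may be stored as raw bytes; convert to the S-1-5-... string form for comparison.
    if ($spSidRaw -is [byte[]]) {
        $spSid = (New-Object System.Security.Principal.SecurityIdentifier($spSidRaw, 0)).Value
    } else {
        $spSid = [string]$spSidRaw
    }

    $upnMatch = ($adUser.UserPrincipalName -eq $spUpn)   # -eq on strings is case-insensitive, fine for UPNs
    $sidMatch = ($adUser.SID.Value -eq $spSid)
    $status   = if ($upnMatch -and $sidMatch) { "InSync" } else { "NeedsFullSync" }

    [pscustomobject]@{
        Account  = $ProfileAccountName
        AdUpn    = $adUser.UserPrincipalName
        SpUpn    = $spUpn
        UpnMatch = $upnMatch
        AdSid    = $adUser.SID.Value
        SpSid    = $spSid
        SidMatch = $sidMatch
        Status   = $status
    }
}

Compare-ADWithSPProfile -SamAccountName "jdoe" -ProfileAccountName "i:0#.w|contoso\jdoe" | Format-List
```

Run it on the server hosting the UPS application with an account that has Full Control on the User Profile Service Application; a "NeedsFullSync" result for a user whose UPN was just changed in AD is expected until the next full sync completes.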