User profile synchronization: importing users and security groups in SharePoint 2010

Problem:

The User Profile Service is not synchronizing the users of security groups. You have a bunch of users in AD and have assigned them to groups. Now you want to use User Profile Synchronization to import those users simply by checking the relevant security groups. But importing users and security groups this way doesn’t work: the users in the groups are not imported.

Solution:

Change your expectations.

Background:

So you’ve correctly set up UPS as outlined here and are at the point of configuring your synchronization connections. You go to Application Management > Manage Service Applications > User Profile Service Application (or whatever you named it) > Configure Synchronization Connections (under Synchronization). It looks like this:

AD Connection example

After clicking “Populate,” the domain’s users and computers are shown. They look like this:

Security Groups
These groups contain AD Users

Expectation:

The expectation is that by checking OUs containing security groups (which in turn contain users), the User Profile Service will sync those groups and import all the users in them. But UPS imports only the user objects contained within a selected OU, as shown below; for any groups that are selected, it imports only information about the group and its membership:

AD Users

This fact, if it is a fact, is not documented clearly, prominently, or consistently either way. For example, the section “Create a synchronization connection to a directory service” in Microsoft’s Technet article on how to Configure profile synchronization (SharePoint Server 2010) says nothing about what the containers must contain:

In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize.

But, the section, “Synchronizing groups,” in Technet’s Profile synchronization overview tells us in stilted language that only information about the groups and their members is imported:

If you synchronize groups in addition to users, SharePoint Server 2010 imports information about the groups that exist in the directory service containers that you are synchronizing with, as well as about which SharePoint Server 2010 users are members of these groups.

The final word, still roundabout, is embedded deep inside this Technet article on Plan for profile synchronization (SharePoint Server 2010). It contains this disclaimer:

Synchronizing a group does not create a profile for the group, and does not cause any additional user profiles to be created.

That entire section is worth reading.

Recommendation:

Choose a container of users. Use “Audiences.” Under Application Management > Manage Service Applications > User Profile Service Application (or whatever you named it) > Manage Audiences, create audiences that are mapped to AD groups.
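Before ticking containers under “Populate Containers,” it helps to know what each OU actually holds, since only user objects become profiles while groups yield membership information only. The following PowerShell pre-flight check is an added example, not code from the original post or from Microsoft; it assumes a domain-joined machine with read access to AD, and the OU distinguished names are placeholders.

```powershell
# Added example: count user and group objects under each OU you plan to
# select for the UPS synchronization connection. Users in the OU become
# profiles; groups in the OU only contribute membership information.
# Uses System.DirectoryServices directly, so no RSAT module is required.

$containers = @(
    'OU=Staff,DC=corp,DC=example',          # placeholder: an OU of user accounts
    'OU=SecurityGroups,DC=corp,DC=example'  # placeholder: an OU of security groups
)

function Get-AdObjectCount {
    param(
        [string]$SearchBase,   # distinguished name of the OU to inspect
        [string]$LdapFilter    # LDAP filter selecting the object type
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $LdapFilter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # paged search so large OUs are counted fully
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return $searcher.FindAll().Count
}

foreach ($dn in $containers) {
    # objectCategory=person AND objectClass=user excludes computer accounts.
    $users  = Get-AdObjectCount -SearchBase $dn -LdapFilter '(&(objectCategory=person)(objectClass=user))'
    $groups = Get-AdObjectCount -SearchBase $dn -LdapFilter '(objectClass=group)'

    if ($users -eq 0 -and $groups -gt 0) {
        $verdict = 'groups only: membership info imported, no profiles created'
    } elseif ($users -gt 0) {
        $verdict = "up to $users profiles will be created"
    } else {
        $verdict = 'no users or groups found'
    }
    "{0}`n  users={1} groups={2} -> {3}" -f $dn, $users, $groups, $verdict
}
```

An OU that reports “groups only” is one whose users will not be imported no matter how many of its groups you check; select the OU that holds the user accounts instead and map the groups to audiences.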

2 comments

  1. John says:

    Interesting article Paul. I have an installation of SharePoint 2010 which includes 150,000 users and about 7,000 groups. In attempting to synchronize them the users alone takes a few hours but when the groups are added for synchronization the whole process takes 3-4 days.

    Do you have any suggestions on what may be causing the terrible performance when importing the groups? Does the “information about” groups that is imported have some bearing on performance?

    Any help would be appreciated.

    • smallcity says:

      I confess I will probably not be able to shed more light on this.

      You’ve probably read this:

      If you synchronize groups in addition to users, SharePoint Server 2010 imports information about the groups that exist in the directory service containers that you are synchronizing with, as well as about which SharePoint Server 2010 users are members of these groups. Each time that you synchronize, SharePoint Server 2010 updates the group and membership information. Groups do not have profiles, and you cannot manipulate them by using SharePoint Server. You must manage groups and their membership in the directory service itself. Within SharePoint Server, groups are only used to create audiences (see Audience and content targeting planning (SharePoint Server 2010)) and to display which memberships a visitor has in common with the person whose My Site the person is visiting (see My Sites overview (SharePoint Server 2010)).

      In particular, “Within SharePoint Server, groups are only used to create audiences”… so I would begin looking at how your audiences are configured. Sorry not more help.
