The user profile service is not synchronizing security group users. You have a bunch of users in AD and have assigned them to groups. Now you want to use the User Profile Sync to import those users simply by way of checking various security groups. But importing users and security groups doesn’t work. The users in the groups are not imported.
Change your expectations.
So you’ve correctly set up UPS as outlined here and are at the point of configuring your synchronization connections. You go to Application Management > Manage Service Applications > User Profile Service Application (or whatever you named it) > Configure Synchronization Connections (under Synchronization). It looks like this:
After clicking “Populate,” the domain’s users and computers are shown. They look like this:
The expectation is that by checking OUs containing security groups (which in turn contain users), the User Profile Service will sync those groups and import every user in them. But UPS imports only the user objects that sit within a selected OU, as shown below; for any groups that are selected it imports only information about the groups (such as their membership), not the members themselves as profiles:
This behavior, if it is indeed the intended behavior, is not documented clearly, prominently, or consistently. For example, the section “Create a synchronization connection to a directory service” in Microsoft’s Technet article on how to Configure profile synchronization (SharePoint Server 2010) says nothing about what the containers must contain:
In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize.
But, the section, “Synchronizing groups,” in Technet’s Profile synchronization overview tells us in stilted language that only information about the groups and their members is imported:
If you synchronize groups in addition to users, SharePoint Server 2010 imports information about the groups that exist in the directory service containers that you are synchronizing with, as well as about which SharePoint Server 2010 users are members of these groups.
The final word, still roundabout, is embedded deep inside this Technet article on Plan for profile synchronization (SharePoint Server 2010). It contains this disclaimer:
Synchronizing a group does not create a profile for the group, and does not cause any additional user profiles to be created.
That entire section is worth reading.
Choose a container (OU) that holds the user objects themselves, not the groups. For group-based targeting, use “Audiences”: under Application Management > Manage Service Applications > User Profile Service Application (or whatever you named it) > Manage Audiences, create audiences that are mapped to AD groups.
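Before selecting a container in “Configure Synchronization Connections,” it helps to know how many users actually live under it versus how many are only reachable through group membership. The following PowerShell check is an added example, not code from the original post or from Microsoft; it uses the ActiveDirectory module (RSAT) on a domain-joined machine, and the OU distinguished name is a constructed placeholder. It lists the users UPS would import from the container (users whose own object sits under it) and the group members that sit outside it, which is exactly the set that will not get profiles.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module is available. The container DN below is a constructed placeholder;
# replace it with the OU you intend to check in the sync connection.
Import-Module ActiveDirectory

function Test-UpsContainerCoverage {
    param(
        [Parameter(Mandatory = $true)][string] $ContainerDN
    )

    # User objects located under the selected container. These are the only
    # accounts UPS creates profiles for when this container is checked.
    $directUsers = @(Get-ADUser -SearchBase $ContainerDN -SearchScope Subtree -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

    # Groups under the same container. Checking them imports membership
    # information only; it never creates profiles for their members.
    $groups = @(Get-ADGroup -SearchBase $ContainerDN -SearchScope Subtree -Filter *)

    # Members (resolved recursively) whose own object is NOT under the container.
    $outside = @(foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and ($directUsers -notcontains $_.distinguishedName) } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Group  = $g.Name
                    Member = $_.distinguishedName
                }
            }
    })

    New-Object PSObject -Property @{
        Container           = $ContainerDN
        UsersThatWillImport = $directUsers.Count
        GroupMembersOutside = $outside.Count
        Detail              = $outside
    }
}

# Usage: point it at the OU you were about to check in the sync connection.
$result = Test-UpsContainerCoverage -ContainerDN 'OU=Groups,DC=contoso,DC=local'
$result | Format-List Container, UsersThatWillImport, GroupMembersOutside
$result.Detail | Format-Table Group, Member -AutoSize
```

If UsersThatWillImport is zero and GroupMembersOutside is large, you have selected a groups-only OU and will see exactly the symptom described above; select the OU(s) that contain the user objects instead, and map the groups to Audiences. New-Object PSObject is used rather than the [pscustomobject] shorthand so the snippet also runs under the PowerShell 2.0 that ships with the SharePoint 2010 era of Windows Server.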
- Profile synchronization overview
- Configure profile synchronization (SharePoint Server 2010)
- Plan for profile synchronization (SharePoint Server 2010)
- This video (which also kind of contributes to the false expectation: “In this demonstration, I’m only synchronizing users, not groups, so I’ll only use the top half of the page” — 3:46)