SharePoint SaturdayDayton, Ohio

June 30, 2012

Wrangling The User Profile Service

James GrizzleSenior Consultant – Cardinal

Solutions

General Information

• Tweet it Out!!– Hashtag for this event: #SPSDayton– Follow us: @SPSDayton– Include your presenters

• Check out SPTV – Tweets will display throughout the day

on the screens.– Footage will be shown at http://mysp.tv

Overview

• Setting up the User Profile Service• Debugging the UPS (and sync)• Advanced UPS Features and

Customizations

Assumptions

– No Farm Config Wizard– Using Active Directory– Domain Accounts– NetBIOS name is the same as the FQDN– Users in AD

Permissions

• Farm Account– Log on Locally (Set first)– Administrator (Only during Provisioning)

• Sync Account– Replicating Directory Changes

Permissions

• Content Access Account• User Profile Service Account

Demo

• Add NETWORK-SERVICE to WSS_WPG group

Errors

Plan Sync

• Plan Profile Properties• Plan OUs to Sync• Plan Sync Connection Filters• Sync Back?

AD to SharePoint Property MappingProperty Display Name

Property Name Value

Custom PropCustom AD Prop

Mapped To (AD Property)

Originally Mapped To

Shows on Profile Page

Replicable to Sites

Corp ID CorpID Yes No employeeID   Yes Yes

Name PreferredName No No cn displayName Yes Yes

Work phone WorkPhone No Yes otherTelephone telephoneNumber

Yes Yes

Fax Fax No NofacsimileTelephoneNumber

  Yes Yes

Address Address Yes No streetAddress   No No

Building Building Yes No Street   No No

City City Yes No l   No No

State State Yes No st   No No

Zip Code ZipCode Yes No postalCode   No No

Division Division Yes No division   Yes Yes

Advanced Sync Topics

• Map custom AD attributes• User Profile sub-types• Create advanced profile import filters–Multiple And / OR– CANNOT GO BACK TO CA UI!!!!

• FIM• Global Audiences

Demo

Diagnosing Common Issues

• FIM• 99% of the time, permissions are the issue– Farm Account must be local admin during the

sync– Farm Account must have “Allow Log on Locally”– Sync Account needs “Replicating Directory

Changes” permission in AD

• IISRESET, Logon / Logoff, and Restart SharePoint Timer Service before starting the UPSA

• IISRESET after starting the UPSA

• FIM• Status –

Stopped-connectivity

• Connection Status – Failed search

• Replicating Directory Changes Permissions

Sync Issues – Domain Permissions

FIM - Connection Log

Tips

• Add a link to the User Profile Service and Search Service on the resources list on the homepage and on possibly the Top Link bar

• Install SP1 and the August 2011 CU at least– April CU refresh offers even better UPS

goodies

Gotchas• Oct 2011 CU breaks profile photos.• Sync Database size

– Fixed in April CU (be careful of the version of April CU since it was rescinded by Microsoft – new v .5006)

– Also can be handled by deleting the Sync DB and reprovisioning UPA. • Remember the Sync DB is only a staging environment• Keep the social and profile DBs!

• Politics– Who owns the identities, does the data come from

multiple teams, how will the connections work, if you do write-back, who becomes the authoritative source?

Resources• Rational Guide to implementing UPS

http://www.harbar.net/articles/sp2010ups.aspx

• Stuck on Starting – Common Sync Issueshttp://www.harbar.net/articles/sp2010ups2.aspx

• Creating User Profile Sync Filtershttp://www.harbar.net/archive/2011/02/22/323.aspx

• Mapping User Profile Properties to LDAP attributeshttp://blogs.msdn.com/b/tehnoonr/archive/2010/11/22/mapping-user-profile-properties-in-sharepoint-2010-to-ldap-attributes.aspx

• User Profile Sub Typeshttps://www.nothingbutsharepoint.com/sites/eusp/Pages/Applied-SharePoint-2010-Governance-Part-3-User-Profile-Sub-Types.aspx

Questions and Evals…

• Fill out your evaluations to receive– Parking Pass– SPS Dayton T-Shirt

Brixx Ice Co.500 East First St., Dayton

SharePoint Saturday Dayton has been made possible because of generous sponsorship from the following friends…