I ended up having to do quite a bit of cleanup on the profiles associated with a team SharePoint server, and learned a bit in the process that doesn’t seem to be on the Internet in one place, so I thought I’d share.
Note: I will touch on several related areas in this post, so I apologize if I jump all over the place. All buckled in? Let’s go!
Ideally, in SharePoint, you have profiles (and maybe My Sites) for users that actually use the site (or that you want to search). For the most part, you do not want profiles of users that are disabled in Active Directory, users who have left the company, etc.
Most of the work that you do with profiles as an Administrator is within the Shared Services Provider (SSP), under “User Profiles and My Sites”.
By default, when setting up Profile Import, SharePoint imports all users from your current domain. This is fine as a default, but you may end up pulling profiles that are not needed and/or wanted in two cases (off the top of my head):
1) You have a bunch of user/service accounts that are disabled in Active Directory.
2) You only want accounts from a particular group or OU to be imported into your SharePoint profiles.
In either of these cases, you will have to customize the LDAP query that SharePoint runs on the backend to pull users out of AD. By default, the query filter is (&(objectCategory=Person)(objectClass=User)). In other words, “pull every user object”.
That default makes no distinction between enabled and disabled accounts; SharePoint does not care whether an account is active or not, so the distinction has to come from the LDAP filter, by adding a clause that tests the disabled bit of userAccountControl. KB 827754 gives the modified query to use if you only want active (enabled) accounts.
If you want to import users just from a particular group, the query will look something like:
(&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))
Note that memberOf only matches direct members; users who are in the group through a nested group are not returned. If what you want is a particular OU rather than a group, that is done by narrowing the import connection’s search base to the OU’s distinguished name, not by the filter.
Wayne Hall’s post here is the definitive source on how to find the Distinguished Name of the group you are looking for, and how to write the query. If you want to go completely buck-wild, you can read all about LDAP Search Query Syntax on MSDN.
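Before committing a new filter to the import connection and kicking off a full import, it is worth seeing how many accounts each candidate filter actually returns. The PowerShell script below is an added example, not code from the original post or from Microsoft: it runs the candidate filters through System.DirectoryServices.DirectorySearcher from a domain-joined machine and prints a count for each, so you can compare “all users” against “enabled only” and “members of the group” before the SSP ever sees them. The domain DN, the group DN and the search base are placeholders to adjust. The enabled-only filter is my own rendering of the userAccountControl test (bit 2 is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule), not a quotation of KB 827754; the nested-membership variant uses the LDAP_MATCHING_RULE_IN_CHAIN rule, which needs Windows Server 2003 SP2 or later domain controllers.

```powershell
# Preview what a SharePoint profile-import LDAP filter would return before changing
# the import connection in the SSP. Added example; not from the original post.
# Assumptions: run on a domain-joined box as a user allowed to read AD; the DNs
# below are placeholders for your own domain, OU and group.
param(
    # Search base: use the domain root, or an OU's DN to restrict the import to that OU.
    [string]$SearchRoot = "LDAP://DC=contoso,DC=com",
    [string]$GroupDn    = "CN=SharePoint Users,OU=Groups,DC=contoso,DC=com"
)

# What SharePoint uses by default: every user object, enabled or not.
$allUsers = "(&(objectCategory=person)(objectClass=user))"

# Enabled accounts only: userAccountControl bit 0x2 (ACCOUNTDISABLE) must be clear.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the clause matches
# accounts whose flags AND 2 is non-zero, and the (!...) negates it.
$enabledUsers = "(&(objectCategory=person)(objectClass=user)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Direct members of one group (memberOf does not follow nested groups).
$groupMembers = "(&(objectCategory=person)(objectClass=user)(memberOf=$GroupDn))"

# Members including nested groups, via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
$nestedMembers = "(&(objectCategory=person)(objectClass=user)" +
                 "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"

# Both conditions at once: enabled accounts that are direct members of the group.
$enabledGroupMembers = "(&(objectCategory=person)(objectClass=user)" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=$GroupDn))"

function Get-FilterCount {
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000          # enable paging; otherwise results stop at 1000
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $results = $searcher.FindAll()
    try {
        return $results.Count
    } finally {
        $results.Dispose()
    }
}

$candidates = @(
    @{ Name = "All users (SharePoint default)";     Filter = $allUsers },
    @{ Name = "Enabled users only";                 Filter = $enabledUsers },
    @{ Name = "Direct members of group";            Filter = $groupMembers },
    @{ Name = "Members incl. nested groups";        Filter = $nestedMembers },
    @{ Name = "Enabled + direct members of group";  Filter = $enabledGroupMembers }
)

foreach ($c in $candidates) {
    "{0,-38} {1,8}" -f $c.Name, (Get-FilterCount -Filter $c.Filter)
}
```

Run it once with the domain root as the search base and once with the OU you intend to import from; the difference between the first and the last line is roughly the number of profiles you will see under “Profiles Missing from Import” after the next full import.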
All right. Now if you ran the full profile import before modifying the query, and have a bunch of disabled users in AD, or imported all AD users instead of a specific group, those extra profiles now exist in SharePoint where they are not doing a lot of good.
How can you delete them?
The answer is that you have to run a Full (not incremental) profile import. This does not delete anything by itself; profiles that the import no longer returns are marked as “Profiles Missing from Import”. On the “User Profiles and Properties” page of the SSP, click on “View User Profiles”.
From here, there is a drop down box that lets you choose between “Active Profiles” and “Profiles Missing from Import”
Don’t laugh at the difference between my Total number of user profiles and Number of active user profiles in the picture below. Long story, no happy ending 😉
If you select “Profiles Missing from Import”, it lists every profile that exists in SharePoint but was NOT returned/updated from AD by your last full import. That could be because the person left the company, or because your modified query now returns fewer people. Either way, once you have verified that the account really no longer exists (or should not have a profile on this server), check the box next to the profile/account name and hit Delete.
You can also wait for SharePoint to run three full (not incremental) imports, after which it will delete the profiles on its own. *Update: Although this is how it worked in SPS 2003, it is not how it works in MOSS 2007. It is actually the “My Site Cleanup Job” that does the dirty work. Gyorgy covers how this works here: http://blogs.msdn.com/b/gyorgyh/archive/2009/11/13/how-it-works-moss-2007-automatic-user-profile-removal.aspx
A few other considerations to be aware of. If a user is no longer with the company but somebody explicitly assigned them permissions to a site, list, or library, those permissions stay in place: profile cleanup does not touch them, and the person will still have them if they ever come back (this is an issue at Microsoft, as vendors may do work for one team and then come back some months later to do work for another team using the same AD account). Removing explicit permissions is a manual process, which is why explicit per-user permissions should be the exception and not the rule. Use (and do not break) permission inheritance wherever possible. I usually put Active Directory groups within SharePoint groups and assign SharePoint permissions to the SharePoint groups. That way, if any given person joins or leaves the company, I add or remove them from the appropriate AD group and their permissions accordingly come or go in SharePoint.
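Finding those explicit per-user grants by hand across a site collection with many subsites is tedious, so here is an added example (my own script, not code from the original post) that walks a MOSS 2007 site collection with the SharePoint object model and reports every role assignment made directly to a person rather than to a SharePoint group or an AD group. It assumes it is run on a server in the farm as a farm administrator with PowerShell 2.0 or later installed, and the site collection URL is a placeholder. Grants to AD groups added directly show up in the object model as SPUser objects with IsDomainGroup set, and are left alone since they follow the “groups, not people” rule above.

```powershell
# Audit explicit (per-user) permission grants in a MOSS 2007 site collection.
# Added example; not code from the original post. Assumptions: run on a farm
# server as a farm admin, PowerShell 2.0+, and $SiteUrl adjusted to your site.
param([string]$SiteUrl = "http://servername/sites/team")   # placeholder URL

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Emit one row per role assignment on $Securable that targets an individual user
# (an SPUser that is not a domain group). SharePoint groups and AD groups are skipped.
function Get-DirectUserGrants {
    param($Securable, [string]$Scope)
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{
                Scope = $Scope
                Login = $member.LoginName
                Roles = $roles
            }
        }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Only webs and lists that broke inheritance carry their own assignments;
            # the rest simply mirror their parent, so re-reporting them would be noise.
            if ($web.HasUniqueRoleAssignments) {
                Get-DirectUserGrants -Securable $web -Scope ("Web:  " + $web.Url)
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Get-DirectUserGrants -Securable $list -Scope ("List: " + $web.Url + "/" + $list.Title)
                }
            }
        } finally {
            $web.Dispose()    # SPWeb objects from AllWebs must be disposed explicitly
        }
    }
} finally {
    $site.Dispose()
}
```

Two things to keep in mind when reading the output. First, entries whose only role is “Limited Access” are SharePoint’s own bookkeeping for a more specific grant further down (a folder or item with unique permissions), so they point at something to chase rather than being the grant itself. Second, the script stops at list level; walking item-level permissions means enumerating every item in every list, which is slow on large libraries, so do that separately for the lists this report flags.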
The other consideration is My Sites. How do you delete My Sites that belong to people that left the company? Once SharePoint no longer has a profile for a user with a My Site (see above), it will (by default) send an e-mail to that user’s Manager (assuming their profile has a manager listed) saying:
The My Site of Joe Blow is scheduled for deletion. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL: http://servername/mysite/personal/joeblow
The manager is then added as the secondary site collection administrator of the user’s My Site, so any important documents can be copied off before the My Site is deleted. The wording of the e-mail is hard-coded and cannot be changed. As well, this My Site cleanup is NOT part of, or related to, the “Site Use confirmation and deletion” feature of SharePoint. It takes place as part of the “My Site Cleanup Job”, which runs hourly (you can find it under Central Administration –> Operations –> Timer Job Definitions). There were some problems with this job in RTM, but they were fixed in SP1 (in case you are still running RTM and old My Sites are still hanging around).
*Update to the paragraph above: commenter Chris reminded me that I was not quite right about the My Site deletion. While the e-mail itself is not related to the “Site Use confirmation and deletion” feature, sites are not actually deleted unless that feature is turned on. The e-mail to the manager is telling a fib. If the “Site Use confirmation and deletion” feature is enabled, the site is deleted because the user never confirms the e-mail asking whether they are still using the site, not because of the My Site Cleanup Job itself. I also came across another great resource on My Sites and disabled/deleted users from Phil Wicklund that is well worth reading: http://philwicklund.com/whitepapers/Documents/My%20Site%20Concerning%20Scenarios%20Study%20and%20Strategy.pdf
I hope the information above helps someone if they ever end up trying to figure out how to clear out 75,000 profiles from a SharePoint server that is only used by a few hundred people (yes, I think I am the very definition of an edge case)