SharePoint: The complete guide to user profile cleanup – Part 2 – 2010

This is part 2 in a series. You can find other parts here:

SharePoint: The complete guide to user profile cleanup – Part 1

SharePoint: The complete guide to user profile cleanup – Part 3 – 2013

SharePoint: The complete guide to user profile cleanup – Part 4 – 2016


Sync Options:

Profile Synchronization (AKA: "FIM Sync")

In SharePoint 2010, you really only have one option, and that's to use "SharePoint Profile Synchronization" AKA: "FIM Sync". This is where we use a custom build of Forefront Identity Manager 2010 (FIM) built into SharePoint 2010 to sync user profiles.

There is a radio button in the UPA for "Enable External Identity Provider", but I'm not sure that was ever used, or ever really worked.


Step 1: Determine if the profile is already marked for deletion.

Run this SQL query against the Profile database:

SELECT * FROM UserProfile_Full WHERE bDeleted = 1


If your target profiles are in the results, that means they are already marked for deletion. All you should need to do is run the My Site Cleanup Job.

Note: Managed profiles marked for deletion should also show in Central Admin | Your UPA | Manage User Profiles | Profiles Missing from Import.
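The same check, scripted against a list of target accounts rather than eyeballing a full result set. This is an added example, not code from the original post: it runs a parameterized, read-only query from PowerShell through System.Data.SqlClient. It assumes the placeholder server and database names below, that the task account has read access to the Profile database, and that the NTName column in UserProfile_Full holds the DOMAIN\user account name (an assumed column name; adjust if your schema differs).

```powershell
# Added example (not from the original post): check target accounts against
# UserProfile_Full.bDeleted using a parameterized, read-only query.
# Assumptions: $SqlServer / $ProfileDb are placeholders for your Profile database,
# and the NTName column holds DOMAIN\user (assumed column name).
$SqlServer = "SQLSERVER\INSTANCE"                   # placeholder
$ProfileDb = "Profile DB"                           # placeholder: your UPA Profile database
$targets   = @("CONTOSO\jdoe", "CONTOSO\asmith")    # constructed sample accounts

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$ProfileDb;Integrated Security=SSPI"
$conn.Open()
try {
    foreach ($acct in $targets) {
        $cmd = $conn.CreateCommand()
        # Parameterized: the account name is never concatenated into the SQL text
        $cmd.CommandText = "SELECT NTName, bDeleted FROM UserProfile_Full WHERE NTName = @acct"
        [void]$cmd.Parameters.AddWithValue("@acct", $acct)
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) {
            "{0}: no profile row (already deleted, or never imported)" -f $acct
        } elseif ([bool]$reader["bDeleted"]) {
            "{0}: marked for deletion (bDeleted = 1) - the My Site Cleanup Job should remove it" -f $acct
        } else {
            "{0}: present and NOT marked for deletion - continue with Step 2" -f $acct
        }
        $reader.Close()
    }
} finally {
    $conn.Close()
}
```

Run it from a SharePoint server as an account with read access to the Profile database. It only reads; nothing in the Profile database should ever be updated directly.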


Step 2: Determine if the profile is managed or unmanaged.

Run the following PowerShell to get a list of all your unmanaged profiles:

$upa = Get-SPServiceApplication | ?{ $_.TypeName -match "profile" }
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true | Out-File C:\temp\NonImportedProfiles.txt


If the target profiles show up in the "NonImportedProfiles.txt" file, then you need to manually mark them for deletion with PowerShell:

$upa = Get-SPServiceApplication | ?{ $_.TypeName -match "profile" }
Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true


If the target profiles are managed profiles and not marked for deletion, then you need to look into why the Sync is not marking them for deletion.

Document your Sync connection filters and selected OUs / containers and check your target profiles against them.

Take a look at the FIM Client (miisclient.exe) on the server running the Synchronization service. Detailing exactly what to look for in the FIM client is beyond the scope of this blog post, but generally speaking, if you have entire Sync steps that are failing, that's likely the problem.
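Putting the two Step 2 commands together as a check-before-purge script. This is an added example, not code from the original post. It assumes $targets is your list of DOMAIN\user names (constructed sample values below) and it searches the report file for each account name as plain text, so it does not depend on the exact layout of the -GetNonImportedObjects output. The important caveat it encodes: -PurgeNonImportedObjects marks every unmanaged profile for deletion, not just the ones you are interested in, so review the report before letting it run.

```powershell
# Added example (not from the original post): find out whether the target profiles are
# unmanaged (non-imported) and only then request the purge.
# Assumptions: $targets holds DOMAIN\user names; account names appear verbatim
# somewhere in the -GetNonImportedObjects report.
$targets = @("CONTOSO\jdoe", "CONTOSO\asmith")    # constructed sample accounts
$report  = "C:\temp\NonImportedProfiles.txt"

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -match "profile" }
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true | Out-File $report

$unmanaged = @()
foreach ($acct in $targets) {
    # Escape the account name so the backslash is not treated as a regex metacharacter
    if (Select-String -Path $report -Pattern ([regex]::Escape($acct)) -Quiet) {
        "{0}: unmanaged (listed in {1})" -f $acct, $report
        $unmanaged += $acct
    } else {
        "{0}: managed - if not bDeleted, investigate why the Sync is not marking it (filters, OUs, FIM client)" -f $acct
    }
}

# The purge marks ALL unmanaged profiles for deletion, not only the targets.
# Only proceed when the report has been reviewed and every target is unmanaged.
if ($unmanaged.Count -gt 0 -and $unmanaged.Count -eq $targets.Count) {
    Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true
    "Purge requested. The My Site Cleanup Job (Step 4) performs the actual deletion."
} else {
    "Not purging: review {0} and the managed targets first." -f $report
}
```

Keep the report file: it is your record of which unmanaged profiles were marked for deletion and when.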


Step 3: Run a Full Sync.

If you've made recent changes to your Sync connection filters or AD container selection, it takes a Full Sync to apply those changes to all profiles. Also, an Incremental Sync only gets one shot at updating a profile. If something went wrong during the Incremental that ran right after the user fell out of scope (deleted from AD, etc.), that change is missed. If the user object in AD does not change again, the Incremental will not attempt to pull that user in again. Therefore, a failure during a single run of the Sync could cause the profile to never be processed. For this reason, we recommend that you run a Full Sync on some type of recurring schedule. The interval is up to you, but something between once a week and once a month should work. There is no way to schedule a Full Sync in the UI, but you can accomplish the same thing with a Windows Scheduled Task and this PowerShell:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue   # required when run from a plain powershell.exe scheduled task
$siteUrl = "https://yourCentralAdminSiteHere/"   # Any site associated with the target UPA
$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$serviceContext = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($serviceContext)
$configManager.StartSynchronization($true)   # $true = Full Sync; $false would start an Incremental
$site.Dispose()
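A version of that script shaped for unattended use from a Scheduled Task. This is an added example, not the original post's script: it adds a guard so a Full Sync is not requested while a sync is already in progress, writes a log line for each outcome, and shows how the task can be registered with schtasks.exe. It assumes the placeholder site URL, log path, script path and farm account shown, and that the task runs as an account with Full Control on the UPA.

```powershell
# Added example (not from the original post): Full Sync starter for a Windows Scheduled Task.
# Assumptions: $siteUrl is any site in the target UPA's service context, $logFile is
# writable by the task account, and the task runs as the farm account (placeholder below).
param(
    [string]$siteUrl = "https://yourCentralAdminSiteHere/",   # placeholder
    [string]$logFile = "C:\temp\FullSync.log"                # placeholder
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Write-Log([string]$msg) {
    "{0:u} {1}" -f (Get-Date), $msg | Out-File -FilePath $logFile -Append
}

$site = $null
try {
    $site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
    $ctx  = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
    $cm   = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)

    # Do not queue a Full Sync on top of a run that is still in progress
    if ($cm.IsSynchronizationRunning()) {
        Write-Log "A sync is already running; Full Sync not started."
        exit 1
    }
    $cm.StartSynchronization($true)   # $true = Full Sync
    Write-Log "Full Sync started."
} catch {
    Write-Log ("Full Sync failed to start: " + $_.Exception.Message)
    exit 2
} finally {
    if ($site) { $site.Dispose() }
}

# Register the task once, from an elevated prompt (example: weekly, Sunday 02:00; paths and
# account are placeholders). /RP * prompts for the password instead of putting it on the command line.
# schtasks /Create /TN "UPA Full Sync" /SC WEEKLY /D SUN /ST 02:00 /RU CONTOSO\spfarm /RP * `
#   /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Start-UpaFullSync.ps1"
```

The exit codes let the Task Scheduler history show at a glance whether the sync was started, skipped because one was already running, or failed to start.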


If the target profiles have been deleted in Active Directory, but the Sync is not marking them for deletion, the Active Directory Recycle bin may be in play as documented here: https://blogs.technet.microsoft.com/spjr/2018/03/07/sharepoint-2010-2013-fim-sync-does-not-remove-profiles-for-users-that-were-deleted-from-ad/


Step 4: My Site Cleanup Job

While the Sync marks out-of-scope profiles for deletion, it doesn't actually delete anything. That's left to the My Site Cleanup Job.

Check Central Administration | Monitoring | Timer Jobs | Review Job Definitions | My Site Cleanup Job. Make sure it's set to run at least once per day (default in SharePoint 2010 is hourly).

If the target user profiles are marked for deletion (bDeleted = 1), and the My Site Cleanup timer job is running, but the profiles are not being deleted, then there is some problem with the timer job. You should review the SharePoint ULS logs from the server that ran the job, covering the timeframe when the job ran.
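One way to do that review from PowerShell rather than by hand. This is an added example, not code from the original post: it finds the My Site Cleanup Job, prints its schedule and recent run history (which includes the server each run executed on), and, for any run that did not succeed, pulls the ULS events for that run's time window when you are on the server that ran it. It assumes the job can be matched by its display name or internal name as shown, and that the ULS area/category filter used below is loose enough to catch the relevant entries (an assumption; widen it if nothing shows up).

```powershell
# Added example (not from the original post): health check for the My Site Cleanup Job.
# Assumptions: the job matches the display/internal names below; $lookbackHours controls
# how much run history is examined.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$lookbackHours = 24

$job = Get-SPTimerJob |
    Where-Object { $_.DisplayName -eq "My Site Cleanup Job" -or $_.Name -match "MySiteCleanup" } |
    Select-Object -First 1
if (-not $job) { throw "My Site Cleanup Job not found in this farm" }

"Schedule : {0}" -f $job.Schedule          # should be at least daily (2010 default is hourly)
"Last run : {0}" -f $job.LastRunTime
"Enabled  : {0}" -f (-not $job.IsDisabled)

# Recent run history: Status is Succeeded / Failed / Aborted, ServerName is where it ran
$since = (Get-Date).AddHours(-$lookbackHours)
$runs  = $job.HistoryEntries |
    Where-Object { $_.StartTime -gt $since } |
    Sort-Object StartTime -Descending
$runs | Select-Object StartTime, EndTime, ServerName, Status, ErrorMessage | Format-Table -AutoSize

# For each non-successful run, read the ULS log for that window on the server that ran it.
# Get-SPLogEvent reads the local server's logs, so the script must be run there.
foreach ($run in ($runs | Where-Object { $_.Status -ne "Succeeded" })) {
    "--- Run on {0} at {1}: {2}" -f $run.ServerName, $run.StartTime, $run.Status
    if ($run.ServerName -ieq $env:COMPUTERNAME) {
        Get-SPLogEvent -StartTime $run.StartTime -EndTime $run.EndTime -MinimumLevel "High" |
            Where-Object { $_.Area -eq "SharePoint Portal Server" -or $_.Category -match "Profile" } |
            Select-Object Timestamp, Level, Category, Message | Format-List
    } else {
        "Run this script on {0} to read its ULS log for this window." -f $run.ServerName
    }
}
```

If every recent run shows Succeeded yet bDeleted = 1 profiles remain, lower -MinimumLevel to "Medium" for the same window; the job may be completing while skipping individual profiles, and those messages are logged at lower levels.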