Create Profile Sync connection with Powershell

Yesterday, a good fellow (Zsolt Illes) notified me about the new cmdlet introduced by SharePoint 2010 SP1, and that this information is available and published with more details on Spencer Harbar’s blog.
Here’s just a short “cut out” for your convenience, by courtesy of Zsolt and in acknowledgement of Spencer’s post:

*** UPDATE 2011-10-12 ***
From a recent discussion internally, it turned out that this cmdlet is NOT SUPPORTED for “on premise” SharePoint 2010 environments!!
The cmdlet introduced with SP1 is only for use on “SharePoint Online”, to be executed by Support engineers only!

So be aware that the usage of this post is “AS-IS”, with no warranties or support!
Since there is no public documentation of the cmdlet on the official TechNet/MSDN sites, it is considered not supported!

So please call Microsoft support and open a case whenever you have a reasonable purpose to use this cmdlet!
During this support case, an engineer then needs to ask the product group, by a special process, for an explicit approval of usage in your single case!
If you don’t have a case raised and have not been approved to use it, supportability of your UPA setup might be lost,
and you will be asked to roll back, recreate manually via the UI etc., and eventually recreate your whole UPA service app!

Be warned and notified that using this cmdlet in an “on premise” environment currently IS NOT SUPPORTED!

As this is still an “ongoing discussion”, any changes or updates will be posted asap as available. If customers raise enough cases to clarify
with the PG, maybe the support statement could be changed, so stay tuned!
*** End UPDATE 2011-10-12 ***


“how to create a User Profile Synchronization Connection from PowerShell in case you have timeout issues on the UI. With SP1 there’s an option to do it.”

The cmdlet to use: Add-SPProfileSyncConnection


Parameter name / Description

ProfileServiceApplication
    Service Application pipeline binding to the User Profile Service Application.
    Here you can either use the ID of the UPA, or a Service Application object.

ConnectionForestName
    The FQDN of the forest you are connecting to.

ConnectionDomain
    The NETBIOS name of the domain you are connecting to.

ConnectionUserName
    Username used for the synchronization connection.
    The format is: username@domain

ConnectionPassword
    Secure string format of the password of the account used for the directory connection.

ConnectionSynchronizationOU
    The top level OU that you would like to synchronize.
    If you do not specify this parameter and there’s an existing connection for the domain, the cmdlet will only update the ConnectionUserName and ConnectionPassword parameters.

ConnectionPort
    The port used to connect to the directory service. The default port is 389.

ConnectionUseSSL
    Boolean value indicating whether the connection to the directory service must be over SSL.

ConnectionNamingContext
    Naming Context of the Directory Information Tree to connect to.

ConnectionServerName
    Name of the Domain Controller to connect to.
Example script

# Builds the SecureString the cmdlet expects; in a real environment prefer Read-Host -AsSecureString over a plaintext literal.
$PWord = ConvertTo-SecureString -AsPlainText -String "Pa55word" -Force
# Pick the UPA by display name (adjust the name to match your farm).
$UPA = Get-SPServiceApplication | Where {$_.DisplayName -eq "User Profile Service Application"}
# Forest FQDN and sync account are placeholders (the values were not preserved in the original post); the user name must be in username@domain format.
Add-SPProfileSyncConnection -ProfileServiceApplication $UPA -ConnectionForestName "contoso.com" -ConnectionDomain "CONTOSO" -ConnectionUserName "svc_upasync@contoso.com" -ConnectionPassword $PWord -ConnectionServerName "contoso-dc"


  • The account running the PowerShell window must be added as an administrator for the UPA.
    • If you do not have this permission, the error message is: “MOSS MA Not Found”
  • There’s no DisplayName parameter, so you can add only one connection per domain. The name of the connection will be the NETBIOS name of the domain.
    • This is the recommendation anyway, but it might be inconvenient for some.
  • Since you have to specify the ConnectionDomain parameter, there’s no option to create more than one connection per forest.
    • This is against our recommendation to have more than one connection per forest anyway.
  • If you specify the same ConnectionDomain parameter, the system will overwrite the ConnectionSynchronizationOU, ConnectionUserName and ConnectionPassword parameters.
  • If the connection cannot be created due to a FIM error, you get no error message back.
    • To check if the connection was created OK, use the UI or the miisclient.exe tool.
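The caveats above (UPA administrator required, no error on FIM failure, existing connections for the same domain get overwritten) lend themselves to a small pre-flight wrapper. The script below is an added example written for this page, not code from the original post or from Spencer’s blog: it checks the UPA administrator ACL before calling the cmdlet, prompts for the password instead of embedding it, uses splatting so the parameter set is easy to review, and reminds the operator to verify the result since the cmdlet itself stays silent on FIM errors. The UPA display name, forest, domain, DC and sync account names are placeholders, and the ACL name match is a heuristic on the claims-encoded account name.

```powershell
# Added example (not from the original post). Assumed placeholder values
# for a lab farm; adjust them before use.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName       = "User Profile Service Application"   # placeholder
$forestFqdn    = "contoso.com"                        # placeholder
$domainNetbios = "CONTOSO"                            # placeholder
$dcName        = "contoso-dc"                         # placeholder
$syncAccount   = "svc_upasync@contoso.com"            # placeholder, username@domain format

$upa = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $upaName }
if (-not $upa) { throw "UPA '$upaName' not found." }

# Caveat from the post: the caller must be a UPA administrator, otherwise the
# cmdlet fails with "MOSS MA Not Found". Check the admin ACL first. Names in
# the ACL are usually claims-encoded (e.g. "i:0#.w|contoso\user"), so match
# on the trailing DOMAIN\user part; -like is case-insensitive.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$adminAcl = Get-SPServiceApplicationSecurity $upa -Admin
$isAdmin  = $adminAcl.AccessRules | Where-Object { $_.Name -eq $me -or $_.Name -like "*|$me" }
if (-not $isAdmin) {
    throw "$me is not an administrator of '$upaName'; grant that right in Central Administration first."
}

# Prompt for the password rather than storing it in the script; the cmdlet
# takes a SecureString, which Read-Host -AsSecureString produces directly.
$securePwd = Read-Host -Prompt "Password for $syncAccount" -AsSecureString

# Splatted parameter set. ConnectionPort/ConnectionUseSSL request LDAPS;
# drop both lines to fall back to the cmdlet's default of port 389.
$params = @{
    ProfileServiceApplication = $upa
    ConnectionForestName      = $forestFqdn
    ConnectionDomain          = $domainNetbios
    ConnectionUserName        = $syncAccount
    ConnectionPassword        = $securePwd
    ConnectionServerName      = $dcName
    ConnectionPort            = 636
    ConnectionUseSSL          = $true
}

# Note: a second run with the same ConnectionDomain overwrites the OU, user
# name and password of the existing connection rather than creating a new one.
Add-SPProfileSyncConnection @params

# A FIM-side failure returns no error, so verification is manual: check the
# "$domainNetbios" connection under Configure Synchronization Connections in
# Central Administration, or in miisclient.exe.
Write-Host "Add-SPProfileSyncConnection returned; verify the '$domainNetbios' connection in the UI or miisclient.exe."
```

Run it from a SharePoint 2010 Management Shell on a farm server as the account that will own the connection; the administrator check is there because the cmdlet's own failure message gives no hint that the ACL is the cause.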


Thanks to Spence and Zsolt for sharing!

Comments (2)

  1. This cmdlet is not supported for on premises deployments. This is O365 exclusive



  2. Steve [MSFT] says:

    Hi Alex, you're right, I inserted an "Update", please see above my changes.

    As soon as a customer has raised a case to get a clear statement from PG, the status could be altered.

    cheers, Steve
