harbar.net component based software & platform hygiene

Account Deletion and SharePoint 2010 User Profile Synchronization

Print | posted on Thursday, February 10, 2011 5:14 PM

Recently I’ve been asked a number of times about what happens to accounts deleted from Active Directory with respect to SharePoint 2010 User Profiles, and the User Profile Synchronization service instance. Unfortunately this pretty much isn’t documented at all, and furthermore there is quite a lot of incorrect information and assumptions about this area. There is plenty on how SharePoint 2007 handled things of course, but as regular readers (all two of them) will know, things are mighty different in 2010. The good news is that things are pretty straightforward and this post will walk through the important details.

Let’s take a simple scenario of a single OU (SharePoint Users) which contains 55 users, this will be used by our SharePoint Synchronization Connection:

image

Once we’ve run an Incremental Synchronization, all is good we see all of these users in UPA Management and also within Manage User Profiles (there are 56 because there is also a profile for the Administrator account).

image

image

So far so good, nothing out of the ordinary. We now go ahead and delete all the test user accounts in AD (so we just have the members of the greatest band ever remaining) and run another Incremental Synchronization.

We can see that during the DS_DELTAIMPORT phase of synchronization, the deleted accounts are removed from the metaverse (Sync DB):

image

What will happen here is that during the first incremental synchronization after the accounts are deleted from AD, the user profiles will be marked for deletion in the Profile database.

This is important. There are a number of Microsoft sources (including some of mine) that state it’s the forth sync run following account deletion that will remove profiles. It is also a common misconception that a full synchronization is required. Both of these are wrong and come from how the previous version worked. Again, profiles are marked for deletion following the next incremental synchronization after the accounts are deleted.

Let’s take a look at Manage User Profiles once the sync is complete:

image

Looking good right? However, notice that the total profiles do not tally up:

image

This is because the profiles still exist in the Profile DB and are a simply marked for deletion. This aside from being confusing in the UI, can lead to problems in custom code that does something based upon the total number of profiles. It doesn’t matter how many times we run a sync, the total profiles will remain the same.

It could be up to 59 minutes from when sync is complete for the total to be correctly reported. In order to actually delete the profiles, we must run the My Site Cleanup Timer job. This job will purge the profiles marked for deletion and therefore once complete make the count tally with the number of useable profiles. It also deals with email notification for any My Sites that should be deleted, but that’s a topic for another day.

image

The My Site Cleanup Job is scheduled to run hourly by default (and I strongly recommend you do not change this, for once, entirely reasonable default). An important point to note is that this job requires a My Site Host to be configured on the UPA, even if you are not using My Sites. If there is no My Site Host configured the job will bail out and the profiles marked for deletion will never be deleted. Furthermore, the job is not associated with the User Profile Service, so you can’t use filtering within the Job Definitions page of CA to find it.

<update 20/02>

When you first create the UPA it is not required to enter a My Site Host. This is an incredibly common gotcha: even if you are not intending to deploy My Sites you still need a My Site Host. Ideally, the actions of this timer job would be decoupled, but they are not. Luckily for us in this case, the SharePoint Health Analyzer is actually useful, it will warn us if there is no My Site Host.

18-02-2011 10-20-22 

The explanation text is totally lame and doesn’t make much sense at all, but at least it’s telling us we need one, even if the reasons are not clearly articulated!

</update 20/02>

Anyway, Once we run the timer job, our total profiles tally will be correct, you can actually refresh the main UPA management screen whilst it’s running and see the number decrease:

image

That, in a nutshell, is how it works. Hopefully this post will be useful for those wondering what’s going on in the future.

Feedback

Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks for the explanation Spence, UPS has been a bit of a bane recently especially with the December CU. Clear and properly informed blog posts are a god send.

2/10/2011 5:21 PM | Paul Hunt
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks for the info, Spence! ONe more thing to understand correctly.

2/10/2011 5:55 PM | Rick Taylor
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

"...regular readers (all two of them)..."

There's quite a few more of us around, you know...
Thx
/LH

2/10/2011 8:03 PM | Lars Hammarberg
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Good article, clears up the sky! :)

2/10/2011 8:36 PM | Octavie van Haaften
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks Spence. Great to find out under the hood how it works.

2/11/2011 4:06 AM | Chyan Yee Goh
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Interesting stuff.

Are Rick and Paul those two regular readers you were talking about?
It's a good thing you have a few more interested people at sharepoint events and the MCM gigs.

2/11/2011 10:54 AM | Nico
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Great post. That piece about the MySite Host i guarantee will be the culprit of many

2/14/2011 5:43 AM | Fabian Williams
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks for the explanation. And your Google Analytics is misinforming you. There's more than a few!

2/16/2011 11:39 PM | Khan Saheb
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Great read. Very helpful. You now have 3 regular readers. : >

2/21/2011 5:37 AM | Jim Ehrenberg
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Great article Harbar. Does this timer job also delete the my sites for the deleted users?

3/4/2011 12:12 AM | Nuno Costa
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

This article is very useful for me. I really like all of spencer articles. Even though I would like to request more.

3/11/2011 1:54 AM | Srini
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

This article is simply awesome , I am breaking my head why the user profile number is not reducing even i am deleting the users from AD

10/6/2011 10:31 PM | Naga Aditya
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Nice article Harbar.

The way the user profiles are synchronized, Is there a timer job or any other approach for cleaning the entries of deleted sites in MYSITE Membership. Seems like a MS Bug. Any thoughts would be appreciated.

10/28/2011 7:07 AM | Amal Fernando
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks for taking the time to explain these issues. Really great stuff, and in plain english too. I do have a question though. I can see my "MySite Cleanup" job working away (b/c when I refresh the UPA CA screen I can see the total number of users reducing), yet when I run this ..

$upa = Get-SPServiceApplication –Name "MY UPA"
Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true

... I can see thousands of entries. (This is our prod environment, but I replicated all this in Dev). I am forced to run ...

Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

.. to actually clean it up. What is it about these 1000's of users/groups that the 'My Site Cleanup' would not 'clean up'. Yes, we did upgrade from SP2007 and there would have been 1000's of objects in there at the time of the upgrade.

Any help would be appreciated.

Anthony

12/12/2011 9:36 AM | Anthony Kasses
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Very Clear article on the topic and yes it clears the future!!!

3/27/2012 6:09 PM | Asif Mahmood
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Thanks for the writeup. Who knew that the detail doesn't add up to the cumulative number!?!?!

5/1/2012 10:42 PM | Randy Schader
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

This article really helped my team today so I wanted to say, Thanks Spence!

6/25/2012 8:02 PM | Erica Toelle
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

Good stuff! Thanks for the explanation!

2/13/2013 7:49 PM | James Peery
Gravatar

# re: Account Deletion and SharePoint 2010 User Profile Synchronization

I have been troubleshooting our SP sync issues for weeks now. This one post has answered ALL of my questions; especially how to have users marked for deletion removed more quickly.

Thanks!

4/7/2014 9:38 PM | Jeffrey J

Post Comment

Title  
Name  
Email
Url
Comment   
Please add 5 and 5 and type the answer here: