harbar.net component based software & platform hygiene

Account Deletion and SharePoint 2010 User Profile Synchronization

Posted on Thursday, February 10, 2011 5:14 PM

Recently I’ve been asked a number of times about what happens to accounts deleted from Active Directory with respect to SharePoint 2010 User Profiles, and the User Profile Synchronization service instance. Unfortunately this pretty much isn’t documented at all, and furthermore there is quite a lot of incorrect information and assumptions about this area. There is plenty on how SharePoint 2007 handled things of course, but as regular readers (all two of them) will know, things are mighty different in 2010. The good news is that things are pretty straightforward and this post will walk through the important details.

Let’s take a simple scenario of a single OU (SharePoint Users) which contains 55 users; this OU will be used by our SharePoint Synchronization Connection:


Once we’ve run an Incremental Synchronization, all is good: we see all of these users in UPA Management and also within Manage User Profiles (there are 56 because there is also a profile for the Administrator account).



So far so good, nothing out of the ordinary. We now go ahead and delete all the test user accounts in AD (so we just have the members of the greatest band ever remaining) and run another Incremental Synchronization.

We can see that during the DS_DELTAIMPORT phase of synchronization, the deleted accounts are removed from the metaverse (Sync DB):


What will happen here is that during the first incremental synchronization after the accounts are deleted from AD, the user profiles will be marked for deletion in the Profile database.

This is important. There are a number of Microsoft sources (including some of mine) that state it’s the fourth sync run following account deletion that will remove profiles. It is also a common misconception that a full synchronization is required. Both of these are wrong and come from how the previous version worked. Again, profiles are marked for deletion following the next incremental synchronization after the accounts are deleted.

Let’s take a look at Manage User Profiles once the sync is complete:


Looking good right? However, notice that the total profiles do not tally up:


This is because the profiles still exist in the Profile DB and are simply marked for deletion. Aside from being confusing in the UI, this can lead to problems in custom code that does something based upon the total number of profiles. It doesn’t matter how many times we run a sync, the total profiles will remain the same.

It could be up to 59 minutes from when sync is complete for the total to be correctly reported. In order to actually delete the profiles, we must run the My Site Cleanup Timer job. This job will purge the profiles marked for deletion and therefore, once complete, make the count tally with the number of usable profiles. It also deals with email notification for any My Sites that should be deleted, but that’s a topic for another day.


The My Site Cleanup Job is scheduled to run hourly by default (and I strongly recommend you do not change this, for once, entirely reasonable default). An important point to note is that this job requires a My Site Host to be configured on the UPA, even if you are not using My Sites. If there is no My Site Host configured, the job will bail out and the profiles marked for deletion will never be deleted. Furthermore, the job is not associated with the User Profile Service, so you can’t use filtering within the Job Definitions page of CA to find it.

<update 20/02>

When you first create the UPA it is not required to enter a My Site Host. This is an incredibly common gotcha: even if you are not intending to deploy My Sites you still need a My Site Host. Ideally, the actions of this timer job would be decoupled, but they are not. Luckily for us, in this case the SharePoint Health Analyzer is actually useful: it will warn us if there is no My Site Host.


The explanation text is totally lame and doesn’t make much sense at all, but at least it’s telling us we need one, even if the reasons are not clearly articulated!

</update 20/02>

Anyway, once we run the timer job, our total profiles tally will be correct; you can actually refresh the main UPA management screen whilst it’s running and see the number decrease:

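The checks described above (is a My Site Host configured, does the profile total tally with the profiles you can actually enumerate, and where is the cleanup job) gathered into one script, as an added example that is not code from the original post. It assumes the SharePoint 2010 Management Shell on a farm server, a placeholder site URL served by the UPA, that the cleanup job’s internal Name contains "MySiteCleanup", and that UserProfileManager.Count behaves like the UPA management page total.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # placeholder: any site served by this UPA

$ctx = Get-SPServiceContext -Site $siteUrl
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# 1. My Site Host: without it the cleanup job bails out and marked profiles are never purged.
if ([string]::IsNullOrEmpty($upm.MySiteHostUrl)) {
    Write-Warning "No My Site Host configured on this UPA - profiles marked for deletion will never be removed."
} else {
    Write-Host "My Site Host: $($upm.MySiteHostUrl)"
}

# 2. Compare the reported total with the profiles that can actually be enumerated.
#    Assumption: Count behaves like the UPA management page total, i.e. it still includes
#    profiles that are marked for deletion until the cleanup job has run.
$reported = $upm.Count
$enumerated = 0
foreach ($p in $upm) { $enumerated++ }
Write-Host "Reported total: $reported  Enumerable profiles: $enumerated"
if ($reported -ne $enumerated) {
    Write-Host ("{0} profile(s) appear to be marked for deletion and awaiting cleanup." -f ($reported - $enumerated))
}

# 3. Locate the cleanup job. It is not tied to the User Profile Service, so filter on its name
#    (assumption: the internal Name contains "MySiteCleanup").
$job = Get-SPTimerJob | Where-Object { $_.Name -like "*MySiteCleanup*" } | Select-Object -First 1
if ($job -eq $null) {
    Write-Warning "My Site Cleanup Job not found on this farm."
} else {
    Write-Host "Cleanup job '$($job.Name)' schedule: $($job.Schedule)  last run: $($job.LastRunTime)"
    # 4. Run it now rather than waiting up to an hour for the default hourly schedule.
    Start-SPTimerJob -Identity $job
}
```

Re-running the count comparison after the job finishes should show the reported total dropping to match the enumerable profiles.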

That, in a nutshell, is how it works. Hopefully this post will be useful for those wondering what’s going on in the future.