FAQ | Mai Omar Desouki

Tags

FAQs, SharePoint 2010, User Profile, User Profile Sync

Question: Why are replicate-directory-changes permissions needed to synchronize with AD and on what in AD?
Answer:In order to interrogate AD about “what has changed since time xyz”, we need the replicate-directory-changes permissions on partitions being synchronized, for example the domain partition being synchronized.These permissions are needed in particular to be able to read data within the deleted objects container of the partition. Standard users do not have permissions to read the content of this container, and we cannot simply grant rights over that container to the synchronization account.

In RC we also require these permissions on the cn=configuration container, in order to access the netbios information for the domain (we are working to fix this for RTM, so this container permissions will be required only if your netbios name is different than your domain name)

Question: Do the replicate-directory-change permissions allow the holder to modify AD?
Answer:Holder cannot modify AD using these permissions

Question: What additional privileges are granted (beyond the ability to read and inquire of delta changes) with replicate-directory-changes permissions?
Answer:Holder can read all AD data for the domain, except passwords. Note that most of the directory information is by default readable by everyone, including data in the configuration partition.

Question: I have very sensitive information in AD, such as pay-levels and now I am worried that these permissions will expose that information
Answer:The replicate-directory-changes permissions will only expose sensitive data if explicitly mapped and imported into SharePoint. SharePoint out-of-the-box mappings do not expose custom AD data. This account cannot use LDAP querying to access information otherwise not available for read; it has to specifically use replication interfaces of the system to trigger sync in order to access the data.

Question: Why do I need the Replicate-directory-changes permissions at all if I am only doing a full sync?
Answer:Replicate-directory-changes permissions can also be used to do a full import as well, to get consistent read, for the respective delta-imports. SharePoint admin must explicitly map a property for export, there is no out-of-the-box mapping to export to AD . Even if the SharePoint admin creates a mapping, there will be no export of the data unless additional AD permissions allow so. Replicate-directory-changes do not allow for creation, modification or deletion of data in AD.

Question: Is there a local box admin requirement for provisioning user profile synchronization service?
Answer:When provisioning sync (hitting start on the user profile sync service in the central admin services on server page), you must be logged in as a farm “account” who is also the local box admin on the box you are provisioning the sync service. This requirement exists because sync process needs to make some changes in the local groups and modify registry entries on the machine. This is typically done at the early install time, but with sync SP2010 follows a two-phased provisioning process which necessitates this for provision time of the sync service. Note that this requirement exists only during provisioning (moving to another machine or starting for the first time). This requirement will remain for SP2010 RTM.

Question: User profile synchronization service on the “Services on Server” page continues to stay in the starting state. How can I reset it to stopped state?
Answer:Fire up powershell. Get a handle for the respective user profile service application (UPA), say $UPA. Then use the method $UPA.ResetSynchronizationMachine().

Question: I see obsolete users in the profile store, for example, on the org chart. These users are no longer in AD.
Answer:There can be two reasons for obsolete users in the profile store:

1. MySite clean up timer job is not active. The user profile synchronization job marks users deleted from the directory source to be deleted. When the MySite cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Respective mysites are then assigned ownership to the deleted profile’s manager and an email is sent to the manager.

2. There were users that existed in the profile store and were not brought in by user profile sync. This can occur, for example, if a customer upgraded from previous version of SharePoint. And chose to only synchronize a sub-set of domains with 2010. You can find these users by utilizing the following commandlet:
$upa = Get-spserviceapplication –identity <UPA ID>
a) To view users and groups that’ll be deleted:
Set-SPProfileServiceApplication -Identity $upa – GetNonImportedObjects $true

b) To delete these users and groups (this action can’t be undone):
Set-SPProfileServiceApplication -Identity $upa – PurgeNonImportedObjects $true
To view or delete users only, please select users-only option in the user profile synchronization settings through central admin. Similarly, to view or delete both users and groups, please select users and groups option in the user profile synchronization settings through central admin.

Question: I know my netbios and domain name are different or I am seeing wrong samAccountnames after import. What gives?
Answer:If your NetBIOS name is different from your domain name, at least Replicate Directory Changes permission is also needed on the cn=configuration container and you must enable NetBIOS domain names on the corresponding User Profile service application. For more information about enabling NetBIOS names on a User Profile service application, see Get-SPServiceApplication.

The UPA property NetBIOSDomainNamesEnabled is used to control whether the CNC partition is included in the AD Connection or not. By default it is false (not enabled) and the CNC and associated run steps are not included in the AD Connection configuration. If it is enabled, then the CNC partition and run steps are included.

When editing a connection, the flag is ignored. If the CNC was included in the AD Connection when it was created, then it will continue to be included in the AD Connection. If the CNC was not included when the AD Connection was created then it will never be included in the AD import.

To “enable” NetBIOS domain names once a connection is created requires the connection to be deleted and a new connection created with the flag turned on (set to 1 or true). This will delete all the users which had their SAMAccountNames incorrectly formed due to the NetBIOS domain name being incorrect.

How To: Enable import of NetBIOS Domain Names

Using the 2010 SharePoint Management Shell:

Get-SPServiceApplication
<lists the Service Applications and their GUIDs>
$UPA = Get-SPServiceApplication –Id <GUID of User Profile Service Application>
$UPA.NetBIOSDomainNamesEnabled=1
$UPA.Update()

Question: For whatever reason, I’d like to reprovision the sync service from scratch. How can I reset sync and will resetting harm my user profile data?
Answer:User profile sync serves as a staging area for data, and the data in profile store and social databases is the data consumed by the user profile service. So if the right steps are followed, you should be able to reset the sync service and related databases, without harming the user profile data. Here are a set of suggested steps:

1) Login as farm account

2) Backup the User Profile DB and the User Profile Sync DB

3) Stop the SharePoint 2010 Timer service:
PS D:\> net stop sptimerv4

4) Delete the data in the Sync DB using the following PowerShell script:
PS D:\> Get-SPDatabase

5) Copy the GUID associated with the User Profile Sync DB in the command line below
PS D:\> $syncdb=Get-SPDatabase -Id <GUID of User Profile Sync DB>

6) Execute these commands, in exactly the following order. This is not a script. So please cut and paste each of these commands one by one.
PS D:\> $syncdb.Unprovision()
PS D:\> $syncdb.Status=’Offline’
PS D:\> Get-SPServiceApplication
#Copy the GUID associated with the User Profile Service and paste it after “Id” in the next command:
PS D:\> $upa=Get-SPServiceApplication -Id <GUID of User Profile Service
PS D:\> $upa.ResetSynchronizationMachine()
PS D:\> $upa.ResetSynchronizationDatabase()

7) Provision the Sync DB:
PS D:\> $syncdb.Provision()

8) Add the User Profile Synchronization service account (farm account) as the dbowner on the Sync DB (using SQL Server Management Studio).

9) Start the SharePoint 2010 Timer service
PS D:\> net start sptimerv4

10) Start the User Profile Synchronization Service in the Central Administration UI.

11) After the User Profile Synchronization Service is started, reset IIS.
PS D:\> iisreset

12) Create connections to data sources in the Central Administration UI.

13) Run full user profile synchronization.

Tags

FAQs, My Site, SharePoint 2010

MY SITES

Question: I don’t want all my users to create mysites and/or use social features. How can I accomplish this?
Answer: The “Manage User Permissions” link (under “People” category) in the User Profile Service Application’s Central Admin page provides ACLs to accomplish this.
Question: How can I delete a tag or note from the system?
Answer: If someone leaves you a note on your profile, you can directly delete it from the profile page itself. For a noteboard on a team site, a user with full control permissions can delete notes directly. A user profile admin can also delete tags and notes from the user profile service application’s central admin page, by using the link “Manage Social Tags and Notes” at the bottom of the page.
Question: I’d like to create different profiles, for example for a full time employee vs interns. How can I accomplish this.
Answer: 2010 has a new concept of ‘sub-types’. These sub-types can be used to selectively use existing or custom properties for different types of user profiles.

Question: Why is there nothing showing in anyone’s Newsfeed?
Answer: By default, the timer jobs which fill in this information are disabled. You need to enable the Activity Feed Job and the Activity Feed Cleanup Job for data to appear here. Please refer to the planning documentation for complete information about this.

Question: I did what you said earlier, but now there’s no Tags or Notes in the Newsfeed. What’s happening?
Answer: Tags and Notes (as well as a few other things) are Security Trimmed in the Newsfeed. This relies on Search, so if Search has not run recently you will not get the right data. After completing a Search Crawl, people will be able to see Tags and Notes in the Newsfeed.

Question: A user’s name has changed in AD and in their User Profile, but it is still the old one in the Welcome menu on sites. Why?
Answer: You need to run the User Profile to SharePoint Full Synchronization timer job to bring data from a user’s User Profile into the sites that they visit.

Question: My users get “there was an error creating your personal site” and no further details when I try to create a My Site, what happened?
Answer: Check whether there is a root site collection on your Web App. You need this in order for Self Service Site Creation to function properly.

Question: I have two web apps, one legacy and one using Claims, and the My Site Host is on the legacy web app. Can Claims users use My Sites?
Answer: Not in this configuration. If you have multiple auth modes, in order for all users to use the same My Site Host you need to have it on a multi-auth Web App.

Question: How can I customize the My Network page?
Answer: As an end user, you can’t. This page exists on the My Site Host, which is shared with all users, and as a result individual users are unable to edit it. You are the owner of your My Site (under the My Content link) and you have full control over that page.

Question: People’s pictures look weird in the noteboard and other places, what is going on?
Answer: After upgrading you need to run the update-spprofilephotostore cmdlet. This will convert users’ photos to three thumbnails that are the correct size for the various web parts and controls. It is also possible for users of 14 to set their pictures through the OM to pictures that are the wrong size. This situation can be solved with the same cmdlet.

Question: I had a theme on my My Site, but after upgrade it’s gone. What happened?
Answer: Themes do not upgrade from 2007 to 2010. There are many themes available in Site Settings.

Question: I chose to use Visual Upgrade and leave all my sites with their old Look and Feel, but the My Sites changed their Look and Feel anyway. Why?
Answer: Due to deep changes in the My Sites for 2010, My Sites and My Site Hosts will upgrade to the new Look and Feel no matter what.

M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Mai Omar Desouki

~ PFE @ Microsoft

Category Archives: FAQ

User Profile Synchronization

SharePoint 2010 Communities FAQ

Share this:

Like this:

Share this:

Like this: