Pull ALL active directory users into SharePoint 2010

    Question

  • Hello,

    I have a SharePoint 2010 farm with a User Profile Service (UPS) configured.  It reaches into my AD Forest and pulls out exactly 24 users.  There are about 150 users in my company's Active Directory.  I have determined that all of the users it has retrieved are ones that have personally logged into the SharePoint farm at some point.  Why is it not pulling everyone?  I am not an AD guru and my AD gurus do not know anything about SharePoint so it is hard to find enough common ground to say to them "this needs to happen" in order to get the stuff imported.

    Does anybody have any experience or wisdom they can share with this issue?

    Thanks,

    - Matt


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    13 March 2012 18:17

Answers

  • Hi Matt,

    My first thought is are all those users in the same OU, or different OUs? In the Synchronization connections in the User Profile service, do you have any Connection filters set? Under the Edit part of the Sync connections to your AD, under the Populate Containers, what OUs are chosen there? Do they contain all your users?

    Also, how are you determining which users are retrieved? In our environment, a user's MySite is not created until they click on MySite to create it, but the users are present under the profile sync. It is also possible that the account name that is specified in the connection setting doesn't have the appropriate rights as so:

    Connection Settings

    For the Active Directory directory service server, type in Forest name and Domain controller name. For Active Directory connections to work, this account must have directory sync rights.

    13 March 2012 21:57
  • BTW, this is the permission that your UPS service account needs in your AD:

    Grant Active Directory Domain Services permissions for profile synchronization (SharePoint Server 2010)
    http://technet.microsoft.com/en-us/library/hh296982.aspx

    (Contrary to what most people think, this permission is a read-only permission; it allows the UPS to read a replication attribute so that it knows what is new and what is replicated already.)

    Good luck.

    Regards


    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blog.blksthl.com

    13 March 2012 22:34
  • Hi Matt.

    I have to agree with Donia that you are probably lacking some permission in AD or elsewhere that prevents user data from being imported. The 24 you have data on could be from their MySite or their profile in SP.
    If you manually trigger an import in your User Profile Service Application, does it synchronise exactly 24 users or 0?

    If the sync is working, then the number of users imported can depend on the OU or OUs you have selected to import. You can always select everything and see if all users get imported then? Maybe you have, for example, the Users OU selected but most users reside elsewhere?

    Hope this helps

    Regards


    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blog.blksthl.com

    13 March 2012 22:31

All replies

  • Yes, I believe you were right that there were permission issues.  I completely rebuilt the Connection with a new user IT created for this purpose (like the recommendation in the guide).

    Now I have a new problem - in FIM I get this status during the DS_FULLSYNC stage: stopped-extension-dll-no-implementation

    Event viewer shows this:  The management agent "MOSSAD-Midland Active Directory" failed on run profile "DS_FULLSYNC" because the extension "Microsoft.Office.Server.UserProfiles.ManagementAgent.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly

    There are no custom classes or anything in my UPS so I have no earthly clue why this is happening.  Everything should work OOB, right?  Nothing in the guides say I have to write my own classes in order to do this.  That would seem like a fatal flaw in an enterprise level application, especially in cases where a client has no developers available that could write such a class.


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    16 March 2012 17:44
  • Hey Matt,

    No, you don't have to write your own classes. What CU version of SharePoint are you at? The June CU caused User Profiles Syncs to fail. The latest version is Feb 2012. I'm running December's Cumulative updates in my own environment.

    Spence Harbar has a great section on user profile errors on his blog:

    http://www.harbar.net/articles/sp2010ups2.aspx#ups18

    Let us know what CU you are at, and thanks!

    16 March 2012 18:21
  • 14.0.6114.5 is the highest build for the "Microsoft User profiles" and a couple other components.  Therefore I must be at December's CU.

    Looking at the details of the February patch, however, I think I might just put that one on because it is describing a problem that is exactly like the one I am having.  I will do this and let you know how that goes.


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    16 March 2012 18:29
  • Did Feb 12 CU solve your problem?

    Thanks

    9 April 2012 10:27
  • Did Feb 12 CU solve your problem?

    Thanks

    Honestly, no.  It was the permission issue mentioned by Donia and Thomas that finally fixed me.  There were two active directory permissions (replicate directory and replicate configuration partition) that were required and this was not strictly obvious in the documentation, apparently.  So, after a little leg twisting I got them to give my user the permission and got it running.

    I will grant there is some minor possibility that applying the Feb 12 CU helped in some way but I cannot prove anything because the permission issue was holding me back.

    - Matt


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    9 April 2012 15:23
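
Added example, not part of the thread: a PowerShell check for the two grants described above, Replicating Directory Changes on the domain naming context and on the configuration partition, which also reports the broader Replicating Directory Changes All right that profile sync does not call for. The function name, the account `CONTOSO\svc-spsync`, the `contoso.example` domain and the sample ACEs are constructed placeholders; the live-use comment assumes the RSAT ActiveDirectory module.

```powershell
# Extended-right GUIDs (fixed schema constants in Active Directory).
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

function Test-SyncReplicationRight {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Access,
        [Parameter(Mandatory = $true)] [string] $Account,
        [string] $NamingContext = ''
    )
    # Keep only Allow ACEs that grant an extended right to this exact identity.
    # Rights reached through group membership or GenericAll are not resolved here.
    $aces = @($Access | Where-Object {
        "$($_.IdentityReference)" -eq $Account -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight'
    })
    # An empty ObjectType GUID on an ExtendedRight ACE means "all extended rights".
    $grants = { param($right) [bool]($aces | Where-Object {
        [guid]$_.ObjectType -eq $right -or [guid]$_.ObjectType -eq [guid]::Empty }) }
    [pscustomobject]@{
        NamingContext = $NamingContext
        Account       = $Account
        HasGetChanges = & $grants $GetChanges      # needed by the sync account
        HasGetAll     = & $grants $GetChangesAll   # broader than the sync needs
    }
}

# Constructed sample ACEs standing in for (Get-Acl "AD:\<naming context>").Access.
$acct = 'CONTOSO\svc-spsync'   # placeholder account name
$domainAces = @([pscustomobject]@{ IdentityReference = $acct; AccessControlType = 'Allow'
                ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $GetChanges })
$configAces = @([pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'
                AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll'
                ObjectType = [guid]::Empty })

Test-SyncReplicationRight -Access $domainAces -Account $acct -NamingContext 'DC=contoso,DC=example'
Test-SyncReplicationRight -Access $configAces -Account $acct `
    -NamingContext 'CN=Configuration,DC=contoso,DC=example'

# Live use on a domain-joined admin workstation:
#   Import-Module ActiveDirectory
#   $root = Get-ADRootDSE
#   foreach ($nc in $root.defaultNamingContext, $root.configurationNamingContext) {
#       Test-SyncReplicationRight -Access (Get-Acl "AD:\$nc").Access -Account $acct -NamingContext $nc
#   }
```

With the constructed data, the second result reports `HasGetChanges` as False for the configuration partition, which is the missing grant described in the post above.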
  • Thank you for your fast reply.

    I have the same issue in FIM stopped-extension-dll-no-implementation and the message in Application Event Viewer is the same:

    The management agent "MOSSAD-Midland Active Directory" failed on run profile "DS_FULLSYNC" because the extension "Microsoft.Office.Server.UserProfiles.ManagementAgent.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly.

    Not sure from your answer if this issue is also solved after giving the permissions and applying the FEB 12 CU.

    Regards

    10 April 2012 7:51
  • Ovidiu,

    I would say make sure you have the latest patch and both of the AD replication permissions on your profile synchronization account, and you should be good to go.  Like I said in my previous answer, I do not really know if the FEB CU made any difference but it definitely didn't hurt anything.

    - Matt


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    10 April 2012 15:52
  • Hi again,

    Unfortunately for me, even if I gave the replication permissions on the profile synchronization account + FEB 12 CU, I still get this error:

    The management agent "MOSSAD-Midland Active Directory" failed on run profile "DS_FULLSYNC" because the extension "Microsoft.Office.Server.UserProfiles.ManagementAgent.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly.

    and profiles are not sync'ed.

    Thank you!

    12 April 2012 6:41
  • You added both the replication permission and the configuration partition permission in AD for the "special" account for running the actual synchronization?  Did you check all the things on this article?


    Matt Olson, MS Content Development Specialist MCITP, MCTS

    12 April 2012 13:49
  • Yes I have all the necessary permissions and I checked also the 2 config files for lines about .net 4.0 and FEB12Cu is installed.

    However another farm (same build) has no problem in getting user profiles from the same AD.

    13 April 2012 5:31