When will I learn? After implementing SharePoint 2013 and the AD Connector for Profile Imports, things were going great. Incremental sync times were under 30 minutes, no more SyncDB corruptions, no more hassle with Services not starting, life seemed rosy.
Then I started to get calls about users that had left the company showing up in PeopleSearch. Hmmm, I wonder what’s up? Looking into the issue, when using the AD Connector and selecting the option to Filter Out disabled accounts, it really filters them out. By that I mean the Sync ignores them. Forever. And ever.
“That’s OK”, thought I, as soon as the accounts are deleted from AD, the sync will remove the profile. Right? Right?!?!
Not so fast there, it would appear that while running through test scenarios for the AD Connector and profile syncs, our buddies in Redmond missed one very important scenario. If you disable an account in AD, then delete the account, the incremental profile sync will never remove the profile. The only way to clean those up is to run a full. Kind of a pain, since you can’t schedule a full, but nonetheless, that is the fix. I mean, really, who out there actually disables accounts before they remove them? Ummm, everyone.
So, and here’s the wonky thing, if you just delete an AD account without disabling it, the incremental sync will remove the profile.
If you disable an account in AD, then re-enable the account in AD, then delete the account in AD, and run an incremental sync, the profile will be removed.
It’s only if you disable an account in AD and then delete it that the profile is never removed (without a Full).
Thought you might like to know… I sure didn’t.
Update: Microsoft confirmed via a support call that this is indeed broken, and they are not going to fix it. The workaround is to write a PowerShell script to remove the profiles of disabled accounts, or execute a Full Sync each night to clean up the disabled profiles. Or, they said, I could use FIM. Yeah, right….
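For the first workaround mentioned above, here is an added example of what such a cleanup script could look like. It is not the author’s script or anything shipped by Microsoft; the site URL and domain name are assumptions, and it needs to run in the SharePoint Management Shell on a server that also has the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): remove SharePoint 2013 user profiles whose AD
# account is disabled or no longer exists, i.e. the disabled-then-deleted accounts that an
# incremental sync leaves behind. Use -WhatIf first to see what would be removed.
param(
    [string]$SiteUrl = "https://portal.contoso.local",   # assumption: any site served by the target UPA
    [string]$Domain  = "CONTOSO",                        # assumption: only touch this domain's accounts
    [switch]$WhatIf                                      # report only, remove nothing
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$site = Get-SPSite $SiteUrl
$ctx  = Get-SPServiceContext -Site $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$toRemove = @()
foreach ($up in $upm.GetEnumerator()) {
    $stored = $up["AccountName"].Value                 # as stored in the UPA, e.g. CONTOSO\jdoe
    if (-not $stored) { continue }
    $account = $stored.Split('|')[-1]                  # strip a claims prefix (i:0#.w|...) if present
    if ($account -notlike "$Domain\*") { continue }    # leave other domains and non-AD entries alone
    $sam = $account.Split('\')[-1]

    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
        $reason = if ($adUser.Enabled) { $null } else { "disabled in AD" }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $reason = "deleted from AD"                    # the case the incremental sync never cleans up
    }
    if ($reason) {
        $toRemove += [pscustomobject]@{ Stored = $stored; Account = $account; Reason = $reason }
    }
}

foreach ($entry in $toRemove) {
    if ($WhatIf) {
        Write-Host "Would remove profile $($entry.Account) ($($entry.Reason))"
    } else {
        Write-Host "Removing profile $($entry.Account) ($($entry.Reason))"
        # Remove by the stored account name; the My Site Cleanup timer job handles any orphaned My Site.
        $upm.RemoveUserProfile($entry.Stored)
    }
}
$site.Dispose()
Write-Host "$($toRemove.Count) profile(s) flagged"
```

Schedule it (for example as a nightly scheduled task running as the farm account) after the incremental sync, which is the same timing Microsoft suggested for the nightly Full.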