Testing and tweaking the LDAP filter for your profile import connections

Note: This post got a lot longer than I anticipated – even without screenshots – and because I don’t want to lose you before you get to what I consider the good stuff, I have it labeled as such below and you can jump right to it if you want.  In order to provide what I consider a more complete story however, I feel obligated to provide a little foundation first for those that are interested.  🙂

The background / foundation:
As part of setting up a SharePoint (MOSS) environment, administrators need to configure the Profile Import in SSP in order to get user accounts from Active Directory into the SharePoint Profile database.  By default, SharePoint will import all users from the Current domain – which is not always the desired list of accounts. 

To change the accounts that are being imported, you can do the following:

  1. From the Shared Services home page, select User profiles and properties
  2. Select View import connections
  3. Hover over the name of your connection and select Edit
  4. The Search Settings section of the Edit Connections page will display the Search base and the User filter values. 
  5. If only users from a particular directory node are desired, you can make changes in the Search base field.
  6. We’re currently talking about tweaking the values in the User filter field.
     Default value:
     (&(objectCategory=Person)(objectClass=User))
     Minimum change you should use per the MS article (below) to remove disabled accounts:
     (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The default User filter will likely import more accounts than you are intending for use in SharePoint.  Remember, the accounts that are imported will also be crawled by the search indexer and will be available as search results from the People Search scope.  Because of this, we want to keep the accounts imported to a minimum so that the search results aren’t cluttered up with non-useful information. 
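
To see what the extra clause changes, here is an added example (not from the original post or the MS article): a small Python evaluator that runs both User filter values over constructed directory entries, including the `1.2.840.113556.1.4.803` bitwise-AND rule that tests the "account disabled" bit (2) of userAccountControl. The sample accounts and the helper names (`parse`, `matches`, `imported`) are assumptions for illustration, and only `&`, `|`, `!`, equality and that one matching rule are supported.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: true when (value & mask) == mask
DEFAULT_FILTER = "(&(objectCategory=Person)(objectClass=User))"
NO_DISABLED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                      "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def parse(f, i=0):
    """Parse the parenthesised filter starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":                      # composite: operator followed by sub-filters
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                  # simple item: attr=value or attr:rule:=value
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:end])
    if not m:
        raise ValueError(f"unsupported filter item: {f[i:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr, [])
    if rule == BIT_AND:                    # every bit of the mask must be set
        return any(int(v) & int(value) == int(value) for v in have)
    return any(str(v).lower() == value.lower() for v in have)

USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE = [  # constructed entries; userAccountControl 514/66050 have the disabled bit (2) set
    {"samaccountname": ["alice"], "objectcategory": ["person"], "objectclass": USER, "useraccountcontrol": ["512"]},
    {"samaccountname": ["bob"], "objectcategory": ["person"], "objectclass": USER, "useraccountcontrol": ["514"]},
    {"samaccountname": ["svc_backup"], "objectcategory": ["person"], "objectclass": USER, "useraccountcontrol": ["66048"]},
    {"samaccountname": ["old_temp"], "objectcategory": ["person"], "objectclass": USER, "useraccountcontrol": ["66050"]},
    {"samaccountname": ["WS01$"], "objectcategory": ["computer"], "objectclass": USER + ["computer"], "useraccountcontrol": ["4096"]},
]

def imported(filter_text, entries=SAMPLE):
    tree, _ = parse(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
```

With these entries the default filter returns four accounts and the second filter returns only the two enabled ones; the computer account is excluded by `objectCategory=person` in both cases.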

There are a number of good references out there for help with creating a specific LDAP filter for your import, including one by MS:  http://support.microsoft.com/kb/827754  

The good stuff:
There are a lot of queries and filters available, depending on what you’re looking to filter.  Regardless, what IS irritating is having to change your filter, Start full import and then View user profiles over and over until you get the list of accounts that you like.  So, what I’ve really been building up to is to use the following as a way to shortcut that process and test your LDAP filter before using it for your SSP import.    

  1. Go to Run -> mmc  (This is the Microsoft Management Console)
  2. Once the application starts, select File -> Add/Remove Snap-in…
  3. Select Add
  4. Select Active Directory Users and Computers.  Select Add, then Close
  5. Select OK
  6. Active Directory Users and Computers should now be on the Console
  7. Expand Active Directory Users and Computers and the current domain should be visible
  8. Select the current domain, and the accounts, etc should be visible in the right pane
  9. Right click on the current domain in the left pane, and select Find
  10. In the Find dropdown, select Custom Search
  11. Select the Advanced tab

You should now be able to enter an LDAP query string and test it to see if you are getting the approximate number of users that you’d expect in your SSP Profile Import.  For starters, you could cut and paste the default value of the User Filter and see what users are returned by pressing the Find Now button.  A list of accounts and a count should be returned by the tool. 

Now, a few more notes for after you’ve found the filter value you want.  Once you’ve entered your new filter value and re-run the full import, you may notice that the Number of user profiles value reported on the User Profiles and Properties page hasn’t changed.  The page you want to check is View User Profiles.  This page will show you both the total number of user profiles, as well as the list of active user profiles, which is likely a lower number and hopefully matches the number that the mmc tool reported during your testing of the query. 

Now what you need to do, and why you should tweak your import query before your first import, is remove all the accounts you don’t want.  On the View User Profile page, change the View dropdown from Active Profiles to Profiles missing from import.  You need to select each account, or each screen-full of accounts and delete them.  (I hope you don’t have a lot, because that will be a pain.) 

Once you’ve got all the junk cleaned out, start a full crawl on your profile database and your index should also be updated. 

Thanks to Brian for showing me this a few months ago… I’ve used it a bunch of times and have since passed it on to a number of co-workers and clients alike.  Hopefully you’ll find it handy as well.

 
