If you’ve ever tried to set up SharePoint 2007 to import user profiles via LDAP, you’ll like this post. Setting up the SSP to import profiles is a fairly simple task; what is not so easy is applying the right LDAP user filter so that you import only the accounts you want from Active Directory. I’d like to share my experience with applying user filters, along with some of the excellent user filter examples I have found.
Instructions for creating a new connection and applying an LDAP user filter to limit the profiles imported by your Shared Service Provider:
1. Log in to your SharePoint Central Administration site.
2. Select your Shared Service Provider and click on “User profiles and properties” under the “User Profiles and My Sites” column.
3. Click on the link, “Manage Connections”.
4. Click on “Create New Connection”.
5. Give the connection a meaningful name.
6. In the Directory service server name text box, enter the server name or IP address of your LDAP server.
7. Enter the LDAP user filter of your choice (see below for examples).
Now you are ready to import your LDAP users into the profile database. Go back a screen and start a full import. Once the import starts enumerating you should see user profiles being imported into SharePoint. When the import is complete, click “View Profiles” to see what profiles were imported.
I’ve compiled a fairly good set of user filters below; feel free to submit a comment if you have others to add to the list.
Example LDAP User Filters
Default user filter:
(&(objectCategory=Person)(objectClass=User))
Exclude accounts with no email address (this filter also excludes disabled accounts):
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))
Exclude disabled accounts (the 1.2.840.113556.1.4.803 matching rule is a bitwise AND; here it tests the ACCOUNTDISABLE bit, value 2, of userAccountControl):
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Exclude accounts whose password is set to never expire (the DONT_EXPIRE_PASSWORD bit, value 65536; userAccountControl is a bitmask, so it must be tested with the bitwise rule rather than a plain equality match, which would only catch an account whose whole value is exactly 65536):
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))
Include only the accounts with valid email addresses (here, any mail value ending in "com"):
(&(objectCategory=Person)(objectClass=User)(mail=*com))
Include only the accounts that are part of the Branch1 organizational unit (note that this filter works by group membership: the 1.2.840.113556.1.4.1941 matching rule matches direct and nested members of the named group, not every account located in the OU):
(&(objectCategory=Person)(objectClass=User)(memberOf:1.2.840.113556.1.4.1941:=CN=Authenticated Users,OU=Branch1,DC=domain,DC=local))
Exclude accounts that don’t have a first name (and disabled accounts):
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(givenName=*))
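As an added example (not code from the original post), here is a small Python evaluator for the filter subset used above: it implements the &, | and ! operators, the presence, equality and trailing-substring tests, and the bitwise AND rule 1.2.840.113556.1.4.803 (the in-chain group rule is not implemented), and runs them against constructed sample accounts, so you can see why an equality test on userAccountControl does not exclude the intended accounts while the bitwise rule does. The parser requires the fully parenthesised (!(...)) form that RFC 4515 specifies; the account names, values and the SAMPLE_USERS list are constructed for the example.

```python
# Added example, not code from the original post: evaluates the RFC 4515 filter
# subset used above against constructed sample accounts (not real AD objects).
import fnmatch
BIT_AND = "1.2.840.113556.1.4.803"       # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE, UF_DONT_EXPIRE_PASSWD = 0x2, 0x10000   # 2 and 65536
def _expect(s, i, ch):                   # ValueError (not IndexError) on truncated input
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1
def _parse(s, i):                        # parse the filter at s[i] -> (node, next index)
    i = _expect(s, i, "(")
    c = s[i:i + 1]
    if c in ("&", "|"):                  # (&...) / (|...): N child filters
        kids, i = [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (c, kids), _expect(s, i, ")")
    if c == "!":                         # (!(...)): exactly one child, as RFC 4515 requires
        node, i = _parse(s, i + 1)
        return ("!", [node]), _expect(s, i, ")")
    end = s.index(")", i)                # (attr[:rule:]=value); ValueError if ')' missing
    attr, value = s[i:end].split("=", 1)
    return ("cmp", attr, value), end + 1

def _match(node, entry):
    if node[0] in ("&", "|"): return (all if node[0] == "&" else any)(_match(k, entry) for k in node[1])
    if node[0] == "!": return not _match(node[1][0], entry)
    _, attr, value = node
    name, _, rule = attr.partition(":")  # "userAccountControl:1.2...803:" -> name, rule OID
    vals = entry.get(name.lower(), [])   # AD attribute names are case-insensitive
    if rule.rstrip(":") == BIT_AND:      # matches only when every bit of value is set
        return any((int(v) & int(value)) == int(value) for v in vals)
    # equality, presence (*) and substring (*com) as glob matches; no values -> no match
    return any(fnmatch.fnmatchcase(str(v).lower(), value.lower()) for v in vals)

def filter_users(ldap_filter, entries):  # sAMAccountNames matched by ldap_filter
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter): raise ValueError("trailing text after filter")
    return [e["samaccountname"][0] for e in entries if _match(node, e)]

def _user(name, uac, **attrs):           # one constructed sample account
    return {"objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
            "samaccountname": [name], "useraccountcontrol": [uac],
            **{k: [v] for k, v in attrs.items()}}
SAMPLE_USERS = [_user("alice", 512, mail="alice@example.com", givenname="Alice"),
                _user("bob", 512 | UF_ACCOUNTDISABLE, mail="bob@example.com"),
                _user("carol", 512 | UF_DONT_EXPIRE_PASSWD, mail="carol@example.com"),
                _user("dave", 512, givenname="Dave")]
```

Call filter_users() with any of the filters above and SAMPLE_USERS; a filter that is missing a closing parenthesis raises ValueError instead of silently matching nothing.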
Other Resources
Wayne Hall – Importing only a specific group into sharepoint profile database (via LDAP)
MSDN – Active Directory Search Filter Syntax
LDAP Documentation – LDAP Attribute List
Filed under: Active Directory, MOSS 2007, Share Service Provider, SharePoint 2007
Has anyone had problems with trying to filter out disabled AD accounts? I cannot get the WSS profile import to filter out disabled AD accounts… I have tried for two months now and tried every solution that I can find on every forum, blog and discussion board.
Any help?
This should do the trick:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Might be worth checking in AD if the user is actually disabled.
However, I noticed that the following:
(&(objectCategory=Person)(objectClass=User)(memberOf:1.2.840.113556.1.4.1941:=CN=Authenticated Users,OU=Branch1,DC=domain,DC=local))
should include only the accounts that are part of the Branch1 organizational unit.
This is not the case; the previous filter actually only filters on users who are, as it says, members of that group. So even if someone is in the OU, if they are not a member of this OU they will not be returned. Hope this helps.
I haven’t found a way to exclude or include users in an OU yet using LDAP filters. I’ve found that you can add a profile property, add a managed path and then filter out the People scope by adding the rule to exclude users from the OU.
Hope that helps.