Users, Profiles, and MySites: Managing a Changing SharePoint User population

  • 6,554 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
6,554
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
42
Comments
0
Likes
3

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Stsadm –o sync –ignoreisactive 1 (Syncs All User Profiles to UserInfoTable)-excludewebapps “http://url.domain.com,...” (except Site Collections in these Web apps)Stsadm –o sync –deleteolddatabases/listolddatabases 0 (resets sync record so all fields will sync on next run)Make sure to run stsadm –o sync without switches after to actually kick off sync job.
  • Show how to allow user edit access to a propertyDemonstrate how to change visibility level or propertyEdit properties for two users in CA to simulate Profile Sync (one active one non-active=add via AD group, logged in, but never contributed) Run User Profile to SharePoint Full Synchronization manuallyActive User will sync, non-active user won’t

Transcript

  • 1. Managing a Changing SharePoint User Population
  • 2. Paul Papanek Stork • Principal Architect for BlueChip Consulting Group • http://www.bluechip-llc.com • Contributing Author • Developer’s Guide to WSS 3.0 • MOSS 2007 Best Practices • Author • MCTS: WSS 3.0 Configuration Study Guide (70-631) • Pro SharePoint 2010 Development for Office 365 • Contact Information • Email: Paul.Stork@bluechip-llc.com • Blog: http://dontPaPanic.com/blog • Twitter: @PStork
  • 3. Agenda • AD Users, Profiles, & the UserInfo table • How SharePoint Security Works • Managing Profile Property/UserInfo Changes • Filtering User Synchronization • Cleaning up MySites and Profiles
  • 4. User Profiles and UserInfo Table • Foundation and Server are different • Foundation – UserInfo table only • Server – UserInfo table and Profiles • Profiles can be imported from AD, LDAP, or BCS • Profile changes are synced to UserInfo table • Quick sync every 5 minutes (new users only) • Full sync hourly • Users not marked as active are NOT sync’d • User information not pulled from consistent location • Lists and Welcome Menu use UserInfo table • People search crawls profiles
  • 5. WebFrontEnd Profile Synchronization Service Instance Profile Service Instance Search Indexing Tags and Security Trimming Enterprise Metadata Tagging and Profile Properties WFE talks to the service and SQL, maintains Front-end cache Mid-tier cache, optimized for most- used profiles, 256 Mb default (good for 500k users on average) Social Data SyncProfiles User Profile Service
  • 6. User Profile Timer JobsName Description Timing Activity Feed Cleanup Cleans up pre-computed activities that are used in activity feeds that are older than 14 days. This job does not affect the User Profile Change Log. Daily at 3 AM Activity Feed Pre-computes activities to be shown in user activity feeds. Hourly Audience Compilation Computes memberships of defined audiences. Weekly, Sat at 1 AM My Site Suggestions Email Sends e-mail messages that contain colleague and keyword suggestions to people who do not update their profile often, prompting them to update their profiles. Monthly, 15th at 10 PM Social Data Maintenance Aggregates social tags and ratings and cleans the social data change log. Hourly, 30 min after Social Rating Synchronization Synchronize rating values between Social Database and Content database Change Cleanup Job Cleans up data that is 14 days old from User Profile Change Log. Daily at 10 PM Change Job Processes changes to user profiles Hourly, on the hour Incremental Synchronization Synchronizes user, group and group membership changes between the User Profile Application and specified directory source Daily at 1 AM Language Synchronization Job Looks for new language pack installations and makes sure that strings that related to the user profile service are localized correctly. Every minute SharePoint Full Synchronization Synchronizes user information from the user profile application to SharePoint users and synchronizes site memberships from SharePoint to the user profile application. Hourly, on the hour SharePoint Quick Synchronization Synchronizes user information from the user profile application to SharePoint users who were recently added to a site. Every 5 minutes My Site Cleanup Job When a user is deleted, sends an e-mail message to the manager containing a request to the manager to move any documents or data that the manager wants to preserve, because the site might be deleted in the future. Hourly, on the hour System Job to Manage User Profile Synchronization Manages provisioning, run steps and additional tasks related to User Profile Synchronization. (Note: Don’t Change Timing) Every minute
  • 7. SharePoint Security • SharePoint handles Authorization not Authentication • Profiles have no connection to Authorization • Authorization is the union of three things • Principal - SharePoint User or SharePoint Group • Permission Level – Named set of Permissions • Securable Object – Web site, List, or Item • Key Understandings • Inherited by default • Users, Groups, and Permission Levels are shared by all sites in a Site Collection • Three part union can be applied anywhere that Inheritance is broken • Security only goes down to the List Item level
  • 8. SharePoint Security Principals • Groups • Users Permission Level • Read • Contribute • Full Control • Etc. Securable Object • Site • List • Item • Document • Etc.
  • 9. Problems Editing User Profiles • Some profile properties are not editable • Privacy level for some properties are locked • Errors editing fields that require Managed Metadata • Ask me About MemberOf • Job Title Department • Proxy Addresses Interests • Office Location Followed #Tags • Past Projects • Skills • Schools
  • 10. Problems Synching User Information • Most UI information pulled from User Info, not Profiles • Two Sync Timer Jobs to Sync Information • Problem: Inactive Users Ignored • Inactive Users (pre-2010) • Permissions gained through AD Group Membership • Must Login to be in Userinfo Table • Must Contribute to be marked ACTIVE • An Alternative Method • Stsadm -o sync -ignoreisactive 1 • Stsadm -o sync -deleteolddatabases 0
  • 11. Additional Challenges • How to keep from Importing All users • Filter based on OU • Filter based on UserProperties • UserInfo still used in List & Library Metadata • Profile Synch Deletes User Profile but not UserInfo • If you delete User from Site Collection Metadata breaks
  • 12. Property Filter Bit On Equals Value Disabled Account 2 Account Locked Out 5 No Password Required 6 Computer Account 13 Domain controller Account 14 Non-expiring password 17 Password Expired 24 Common Profile Sync Filters • Full List available at: http://www.harbar.net/archive/2011/02/22/323.aspx
  • 13. Effect of Filtering Users • UserInfo Table Entry Remains • Disabled Users can no longer log in • Profiles will be deleted if Filtered out of Sync • Re-Sync’d Profiles have My Site Issues • Can’t Connect to existing MySite • Can’t Create a New MySite • Fix is to edit the Personal Site address property
  • 14. What’s in a MySite • Shared Locations • My Site • My Newsfeed • My Profile • Personal Locations • My Content – Personal MySite • Personalization Site Tabs • Created & Managed Centrally • Displayed as Tab in MySite
  • 15. Cleaning up MySites and Profiles 1. User’s AD account/profile is deleted 2. User Profile Service Incremental Sync runs (Not User Profile to SharePoint Sync) 3. My Site Cleanup Job runs 4. User’s Manager receives e-mail and access to User’s MySite 5. Manager retrieves Intellectual Property from MySite 6. User’s MySite is deleted
  • 16. Email Sent to Manager
  • 17. MySite Deletion • Deletes MySite after 14 days • Based on an entry in the Profile database in the MySiteDeletionStatus Table • Requires Custom Code to prevent or postpone • Not archived before deletion • Deletion Approval is not required
  • 18. Issues & Weak Points • Lots of dependencies on Manager • Defined in Active Directory • Is a SharePoint User • Has a valid email • User Profile Sync • User Deleted in AD • Disabled Users if Filtered • UserInfo Table • References not Deleted with Profile • Manual clean-up of InfoTable causes loss of history
  • 19. Avoiding Pitfalls • Name Groups based on where they will be used to avoid misuse • Don’t adjust Group membership in sub sites • Always break inheritance from the top down in the site hierarchy • Delete old MySite before re-synching to create User Profile
  • 20. Best Practice Alternatives • Ensure that all dependencies are in place • Do not remove old users from People and Groups list (UserInfo) - or - • Create a Custom Workflow for off- boarding 1. Disable AD users rather than delete them 2. Delegate Site Collection Administrator role 3. Mark profiles inactive with custom field 4. Do not remove old users from People and Groups list
  • 21. Additional Resources • Synchronize user and group profiles in SharePoint Server 2013 - Technet http://tinyurl.com/ProfileSync2013 • Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization- Spence Harbar http://www.harbar.net/articles/sp2010ups.aspx • Inside the SharePoint 2010 My Site Cleanup Timer Job http://tinyurl.com/mySiteCleanup
  • 22. Contact Information Email: Paul.Stork@bluechip-llc.com Blog: http://dontPaPanic.com/blog Twitter: @PStork