Managing a Changing SharePoint User Population
  • Stsadm -o sync -ignoreisactive 1 (syncs all user profiles to the UserInfo table)
    -excludewebapps "http://url.domain.com,..." (except site collections in these web apps)
    Stsadm -o sync -deleteolddatabases/listolddatabases 0 (resets the sync record so all fields will sync on the next run)
    Make sure to run stsadm -o sync without switches afterwards to actually kick off the sync job.
  • Show how to allow user edit access to a property.
    Demonstrate how to change the visibility level of a property.
    Edit properties for two users in CA to simulate Profile Sync (one active, one non-active = added via AD group, logged in, but never contributed).
    Run User Profile to SharePoint Full Synchronization manually.
    Active user will sync, non-active user won't.
  • Users, Profiles, and MySites: Managing a Changing SharePoint User population

    1. Managing a Changing SharePoint User Population
    2. Paul Papanek Stork
       • Principal Architect for BlueChip Consulting Group
       • http://www.bluechip-llc.com
       • Contributing Author
       • Developer's Guide to WSS 3.0
       • MOSS 2007 Best Practices
       • Author
       • MCTS: WSS 3.0 Configuration Study Guide (70-631)
       • Pro SharePoint 2010 Development for Office 365
       • Contact Information
       • Email: Paul.Stork@bluechip-llc.com
       • Blog: http://dontPaPanic.com/blog
       • Twitter: @PStork
    3. Agenda
       • AD Users, Profiles, & the UserInfo table
       • How SharePoint Security Works
       • Managing Profile Property/UserInfo Changes
       • Filtering User Synchronization
       • Cleaning up MySites and Profiles
    4. User Profiles and UserInfo Table
       • Foundation and Server are different
       • Foundation – UserInfo table only
       • Server – UserInfo table and Profiles
       • Profiles can be imported from AD, LDAP, or BCS
       • Profile changes are synced to UserInfo table
       • Quick sync every 5 minutes (new users only)
       • Full sync hourly
       • Users not marked as active are NOT sync'd
       • User information not pulled from consistent location
       • Lists and Welcome Menu use UserInfo table
       • People search crawls profiles
    5. [Diagram: User Profile Service]
       • Components: WebFrontEnd; Profile Synchronization Service Instance; Profile Service Instance; Search (Indexing Tags and Security Trimming); Enterprise Metadata (Tagging and Profile Properties)
       • Databases: Social Data, Sync, Profiles
       • WFE talks to the service and SQL, maintains Front-end cache
       • Mid-tier cache, optimized for most-used profiles, 256 Mb default (good for 500k users on average)
    6. User Profile Timer Jobs
       Name | Description | Timing
       Activity Feed Cleanup | Cleans up pre-computed activities that are used in activity feeds that are older than 14 days. This job does not affect the User Profile Change Log. | Daily at 3 AM
       Activity Feed | Pre-computes activities to be shown in user activity feeds. | Hourly
       Audience Compilation | Computes memberships of defined audiences. | Weekly, Sat at 1 AM
       My Site Suggestions Email | Sends e-mail messages that contain colleague and keyword suggestions to people who do not update their profile often, prompting them to update their profiles. | Monthly, 15th at 10 PM
       Social Data Maintenance | Aggregates social tags and ratings and cleans the social data change log. | Hourly, 30 min after
       Social Rating Synchronization | Synchronizes rating values between Social Database and Content database. |
       Change Cleanup Job | Cleans up data that is 14 days old from User Profile Change Log. | Daily at 10 PM
       Change Job | Processes changes to user profiles. | Hourly, on the hour
       Incremental Synchronization | Synchronizes user, group and group membership changes between the User Profile Application and specified directory source. | Daily at 1 AM
       Language Synchronization Job | Looks for new language pack installations and makes sure that strings that relate to the user profile service are localized correctly. | Every minute
       SharePoint Full Synchronization | Synchronizes user information from the user profile application to SharePoint users and synchronizes site memberships from SharePoint to the user profile application. | Hourly, on the hour
       SharePoint Quick Synchronization | Synchronizes user information from the user profile application to SharePoint users who were recently added to a site. | Every 5 minutes
       My Site Cleanup Job | When a user is deleted, sends an e-mail message to the manager containing a request to the manager to move any documents or data that the manager wants to preserve, because the site might be deleted in the future. | Hourly, on the hour
       System Job to Manage User Profile Synchronization | Manages provisioning, run steps and additional tasks related to User Profile Synchronization. (Note: Don't Change Timing) | Every minute
    7. SharePoint Security
       • SharePoint handles Authorization not Authentication
       • Profiles have no connection to Authorization
       • Authorization is the union of three things
       • Principal - SharePoint User or SharePoint Group
       • Permission Level – Named set of Permissions
       • Securable Object – Web site, List, or Item
       • Key Understandings
       • Inherited by default
       • Users, Groups, and Permission Levels are shared by all sites in a Site Collection
       • Three part union can be applied anywhere that Inheritance is broken
       • Security only goes down to the List Item level
    8. SharePoint Security
       Principals
       • Groups
       • Users
       Permission Level
       • Read
       • Contribute
       • Full Control
       • Etc.
       Securable Object
       • Site
       • List
       • Item
       • Document
       • Etc.
    9. Problems Editing User Profiles
       • Some profile properties are not editable
       • Privacy level for some properties is locked
       • Errors editing fields that require Managed Metadata
       • Ask me About
       • MemberOf
       • Job Title
       • Department
       • Proxy Addresses
       • Interests
       • Office Location
       • Followed #Tags
       • Past Projects
       • Skills
       • Schools
    10. Problems Synching User Information
       • Most UI information pulled from User Info, not Profiles
       • Two Sync Timer Jobs to Sync Information
       • Problem: Inactive Users Ignored
       • Inactive Users (pre-2010)
       • Permissions gained through AD Group Membership
       • Must Login to be in Userinfo Table
       • Must Contribute to be marked ACTIVE
       • An Alternative Method
       • Stsadm -o sync -ignoreisactive 1
       • Stsadm -o sync -deleteolddatabases 0
    11. Additional Challenges
       • How to keep from Importing All users
       • Filter based on OU
       • Filter based on UserProperties
       • UserInfo still used in List & Library Metadata
       • Profile Synch Deletes User Profile but not UserInfo
       • If you delete User from Site Collection Metadata breaks
    12. Common Profile Sync Filters
       Property Filter | Bit On Equals Value
       Disabled Account | 2
       Account Locked Out | 5
       No Password Required | 6
       Computer Account | 13
       Domain controller Account | 14
       Non-expiring password | 17
       Password Expired | 24
       • Full List available at: http://www.harbar.net/archive/2011/02/22/323.aspx
    13. Effect of Filtering Users
       • UserInfo Table Entry Remains
       • Disabled Users can no longer log in
       • Profiles will be deleted if Filtered out of Sync
       • Re-Sync'd Profiles have My Site Issues
       • Can't Connect to existing MySite
       • Can't Create a New MySite
       • Fix is to edit the Personal Site address property
    14. What's in a MySite
       • Shared Locations
       • My Site
       • My Newsfeed
       • My Profile
       • Personal Locations
       • My Content – Personal MySite
       • Personalization Site Tabs
       • Created & Managed Centrally
       • Displayed as Tab in MySite
    15. Cleaning up MySites and Profiles
       1. User's AD account/profile is deleted
       2. User Profile Service Incremental Sync runs (Not User Profile to SharePoint Sync)
       3. My Site Cleanup Job runs
       4. User's Manager receives e-mail and access to User's MySite
       5. Manager retrieves Intellectual Property from MySite
       6. User's MySite is deleted
    16. Email Sent to Manager
    17. MySite Deletion
       • Deletes MySite after 14 days
       • Based on an entry in the Profile database in the MySiteDeletionStatus Table
       • Requires Custom Code to prevent or postpone
       • Not archived before deletion
       • Deletion Approval is not required
    18. Issues & Weak Points
       • Lots of dependencies on Manager
       • Defined in Active Directory
       • Is a SharePoint User
       • Has a valid email
       • User Profile Sync
       • User Deleted in AD
       • Disabled Users if Filtered
       • UserInfo Table
       • References not Deleted with Profile
       • Manual clean-up of InfoTable causes loss of history
    19. Avoiding Pitfalls
       • Name Groups based on where they will be used to avoid misuse
       • Don't adjust Group membership in sub sites
       • Always break inheritance from the top down in the site hierarchy
       • Delete old MySite before re-synching to create User Profile
    20. Best Practice Alternatives
       • Ensure that all dependencies are in place
       • Do not remove old users from People and Groups list (UserInfo)
       - or -
       • Create a Custom Workflow for off-boarding
       1. Disable AD users rather than delete them
       2. Delegate Site Collection Administrator role
       3. Mark profiles inactive with custom field
       4. Do not remove old users from People and Groups list
    21. Additional Resources
       • Synchronize user and group profiles in SharePoint Server 2013 - Technet http://tinyurl.com/ProfileSync2013
       • Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization - Spence Harbar http://www.harbar.net/articles/sp2010ups.aspx
       • Inside the SharePoint 2010 My Site Cleanup Timer Job http://tinyurl.com/mySiteCleanup
    22. Contact Information
       • Email: Paul.Stork@bluechip-llc.com
       • Blog: http://dontPaPanic.com/blog
       • Twitter: @PStork
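
An added example, not part of the original deck: a PowerShell preview of which accounts a chosen set of the Common Profile Sync Filters (slide 12) would exclude, before the profile deletion described on slide 13 takes effect. It assumes the numbers in that table are 1-based bit positions in the AD userAccountControl attribute (bit 2 corresponds to the 0x2 disabled flag); the function name, the default filter selection and the sample accounts are constructed for illustration, and PowerShell 3.0 or later is required.

```powershell
# Bit numbers copied from the "Common Profile Sync Filters" slide.
# Assumption: 1-based bit positions in AD's userAccountControl attribute.
$SyncFilterBits = [ordered]@{
    'Disabled Account'          = 2
    'Account Locked Out'        = 5
    'No Password Required'      = 6
    'Computer Account'          = 13
    'Domain controller Account' = 14
    'Non-expiring password'     = 17
    'Password Expired'          = 24
}

# Hypothetical helper: returns the names of the selected filters whose bit
# is set in the given userAccountControl value (nothing if none match).
function Get-MatchedSyncFilter {
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$ExcludeOn = @('Disabled Account', 'Computer Account')
    )
    foreach ($name in $ExcludeOn) {
        if (-not $SyncFilterBits.Contains($name)) { throw "Unknown filter '$name'" }
        $mask = 1 -shl ($SyncFilterBits[$name] - 1)   # bit 2 -> 0x2, bit 13 -> 0x1000
        if (($UserAccountControl -band $mask) -ne 0) { $name }
    }
}

# Constructed sample accounts (userAccountControl as decimal).
$accounts = @(
    [pscustomobject]@{ Sam = 'alice';     UAC = 512 }    # normal, enabled
    [pscustomobject]@{ Sam = 'bob';       UAC = 514 }    # 512 + 2: disabled
    [pscustomobject]@{ Sam = 'svc-crawl'; UAC = 66048 }  # 512 + 65536: non-expiring password
    [pscustomobject]@{ Sam = 'WKS01$';    UAC = 4096 }   # computer account
)

# ProfileKept = False means the account is filtered out of the sync, so its
# profile is deleted while its UserInfo entry remains (slide 13).
foreach ($a in $accounts) {
    $hits = @(Get-MatchedSyncFilter -UserAccountControl $a.UAC)
    [pscustomobject]@{
        Account     = $a.Sam
        UAC         = $a.UAC
        ProfileKept = ($hits.Count -eq 0)
        Matched     = $hits -join ', '
    }
}
```

With the default selection, bob and WKS01$ are reported as filtered out; passing -ExcludeOn 'Non-expiring password' flags svc-crawl instead.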
