Exclusion Filters in User Profile Synchronization
Assuming that you have already set up a profile synchronization connection, let’s say you need to configure the service to exclude users whose accounts have been disabled in Active Directory, or groups whose names contain the word “RAS”.
How would you do this? The answer is an exclusion filter: a feature that enables you to exclude users (or groups) during the synchronization process.
First you need to get there:
1) Browse to Central Administration Site > Manage Service Applications > User Profile Service Application.
2) On the Manage Profile Service: User Profile Service Application page, click Configure Synchronization Connections. This takes you to a page listing all the synchronization connections that are already set up.
3) Select the connection you want to filter, and then from the ECB menu, click Edit Connection Filter.
The Edit Connection Filters page is where you can select a user or group property for which you want to apply a synchronization filter and configure it. The page is divided into two sections: Exclusion Filter for Users and Exclusion Filter for Groups. Titles are pretty self-explanatory!
4) In the users section, click the Attribute list drop down and select userAccountControl flag.
Adsiedit.msc displays the value of this flag in decimal for a disabled account (John Doe):
5) Select Bit on equals as the operator, and then type 2 for the filter value. Don’t forget to click Add to add the filter condition to the list of existing conditions.
* Choose All apply (AND) when you need all of the conditions to be true for the exclusion filter to kick in.
* Choose Apply any (OR) when you need only one of the conditions to be true for the exclusion filter to kick in.
6) In the groups section, click the Attribute list drop down and select DisplayName.
7) Select Contains as the operator, and then type RAS for the filter value. Again, don’t forget to click Add to add the filter condition to the list of existing conditions.
Your page should look like this:
8) Click OK when you’re done.
9) Start a full synchronization.
Once the synchronization is completed, the John Doe guy and all the groups containing the word “RAS” shouldn’t be imported to SharePoint.
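To see which accounts a set of conditions would exclude before running a full synchronization, the filter logic can be modelled offline. This is an added example, not code from the original post or from SharePoint: the function names, the sample accounts, the `department` condition and the reading of “Bit on equals” as a bitwise AND test are assumptions.

```powershell
# Constructed sample accounts (not real directory data). userAccountControl is in
# decimal, as Adsiedit.msc shows it: 512 = normal account, 514 = 512 + 2 (disabled).
$accounts = @(
    [pscustomobject]@{ Name = 'John Doe';  userAccountControl = 514;   department = 'Sales' }
    [pscustomobject]@{ Name = 'Jane Roe';  userAccountControl = 512;   department = 'Sales' }
    [pscustomobject]@{ Name = 'Svc Batch'; userAccountControl = 66050; department = 'IT' }
    [pscustomobject]@{ Name = 'Sam Poe';   userAccountControl = 66048; department = 'IT' }
)

# Evaluate one filter condition against one account (hypothetical helper).
function Test-FilterCondition {
    param($Account, [hashtable]$Condition)
    $value = $Account.($Condition.Attribute)
    switch ($Condition.Operator) {
        # Assumed semantics: true when every bit of the filter value is set in the attribute.
        'BitOnEquals' { return (([int]$value -band [int]$Condition.Value) -eq [int]$Condition.Value) }
        'Equals'      { return ([string]$value -eq [string]$Condition.Value) }
        default       { throw "Unsupported operator: $($Condition.Operator)" }
    }
}

# Return the names the filter would exclude. Mode 'All' models AND, 'Any' models OR.
function Get-ExcludedAccount {
    param(
        [object[]]$Accounts,
        [hashtable[]]$Conditions,
        [ValidateSet('All', 'Any')][string]$Mode
    )
    foreach ($a in $Accounts) {
        $hits = @($Conditions | Where-Object { Test-FilterCondition -Account $a -Condition $_ })
        $excluded = if ($Mode -eq 'All') { $hits.Count -eq $Conditions.Count } else { $hits.Count -gt 0 }
        if ($excluded) { $a.Name }
    }
}

# The condition from step 5, plus a constructed second condition for comparison.
$disabled = @{ Attribute = 'userAccountControl'; Operator = 'BitOnEquals'; Value = 2 }
$sales    = @{ Attribute = 'department';         Operator = 'Equals';      Value = 'Sales' }

'Bit on equals 2 only: ' + ((Get-ExcludedAccount -Accounts $accounts -Conditions @($disabled) -Mode Any) -join ', ')
'Both conditions, AND: ' + ((Get-ExcludedAccount -Accounts $accounts -Conditions @($disabled, $sales) -Mode All) -join ', ')
'Both conditions, OR:  ' + ((Get-ExcludedAccount -Accounts $accounts -Conditions @($disabled, $sales) -Mode Any) -join ', ')
```

Against a live directory, the same bit test can be previewed with the ActiveDirectory module using the LDAP bitwise-AND matching rule, `Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'`.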
How can I achieve the same thing using PowerShell?
Hi, could you help me in doing the same thing using PowerShell?
Thanks in advance…
Vijai Anand.R
Hi,
How to configure the exclusion filter option in PowerShell or programmatically in SharePoint 2010?
This is my urgent requirement. Kindly share your thoughts.
Thanks..
Regards,
Karthic
I am trying to filter out the disabled users however when I do the first step (userAccountControl – Bit on equals – 2) and then full sync, I still get to see the disabled user in organisational hierarchy. Any ideas why?
@Andy
The most likely problem is that you used more than just the “Bit on = 2” and didn’t change the default operator from “and” to “or”. This limits your filter’s application drastically, and is normally what I find where folks having this problem slipped up (The UI sucks and makes it difficult to know what you did when looking back).
For more information on using “Bit on equals” and the gotchas with setting up filters, I’ve found NO BETTER REFERENCE than http://www.harbar.net/archive/2011/02/22/323.aspx. Good Luck!