
Exclusion Filters in User Profile Synchronization

Assuming that you have already set up a profile synchronization connection, let’s say you need to configure the service to exclude users whose accounts have been disabled in Active Directory, or groups whose names contain the word “RAS”.

How would you do this? The answer is an exclusion filter, a feature that lets you exclude users (or groups) during the synchronization process.

First you need to get there:

1) Browse to Central Administration Site > Manage Service Applications > User Profile Service Application.
2) On the Manage Profile Service: User Profile Service Application page, click Configure Synchronization Connections. This will take you to a page that lists all the synchronization connections that are already set up.


3) Select the connection you want to filter, and then from the ECB menu, click Edit Connection Filter.

The Edit Connection Filters page is where you can select a user or group property for which you want to apply a synchronization filter and configure it. The page is divided into two sections: Exclusion Filter for Users and Exclusion Filter for Groups. Titles are pretty self-explanatory!

4) In the users section, click the Attribute list drop down and select userAccountControl flag.

Adsiedit.msc displays the value of this flag in decimal for a disabled account (John Doe):

5) Select Bit on equals as the operator, and then type 2 for the filter value. Don’t forget to click Add to add the filter condition to the list of existing conditions.

* Choose All apply (AND) when you need all of the conditions to be true for the exclusion filter to kick in.
* Choose Apply any (OR) when you need only one of the conditions to be true for the exclusion filter to kick in.

6) In the groups section, click the Attribute list drop down and select DisplayName.
7) Select Contains as the operator, and then type RAS for the filter value. Again, don’t forget to click Add to add the filter condition to the list of existing conditions.

Your page should look like this:

8) Click OK when you’re done.
9) Start a full synchronization.

Once the synchronization is completed, the John Doe guy and all the groups containing the word “RAS” shouldn’t be imported to SharePoint.
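The filter logic from steps 4 to 7, modelled as an added example that is not part of the original post and is not SharePoint code. The operator semantics, the `department` condition and the sample entries are assumptions constructed for illustration; the model shows why a bit test catches disabled accounts that a plain equality test on 514 misses, and how the AND/OR choice changes what gets excluded.

```python
# Model of the exclusion-filter logic described above; not SharePoint code.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

# Assumed semantics for the operator labels shown on the filter page.
OPERATORS = {
    "Bit on equals": lambda value, arg: (int(value) & int(arg)) == int(arg),
    "Equals": lambda value, arg: str(value) == str(arg),
    "Contains": lambda value, arg: str(arg) in str(value),
}

def is_excluded(entry, conditions, mode="AND"):
    """True when the entry matches the filter and would be left out of the sync."""
    hits = [attr in entry and OPERATORS[op](entry[attr], arg)
            for attr, op, arg in conditions]
    if not hits:
        return False  # no conditions configured: nothing is excluded
    return all(hits) if mode == "AND" else any(hits)

def excluded_names(entries, conditions, mode="AND"):
    """Names of the entries the filter would exclude, in input order."""
    return [e["name"] for e in entries if is_excluded(e, conditions, mode)]

# Constructed sample entries (512 = normal account, 65536 = password never expires).
USERS = [
    {"name": "John Doe",   "userAccountControl": 514,   "department": "Sales"},
    {"name": "Jane Roe",   "userAccountControl": 512,   "department": "Contractor"},
    {"name": "svc-backup", "userAccountControl": 66050, "department": "IT"},
    {"name": "Ann Lee",    "userAccountControl": 66048, "department": "Sales"},
]
GROUPS = [{"name": n, "DisplayName": n}
          for n in ("RAS Users", "Finance", "VPN and RAS Admins")]

DISABLED = ("userAccountControl", "Bit on equals", ACCOUNTDISABLE)
CONTRACTOR = ("department", "Contains", "Contractor")  # hypothetical second condition

if __name__ == "__main__":
    print(excluded_names(USERS, [DISABLED]))                            # bit test
    print(excluded_names(USERS, [("userAccountControl", "Equals", 514)]))  # exact match
    print(excluded_names(USERS, [DISABLED, CONTRACTOR], "AND"))
    print(excluded_names(USERS, [DISABLED, CONTRACTOR], "OR"))
    print(excluded_names(GROUPS, [("DisplayName", "Contains", "RAS")]))
```

With two conditions combined by AND, no sample user is excluded, so a disabled account would still be imported; switching to OR excludes every disabled account as well as every contractor.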

Categories: SharePoint 2010
  1. vijai
    December 21st, 2010 at 08:55 | #1

    How can I achieve the same thing using PowerShell?

  2. Vijai Anand
    December 22nd, 2010 at 08:24 | #2

    Hi, could you help me in doing the same thing using PowerShell?

    Thanks in advance…

    Vijai Anand.R

  3. December 28th, 2010 at 17:46 | #3

    Hi,

    How to configure the exclusion filter option in PowerShell or programmatically in SharePoint 2010?

    This is my urgent requirement. Kindly share your thoughts.

    Thanks..

    Regards,
    Karthic

  4. Andy
    April 18th, 2011 at 23:48 | #4

    I am trying to filter out the disabled users however when I do the first step (userAccountControl – Bit on equals – 2) and then full sync, I still get to see the disabled user in organisational hierarchy. Any ideas why?

  5. rkirk2k
    July 20th, 2012 at 14:06 | #5

    Andy: I am trying to filter out the disabled users however when I do the first step (userAccountControl – Bit on equals – 2) and then full sync, I still get to see the disabled user in organisational hierarchy. Any ideas why?

    @Andy
    The most likely problem is that you used more than just the “Bit on = 2” and didn’t change the default operator from “and” to “or”. This limits your filter’s application drastically, and is normally what I find where folks having this problem slipped up (the UI sucks and makes it difficult to know what you did when looking back).
    For more information on using “Bit on equals” and the gotchas with setting up filters, I’ve found NO BETTER REFERENCE than http://www.harbar.net/archive/2011/02/22/323.aspx. Good Luck!