Monday, April 29, 2013

Upgrade to SP2013, part 5: Setup the User Profile Service Application

One thing that is introduced (or has actually come back) in SP2013 is AD import (ADI). The big benefit of using ADI is that it is fast and easy to set up. Also, the filters are ready-made, so you can just check a box to filter out disabled accounts!! Great! Not much can go wrong there.

But if you want to use the UPS fully and import extra attributes from AD, such as user profile pictures and employee information, then you must set up the User Profile Synchronization import. And I want to do that, especially to import the photos, since I show the user's profile picture in the top right corner of our intranet. This means a bit more work, but it is still quite easy to configure and set up:

Start by creating the User Profile Service Application in "Manage service applications" and map it to a new application pool (which I add the farm account to). You also need to have that user in the local admin group on your server. And yes, you will get a message about this in the Health Analyzer, but just ignore that.

When that is done, go to Services on Server and start the two services “User Profile Service” and “User Profile Synchronization Service”. Enter the farm admin password on the page where you start the second service. The last one will take some time to start; just leave it for 5-10 minutes and it will be started. One important thing I learned at the SPEVO13 conference, at a session by Spencer Harbar, was that the field where you enter the farm account password is actually not validated, so if you enter an incorrect password there you might run into the famous “hang” when starting this service. So be sure you enter the correct password! I tried it and it does hang AND it did lock out my account until it finally stopped trying (new account policy for some admin accounts at my company), but it really does not tell you that the password is incorrect when you press OK on this page. Bad!!

Anyway, when you have the services started like this you can run an IISRESET.

I always do that, because I know that skipping it can give you errors or trouble when you want to create the AD connection, and I would rather be safe than sorry.

Now, go back to your User Profile service application and make sure that under “Configure synchronization settings” the option “Use SharePoint Profile Synchronization” is selected, and (optionally) deselect “Include existing BCS Connections for synchronization” for now since we don’t use that yet.

To set up the connection to your AD, go to “Configure synchronization connections”. When that is done, we need to set up the connection filters, in the most complicated and illogical way you can think of… to filter out the disabled accounts. Do this:

On your new AD connection, hover over it and select “Connection filters”
Make sure you have “All apply (AND)” checked
Select “userAccountControl” in the list and wait for it to update the page!
Select operator “Bit on equals” and set the Filter to “2”
Click on “Add”

If this is enough filters, just click OK to apply.
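To see why the filter tests a bit instead of an exact value, here is an added PowerShell example (not from the original post) that decodes userAccountControl values and compares a bit test on 2 (the ACCOUNTDISABLE flag) with an exact match on 514. The account names and values are constructed, and the helpers Get-UacFlagNames and Test-BitOn are hypothetical; the example assumes “Bit on equals” means that the bit in the filter value is set.

```powershell
# Documented userAccountControl flag values (subset).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function Get-UacFlagNames {
    param([int]$UserAccountControl)
    # Return the name of every flag whose bit is set in the value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($UserAccountControl -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-BitOn {
    param([int]$Value, [int]$Mask)
    # Assumed meaning of "Bit on equals": every bit of the mask is set in the value.
    return (($Value -band $Mask) -eq $Mask)
}

# Constructed sample accounts (not real data).
$accounts = @(
    [pscustomobject]@{ Name = 'alice';   UserAccountControl = 512   }  # enabled
    [pscustomobject]@{ Name = 'bob';     UserAccountControl = 514   }  # disabled
    [pscustomobject]@{ Name = 'svc-app'; UserAccountControl = 66048 }  # enabled, password never expires
    [pscustomobject]@{ Name = 'carol';   UserAccountControl = 66050 }  # disabled, password never expires
    [pscustomobject]@{ Name = 'dave';    UserAccountControl = 546   }  # disabled, password not required
)

# Compare the bit test with a naive exact match on 514.
$accounts | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        UAC          = $_.UserAccountControl
        Flags        = (Get-UacFlagNames $_.UserAccountControl) -join ', '
        BitOnEquals2 = Test-BitOn $_.UserAccountControl 2
        Equals514    = ($_.UserAccountControl -eq 514)
    }
} | Format-Table -AutoSize
```

The BitOnEquals2 column is true for every account that carries ACCOUNTDISABLE, while the Equals514 column only catches the one account with no other flags set besides NORMAL_ACCOUNT.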

Now go back to your User Profile Service Application using the breadcrumb…. Hahaha NOT. Spencer made that joke at the SPEVO conference, not sure how many got that… I was laughing anyway!

So go all the way back to your UPS and start the synchronization, and yes it has to be a Full the first time.

Optional: before you start the import you can import some extra attributes from the AD. I want to add the user profile pictures:

Go to “Manage User properties” and find the one called Picture. Change the settings to “Do not allow users to edit” if you don’t want your users to upload their own pictures (can result in everything from pics of cats, beers, strange positions etc if you allow this!) and then select “thumbnailPhoto” from the attributes list. “Direction” should be “import”. Then click on Add.

Now start the full import. The time it takes of course depends on how many users you import and how many extra attributes. For me it took about 7 minutes to import 1700 users.

One last thing I do is to go to the "Manage service applications" view, select the UPS and click on “Administrators”. I add the Search account and set it to “Retrieve People Data for Search Crawlers” so I know that People search will also work.

2 comments:

Squiggle said...

If you wish to upgrade the UPS, Microsoft's TechNet articles miss out some important steps ...

I can C&P my scripts if anyone's interested ... As watching the Sync Service fail to start can often cause tears.