User Profile Store

Post on 03-Feb-2022

Transcript of User Profile Store

Joshua Haebets

SharePoint Solutions Architect

Evolve Information Services

Joshua Haebets SharePoint Consultant

Evolve Information Services

• Principal Consultant / Solutions Architect

• @jhaebets on Twitter

• www.linkedin.com/in/jhaebets

• Blog on the way

• www.robotsdottxt.com

Agenda

• What is the User Profile Service Application
• How do you configure it
• Working with profiles
• Enhancing the profile service

People

Getting Profiles

Architecture diagram: Web Applications (e.g. http://sharepoint.mycompany.com) use Windows Identity Foundation and call the Service App, the User Profile Service, which relies on the Sync Service and three databases: the Profile DB, the Social DB and the Sync DB.

Sync Storage

• ConnectorSpace (CS): staging during sync
• Metaverse (MV): aggregated data

Sync flow between AD, the Metaverse (MV) and SharePoint UPS (diagram: AD, AD CS, MV, SP CS, SharePoint UPS)

1. Import data from Active Directory into the AD CS
2. Import from SharePoint UPS into the SP CS
3. Data is synced with the MV
4. Export data from the CS to SharePoint UPS
5. Import and data confirmation
6. Data is sent to the MV (including exports from UPS) and on to the AD CS
7. Data is sent from the AD CS to Active Directory
8. Data is checked and validated from AD to the AD CS

Data Stores

• Profile DB: profile data and activity feed
• Sync DB: sync staging
• Social DB: tags, ratings, keywords, bookmarks and comments

Getting it working

1. Create the User Profile Service Application
2. Start the User Profile Service
3. Start the User Profile Synchronization Service
4. Configure Synchronization Connections
5. Create the MySite Host

Create the User Profile Service Application

• From Central Administration: Manage Service Applications > New > User Profile Service Application

• PowerShell:

$ups = New-SPProfileServiceApplication -Name "User Profile Service Application" `
    -ApplicationPool "User Profile Application Pool" `
    -MySiteHostLocation "http://sps-ups/my" `
    -MySiteManagedPath "my/personal" `
    -ProfileDBName "SPS-UPS_ProfileDB" `
    -ProfileSyncDBName "SPS-UPS_SyncDB" `
    -SocialDBName "SPS-UPS_SocialDB"

New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
    -ServiceApplication $ups -DefaultProxyGroup

Start the User Profile Service

• From Central Administration: Manage Services on Server > User Profile Service > Start

• PowerShell:

# Get-SPServiceInstance returns one instance per server; filter on $_.Server too if the farm has several
$upservice = Get-SPServiceInstance | Where-Object {$_.TypeName.Contains("User Profile Service")}
Start-SPServiceInstance -Identity $upservice

Start the User Profile Synchronization Service

• From Central Administration: Manage Services on Server > User Profile Synchronization Service > Start
• Enter the Farm Account password
• The Farm Account must be a local admin on the server to provision the sync service
• The Farm Account must have the Log on locally right once the service has been provisioned
• PowerShell: a little harder than most; the script is at the end of the deck

Configure Synchronization Connections

Supported directory services:

• Active Directory Domain Services
• Novell eDirectory (LDAP)
• Sun Java Directory Service (LDAP)
• IBM Tivoli (LDAP)

Active Directory Permissions

• Create a service account for Active Directory read and write
• Isolate roles
• Keep domain admins happy

Manage Permissions: Replicate Directory Changes

• Delegate control on your domain and grant Replicate Directory Changes
• This gives you import permissions

More Permissions

• Create Child Objects permission for the User Profile Service account, set using ADSIEdit
• Allows you to write back to Active Directory... almost

More sync permissions

• One more in ADSIEdit: Advanced > Find the UPS service account
• Grant Write All Properties and Create All Child Objects
• There will be two instances
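The slides above say which rights the sync account needs on the domain, and the NetBIOS slide later adds Replicate Directory Changes on the Configuration container. The check below is an added example, not part of the deck or of SharePoint itself: it lists the Allow ACEs that the sync account holds on both naming contexts and labels the Replicate Directory Changes extended right so you can confirm the delegation landed, and that nothing broader than the deck asks for was granted. It assumes a domain-joined server, a caller who can read the ACLs, and a placeholder account name in $SyncAccount.

```powershell
# Added check (not from the deck): show the AD rights the UPS sync account actually holds
# on the domain and Configuration naming contexts. $SyncAccount is a placeholder.
$SyncAccount = "DOMAIN\svc-spups"   # placeholder: replace with the UPS service account

# Well-known extended-right GUIDs from the schema's controlAccessRight objects
$ReplicateChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes
$ReplicateChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes All

$rootDse    = [ADSI]"LDAP://RootDSE"
$containers = @([string]$rootDse.defaultNamingContext, [string]$rootDse.configurationNamingContext)

function Get-AceLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.ObjectType -eq $ReplicateChanges) {
        return "Replicating Directory Changes (required for import)"
    } elseif ($Ace.ObjectType -eq $ReplicateChangesAll) {
        # includes secret attributes; the deck only asks for Replicate Directory Changes
        return "Replicating Directory Changes All (more than UPS needs; review)"
    } else {
        return $Ace.ActiveDirectoryRights.ToString()
    }
}

foreach ($dn in $containers) {
    $entry = [ADSI]"LDAP://$dn"
    # explicit and inherited ACEs, resolved to DOMAIN\name form
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $mine  = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and $_.AccessControlType -eq "Allow"
    })

    Write-Output "== $dn =="
    if ($mine.Count -eq 0) {
        Write-Output "  no Allow ACEs for $SyncAccount"
        continue
    }
    foreach ($ace in $mine) {
        $origin = if ($ace.IsInherited) { "inherited" } else { "explicit" }
        Write-Output ("  {0,-9} {1}" -f $origin, (Get-AceLabel -Ace $ace))
    }
}
```

Run it before the first import and again after any delegation change; an empty list on the domain naming context explains the "No sync" outcome the deck warns about, and an ExtendedRight entry without either replication label usually means the wrong right was picked in the delegation wizard.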

Connecting to AD

• Auto-detect a domain controller or specify one
• Enter the User Profile service account credentials
• Select the OU/s you want to sync
• Say goodbye to LDAP queries

Configure Synchronization Connections: almost there...

• Connection Filters
  o Easily exclude disabled accounts from sync

Forefront Identity Manager

• C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell

Get permissions right or...

• No sync
• No write back to AD
• You can only do a Full Sync

Performing a Sync

Frequency:

• Hourly, Daily, Weekly, Monthly
• Or minutes (up to 59)
• Consider server load and directory service load

Still having trouble?

Proxies

• Make sure you do not have any proxies in use: netsh winhttp show proxy
• "No proxy / Direct access" doesn't mean it is so

Proxy Override

<configuration>
  <system.net>
    <defaultProxy>
      <bypasslist>
        <add address="[a-z]+\.DOMAIN\.lan" />
        <add address="192\.168\.0\.*" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>

And where are you going to put it...

1. C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\owstimer.exe.config
2. Web.config of your Central Administration Web Application (<system.net> <defaultProxy /> </system.net>)
3. C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\MIISClient.exe.config
4. C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\MIIServer.exe.config

Yes, that makes four locations
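Because the override has to be present in four separate files, it is easy to patch three and forget one. The script below is an added example, not from the deck: it opens each of the four config files the slide lists and reports whether a <system.net>/<defaultProxy> element exists, whether the proxy is disabled there, and which bypass patterns it carries. The first three paths are the SharePoint 2010 defaults from the slide; the Central Administration web.config path is a placeholder you must fill in for your farm.

```powershell
# Added check (not from the deck): which of the four config files carry the defaultProxy override?
$caWebConfig = "C:\inetpub\wwwroot\wss\VirtualDirectories\<CA-port>\web.config"   # placeholder

$configFiles = @(
    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\owstimer.exe.config",
    $caWebConfig,
    "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\MIISClient.exe.config",
    "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\MIIServer.exe.config"
)

function Get-DefaultProxyStatus {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; State = "file not found"; Bypass = @() }
    }

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # XPath rather than dotted properties so an empty <defaultProxy /> is still found
    $proxy = $doc.SelectSingleNode("/configuration/system.net/defaultProxy")
    if ($null -eq $proxy) {
        return [pscustomobject]@{ File = $Path; State = "no <defaultProxy> element"; Bypass = @() }
    }

    $bypass = @($proxy.SelectNodes("bypasslist/add") | ForEach-Object { $_.GetAttribute("address") })
    $state  = if ($proxy.GetAttribute("enabled") -eq "false") { "proxy disabled" }
              elseif ($bypass.Count -gt 0)                    { "bypass list present" }
              else                                            { "<defaultProxy> present, no bypass list" }

    [pscustomobject]@{ File = $Path; State = $state; Bypass = $bypass }
}

$configFiles | ForEach-Object { Get-DefaultProxyStatus -Path $_ } | Format-List
```

Any file reporting "no <defaultProxy> element" still uses the machine-wide proxy settings, which is exactly the case where the sync service can reach the internet but not the domain controller.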

Netbios Names

• By default the User Profile Service Application runs with NetBIOS disabled
• If you find profiles are NetBiosName\Username, e.g. for Netbios.domain.lan the profile appears as Netbios\joshua.haebets but should be domain\joshua.haebets
• The service account also needs Replicate Directory Changes on the Configuration container in ADSI

Enable Netbios

PowerShell and only PowerShell:

# DisplayName.Contains("User") is a loose match; make sure it returns only the UPS application
$ups = Get-SPServiceApplication | Where-Object {$_.DisplayName.Contains("User")}
$ups.NetBIOSDomainNamesEnabled = $true
$ups.Update()
$ups.NetBIOSDomainNamesEnabled
True

Then delete and recreate the connection to the directory store
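The slide tells you what the symptom looks like; the diagnostic below, an added example that is not from the deck, tells you in advance whether you will hit it. It reads the crossRef objects in the Configuration partition, which hold each domain's NetBIOS name alongside its DNS root, and flags any domain whose NetBIOS name is not simply the first label of its DNS name, which is the case in which NetBIOSDomainNamesEnabled has to be switched on. It needs only a domain-joined machine; no extra modules are assumed.

```powershell
# Added diagnostic (not from the deck): does any domain need NetBIOSDomainNamesEnabled?
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

# One crossRef per domain in the forest lives under CN=Partitions in the Configuration NC
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$searcher.Filter = "(&(objectClass=crossRef)(nETBIOSName=*))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("netbiosname", "dnsroot"))

function Test-NetBiosMismatch {
    param([string]$NetBiosName, [string]$DnsRoot)
    # A domain like corp.example.lan normally has the NetBIOS name CORP; anything else
    # produces NetBiosName\user profiles unless the UPS application has NetBIOS enabled
    $firstLabel = $DnsRoot.Split(".")[0]
    return ($NetBiosName -ne $firstLabel)   # -ne on strings is case-insensitive
}

$domains = foreach ($result in $searcher.FindAll()) {
    $netbios = [string]$result.Properties["netbiosname"][0]
    $dnsRoot = [string]$result.Properties["dnsroot"][0]
    [pscustomobject]@{
        DnsRoot      = $dnsRoot
        NetBIOS      = $netbios
        NeedsNetBIOS = Test-NetBiosMismatch -NetBiosName $netbios -DnsRoot $dnsRoot
    }
}

$domains | Format-Table -AutoSize

if (@($domains | Where-Object { $_.NeedsNetBIOS }).Count -gt 0) {
    Write-Output "NetBIOS name differs from DNS name: set NetBIOSDomainNamesEnabled on the UPS application, grant Replicate Directory Changes on the Configuration container, then delete and recreate the sync connection."
} else {
    Write-Output "NetBIOS and DNS names agree; the default (NetBIOS disabled) is fine."
}
```

Running this before the first sync avoids discovering the mismatch only after profiles have been created under the wrong account name, which is when the delete-and-recreate step becomes painful.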

What does it all mean

Profile Properties

• Create custom properties, e.g.
  • Clients / Accounts
  • Previous Employer
  • Footy Team
• Write back to Active Directory
• Never fear, import only by default

Managed Metadata

• Create standards, e.g.
  • Office Locations
  • Job Titles
  • Products
  • Customers
• Profile Properties can use Managed Metadata
• Create a fixed term set
• Assign Profile Managers

Export to Active Directory

• Job Titles
• Office Location
• Customers
• Products

Sub Types

• Separate profiles for employee types:
  • Part-time / casual employees
  • Contractors
  • Consultants
• Capture only the information you need for each profile type:
  • Work days
  • Start and/or End Date
  • Vendor / Consultancy

Import or Export

• Plan what you want to write back
• One-off import and then managed from SharePoint?
• Can HR manage everything from SharePoint now?

Profile Properties

Email analysis

• SharePoint reads your emails. Never fear, this is a good thing

Pictures

• Stored in "User Photos" at the root web of the MySite site collection
• 3 versions:
  o Large 144x144
  o Medium 96x96
  o Small 32x32
• Will size by longest edge
• Write back to AD and see them in Outlook

BCS Data Source

• Getting data from other systems: importing from LOB systems
• Not with User Profiles: import only

Data in - data out

• AD to SharePoint
• SharePoint to AD
• LOB System to SharePoint

Identity management for the masses

Patches... they were quick

• KB983497: http://support.microsoft.com/kb/983497
• Almost completely dedicated to the user profile issues
• Fixes issues with:
  • large data stores
  • groups and members
  • SQL locks
  • delays in sync
  • activity feed

Summary

• Follow the steps and UPS will work every time
• Plan what data (properties) you need
• Create the policies
• Set the permissions
• Decide what goes back to your directory service
• Decide what other systems have data to enrich users' profiles

Contact

• Joshua.haebets@evolve-is.com.au
• Slides will be here: www.slideshare.net/jhaebets
• Keep an eye on www.robotsdottxt.com
• www.linkedin.com/in/jhaebets

Thanks For Listening!

Be sure to submit your feedback if you want to be in the draw to win the Xbox 360 and other prizes!

Sponsors

Start the User Profile Synchronization Service (PowerShell script)

# Start the profile synchronization service on a server
function Start-ProfileSynchronizationService {
    PARAM (
        [string] $ProfileApplication = $(throw "You must provide a user profile service application name"),
        [string] $Machine,
        [string] $Password = $(throw "You must enter the password of the farm account (SharePoint timer service account)")
    )

    $upaApp = Get-SPServiceApplication | ? {$_.Name -like $ProfileApplication}
    if ($upaApp -eq $null) { throw "No service application named '$ProfileApplication' was found" }

    if ($Machine -eq $null -Or $Machine -eq "") {
        # default to the current machine
        $Machine = [System.Environment]::MachineName
    }

    # the sync service instance on the chosen server
    $syncService = Get-SPServiceInstance | ? {$_.TypeName -like "User Profile Synchronization Service" -And $_.Server.Address -like $Machine}
    if ($syncService -eq $null) { throw "No User Profile Synchronization Service instance found on '$Machine'" }

    ## get default timer service account (the farm account)
    $serviceAccount = (Get-SPFarm).DefaultServiceAccount

    Write-Output([System.String]::Format("Starting user profile sync service on machine {0} for UPA {1}; service account is {2}", $Machine, $upaApp.Name, $serviceAccount.Name))

    # provisions the sync service on $Machine to run as the farm account, hence the password
    $upaApp.SetSynchronizationMachine($Machine, $syncService.Id, $serviceAccount.Name, $Password)
}

## Use the function Start-ProfileSynchronizationService to start profile synchronization service
Write-Output "Starting user profile sync service"
$machine  = Read-Host "Please enter the server on which you want to run the profile sync service (by default is current machine)"
$upa      = Read-Host "Please enter the UPA name the profile sync service will be associated with"
$password = Read-Host "Please enter the service account (farm account) password"
Start-ProfileSynchronizationService -ProfileApplication $upa -Machine $machine -Password $password