Omitting non-user accounts from user profile generation

  Asked By: Coty    Date: Sep 03    Category: MOSS    Views: 1381

Our MOSS environment builds user profiles by pulling from a single AD
domain. We would like to eliminate non-user (system, admin, etc.)
accounts from the user profiles for both efficiency and security
reasons. In the past we tried to do this by filtering for specific OUs,
but SP didn't allow that. We have thought that we'd have to do it via
AD security groups but my AD expert tells me that's a bizarre and
resource-intensive way to do it. I seem to recall that SP1 addressed
the OU issue in some capacity. Has anyone got more information about
that or test results? Anyone have any additional suggestions for me?
This is a fairly big issue for us and I've been unable to make any
progress (it's preventing us from deploying people search and My Sites).


3 Answers Found

 
Answer #1    Answered By: Katelynn Donovan     Answered On: Sep 03

We do this and it works nicely... you can build custom LDAP
filters/query to define WHICH AD user account objects are included in
the profile import.

With this, you can use additional criteria (attributes) to per se "tag"
the accounts as belonging to a human rather than a "system type account".
In our company, a separate process pulls data from our HR database and
imports it into Active Directory. We use the "employee number" as the
key field for these transactions. When this sync process is executed,
records in AD and HR db with a matching "employee number" are keyed and
then other information from HR (such as phone#, title, department,
business center, country, location, etc) is imported directly into
Active Directory.

Then when the SharePoint profile database sync job runs, we use LDAP
filters to keep out the system accounts. For example, only AD user
objects with a "Job Title" and an "employee number" present are synched
to the SharePoint Profile dB. If an employee number is missing from the
AD object, then the sync is not performed.
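
Added example, not part of the original answer and not SharePoint's own code: a filter of the kind Answer #1 describes, with a small Python evaluator run over constructed directory entries to show which accounts it admits. It assumes "Job Title" maps to the AD attribute `title` and "employee number" to `employeeNumber`; the account names and values are made up.

```python
# Added example: evaluates a subset of LDAP filter syntax (RFC 4515):
# &, |, !, presence (attr=*) and equality (attr=value).
# Assumed mapping: "Job Title" -> title, "employee number" -> employeeNumber.
PROFILE_FILTER = "(&(objectCategory=person)(objectClass=user)(title=*)(employeeNumber=*))"

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr or attr[-1] in "<>~:" or ("*" in value and value != "*"):
        raise ValueError(f"unsupported or malformed item near offset {i}")
    return ("item", attr.lower(), value), end + 1

def compile_filter(text):
    try:
        node, end = parse(text)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    if node[0] == "item":
        values, want = entry.get(node[1], []), node[2]
        return bool(values) if want == "*" else want.lower() in (v.lower() for v in values)
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

PERSON = {"objectcategory": ["person"], "objectclass": ["top", "person", "user"]}
ENTRIES = {  # constructed sample entries, not real accounts
    "jsmith": {**PERSON, "title": ["Analyst"], "employeenumber": ["10423"]},
    "adm_jsmith": {**PERSON, "title": ["Domain Admin"]},  # no employee number
    "svc_backup": {**PERSON},                              # no title, no number
}

def imported_accounts(filter_text=PROFILE_FILTER, entries=ENTRIES):
    node = compile_filter(filter_text)  # raises ValueError on a bad filter
    return sorted(name for name, e in entries.items() if matches(node, e))
```

With the sample data, only `jsmith` passes; the admin and service accounts are dropped because they lack one or both attributes, which is the behaviour the answer relies on.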

 
Answer #2    Answered By: Geraldine Slater     Answered On: Sep 03

We pull in our profiles via four custom profile imports based on AD.
We have OUs for each of our locations with a Users OU in each of
those four locations. So the search base text looks something like
this:

OU=Users,OU=Location1,DC=ourdomain,DC=net

We had originally tried using the LDAP query against AD but didn't
like the results it returned.

 
Answer #3    Answered By: Gail Richmond     Answered On: Sep 03

Our AD db is built manually without a unique identifier such
as an HR employee number (I know, I know). But if it's just a matter of
designating something in our AD profile that indicates the account is an
active employee account and not an administrative one, shouldn't we
still be able to do that? Can you tell me more about how you set the
filtering up from within the user profile import settings in SharePoint?

 