Lots of very good questions and answers on the user profile service.
Question: The User Profile Synchronization service on the “Services on Server” page stays in the Starting state. How can I reset it to the Stopped state?
Answer: Fire up PowerShell. Get a handle for the respective User Profile service application (UPA), say $UPA. Then call the method $UPA.ResetSynchronizationMachine().
Question: I see obsolete users in the profile store, for example, on the org chart. These users are no longer in AD.
Answer: There can be two reasons for obsolete users in the profile store:
1. The MySite cleanup timer job is not active. The user profile synchronization job marks users that were deleted from the directory source for deletion. When the MySite cleanup job runs, it looks for all users marked for deletion and deletes their profiles. Ownership of the respective MySites is then assigned to the deleted profile’s manager, and an email is sent to the manager.
2. There were users that existed in the profile store and were not brought in by user profile sync. This can occur, for example, if a customer upgraded from a previous version of SharePoint and chose to synchronize only a subset of domains with 2010. You can find these users with the following cmdlet:
$upa = Get-SPServiceApplication -Identity <UPA ID>
a) To view users and groups that’ll be deleted:
Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true
b) To delete these users and groups (this action can’t be undone):
Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
To view or delete users only, select the users-only option in the user profile synchronization settings in Central Administration. Similarly, to view or delete both users and groups, select the users and groups option in the same settings.
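A guarded way to run steps a) and b) above, as an added example that is not part of the original post. The function name, the -Purge switch and the report path are assumptions made for illustration, and it is assumed that the preview output can be captured with a console transcript.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell (console host) with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-NonImportedProfiles {    # hypothetical helper name
    [CmdletBinding()]
    param(
        # GUID of the User Profile service application (the <UPA ID> above)
        [Parameter(Mandatory = $true)][Guid]$UpaId,
        # Without -Purge the function only previews (step a)
        [switch]$Purge,
        # Assumed location for the record of what the preview listed
        [string]$ReportPath = "$env:TEMP\NonImportedObjects.txt"
    )

    $upa = Get-SPServiceApplication -Identity $UpaId
    if ($upa.TypeName -ne 'User Profile Service Application') {
        throw "'$($upa.DisplayName)' is not a User Profile service application."
    }

    # Step a) preview. The scope (users only, or users and groups) follows the
    # synchronization setting chosen in Central Administration.
    # Assumption: a transcript captures the list however the cmdlet emits it.
    Start-Transcript -Path $ReportPath | Out-Null
    try {
        Set-SPProfileServiceApplication -Identity $upa -GetNonImportedObjects $true
    }
    finally {
        Stop-Transcript | Out-Null
    }
    Write-Host "Preview saved to $ReportPath"

    if (-not $Purge) { return }

    # Step b) cannot be undone, so require the operator to type the UPA name
    # after reviewing the preview.
    $typed = Read-Host "Type '$($upa.DisplayName)' to purge the objects listed above"
    if ($typed -ne $upa.DisplayName) {
        Write-Warning 'Name did not match; nothing was purged.'
        return
    }
    Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true
}
```

Run it once without -Purge and review the saved list against AD before running it again with -Purge.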
Question: I know my NetBIOS and domain names are different, or I am seeing wrong sAMAccountNames after import. What gives?
Answer: If your NetBIOS name is different from your domain name, at least the Replicate Directory Changes permission is also needed on the cn=configuration container, and you must enable NetBIOS domain names on the corresponding User Profile service application. For more information about enabling NetBIOS names on a User Profile service application, see Get-SPServiceApplication.
The UPA property NetBIOSDomainNamesEnabled controls whether the CNC (configuration naming context) partition is included in the AD Connection. By default it is false (not enabled), and the CNC and associated run steps are not included in the AD Connection configuration. If it is enabled, the CNC partition and run steps are included.
When editing a connection, the flag is ignored. If the CNC was included in the AD Connection when it was created, then it will continue to be included in the AD Connection. If the CNC was not included when the AD Connection was created then it will never be included in the AD import.
“Enabling” NetBIOS domain names after a connection has been created requires deleting the connection and creating a new one with the flag turned on (set to 1 or true). This will delete all the users whose SAMAccountNames were incorrectly formed because the NetBIOS domain name was incorrect.
How To: Enable import of NetBIOS Domain Names
Using the 2010 SharePoint Management Shell:
<lists the Service Applications and their GUIDs>
$UPA = Get-SPServiceApplication -Id <GUID of User Profile Service Application>