I wrote about the User Profile Service Application (UPSA) some time ago; you can find it here. With the final release of SharePoint 2019, I wanted to see whether anything had changed or been added in 2019. So here is a quick overview of the UPSA and the profile synchronization process in SharePoint 2019 and how it works.
- Not much has changed from the previous versions of SharePoint.
- Out of the box (OOB), SharePoint 2019 uses SharePoint Active Directory Import. You can configure a Microsoft Identity Manager (MIM) server for more advanced synchronization options.
Configuration of the synchronization connection is the same as in the previous version; the default sync interval is 5 minutes. However, the sync account used in the connection must have the "Replicating Directory Changes" permission on the domain, as mentioned here; otherwise users will not be imported from AD and the following will show up in the ULS logs. If all permissions are set and you still see these entries in your logs, go back into your AD connection and re-enter the password for the sync account.
Failed to decrypt connection password for ConnectionForectName ‘MRk.com’, ConnectionSynchronizationOU ‘DC=MRK,DC=com’, ConnectionUserName ‘MRK\SPUPSSync’. Please refresh connection credentials.
UserProfileADImportJob.ImportDC: exception: Microsoft.Office.Server.UserProfiles.UserProfileException: Failed to decrypt connection password for ConnectionForectName ‘MRk.com’, ConnectionUserName ‘MRK\SPUPSSync’. Please refresh connection credentials. Microsoft.Office.Server.UserProfiles.UserProfileException: Failed to decrypt connection password for ConnectionForectName ‘MRk.com’, ConnectionUserName ‘MRK\SPUPSSync’. Please refresh connection credentials.
at Microsoft.Office.Server.UserProfiles.ADImport.UserProfileADImportMappingCollection.Decrypt(UserProfileApplication upa, UserProfileADImportMapping mapping, Byte encrypted, Boolean fThrow) –
UserProfileADImportJob:ImportDC — Data Import from DC ‘MRk.com’ at RootOU ‘DC=MRK,DC=com’ for UPA ‘1ca94844-87a7-4e3a-a8e7-748471d12b07’ is ‘incomplete’.
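The following PowerShell is an added example, not code from the original post or from Microsoft. It checks the two things the paragraph above calls out before you start re-entering passwords: whether the sync account actually holds "Replicating Directory Changes" on the domain root (the DS-Replication-Get-Changes extended right), and whether the quoted ULS messages are still being logged. It also lists the AD import timer job and its schedule. The domain (MRK.com) and sync account (MRK\SPUPSSync) are taken from the post's log lines; run it on a SharePoint 2019 server as a farm administrator with the AD RSAT module installed.

```powershell
# Added example (not from the original post): verify the prerequisites behind the
# "Failed to decrypt connection password" / import 'incomplete' symptoms.
# Assumptions (taken from the post's log excerpt): domain MRK.com, sync account MRK\SPUPSSync.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SyncAccount = 'MRK\SPUPSSync'
$DomainDn    = (Get-ADDomain).DistinguishedName      # e.g. DC=MRK,DC=com

# 1. Does the sync account hold "Replicating Directory Changes" on the domain root?
#    In the ACL this is the extended right DS-Replication-Get-Changes, identified by this GUID.
#    An ACE whose ObjectType is the empty GUID grants *all* extended rights, so accept that too.
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$DomainDn"
$ace = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq [guid]::Empty)
}
if ($ace) {
    Write-Host "[OK]   $SyncAccount has Replicating Directory Changes on $DomainDn"
} else {
    # Caveat: a grant inherited through group membership is not found by this direct-ACE check.
    Write-Warning "$SyncAccount has no direct 'Replicating Directory Changes' ACE on $DomainDn"
}

# 2. Search the ULS logs of this server for the two messages quoted in the post (last 2 hours).
$since = (Get-Date).AddHours(-2)
Get-SPLogEvent -StartTime $since |
    Where-Object { $_.Message -like '*Failed to decrypt connection password*' -or
                   $_.Message -like '*Data Import from DC*is*incomplete*' } |
    Select-Object Timestamp, Level, Message |
    Format-Table -AutoSize -Wrap

# 3. Show the AD import timer job (class name taken from the ULS excerpt) and its schedule,
#    which is every 5 minutes by default.
Get-SPTimerJob | Where-Object { $_.GetType().Name -eq 'UserProfileADImportJob' } |
    Select-Object DisplayName, LastRunTime, @{ n = 'Schedule'; e = { $_.Schedule.ToString() } }
```

If step 1 warns but the account is a member of a group that holds the right, check the group's ACE instead; if step 1 is fine and step 2 still shows the decrypt error, that is the point at which the post's advice of re-entering the connection password applies.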
On successful synchronization you can see the number of user profiles on the Manage Profile Service page and in the SQL table "UserProfile_Full" in the Profile database. Treat any direct look at that database as read-only; Microsoft does not support modifying SharePoint databases directly.
What happens when a new account is added in AD?
Any new account added to AD (within the OUs or containers selected in the connection) will be imported after 5 minutes, or whenever the next sync job is scheduled to run. You will then see the addition on the Manage User Profiles page.
What happens when an account is deleted from AD?
- After an account is deleted from AD, the number of user profiles shown on the Manage Profile Service page does not change right away.
In SharePoint the user name will not show up on the Manage User Profiles page when you search for it; in this case I deleted TestUser05.
In SharePoint, on the "Manage User Profiles" page, the account shows as marked for deletion; make sure you have set the view to "Profile Missing from Import".
In SQL, in the "UserProfile_Full" table, the account is marked as deleted in the "NTName" column and the value of "bDeleted" is set to 1.
In addition, a new row is created in the table "UserProfilesScheduledForRemoval" with "ScheduleState" set to 1 and the time it was scheduled in the "DateScheduled" column.
Just like in the previous version, a SharePoint timer job called "My Site Cleanup Job", scheduled to run once a day, is responsible for cleaning up these entries marked for deletion. After the next run of "My Site Cleanup Job" you will not see any change on the SharePoint page, but in SQL the "ScheduleState" value in "UserProfilesScheduledForRemoval" will be set to 2 (from 1).
Once the value of "ScheduleState" is set to 2 in "UserProfilesScheduledForRemoval", the deleted account will remain in this table for 30 days; I still need to verify this, but this is my understanding as of now.
What happens when an account is disabled in AD?
- After an account is disabled in AD, its profile remains in the profile database; it is not marked for deletion the way it is when the account is deleted from AD.
A disabled account is no longer available to add or grant permissions to in SharePoint. Permissions it already holds are not removed by the sync, although the account can no longer authenticate.
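The following PowerShell is an added example, not code from the original post or from Microsoft, covering both the deleted-account walkthrough above and the disabled-account case: it reads the state the post describes from the profile database for one account (the "bDeleted" flag in "UserProfile_Full" and the "ScheduleState"/"DateScheduled" rows in "UserProfilesScheduledForRemoval"), read-only and with parameterised SQL, and then optionally runs "My Site Cleanup Job" instead of waiting a day. The SQL instance name (SQL01), database name (SP2019_Profile) and the account (MRK\TestUser05) are constructed placeholders; the join between the two tables and the exact form of the NTName deletion marker are not assumed, which is why the removal table is simply listed by date.

```powershell
# Added example (not from the original post): inspect the profile-database state the post
# walks through for a deleted (or disabled) account, then optionally run the cleanup job.
# Read-only: Microsoft does not support modifying SharePoint databases directly.
# Assumptions (constructed): SQL instance 'SQL01', profile database 'SP2019_Profile',
# account 'MRK\TestUser05'. Find the real names with:
#   Get-SPDatabase | Where-Object { $_.Type -like '*ProfileDatabase' } | Select-Object Name, Server
function Get-UpsaProfileState {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,
        [Parameter(Mandatory)][string]$ProfileDatabase,
        [Parameter(Mandatory)][string]$AccountName      # DOMAIN\sam, as stored in NTName
    )
    # Parameterised queries: the account name is never concatenated into the SQL text.
    $cs   = "Server=$SqlInstance;Database=$ProfileDatabase;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        # 1. UserProfile_Full: bDeleted flips to 1 once the account is gone from AD and stays 0
        #    for an account that was only disabled. The post says NTName is also marked as deleted;
        #    the exact marker is not assumed, so a prefix match catches a suffixed name too.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT NTName, bDeleted FROM dbo.UserProfile_Full WITH (NOLOCK) ' +
                           'WHERE NTName = @acct OR NTName LIKE @acctPrefix'
        $cmd.Parameters.AddWithValue('@acct', $AccountName) | Out-Null
        $cmd.Parameters.AddWithValue('@acctPrefix', $AccountName + '%') | Out-Null
        $profiles = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($profiles) | Out-Null

        # 2. UserProfilesScheduledForRemoval: ScheduleState 1 = queued for My Site Cleanup Job,
        #    2 = processed by it (per the post). Only ScheduleState and DateScheduled are known
        #    from the post, so recent rows are listed rather than joined to the profile.
        $cmd2 = $conn.CreateCommand()
        $cmd2.CommandText = 'SELECT * FROM dbo.UserProfilesScheduledForRemoval WITH (NOLOCK) ' +
                            'WHERE DateScheduled >= @since ORDER BY DateScheduled DESC'
        $cmd2.Parameters.AddWithValue('@since', (Get-Date).AddDays(-45)) | Out-Null
        $removals = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd2).Fill($removals) | Out-Null

        [pscustomobject]@{ Profiles = $profiles; ScheduledForRemoval = $removals }
    } finally {
        $conn.Close()
    }
}

$state = Get-UpsaProfileState -SqlInstance 'SQL01' -ProfileDatabase 'SP2019_Profile' -AccountName 'MRK\TestUser05'
# Deleted in AD: bDeleted = 1 and a ScheduleState = 1 row appears. Disabled in AD: bDeleted stays 0.
$state.Profiles            | Format-Table NTName, bDeleted -AutoSize
$state.ScheduledForRemoval | Format-Table -AutoSize

# Optionally run the daily cleanup job now; re-run the query afterwards and ScheduleState should read 2.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$job = Get-SPTimerJob | Where-Object { $_.DisplayName -eq 'My Site Cleanup Job' } | Select-Object -First 1
if ($job) { Start-SPTimerJob -Identity $job }
```

The farm account or an admin with db_datareader on the profile database is enough for the read; running the timer job needs SharePoint shell access. Comparing the output before and after Start-SPTimerJob reproduces the 1 to 2 transition the post describes without waiting for the daily schedule.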