Wayne Hall

Wayne's World Famous Sharepoint Blog

Importing only a specific group into sharepoint profile database (via LDAP)

Quick Answer

This will help you if you already know LDAP and how to configure SharePoint's profile import settings.

Create a custom connection source in profile import and specify the following in the User Filter field (substitute the distinguished name of your group):

(&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))

Overview

If your org is like ours, you might have a *ton* of accounts in Active Directory, and less than half of them are active employees that need a profile in SharePoint. You might have a lot of service accounts, disabled accounts or test accounts, or you might keep the accounts of former employees around for legal or ease-of-restore reasons. Or maybe you're just too busy to delete old accounts. Or, um, maybe you're lazy? :)

Either way, when you set up SharePoint the first time and run the import, you might realize... "whoa! we gotta lotta accounts!" Then you realize that not only are you taking up space in SharePoint (really, not that much compared to everything else), but if you ever want to enumerate the list and display it somewhere, you'd have some heavy filtering to do. Wouldn't it be cleaner if just active employees had profiles in SharePoint? And what about CALs? If you're paying by the CAL, a 500-CAL purchase is easier to justify, even though you have 1500 accounts in AD, when you limit the profile database to 500 or 600.

So I recently started looking for a way to limit this in the profile import. In our organization, all active employees are members of a specific corporate mailing list / security group. This group in AD is a mail-enabled Universal Security group, so we use it for granting reader rights on calendars, we use it as a filter for who gets imported into other corporate apps such as "Track-IT!" from Intuit, and I really wanted to use it to determine who gets imported into the portal profile database. For this example, let's call it "Corporate List".

I saw a couple of posts here and there, but nothing solid or anything that could be construed as a how-to.  Here's what I had found before tackling it with a consultant we had onsite (I hear he's soon moving to mindsharpblogs, right Todd? :) ).

http://www.sharepointwatch.com/top/ng/group~1/~1722~__Import-user-profile-from-Active-Directory-group/index.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/search_filter_syntax.asp
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

But none of them really answered the question.

So here it is.  First the background then the solution.

Background:

  1. You configure profile imports by going to Site Settings > Manage profile database > Configure profile import.
  2. By default, SharePoint is smart enough to know your domain and can just select users from the current domain. This is good for most organizations, and it's easy to do for quick out-of-the-box implementations.
  3. Behind the scenes, what SharePoint is doing is an LDAP query to the first domain controller it can find, with the following as the filter on the LDAP query:

         (&(objectCategory=Person)(objectClass=User))
  4. If you've not been exposed to LDAP yet, here's your chance. There's a neat utility Microsoft makes called LDIFDE that lets you import and export content to and from Active Directory. It can be dangerous if you use import mode (-i) without knowing what you're doing, but in export mode it does not modify the directory and is immensely helpful in troubleshooting. (ADSIEdit is similar: another dangerous tool in the hands of the foolhardy, but amazingly useful for learning the innards.)
  5. You can see what sharepoint is doing by running the following command (say, on a domain controller)

    C:\>ldifde -f usersindomain.txt -r "(&(objectCategory=Person)(objectClass=User))"
    Connecting to "[domain controller].[domain]"
    Logging in as current user using SSPI
    Exporting directory to file usersindomain.txt
    Searching for entries...
    Writing out entries.............................................................
    ................................................................................
    ................................................................................
    [snip] ...........
    792 entries exported
    The command has completed successfully

    This writes the results into a file called usersindomain.txt.

    You can also do some basic wildcarding -- so for example let's say I wanted just to get the records that had a CN (common name) that started with “Wayne“.  I would run:

    C:\>ldifde -f usersindomain.txt -r "(&(objectCategory=Person)(objectClass=User)(cn=Wayne*))"
    Connecting to "[domain controller].[domain]"
    Logging in as current user using SSPI
    Exporting directory to file usersindomain.txt
    Searching for entries...
    Writing out entries..
    2 entries exported
    The command has completed successfully

    Never mind the fact that I just overwrote my file :)

    What you learn from this is that you can AND arguments together. In the first example, we're saying "pull the objects that are in the Person category AND give me only the ones that are in the User class". In the second example, we're also specifying that CN needs to start with "Wayne".
  6. If you take a look at the resulting file, you can start getting a headache, but after that passes, you get an idea of what's in the directory. (Passing -l cn,memberOf to ldifde exports just those attributes and keeps the file readable.) What I care about, though, is... how do I specify group membership? I mean, this file has a HUGE amount of information in it (some of it pretty cool, actually), but I just want to limit by group.
  7. So look in the resulting file for the group you care about. It will have an entry like the following (LDIF folds long values; the continuation line starts with a single space):

    memberOf:
     CN=Corporate List,OU=Administrative,OU=Distribution Lists,OU=Domain,DC=domain,DC=local

    The value starting with CN is the "distinguished name" of the group, and it uniquely identifies that object in the directory. You will also notice that there's a memberOf value for every group the user is a direct member of. What's neat about this is that Active Directory attaches the memberships to the user object, so you don't have to enumerate the group and search its member list for a match. You can just say "if memberOf equals this distinguished name, return it". Two caveats: memberOf lists direct membership only, so users who are in your group only through a nested group are not matched, and a user's primary group (normally Domain Users) never appears in memberOf at all.
  8. So it stands to reason that we should be able to use this as one of our “AND“ statements in the LDIFDE test.  So we add it in there to find out:

    C:\>ldifde -f output2.ldf -r "(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Corporate List,OU=Administrative,OU=Distribution Lists,OU=Domain,DC=domain,DC=local))"
    Connecting to "[domain controller].[domain]"
    Logging in as current user using SSPI
    Exporting directory to file output2.ldf
    Searching for entries...
    Writing out entries.............................................................
    ................................................................................
    ................................................................................
    ..................................................
    271 entries exported
    The command has completed successfully

    Cool.  Let's say that number matches how many people should be in the list, and now we have a construct for importing just the right people into the portal.
  9. [optional] If you wanted to specify additional groups, you could use the OR operator, written as a pipe ( | ). Be warned that LDAP filters put the operator before its arguments (prefix notation). So if you're used to Perl or C or something that puts the operator BETWEEN arguments, you might get confused.

    Do you remember how we AND'ed arguments together by doing (&(argument1)(argument2))? Well, OR works the same way, and an OR clause nested inside an AND gets its own parentheses. Here's the example from the MSDN search-filter page linked above:

          (&(objectClass=user)(|(cn=andy*)(cn=steve*)(cn=margaret*)))

    That gets all user entries with a common name that starts with andy, steve or margaret. Notice the OR comes right after its own opening parenthesis, before the arguments. If you wanted to select people from multiple groups... say you have three groups called "Corporate East", "Corporate West" and "Corporate EMEA", AND they're all in different OUs in your domain, AND you don't have a group that houses all of those people, BUT you want to import them all....

    You can use the OR operator on the memberOf property. It would look like this (not tested at the time of writing; the (|...) clause has to be closed before the AND's final parenthesis):

    (&(objectCategory=Person)(objectClass=User)(|(memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local)))
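The filters above are typed by hand. As an added example (not code from the original post), here is a small Python builder that produces the same User Filter strings from a list of group DNs, nesting the OR clause correctly, and escapes each DN the way RFC 4515 requires. That escaping is the check the hand-typed versions skip: a group whose RDN contains a backslash-escaped comma (the constructed CN=Hall\, Wayne Direct Reports below), an asterisk or parentheses would otherwise be read as filter syntax rather than as part of the value. The group DNs are the post's placeholders; the function names and the disabled-account term are this example's own.

```python
"""Build SharePoint User Filter strings for group-based profile import.

Added example, not code from the original post. The group DNs are the post's
placeholder names; the function names are this example's own.
"""
from typing import Iterable

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so none of it can be read as filter syntax.

    A DN such as CN=Hall\\, Wayne,DC=x carries a backslash (DN escaping of the
    comma); used as a filter value it has to become CN=Hall\\5c, Wayne,DC=x.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dns: Iterable[str], exclude_disabled: bool = False) -> str:
    """Return the User Filter for direct members of one or more groups.

    One group:  (&(objectCategory=Person)(objectClass=User)(memberOf=DN))
    Several:    the memberOf terms are wrapped in a prefix (|...) clause that
                sits inside the AND, i.e. the operator directly follows its
                own opening parenthesis and the clause is closed before the
                AND's final parenthesis.
    """
    dns = list(group_dns)
    if not dns:
        raise ValueError("at least one group DN is required")
    terms = ["(objectCategory=Person)", "(objectClass=User)"]
    if exclude_disabled:
        # LDAP_MATCHING_RULE_BIT_AND against ACCOUNTDISABLE (0x2) in userAccountControl
        terms.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    member_terms = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in dns)
    terms.append(member_terms if len(dns) == 1 else f"(|{member_terms})")
    return "(&" + "".join(terms) + ")"


def parens_balanced(filter_str: str) -> bool:
    """Cheap sanity check before pasting a filter into the import UI."""
    depth = 0
    for ch in filter_str:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    corp = "CN=Corporate List,OU=Administrative,OU=Distribution Lists,OU=Domain,DC=domain,DC=local"
    regions = [f"CN=Corporate {r},OU=Administrative,OU=Distribution Lists,OU={r},DC=domain,DC=local"
               for r in ("East", "West", "EMEA")]
    # constructed: a group whose RDN contains a DN-escaped comma
    odd = "CN=Hall\\, Wayne Direct Reports,OU=Groups,DC=domain,DC=local"
    for f in (group_filter([corp]), group_filter(regions, exclude_disabled=True), group_filter([odd])):
        print(parens_balanced(f), f)
```

The output of group_filter for the single-group case is exactly the string the Quick Answer gives; the multi-group case is the corrected form of item 9. parens_balanced only catches unbalanced parentheses, which is the failure mode you get from a misplaced pipe, not every syntax error.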


Answer:

  1. Go to Site Settings > Manage profile database > Configure profile import.
  2. Select "Custom Source". This will let you create import connections
    1. By the way, this is also how you can configure to import from multiple domains in a forest without having to specify the entire forest
    2. Also, this is how you get the “Manage connections“ link on the Manage Profile Database screen
  3. It should ask you for the connection settings
  4. Fill in User Filter -- For our purposes, we put in the parameter that we used in ldifde with the -r option (see Background above)

    Format:
    (&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))

    Example:
    (&(objectCategory=Person)(objectClass=User)(memberOf=CN=Corporate List,OU=Administrative,OU=Distribution Lists,OU=Domain,DC=domain,DC=local))
  5. You could also modify Search base to specify an OU, but I haven't tested that. 
  6. I didn't change any other settings. My settings have
    1. Auto discover domain controller
    2. Port: 389 (plain LDAP; 636 is LDAP over SSL)
    3. Timeout: 120 seconds
    4. Scope: Subtree
    5. Page size: 10
    6. Page timeout: 120 seconds

Hope this helps!

 

posted on Wednesday, June 15, 2005 8:19 AM

Feedback

# re: Importing only a specific group into sharepoint profile database (via LDAP) 6/15/2005 9:58 AM Arno Nel

Dude, just got to say, its an absolute pleasure reading your posts. keep up the good work

# re: Importing only a specific group into sharepoint profile database (via LDAP) 6/16/2005 12:25 AM Amardeep Dabass

Thanx buddy ... we were looking for exactly this !!!

# re: Importing only a specific group into sharepoint profile database (via LDAP) 6/16/2005 9:34 AM Bill English

Great Post, Wayne. Nicely done.

# Configuring the import of user accounts 6/21/2005 2:06 PM SharePoint, SharePoint and stuff

Wayne Hall has written a very good know-how article on how, when importing user accounts into SharePoint, unerw

# re: Importing only a specific group into sharepoint profile database (via LDAP) 3/7/2006 6:55 AM Michael Leeming

Nice Article...

I have also been using this type of import filter, but I am annoyed by the fact that the account used to crawl the site is automatically added to the profile DB every time the site is crawled. This also happens if you log in with a dummy user not included in the profile import.

The main problem with these "system" accounts is that they show up in user lookup dropdown boxes in lists. And their personal site may show up in search results also.

Has anyone found a way to disable non-imported users from being added automatically to the profile database?

Another question: is it required that the crawler account is in the profile DB?

Regards

Michael

# re: Importing only a specific group into sharepoint profile database (via LDAP) 6/14/2006 5:23 AM Madhur Ahuja

How can I import distribution groups instead of users?

Mail me at madhur.ahuja@wipro.com

# re: Importing only a specific group into sharepoint profile database (via LDAP) 7/18/2006 3:14 PM Mark Wagner

Excellent post Wayne! Thanks for the great article and taking the time to post it. I am using this for a client implementing SharePoint Server 2007 Beta2 - and it works great!

# re: Importing only a specific group into sharepoint profile database (via LDAP) 5/4/2007 4:38 AM Stian Svendsen

Just thought I'd share this with you, as I just figured out how to do it after searching for a solution for several months.
As most people in most organizations have an e-mail address (at least in my case, so this will be the common factor), and you don't want to include disabled users, you might want to use this search filter:

(&(objectCategory=Person)(objectClass=User)( !(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))
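Background item 9 above explains the prefix-operator syntax, and the filter in this comment adds the bitwise matching rule. As an added example that is not part of the post, of this comment, or of SharePoint, here is a small Python evaluator for just that subset of RFC 4515, run over a constructed in-memory directory; the entries, the helper names and the Contractors group (assumed to be nested inside Corporate List) are assumptions made for illustration. It shows why the pipe has to sit in its own parentheses (the unparenthesised form is rejected), that memberOf matches direct membership only (the nested-only user is not returned), and which accounts the userAccountControl test removes.

```python
"""Evaluate the LDAP filters on this page against in-memory entries.

Added example, not code from the original post or from SharePoint/ldifde.
Implements only what those filters need: prefix &, |, !, equality with '*'
wildcards, and the bitwise-AND rule 1.2.840.113556.1.4.803. All entries
below are constructed sample data.
"""
import re

BITWISE_AND = "1.2.840.113556.1.4.803"


def _unescape(v):
    """Turn RFC 4515 hex escapes such as \\2a back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _skip_spaces(s, i):
    while i < len(s) and s[i] == " ":
        i += 1
    return i


def parse(s, i=0):
    """Parse one filter at s[i]; returns (node, index after it).

    Spaces between clauses are tolerated; anything else that is not a
    parenthesised clause is an error, which is what rejects '(&(a)(b) | (c)(d))'.
    """
    i = _skip_spaces(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip_spaces(s, i + 1)
    if i < len(s) and s[i] in "&|!":
        op, children, i = s[i], [], i + 1
        while True:
            i = _skip_spaces(s, i)
            if i >= len(s) or s[i] != "(":
                break
            child, i = parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"junk or missing ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    rule = None
    if attr.endswith(":"):                      # extensible match: attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
    if not re.fullmatch(r"[A-Za-z][\w-]*", attr):
        raise ValueError(f"bad attribute name {attr!r}")
    if rule is not None:
        return ("=", attr.lower(), rule, _unescape(value)), end + 1
    # plain equality: '*' is a wildcard, the rest is literal; AD compares case-insensitively
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return ("=", attr.lower(), None, re.compile(f"^{pattern}$", re.I)), end + 1


def matches(node, entry):
    """entry maps lower-case attribute names to lists of string values."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BITWISE_AND:                     # true when every bit of the mask is set
        return any(int(v) & int(value) == int(value) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(value.match(v) for v in values)


def select(filter_str, entries):
    """Sorted cn of every entry matching filter_str; raises ValueError on bad syntax."""
    node, end = parse(filter_str)
    if _skip_spaces(filter_str, end) != len(filter_str):
        raise ValueError("trailing characters after the filter")
    return sorted(e["cn"][0] for e in entries if matches(node, e))


CORP = "CN=Corporate List,OU=Administrative,OU=Distribution Lists,OU=Domain,DC=domain,DC=local"
EAST = "CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local"
WEST = "CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local"
CONTRACTORS = "CN=Contractors,OU=Groups,DC=domain,DC=local"  # assumed to be nested in CORP


def user(cn, groups, uac, mail=None):
    """Constructed user entry; objectCategory is reduced to its short name."""
    e = {"cn": [cn], "objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
         "memberof": list(groups), "useraccountcontrol": [str(uac)]}
    if mail:
        e["mail"] = [mail]
    return e


ENTRIES = [
    user("Wayne Hall", [CORP, EAST], 512, "wayne@domain.local"),
    user("Old Employee", [CORP], 512 | 0x2, "old@domain.local"),   # ACCOUNTDISABLE set
    user("West Person", [WEST], 512, "west@domain.local"),
    user("svc-crawler", [], 512 | 0x10000),                        # no group, no mailbox
    user("Nested Member", [CONTRACTORS], 512, "nm@domain.local"),  # in CORP only via nesting
    {"cn": ["Corporate List"], "objectcategory": ["Group"], "objectclass": ["top", "group"]},
]

if __name__ == "__main__":
    print(select(f"(&(objectCategory=Person)(objectClass=User)(memberOf={CORP}))", ENTRIES))
```

Run against these entries, the post's single-group filter returns Wayne Hall and the disabled Old Employee, the nested-only member is missing, and the filter in this comment drops the disabled account and the mailbox-less service account but keeps everyone else. The evaluator is deliberately small: a real directory compares objectCategory as a DN and supports many more matching rules, so treat it as a syntax and logic check, not as a substitute for running the filter through ldifde.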

# re: Importing only a specific group into sharepoint profile database (via LDAP) 3/17/2008 2:15 PM Katherine

Hi Wayne,
We found that the syntax you offered above:
(&(objectCategory=Person)(objectClass=User) | (memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local))

requires a paren before the OR separator (pipe) and a final closing paren, like this:

(&(objectCategory=Person)(objectClass=User)(|(memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local)))

