If you have been working with SharePoint you have likely also been dealing with user profiles and trying to get that user information from your Active Directory into your SharePoint data store so it can be searched, indexed and used. While getting this information into SharePoint from AD you may have also discovered that you end up with profile data you really didn't want or need. If you simply configure your profile connection to pull from the Active Directory domain, you end up with all of your user accounts being imported. This includes service accounts, disabled accounts, and users you just don't need cluttering up your profiles. In an earlier post, Filter those User Profile Imports, I show you how to create filters to import only the accounts you want into your SharePoint deployment. However, filters can be complicated and time consuming to construct. What if your Active Directory is already set up with the user objects you want located in various Organizational Units (OUs)? Why not just create separate import connections to those OUs and grab only those users?
Well, as I mentioned, if you've been working with SharePoint you may have already discovered that it's not quite that easy. First of all, SharePoint will only allow you to create a single connection to any given Active Directory namespace. There is a little workaround that will let you create a second connection to the same AD: if you create your first connection using the DNS name of the domain, you can create a second connection using the NetBIOS name. SharePoint will then create both connections without complaining. For example, if your Active Directory is trainsbydave.com with the NetBIOS name TRAINSBYDAVE, you could create one connection for the namespace using TRAINSBYDAVE and a second connection using trainsbydave.com.

This is fine if all of your users sit in one of two OU hierarchies. But what if you have a truly diverse Active Directory and need to connect to several OUs within your organization in order to grab all of your SharePoint users? Welcome to today's topic. Let's look at our sample AD. We start with a single OU that contains all of the users we want imported into SharePoint.

The connection for this would look something like the following,

And the results would be,

So how do you make those other connections? The first thing you need to remember is that AD is, at its heart, an LDAP directory. SharePoint allows you to create connections to other LDAP directories to import data. So why not just connect to your AD as LDAP? Bingo. In order to create an LDAP connection to Active Directory, you need to provide a few pieces of data. In this example I'm going to use a second OU in the Trainsbydave AD called Corporate from which to import additional users into SharePoint.

Here you can see that there are a few users in the Corporate OU that we want to import into SharePoint. To begin, you need to create a new import connection. You create your import connections from the User Profile and Properties page of your farm's Shared Services Provider (SSP) administration site. Under the Profile and Import Settings section, select the View import connections link.

Next you’ll select the Create New Connection link.

On the properties page for your new connection you can see that there are actually several options for the type of connection that can be configured. Since we have already set up a connection to the Active Directory namespace, let's use the LDAP Directory option to connect to our other OU.

To create this connection you now need to provide some information to define the properties of the new connection. The Connection name simply identifies what you are connecting to, as seen in the Import Connections list. This name can be whatever you like, but make sure it is descriptive of the connection you are creating. For the directory service server name, provide the Fully Qualified Domain Name (FQDN) of one of your AD domain controllers and leave the port set to 389. One caveat here: port 389 is plain LDAP, and a simple bind over it sends the import account's password across the network in the clear. If your domain controllers have certificates for LDAPS, use port 636 with the SSL-secured connection option instead. For the provider name simply enter "LDAP" and change the user name attribute to read "distinguishedname". For the search base, enter the Distinguished Name (DN) of the OU you are importing the users from. Looking back at our AD structure, the DN for the Corporate OU would be "ou=Corporate,dc=trainsbydave,dc=com".
One of the tricks is to be sure to change the user filter. As seen below, it is set by default to (&(objectClass=inetorgperson)), which matches nothing in a default Active Directory schema because ordinary AD user accounts are not inetOrgPerson objects.

To grab your user objects this filter needs to be changed to the correct object string. For Active Directory this is the user class of the Person object category, so the filter would be formatted as (&(objectCategory=Person)(objectClass=user)). Both clauses matter: computer accounts also carry objectClass=user but have objectCategory=Computer, so the first clause keeps them out, while contact objects have objectCategory=Person but no objectClass=user, so the second clause keeps those out. Of course, you can always extend the filter to pull only the specific user objects you need from the OU, for example adding (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to leave disabled accounts behind. For more information on these filters please check out my earlier post Filter those User Profile Imports mentioned earlier in this post. The remainder of the connection settings can be adjusted as needed, but the defaults should be fine in most cases. When you finish, your connection settings should look something like this,
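Before saving a connection it helps to know exactly which objects a given search base and user filter will select. The following script is an added example, not code from the original post or from SharePoint. It implements the subset of LDAP filter syntax the connection settings above use (&, |, !, presence, equality, and Active Directory's bitwise-AND matching rule 1.2.840.113556.1.4.803) and runs the default filter, the (&(objectCategory=Person)(objectClass=user)) filter, and the disabled-account exclusion against a constructed sample of the Corporate OU. The directory entries and the account names (Alice, Bob, Carol, Dan, CORP-WS01, the vendor contact) are made up for the example; against a live domain you would run the same search base and filter through System.DirectoryServices.DirectorySearcher instead.

```python
"""Offline preview of what an LDAP import connection would pull from an OU.

Added example (not part of the original post). Parses a small RFC 4515 filter
subset plus AD's bitwise-AND extensible match and applies it, together with a
subtree search base, to a constructed sample directory.
"""

BITWISE_AND = "1.2.840.113556.1.4.803"  # AD LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                       # userAccountControl flag 0x2

# Constructed sample of trainsbydave.com (not real data). Attribute names are
# lowercased and values are lists, as an LDAP search returns them.
# userAccountControl 512 = normal account, 514 = normal account + ACCOUNTDISABLE.
PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=trainsbydave,DC=com"
COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=trainsbydave,DC=com"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice,OU=Corporate,DC=trainsbydave,DC=com",
     "objectclass": USER_CLASSES, "objectcategory": [PERSON], "useraccountcontrol": ["512"]},
    {"dn": "CN=Bob,OU=Corporate,DC=trainsbydave,DC=com",          # disabled user
     "objectclass": USER_CLASSES, "objectcategory": [PERSON], "useraccountcontrol": ["514"]},
    {"dn": "CN=CORP-WS01,OU=Corporate,DC=trainsbydave,DC=com",    # workstation
     "objectclass": USER_CLASSES + ["computer"], "objectcategory": [COMPUTER],
     "useraccountcontrol": ["4096"]},
    {"dn": "CN=Vendor Contact,OU=Corporate,DC=trainsbydave,DC=com",  # contact, not user
     "objectclass": ["top", "person", "organizationalPerson", "contact"],
     "objectcategory": [PERSON]},
    {"dn": "CN=Carol,CN=Users,DC=trainsbydave,DC=com",            # outside the OU
     "objectclass": USER_CLASSES, "objectcategory": [PERSON], "useraccountcontrol": ["512"]},
    {"dn": "CN=Dan,OU=Sales,OU=Corporate,DC=trainsbydave,DC=com",  # nested OU
     "objectclass": USER_CLASSES, "objectcategory": [PERSON], "useraccountcontrol": ["512"]},
]

CORPORATE_OU = "ou=Corporate,dc=trainsbydave,dc=com"
DEFAULT_FILTER = "(&(objectClass=inetorgperson))"
AD_USER_FILTER = "(&(objectCategory=Person)(objectClass=user))"
ENABLED_USER_FILTER = (
    "(&(objectCategory=Person)(objectClass=user)"
    f"(!(userAccountControl:{BITWISE_AND}:={ACCOUNTDISABLE})))"
)


def _parse(s, i):
    """Recursive-descent parse of the filter starting at s[i]; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":                      # (&(...)(...)) / (|(...)(...))
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if op == "!":                       # (!(...))
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    end = s.index(")", i)               # simple item: attr[:rule:]=value
    lhs, value = s[i:end].split("=", 1)
    if ":" in lhs:
        attr, rule = lhs.split(":", 1)
        return ("ext", attr.lower(), rule.rstrip(":"), value), end + 1
    if value == "*":
        return ("present", lhs.lower()), end + 1
    return ("eq", lhs.lower(), value), end + 1


def _eq(attr, stored, wanted):
    """Case-insensitive equality; AD also lets objectCategory=Person stand for the full schema DN."""
    rdn = stored.split(",", 1)[0][3:] if stored.lower().startswith("cn=") else stored
    return wanted.lower() in (stored.lower(), rdn.lower()) if attr == "objectcategory" \
        else stored.lower() == wanted.lower()


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    if kind == "eq":
        return any(_eq(node[1], v, node[2]) for v in entry.get(node[1], []))
    _, attr, rule, value = node         # extensible match
    if rule != BITWISE_AND:
        raise ValueError(f"unsupported matching rule {rule}")
    mask = int(value)                   # bitwise AND: every bit in the mask must be set
    return any(int(v) & mask == mask for v in entry.get(attr, []))


def in_search_base(dn, search_base):
    """Subtree scope: the entry is the base itself or lies beneath it."""
    dn, base = dn.lower(), search_base.lower()
    return dn == base or dn.endswith("," + base)


def preview_import(entries, search_base, user_filter):
    """Return the DNs the connection would import, in directory order."""
    tree, end = _parse(user_filter, 0)
    if end != len(user_filter):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in entries if in_search_base(e["dn"], search_base) and _matches(tree, e)]


if __name__ == "__main__":
    for label, flt in [("default", DEFAULT_FILTER), ("AD users", AD_USER_FILTER),
                       ("enabled users", ENABLED_USER_FILTER)]:
        print(f"{label}: {flt}")
        for dn in preview_import(SAMPLE_DIRECTORY, CORPORATE_OU, flt):
            print("   ", dn)
```

Run as-is, the default inetOrgPerson filter selects nothing, the Person/user filter selects Alice, Bob and the nested Dan but not the workstation, the contact or Carol outside the OU, and the userAccountControl clause additionally drops the disabled Bob. Swap in your own search base and filter to see the selection change before you commit the connection in the SSP.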

Once you have the connection configured, save your settings. This will return you to the Import Connections screen where you will see your new connection.

Now you simply need to perform an Import and grab your additional users. You’ll notice that the number of profiles has increased from 15 to 19, having added the four additional users from the Corporate OU.

Using this method you can create any number of connections to the same Active Directory domain namespace and have greater flexibility in your User Profile Imports. I hope that you find the above information useful, and if you have any questions, please leave me a note. Until next time….