This is just a quick article on how to create an AD Import Synchronization Connection for the User Profile Service (UPS) in SharePoint 2013. The actual configuration of the UPS with PowerShell is a more complicated topic which I may cover another time.
The profile synchronization in the UPS application is the way for SharePoint 2013 to synchronize groups and user profile information from Active Directory (AD) with what is stored in the SharePoint profile database.
I will post the code that I have used to configure an active directory import profile sync and try to explain the important parts of the code.
$importUserName = "SP.UserSync"
$importDomain = "splab1"
# Single quotes keep PowerShell from expanding $$ inside the password
$importpw = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
$serviceName="User Profile Service"
$importOU="OU=SharePoint Users,DC=SPALB1,DC=MSFT"
$forestName="splab1.msft"
#Set User Profile Service to AD import
$UPA=Get-SPServiceApplication -Name "User Profile Service"
$UPA.NoILMUsed=$true
$UPA.Update()
$UPS = $UPA.id
Add-SPProfileSyncConnection -ProfileServiceApplication $UPS -ConnectionForestName $forestName -ConnectionDomain $importDomain -ConnectionUserName $importUserName -ConnectionPassword $importpw -ConnectionSynchronizationOU $importOU -ConnectionUseDisabledFilter $true
An important note on the service account being used is that it needs a specific permission on the Active Directory domain from which you will be importing the user accounts: the service account needs the “Replicate Directory Changes” permission on the domain. The steps to complete this change are documented here.
On the following lines I’m simply setting the username, domain and password for the service account that I will be using to do the import from Active Directory.
$importUserName = "SP.UserSync"
$importDomain = "splab1"
# Single quotes keep PowerShell from expanding $$ inside the password
$importpw = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
If you weren’t looking to completely automate this configuration and wanted to avoid storing the password in the script, you could replace these lines with the following:
$creds = Get-Credential
$importAccount = ($creds.username).split("\")
# Get-Credential returns DOMAIN\user, so index 1 is the user name and index 0 the domain
$importUserName = $importAccount[1]
$importDomain = $importAccount[0]
$importpw = $creds.password
This would display a prompt for you to enter the account (as DOMAIN\username) and password you wanted to use for the configuration and then grab and parse that information.
By default the synchronization settings are set up to use SharePoint Profile Synchronization. Since we want to use Active Directory Import we have to make that change with the following code.
$serviceName="User Profile Service"
$importOU="OU=SharePoint Users,DC=SPALB1,DC=MSFT"
$forestName="splab1.msft"

$UPA=Get-SPServiceApplication -Name $serviceName
$UPA.NoILMUsed=$true
$UPA.Update()
The first three lines are simply setting up variables that match your environment. On the first line we are assigning whatever the name of the User Profile Service is to the $serviceName variable.
Line 2 is the actual container we want to import the user accounts from. You may only include one container per command. If another container is needed you will need to run Add-SPProfileSyncConnection again with the new container and it will add it to the existing connection.
Line 3 is the fully qualified domain name of the forest you are connecting to.
Line 5 is grabbing the User Profile Service Application object and storing it in the $UPA variable.
Line 6 is the toggle that changes the User Profile Service from using SharePoint Profile Synchronization to using SharePoint Active Directory Import. It is the same as going into the Configure Synchronization Settings page in Central Administration (CA) and selecting the radio button.
The final line commits that change.
Add Sync Connection
$UPS = (Get-SPServiceApplication -Name $serviceName).id
Add-SPProfileSyncConnection -ProfileServiceApplication $UPS -ConnectionForestName $forestName -ConnectionDomain $importDomain -ConnectionUserName $importUserName -ConnectionPassword $importpw -ConnectionSynchronizationOU $importOU -ConnectionUseDisabledFilter $true
Here we are at the actual execution and creation of the Profile Sync Connection. The first line here grabs the ID of the User Profile Service Application, which Add-SPProfileSyncConnection needs in order to reference the service.
The final line of the script actually adds the sync connection to the profile service using all the variables we have just created and assigned earlier in the script. The -ConnectionUseDisabledFilter parameter tells the AD Import Sync to ignore disabled accounts in Active Directory and not import them.
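Putting the pieces together, here is an added example (my own script, not the author's) that combines the Get-Credential approach above with the note that Add-SPProfileSyncConnection takes one container per call: it prompts for the sync account once, only flips the service to AD Import if it is not already set, and then adds one connection per OU in a list. The second OU and the Contractors name are constructed for the example; the cmdlets and parameters are the ones used in the post, and the script assumes it runs on a farm server where the SharePoint snap-in is available.

```powershell
# Added example, not the original post's script. Loads the SharePoint snap-in
# (no-op if already loaded), then adds one AD Import sync connection per OU.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceName = "User Profile Service"
$forestName  = "splab1.msft"
# Constructed OU list for this example; replace with the containers in your environment.
$importOUs = @(
    "OU=SharePoint Users,DC=SPALB1,DC=MSFT",
    "OU=Contractors,DC=SPALB1,DC=MSFT"
)

# Prompt for DOMAIN\username so no password is stored in the script file.
$creds = Get-Credential -Message "Sync account with Replicate Directory Changes on the domain"
$parts = $creds.UserName.Split("\")
if ($parts.Count -ne 2) { throw "Enter the account as DOMAIN\username" }
$importDomain   = $parts[0]   # index 0 is the domain
$importUserName = $parts[1]   # index 1 is the user name
$importpw       = $creds.Password

$UPA = Get-SPServiceApplication -Name $serviceName
if (-not $UPA) { throw "Service application '$serviceName' not found" }

# Switch from SharePoint Profile Synchronization to AD Import only if needed.
if (-not $UPA.NoILMUsed) {
    $UPA.NoILMUsed = $true
    $UPA.Update()
}

# One call per container; each call adds the OU to the existing connection.
foreach ($ou in $importOUs) {
    Add-SPProfileSyncConnection -ProfileServiceApplication $UPA.Id `
        -ConnectionForestName $forestName `
        -ConnectionDomain $importDomain `
        -ConnectionUserName $importUserName `
        -ConnectionPassword $importpw `
        -ConnectionSynchronizationOU $ou `
        -ConnectionUseDisabledFilter $true
    Write-Host "Added sync container: $ou"
}
```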