SharePoint Foundation - User Profile Synchronization

Project Description

The objective of this project is to provide a simple and effective way to synchronize the properties of a SharePoint user with the properties of their domain account.

Indeed, in foundation version of SharePoint, information in the UserInformation list only syncs with AD when the user is first added or logs in the first time. No synchronization properties is provided in this release, it is only available with the service application "User Profile" available in the paid version (SharePoint Server).

However, there is a native ability to synchronize accounts with the cmdlet "Set-SPUser" and the parameter "SyncFromAD". However, it only updates the name (Name / Display name) and email address (E-mail / Work E-mail).

To go further, it is necessary to directly update the list "User Information List" with the attributes of the accounts. The account attributes are easily retrievable via cmdlets "Get-ADUser" provided in the "Active Directory for Windows PowerShell module" feature available with Windows 2008 R2 or higher.

Audience

The script was written for sharePoint administrators who want to synchronize SharePoint User Profile of SharePoint Foundation farm with Active Directory information.

Features

I designed a script that allows you to:

• Treat all users of all site collections in each of the web applications (Basic and claim account)
• Check the availability of the domain of the user
• Possiblity to add forest name and credential if the account is from a different forest than farm
• Sync user with native cmdlet (Set-SPUser with SyncFromAD parameter)
• Check if the user is in the domain and if it has been modified or recreated
• Update the user in SharePoint if it has been modified or recreated (Move-SPUser with IgnoreSID parameter)
• Synchronize Job title, Department, IPPhone, Mobile Phone and Title attributes (Only with Windows 2008 R2 or higher)
• Check if the attributes have been changed
• Delete accounts that are not found or in an unreachable domain (Only if the number of deleted accounts is less than 30% of accounts synchronized)
• Logging all actions performed
• Send a detailed report by email

This script has been tested successfully with :

• Windows 2008, Powershell V2 and a SharePoint Foundation 2010 farm with several hundred users froma same domain as SharePoint farm
• Windows 2008 R2, Powershell V2 and a SharePoint Foundation 2010 farm with several thousand users from several domain in the same forest as SharePoint farm
• Windows 2012 R2, Powershell V4 and a SharePoint Foundation 2013 farm with several hundred users from same domain as SharePoint farm and several domain in the another forest (One-way trust)

Of course, this script is not perfect and it could be better written, do not hesitate to send me your feedback.

Prerequisites

The script must be run on the SharePoint Server (2010/2013).

The script is fully functional by installing "Active Directory for Windows PowerShell module" feature available as part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server or higher.

Your Active Directory accounts must be up to date to not replace the information entered by users with information that is outdated.

Edit Variable configuration on the top of the script before running it.

If you want to test synchronization on a single web application or site collection, you can change the 1278 line of the script by replacing $sites = Get-SPSite -Limit ALL with $sites = Get-SPSite http://yoursiteurl

References

Updating SharePoint 2010 User Information

Sharepoint Foundation 2010 MAJ avec AD

Account SID’s

Set-SPUser

Move-SPUser

Get-ADUser

Active Directory: Get-ADUser Default and Extended Properties

Known errors

Move-SPUser Failed with error "The site with the id "GUID" could not be found :

http://wscheema.com/blog/Lists/Posts/Post.aspx?ID=31