Tuesday 1 December 2009

Remove Inactive Accounts from MOSS

A common problem we regularly encounter on MOSS intranet sites is importing profiles from the corporate Active Directory. As people join and leave, Active Directory is updated continuously, and so are the MOSS profiles. When we search for people using MOSS search, it looks awkward if we are still showing inactive accounts, i.e. details of people who have left the organisation. So, in order to import only the active users from LDAP, we need to configure the following filter:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Steps for this:
1) Log into Central Administration -- Shared Services Provider Application.

2) Click on User Profiles and Properties.

3) Click on View Import Connections and edit the connection (http://[SharedServices:Port]/ssp/admin/_layouts/EditDSServer.aspx?dn=xxxx)

4) Locate the User Filter text field and enter the following line:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Now let us see what userAccountControl is.

userAccountControl:1.2.840.113556.1.4.803 tells LDAP to apply a bitwise AND between the userAccountControl attribute of each object and the value 2, which is the bit meaning Disabled Account; an object matches only when that bit is set. The ! (NOT) placed in front means: do not return the inactive accounts.
The ampersand (&) before the conditions means we are joining them with an AND clause.
For more userAccountControl values, refer to this link: http://msdn.microsoft.com/en-us/library/aa772300(VS.85).aspx

5) Click on Start Full Import.

6) As we have included the filter for not importing inactive accounts, we can see the total count of inactive profiles and active profiles at http://[SSP:Port]/ssp/admin/_layouts/ProfMngr.aspx?ConsoleView=Active

7) Select Inactive Profiles in the drop-down, select all of them (if there are any), and delete them from that view. (Alternatively, running a full import three times would delete the inactive profiles.)

8) Try to import again and check that this time no inactive profiles are shown.

9) We could even delete these profiles from the MOSS databases, but I would prefer to comply with MOSS's strict recommendation of NOT TOUCHING THE DB.

10) After confirming the profiles, navigate to Search Administration in the SSP.

11) The timer jobs would have quick synchronisation jobs running to sync the profile details to the portal.

12) Reset the crawled content and perform a full crawl.

I will add more on specifying additional attributes in this LDAP filter, as the requirements are unique to each organisation.


Adding more attributes to these LDAP filters is where it gets more interesting.
1) (&(K1)(K2)(K3)) -- joins the conditions in brackets with the AND operator.
2) (|(K1)(K2)(K3)) -- joins them with the OR operator.
3) Now a combination of the two:
(|(&(K1)(K2)(K3))(&(K4)(K5)))
means (K1 AND K2 AND K3) OR (K4 AND K5).
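As an added example (not code from the original post, nor from MOSS or Active Directory), the following Python script evaluates the filter syntax discussed on this page over a handful of constructed directory entries, so you can check offline exactly which accounts a filter admits before running a full import. It implements the bitwise-AND matching rule behind userAccountControl:1.2.840.113556.1.4.803 (an entry matches only when every bit of the given mask is set, which is what the Active Directory rule does) and the AND/OR/NOT composition from the list just above. The sample entries, their names and their attribute values are constructed; the only real identifiers are the matching-rule OID and the standard userAccountControl flag bits.

```python
# Added example: minimal evaluator for the LDAP filters discussed in the post.
# Supports (&...) AND, (|...) OR, (!...) NOT, attr=value equality, and the
# Active Directory bitwise-AND extensible match attr:1.2.840.113556.1.4.803:=n.
# Entries are plain dicts with constructed data, so no directory is needed.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2      # userAccountControl bit meaning "account disabled"
NORMAL_ACCOUNT = 0x200    # userAccountControl bit set on ordinary user accounts


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError("unexpected text after filter: %r" % s[pos:])
    return node


def _skip_ws(s, i):
    # Tolerate stray whitespace such as "( !(" that appears in copied filters.
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s, i):
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i = _skip_ws(s, i + 1)
    op = s[i]
    if op in "&|!":                       # compound filter: children until ')'
        i += 1
        children = []
        while True:
            i = _skip_ws(s, i)
            if i >= len(s):
                raise ValueError("unbalanced parentheses")
            if s[i] == ")":
                break
            i, child = _parse(s, i)
            children.append(child)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return i + 1, (op, children)
    end = s.index(")", i)                 # simple item such as objectClass=user
    item = s[i:end]
    if ":=" in item:                      # extensible match attr:rule:=value
        lhs, value = item.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError("unsupported matching rule %s" % rule)
        return end + 1, ("bitand", attr, int(value))
    attr, value = item.split("=", 1)
    return end + 1, ("=", attr, value)


def _values(entry, attr):
    """Case-insensitive lookup; always a list, since AD attributes may be multi-valued."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []


def matches(node, entry):
    """Return True if the directory entry (a dict) satisfies the parsed filter."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    if op == "=":
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    if op == "bitand":                    # all bits of the mask must be set
        mask = node[2]
        return any((int(v) & mask) == mask for v in _values(entry, node[1]))
    raise ValueError("unknown node %r" % (op,))


# Constructed sample entries standing in for what an import connection reads.
SAMPLE_ENTRIES = [
    {"cn": "alice", "objectCategory": "person", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT},                    # 512: active user
    {"cn": "bob", "objectCategory": "person", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},   # 514: disabled, has left
    {"cn": "svc-backup", "objectCategory": "person", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT | 0x10000},          # 66048: active, password never expires
    {"cn": "ws01", "objectCategory": "computer", "objectClass": ["top", "computer"],
     "userAccountControl": 0x1000},                            # 4096: workstation trust account
]

# The filter from step 4 of the post.
ACTIVE_USERS = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# The (|(&...)(&...)) shape from the list above: disabled users OR computer accounts.
DISABLED_OR_COMPUTERS = ("(|(&(objectCategory=person)(objectClass=user)"
                         "(userAccountControl:1.2.840.113556.1.4.803:=2))"
                         "(&(objectCategory=computer)(objectClass=computer)))")


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry the filter admits, in directory order."""
    node = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print("active users:", select(ACTIVE_USERS))                   # ['alice', 'svc-backup']
    print("disabled or computers:", select(DISABLED_OR_COMPUTERS))  # ['bob', 'ws01']
```

The bitwise rule is deliberately "all mask bits set" rather than "any bit set": that is why the filter admits svc-backup (flag 0x10000 set, bit 2 clear) and rejects bob (bit 2 set), which is the behaviour the import connection relies on. Running the page's filter through `select` before the full import is a cheap way to confirm that a new attribute condition you add to it keeps the accounts you expect.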

More information on this is available at MSDN Location

Details of available LDAP Attributes