Wednesday, 29 August 2007

Choosing members of an existing group for user profile import

I needed to set up a User Profile import connection that includes the members of a specific group rather than the whole directory (this can be quite useful for preventing lots of useless accounts appearing, such as service accounts). This is what I did:

- Go to Site Settings > Manage profile database > Configure profile import.

- Select “Custom Source”. This will let you create import connections.

By the way, this is also how you configure an import from multiple domains in a forest without having to specify the entire forest.

Also, this is how you get the “Manage connections” link on the Manage Profile Database screen.

- It should ask you for the connection settings.

- Fill in the User Filter:

(&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))

Example 1 - This LDAP query selects any account that is a member of the specified group in AD:
(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Group1,OU=Domain Distribution Groups,DC=domain,DC=co,DC=uk))

Example 2 - This LDAP query selects only enabled accounts that are members of either of two groups in AD (the | operator ORs the two memberOf clauses together, and the bitwise test on userAccountControl bit 2, ACCOUNTDISABLE, excludes disabled accounts):
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=Group1,OU=Domain Distribution Groups,DC=domain,DC=co,DC=uk)(memberOf=CN=Group2,OU=Domain Distribution Groups,DC=domain,DC=co,DC=uk)))
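As an added example (not part of the original post), the following Python builds the user filter shown above from a list of group DNs, escaping the DNs per RFC 4515 so a group name containing `(`, `)`, `*` or `\` does not break the query, and structurally checks a filter so that a missing operator such as `((memberOf=a)(memberOf=b))` is caught before it is pasted into the import connection. The group and domain names used with it are constructed sample values, not the post's.

```python
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ADS_UF_ACCOUNTDISABLE = 2  # userAccountControl bit set on a disabled account

def escape_filter_value(value: str) -> str:
    """Escape the characters that are special inside an LDAP filter value
    (RFC 4515): '*', '(', ')', '\\' and NUL become backslash plus two hex digits."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_user_filter(group_dns: list, enabled_only: bool = False) -> str:
    """Return a filter selecting user objects that belong to any of the listed groups."""
    members = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        members = f"(|{members})"  # OR the memberOf clauses together
    enabled = (f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:="
               f"{ADS_UF_ACCOUNTDISABLE}))") if enabled_only else ""
    return f"(&(objectCategory=Person)(objectClass=User){enabled}{members})"

def filter_is_well_formed(flt: str) -> bool:
    """Minimal structural check: every '(...)' is either &, | or ! applied to
    parenthesised sub-filters (! to exactly one) or a single 'attr=value' item."""
    pos = 0

    def item() -> bool:
        nonlocal pos
        if flt[pos:pos + 1] != "(":
            return False
        pos += 1
        if flt[pos:pos + 1] in ("&", "|", "!"):
            op = flt[pos]
            pos += 1
            count = 0
            while flt[pos:pos + 1] == "(":  # operands must themselves be filters
                if not item():
                    return False
                count += 1
            ok = count == 1 if op == "!" else count >= 1
        else:
            end = flt.find(")", pos)  # a literal ')' cannot appear unescaped in a value
            if end < 0:
                return False
            ok = "=" in flt[pos:end] and "(" not in flt[pos:end]
            pos = end
        if flt[pos:pos + 1] != ")":
            return False
        pos += 1
        return ok

    return item() and pos == len(flt)
```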