Summit 7 Team Blogs

Configuring the UPA Sync Connection with PowerShell

Recently I was faced with a challenge setting up the User Profile Service for a customer's SharePoint 2016 farm. In this particular case, the team that had set up Active Directory had dispersed the user population across a large number of organizational units (OUs) and sub-OUs.

For those of you who have ever set up the synchronization connection, you know how painful it is to scroll all the way back down to the OU you were just looking at. Now imagine that action with approximately 1400 OUs to synchronize.

You can see my problem.

So what to do? I’m not that good with PowerShell but desperation facilitates ingenuity and I managed to cobble together something that was close to what I was trying to do when I got hung up. A little help from my co-worker Brian Laws (who has far superior scripting skills than I’ll likely ever have) and I was off and running.

What I came up with was a combination of actions using PowerShell and Excel to automate the process of selecting each individual OU. First, I broke out PowerShell and started looking at how I could get a list of all of the OUs from Active Directory. A little Google and I came up with the following one-line script that exported all of the OUs and sub-OUs from AD along with the DistinguishedName and CanonicalName into a text file.

Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName, CanonicalName | Select-Object -Property DistinguishedName, CanonicalName | Out-File "c:\scripts\OU-Export.txt"

We need the DN for the script that will select our OUs for the synchronization connection. Running the command above in PowerShell generates a text file with two columns, one containing the DistinguishedName of each OU and the other its corresponding CanonicalName, for example:

DistinguishedName: OU=ExecutiveUsers,DC=spmechanic,DC=com

CanonicalName: spmechanic.com/ExecutiveUsers

The next step was preparing the spreadsheet. I'm not going to go into this; suffice it to say that once the exported text file was imported into Excel it was around 8,000 lines. I went through it using the filtering capabilities of Excel to delete large groups of OUs (computer-related ones, for example) until I had it whittled down to the 1400 OUs I wanted to synchronize. At that point I deleted the column containing the CanonicalNames entirely; I had only used it as an easy way to tell the OUs apart.
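The Excel filtering step can also be done in PowerShell, which has the advantage that the selection is repeatable and reviewable. The following is an added example, not code from the original post: it exports every OU, drops the ones whose canonical path contains one of a constructed set of excluded containers (computer and server OUs in this illustration), writes one trimmed DistinguishedName per line for the import script to read, and keeps a CSV with both names beside it so the selection can be reviewed before anything is synchronized. The file paths and the exclusion regex are assumptions.

```powershell
# Added example: build the OU import list in PowerShell instead of Excel.
# Paths and the exclusion regex are assumptions, not values from the post.
Import-Module ActiveDirectory

$importListPath = 'C:\ou-import.txt'            # read later by Get-Content in the sync script
$reviewCsvPath  = 'C:\scripts\ou-selection.csv' # both names, for review before importing

# Constructed exclusion: any OU whose canonical path has one of these containers
# as a path element (e.g. spmechanic.com/Workstations/Computers/Lab) is skipped.
$excludeRegex = '(^|/)(Computers|Servers|ServiceAccounts)(/|$)'

$allOUs = @(Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName, CanonicalName)
$selected = @($allOUs |
    Where-Object { $_.CanonicalName -notmatch $excludeRegex } |
    Sort-Object CanonicalName)

# One DistinguishedName per line, no header and no blank lines. UTF8 (with BOM in
# Windows PowerShell) keeps OU names with non-ASCII characters intact, and Get-Content
# in the sync script detects the BOM and decodes the file correctly.
$selected |
    ForEach-Object { $_.DistinguishedName.Trim() } |
    Set-Content -Path $importListPath -Encoding UTF8

# Keep both names next to each other for a human review of what will be synced.
$selected |
    Select-Object DistinguishedName, CanonicalName |
    Export-Csv -Path $reviewCsvPath -NoTypeInformation

$excludedCount = $allOUs.Count - $selected.Count
Write-Output ("{0} OUs exported, {1} selected for synchronization, {2} excluded" -f $allOUs.Count, $selected.Count, $excludedCount)
```

Review the CSV before running the import: a pattern that is too broad silently drops user OUs, and one that is too narrow pulls in accounts that should never land in the profile store.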

To select the OUs we want, the script will read the text file I've created that holds the list of DistinguishedNames of the OUs to synchronize.

I’ll start by setting variables for the scripts.

$importUserName = "SP_ProfileSync"
$importDomain = "spmechanic"
# Password for the sync account, converted to a SecureString for the cmdlet
$importpw = ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force

# Display name of the User Profile Service Application, as shown in Central Administration
$serviceName = "User Profile Service Application 01"
$importOU = Get-Content "c:\ou-import.txt"

$forestName = "spmechanic.com"

The $importUserName variable is the account I am using to do the synchronization, $importDomain is my spmechanic domain, and the password is converted to a secure string so it can be passed to SharePoint as part of the script. We assign the display name of the service application to $serviceName, set $forestName to spmechanic.com, and finally tell $importOU to read the list of OUs from my text file.

In the next step I'll set the User Profile Service to use AD Import rather than synchronization. It is important to note that this is what the command does: the UPA is updated with the NoILMUsed property set to $true.

#Set User Profile Service to AD import
$UPA = Get-SPServiceApplication -Name $serviceName
$UPA.NoILMUsed = $true
$UPA.Update()

$UPS = $UPA.id

In the very last step I’ll tell SharePoint to loop through my list of OUs and select each one in the list for import. I’ll use a foreach loop along with the Add-SPProfileSyncConnection command to select my OUs for import.

foreach ($ou in $importOU)
{
    Add-SPProfileSyncConnection -ProfileServiceApplication $UPS -ConnectionForestName $forestName -ConnectionDomain $importDomain -ConnectionUserName $importUserName -ConnectionPassword $importpw -ConnectionSynchronizationOU $ou.Trim() -ConnectionUseDisabledFilter $true
}

To pull it all together, here is the complete script:

$importUserName = "SP_ProfileSync"
$importDomain = "spmechanic"
$importpw = ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force

$serviceName = "User Profile Service Application 01"
# Skip blank lines so an empty OU is never passed to the connection
$importOU = Get-Content "c:\ou-import.txt" | Where-Object { $_.Trim() }

$forestName = "spmechanic.com"

#Set User Profile Service to AD import
$UPA = Get-SPServiceApplication -Name $serviceName
$UPA.NoILMUsed = $true
$UPA.Update()

$UPS = $UPA.id

foreach ($ou in $importOU)
{
    Add-SPProfileSyncConnection -ProfileServiceApplication $UPS `
        -ConnectionForestName $forestName `
        -ConnectionDomain $importDomain `
        -ConnectionUserName $importUserName `
        -ConnectionPassword $importpw `
        -ConnectionSynchronizationOU $ou.Trim() `
        -ConnectionUseDisabledFilter $true
}
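Hard-coding the sync account's password in the script, as the walkthrough does for brevity, leaves it in clear text on disk and in every copy of the script, and a loop over 1400 OUs with no error handling gives no record of which OUs were actually added. The following is an added example, not the post's code: the same import, with the password prompted at run time, the service application lookup and the OU list validated before anything is changed, and each OU's result written to a CSV. The file paths and the DN sanity check are assumptions. However the password is supplied, the sync account itself should be a dedicated account granted only what AD Import needs (Replicate Directory Changes on the domain), not a domain administrator.

```powershell
# Added example: the import loop with a prompted credential, input validation
# and per-OU logging. Paths and the DN check are assumptions, not from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceName    = 'User Profile Service Application 01'
$forestName     = 'spmechanic.com'
$importDomain   = 'spmechanic'
$importUserName = 'SP_ProfileSync'
$ouListPath     = 'C:\ou-import.txt'              # one OU distinguished name per line
$logPath        = 'C:\scripts\ou-import-log.csv'  # assumed location for the result log

# Prompt for the sync account's password; it is never written into the script.
$importPw = Read-Host -Prompt "Password for $importDomain\$importUserName" -AsSecureString

# Fail before changing anything if the service application cannot be found.
$UPA = Get-SPServiceApplication -Name $serviceName -ErrorAction Stop
if (-not $UPA) { throw "Service application '$serviceName' not found." }

# Read the OU list, drop blank and commented lines, and check every entry
# looks like an OU distinguished name before touching the connection.
$ouList = Get-Content -Path $ouListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

$badDn = $ouList | Where-Object { $_ -notmatch '^OU=.+,DC=.+' }
if ($badDn) { throw "Lines that are not OU distinguished names:`n$($badDn -join "`n")" }
if ($ouList.Count -eq 0) { throw "No OUs to import from $ouListPath." }

# Switch the UPA to AD Import, as in the post.
$UPA.NoILMUsed = $true
$UPA.Update()

# Add each OU to the connection and record the outcome instead of stopping
# (or silently continuing) on the first failure.
$results = foreach ($ou in $ouList) {
    try {
        Add-SPProfileSyncConnection -ProfileServiceApplication $UPA `
            -ConnectionForestName $forestName `
            -ConnectionDomain $importDomain `
            -ConnectionUserName $importUserName `
            -ConnectionPassword $importPw `
            -ConnectionSynchronizationOU $ou `
            -ConnectionUseDisabledFilter $true `
            -ErrorAction Stop
        [pscustomobject]@{ OU = $ou; Status = 'Added'; Error = '' }
    }
    catch {
        [pscustomobject]@{ OU = $ou; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

The CSV gives you the list of OUs to retry (or to investigate) without rerunning the whole loop, and the summary at the end tells you at a glance whether the run matched the count you expected from the spreadsheet.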

Hope you've found this helpful. As always, scripts are provided with no guarantees, implied or otherwise, and you use them at your own risk. Always test first!
