User Profile Store
Joshua Haebets
SharePoint Solutions Architect
Evolve Information Services
Joshua Haebets SharePoint Consultant
Evolve Information Services
• Principal Consultant / Solutions Architect
• @jhaebets on Twitter
• www.linkedin.com/in/jhaebets
• Blog on the way
• www.robotsdottxt.com
Agenda
• What is the User Profile Service Application
• How do you configure it
• Working with profiles
• Enhancing the profile service
People
Getting Profiles
Windows Identity Foundation
The Service App.
(Diagram: Web Applications such as http://sharepoint.mycompany.com talk to the User Profile Service and its Sync Service; the data stores are the Profile DB, Sync DB and Social DB.)
Sync Storage
• ConnectorSpace (CS): staging during sync
• Metaverse (MV): aggregated data
(Diagram: AD, AD CS, MV, SP CS, SharePoint UPS)
1. Import from Active Directory data into AD CS
2. Import from SharePoint UPS into SP CS
3. Data is sync'd with the MV
4. Export data from CS to SharePoint UPS
5. Import and data confirmation
6. Data is sent to MV, including exports from UPS, and on to AD CS
7. Data sent from AD CS to Active Directory
8. Data check and validated from AD to AD CS
Data Stores
• Profile DB: profile data and activity feed
• Sync DB: sync staging DB
• Social DB: tags, ratings, keywords, bookmarks and comments
Getting it working
1. Create the User Profile Service Application
2. Start the User Profile Service
3. Start the User Profile Synchronization Service
4. Configure Synchronization Connections
5. Create MySite Host
Create the User Profile Service Application
• From Central Administration: Manage Service Applications > New > User Profile Service Application
• Powershell:
  $ups = New-SPProfileServiceApplication -Name "User Profile Service Application" `
      -ApplicationPool "User Profile Application Pool" `
      -MySiteHostLocation "http://sps-ups/my" -MySiteManagedPath "my/personal" `
      -ProfileDBName "SPS-UPS_ProfileDB" -ProfileSyncDBName "SPS-UPS_SyncDB" `
      -SocialDBName "SPS-UPS_SocialDB"
  New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
      -ServiceApplication $ups -DefaultProxyGroup
Start the User Profile Service
• From Central Administration: Manage Services on Server > User Profile Service > Start
• Powershell:
  $upservice = Get-SPServiceInstance | Where-Object { $_.TypeName.Contains("User Profile Service") }
  Start-SPServiceInstance -Identity $upservice
Start the User Profile Synchronization Service
• From Central Administration: Manage Services on Server > User Profile Synchronization Service > Start
• Enter the Farm Account password
• Farm Account must be a local admin on the server to provision the sync service
• Farm Account must have the log on locally right once the service has been provisioned
• Powershell – a little harder than most; the script is at the end of the deck
Configure Synchronization Connections
• Active Directory Domain Services
• Novell eDirectory (LDAP)
• Sun Java Directory Service (LDAP)
• IBM Tivoli (LDAP)
Active Directory Permissions
• Create a service account for Active Directory read and write
  o Isolate roles
  o Keep domain admins happy
Manage Permissions
• Replicate Directory Changes: delegate control on your domain and grant Replicate Directory Changes
• This gives you import permissions
More Permissions
• Create Child Objects permission for the User Profile Service account
• Using ADSIEdit
• Allows you to write back to Active Directory... almost
More sync permissions
• One more in ADSIEdit
• Advanced > Find the UPS service account
• Write All Properties
• Create All Child Objects
• There will be two instances
Connecting to AD
• Auto domain controller or specify one
• Enter the User Profile service account credentials
• Select the OU/s you want to sync
• Say goodbye to LDAP queries
Configure Synchronization Connections: almost there…
• Connection Filters
  o Easily exclude disabled accounts from sync
Forefront Identity Manager
• C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell
Get Permissions right or…
• No sync
• No write back to AD
• You can only do Full Sync
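Since a missing Replicate Directory Changes grant is the usual reason the import fails, here is an added check (not from the deck) that reads the DACL of a naming context and reports whether the sync account holds that extended right directly. The account name and DNs are placeholders; the GUID is the well-known DS-Replication-Get-Changes right, and rights inherited through group membership are not resolved.

```powershell
# Added example, not from the deck: verify that the UPS sync account holds the
# "Replicating Directory Changes" extended right on the domain naming context
# (needed for import) and on the Configuration container (needed for NetBIOS names).
$SyncAccount = "DOMAIN\svc-spups"                    # placeholder: sync service account
$DomainNC    = "DC=domain,DC=lan"                    # placeholder: domain naming context
$ConfigNC    = "CN=Configuration,DC=domain,DC=lan"   # placeholder: configuration container

# Well-known GUID of the DS-Replication-Get-Changes control access right
$ReplicateChangesGuid = [Guid] "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

function Test-ReplicateDirectoryChanges {
    param([string] $Account, [string] $NamingContext)
    $entry = [ADSI] "LDAP://$NamingContext"
    # ObjectSecurity exposes the DACL as ActiveDirectoryAccessRule objects
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($rule.IdentityReference.Value -ine $Account) { continue }
        # An extended-right ACE names the right by GUID in ObjectType;
        # an empty GUID means "all extended rights" and also qualifies
        $isExtended = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($isExtended -and ($rule.ObjectType -eq $ReplicateChangesGuid -or $rule.ObjectType -eq [Guid]::Empty)) {
            return $true
        }
    }
    # Only direct grants are seen here; a grant via a group is not resolved
    return $false
}

foreach ($nc in @($DomainNC, $ConfigNC)) {
    $ok = Test-ReplicateDirectoryChanges -Account $SyncAccount -NamingContext $nc
    "{0}: Replicate Directory Changes for {1} = {2}" -f $nc, $SyncAccount, $ok
}
```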
Performing a Sync
Frequency
• Hourly, Daily, Weekly, Monthly
• Or minutes (up to 59)
• Consider server load and Directory Service load
Still having trouble?
Proxies
• Make sure you do not have any proxies in use:
  netsh winhttp show proxy
• "No proxy / Direct access" doesn't mean it is so
Proxy Override
<configuration>
  <system.net>
    <defaultProxy>
      <bypasslist>
        <!-- bypasslist entries are .NET regular expressions -->
        <add address="[a-z]+\.DOMAIN\.lan" />
        <add address="192\.168\.0\.\d+" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>
And where are you going to put it…
1. C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\owstimer.exe.config
2. Web.config of your Central Administration Web Application:
   <system.net>
     <defaultProxy />
   </system.net>
3. C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\MIISClient.exe.config
4. C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\MIIServer.exe.config
Yes, that makes four locations
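Because "direct access" in the UI does not prove what the .NET processes will do, here is an added diagnostic (not from the deck) that inspects the four config files named above and evaluates their bypasslist the way .NET does: each entry is a case-insensitive regular expression tested against "scheme://host[:port]". The Central Administration web.config path and the two sample URLs are placeholders.

```powershell
# Added example, not from the deck: for each config file, report whether a
# <system.net><defaultProxy> section exists and whether sample SharePoint URLs
# would bypass the proxy under its <bypasslist> patterns.
$ConfigFiles = @(
    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\owstimer.exe.config",
    "C:\inetpub\wwwroot\wss\VirtualDirectories\<CA port>\web.config",   # placeholder: Central Administration
    "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\MIISClient.exe.config",
    "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\MIIServer.exe.config"
)
$SampleUrls = @("http://sps-ups.domain.lan", "http://192.168.0.10")   # constructed sample URLs

function Get-ProxyBypassReport {
    param([string] $ConfigPath, [string[]] $Urls)
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return "$ConfigPath : file not found" }
    $xml = [xml] (Get-Content -LiteralPath $ConfigPath)
    $proxyNode = $xml.SelectSingleNode("/configuration/system.net/defaultProxy")
    if ($proxyNode -eq $null) { return "$ConfigPath : no <defaultProxy> section, machine proxy settings apply" }
    $patterns = @($proxyNode.SelectNodes("bypasslist/add") | ForEach-Object { $_.GetAttribute("address") })
    $lines = @("$ConfigPath : <defaultProxy> present with $($patterns.Count) bypass pattern(s)")
    foreach ($url in $Urls) {
        $uri = [Uri] $url
        # .NET matches bypass regexes against scheme://host, adding :port only when non-default
        $target = if ($uri.IsDefaultPort) { "$($uri.Scheme)://$($uri.Host)" } else { "$($uri.Scheme)://$($uri.Host):$($uri.Port)" }
        $hit = $patterns | Where-Object { $target -match "(?i)$_" } | Select-Object -First 1
        if ($hit) { $lines += "  $url bypasses the proxy (matched '$hit')" }
        else      { $lines += "  $url goes through the proxy" }
    }
    return $lines -join "`n"
}

foreach ($f in $ConfigFiles) { Get-ProxyBypassReport -ConfigPath $f -Urls $SampleUrls }
```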
Netbios Names
• By default the User Profile Service Application runs with NetBIOS disabled
• If you find profiles are NetBiosName\Username
  o E.g. Netbios.domain.lan appears as Netbios\joshua.haebets
  o Should be domain\joshua.haebets
• Also grant Replicate Directory Changes on the Configuration container in ADSI Edit
Enable Netbios
• Powershell and only Powershell:
  $ups = Get-SPServiceApplication | Where-Object { $_.DisplayName.Contains("User Profile") }
  $ups.NetBIOSDomainNamesEnabled = $true
  $ups.Update()
  $ups.NetBIOSDomainNamesEnabled
  True
• Delete and recreate the connection to the directory store
What does it all mean
Profile Properties
• Create custom properties
  o Clients / Accounts
  o Previous Employer
  o Footy Team
• Write back to Active Directory
• Never fear, import only by default
Managed Metadata
• Create standards
  o Office Locations
  o Job Titles
  o Products
  o Customers
• Profile Properties can use Managed Metadata
Profile Properties and Managed Metadata
• Create a fixed term set
• Assign Profile Managers
• Export to Active Directory
  o Job Titles
  o Office Location
  o Customers
  o Products
Sub Types
• Separate profiles for employee types:
  o Part-time / casual employees
  o Contractors
  o Consultants
• Capture only the information you need for each profile type
  o Work days
  o Start and/or End Date
  o Vendor / Consultancy
Import or Export
• Plan what you want to write back
• One-off import and then managed from SharePoint?
• Can HR manage everything from SharePoint now?
Profile Properties
Email analysis
• SharePoint reads your emails. Never fear, this is a good thing
Pictures
• Stored in "User Photos" at the root web of the MySite site collection
• 3 versions
  o Large 144x144
  o Medium 96x96
  o Small 32x32
• Will size by longest edge
• Write back to AD and see them in Outlook
BCS Data Source
• Not with User Profiles: import only
Getting data from other systems
Importing from LOB Systems
Data in - data out
• AD to SharePoint
• SharePoint to AD
• LOB System to SharePoint
Identity management for the masses
Patches……they were quick
• KB983497
• http://support.microsoft.com/kb/983497
• Almost completely dedicated to the user profile issues
• Fixes issues with:
  o Large data stores
  o Groups and members
  o SQL locks
  o Delays in sync
  o Activity feed
Summary
• Follow the steps and UPS will work every time
• Plan what data (properties) you need
• Create the policies
• Set the permissions
• Decide what goes back to your directory service
• Find out what other systems have data to enrich users' profiles
Contact
• Joshua.haebets@evolve-is.com.au
• Slides will be here: www.slideshare.net/jhaebets
• Keep an eye on www.robotsdottxt.com
• www.linkedin.com/in/jhaebets
Thanks For Listening!
Be sure to submit your feedback
if you want to be in the draw to
win the Xbox 360 and other prizes!
Sponsors
Start the User Profile Synchronization Service
# Start the profile synchronization service on a server
function Start-ProfileSynchronizationService {
    PARAM (
        [string] $ProfileApplication = $(throw "You must provide a user profile service application name"),
        [string] $Machine,
        [string] $Password = $(throw "You must enter the password of the farm account (SharePoint timer service account)")
    )
    # Locate the User Profile Service Application by name
    $upaApp = Get-SPServiceApplication | ? { $_.Name -like $ProfileApplication }
    if ($upaApp -eq $null) { throw "No service application named '$ProfileApplication' was found" }
    if ($Machine -eq $null -Or $Machine -eq "") {
        # Default to the current machine
        $Machine = [System.Environment]::MachineName
    }
    # The User Profile Synchronization Service instance on the chosen server
    $syncService = Get-SPServiceInstance | ? { $_.TypeName -like "User Profile Synchronization Service" -And $_.Server.Address -like $Machine }
    if ($syncService -eq $null) { throw "No User Profile Synchronization Service instance was found on '$Machine'" }
    ## The sync service is provisioned to run as the farm (timer service) account
    $serviceAccount = (Get-SPFarm).DefaultServiceAccount
    Write-Output ([System.String]::Format("Starting user profile sync service on machine {0} for UPA {1}; service account is {2}", $Machine, $upaApp.Name, $serviceAccount.Name))
    $upaApp.SetSynchronizationMachine($Machine, $syncService.Id, $serviceAccount.Name, $Password)
}

## Use the function Start-ProfileSynchronizationService to start the profile synchronization service
Write-Output "Starting user profile sync service"
$machine = Read-Host "Please enter the server on which you want to run the profile sync service (default is the current machine)"
$upa     = Read-Host "Please enter the UPA name the profile sync service will be associated with"
# Read the farm account password without echoing it; SetSynchronizationMachine needs it as clear text
$securePassword = Read-Host -AsSecureString "Please enter the service account (farm account) password"
$password = (New-Object System.Management.Automation.PSCredential("farm", $securePassword)).GetNetworkCredential().Password
Start-ProfileSynchronizationService -ProfileApplication $upa -Machine $machine -Password $password