Sunteți pe pagina 1din 25

Configure SharePoint User Profile Service

June 09th, 2011 : By admin

SharePoint UPS (User Profile Service) can be a challenge to setup. UPS in SharePoint requires a
little extra attention to make it work as expected but trust me that this service is worth that time.
What is SharePoint User Profile Service?
You may be wondering why do I need SharePoint UPS. Just to make it simple and short all
social features from
SharePoint 2007, including My Site support, User Profile pages, audiences and social tagging is
now bundled in the User Profile Service.
Preparing your SharePoint farm for the User Profile Service
If you never updated your SharePoint 2010 farm with cumulative updates (and no, I am not
talking about Windows Update) you will need to do it to enable UPS. SharePoint 2010 RTM
version has many issues related to User Profile Service you will need to update to the newest
cumulative update available. Just to keep you informed if you have December Cumulative
Update for SharePoint 2010 then User Profile Service wont work at all! I will be focusing this
guide on the latest February 2011 Cumulative Update.
The best resource to find the latest SharePoint updates is TechNet at
For this walkthrough I will be using the SharePoint Foundation 2010 (KB 2475880) and
SharePoint Server 2010 (KB
2475878) updates for the SharePoint farm. These updates are downloadable on-demand. It best
practise to make a full server backup before you try any Cumulative Updates to SharePoint
(including database-backup), because there is no option to roll-back the update.
After you install both SharePoint Foundation 2010 update and SharePoint Server 2010 update,
you should run the SharePoint 2010 Products Configuration Wizard to complete the upgrade.
After a successful upgrade you should verify if your SharePoint server is indeed updated. To do
this, go to the Central Administration System
Settings Manage servers in this farm section. There you can see all your servers that are
connected with the SharePoint farm (including smtp servers and SQL Servers).

Manage Servers in the Farm Window
Unfortunately, there is no clear information about the update just build number in the
Configuration database version variable. In my case it is 14.0.5136.5002 which means I have
the February 2011 Cumulative Update installed.
To verify this I usually Google the exact build number to determine the Update details. If you are
following my links and you see 14.0.5136.5002 build you have February 2011 Cumulative
Update and you can continue.
One important note: if your build is 14.0.5136.5001 you also have February 2011 Cumulative
Update, but this build contains an error and you should download and reinstall the 5002 build of
the February 2011 Cumulative Update to prevent farm issues.
Most of this article is applicable to the original RTM version of SharePoint 2010, but some
solutions may not work exactly as described. I know that the UPS Service caused many issues
before February 2011 Cumulative Update (and to give you more the Feb 2001 CU is actually
dedicated for UPS Service hotfixes) so I strongly suggest to upgrade unless you have a strong
reason not to.
Verify Managed Metadata Service installation
User Profile Services requires Managed Metadata Service to interact with. The SharePoint
Managed Metadata Service (MMS) is a service that publishes a term store and normally some
content types that the managed metadata will consume in its services. MMS is the key to the
social tags and notes since it is where where all tags are to be stored. You can create multiple
MMS, but for the User Profile Service you will need at least one MMS.
First we will check if there is at least one MMS installed and configured.
Go to Central Administration Application Management Manage Service Applications
and look for the Managed Metadata Service. If you used Configuration Wizard on your farm
(which is what I would personally would recommend), you will probably have one MSS.

Managed Metadata Service in the Service Applications window
If you dont have one, from the ribbon select the icon New and choose Managed Metadata
Service. Then you will have to setup some MMS properties which you also need to verify
when you actually had one MMS before (then you have to mark the Managed Metadata Service
and click on the properties icon in the ribbon).

Managed Metadata Service properties window top
You need to type in/verify the service name (default Managed Metadata Service is fine), check
the service database name, select application pool and Content type hub.

Managed Metadata Service Properties window bottom
Even if you used the Configuration Wizard, the Content Type Hub field will be empty and you
will need to select one
of your site collections for this role. For the needs of the User Profile Service this step isnt
necessary, so if you havent decided yet where your Content Type Hub should be you can
leave it blank. For this demo I will just type in my default root site collection which is http://sps.
Create and Configure Accounts and Permissions
Next is the tricky part. Note that you need to apply all of these settings or your User Profile
Service wont work. To be able to complete this section, you will need full access to the Active
Directory to perform AD-Forest based permission settings using the adsiedit tool.
Step 1. Create Service Accounts in Active Directory
We will need two accounts, one for the UPS application pool (we will call this sps_ups_pool)
and one for the synchronization between SharePoint and Active Directory (we will call this
These accounts should only have domain user rights (dont listen to people stating you need local
admin or worse domain admin rights for these accounts). Also, these accounts need to have
two flags enabled in AD: User cannot change password and Password never expires.
Some SharePoint resources state that you should not check these options since Managed
Accounts in SharePoint handle password changes etc. However this is incorrect, the User Profile
Service does not work fully with the Managed Accounts and I have found that using them would
causes headaches each time your Active Directory policies demand the service account to change
the password.

Account properties window with two important flags enabled.
Step 2 : Check The Farm Administrator Account
To successfully provision the User Profile Service, the farm admin account needs to be local
administrator on all the SharePoint 2010 servers. You should check what account is your farm
admin and give that user local admin rights
remember to remove these permissions after you finish this tutorial and verify that UPS is
To identify your Farm Admin account, go to Central Administration Security Configure
Service accounts option and select Farm Account from the menu.

Farm Account credentials configuration in Central Administration
As you can see, my farm admin account is ad\spssetup so I will have to verify that this user
belongs to the local administrators group on every SharePoint server in my farm before going
forward with the tutorial.
Step 3 : Setup Active Directory Rights For The sps_ups_sync
Now the most important part of the setup, and one which often causes issues when improperly
Assign Replicating Directory Changes permission to sps_ups_sync account
Login to your AD Server and open up Active Directory Users and Computers console. Now
right-click the Active Directory Server name and choose the Delegate Control option.

Active Directory Users and Computers console
On the informational screen click the Next button. Now you need to choose the account for
delegation, click on the Add button and find the sps_ups_sync account.

Delegation Control window with sps_ups_sync account added
On the next setup screen, select the Create a custom task to delegate option and click next.

Custom task delegation selected
On the Active Directory Object Type window make sure that the This folder, existing objects
in this folder, and creation of new objects in this folder option is selected and click Next.

Active Directory Object Type configuration
Next we should see the permissions setup window. You need to find the Replicating Directory
Changes permission type. Do this with care since there are several other similar names. Also
make sure that the General Checkbox is selected. The Property-Specific and
Creation/Deletion of specific child objects should be unchecked.

Permissions window with the Replicate Directory Changes permission type selected
Now ensure that the proper permission is selected (verify with the screen above) and click Next.
On the summary screen, just click Finish.
Now we need to add the same sps_ups_sync account to the AD Configuration container with the
same permission set. To do this, press Windows + R buttons and type in: adsiedit.msc
If you do not have adsiedit (which is part of Windows Support tools), go to and follow the
instructions specific to your operating system.
In Adsiedit expand the Configuration tree node, right click on the CN=Configuration
container and select the Properties option.

Adsiedit window with CN=Configuration container properties just being selected
Next, go to the Security tab and click Add. If you have this button grayed-out, you probably
need to change the ownership of this container. To do this, click the Advanced button, select the
ownership tab and change the owner of this container to the administrators group or your current
user. After changing the permission revert to the original owner if possible to prevent possible
issues with system permissions to this container.
When youve clicked the Add button in the Security tab you should add your synchronization

AdsiEdit Security Tab on Cn=Configuration main container
In the Permissions for Administrators section below the accounts list, find the Replicating
Directory Changes and check the Allow option for our newly added sps_ups_sync account and
click Apply.

Synchronization account permissions Replicate Directory Changes checked.
You can close the Active Directory Users and Computers windows now and log off from the
Active Directory Server. The permission configuration setup is completed.
Configure the User Profile Service
Next, we go back to Central Administration to finally create the User Profile Service.
Navigate to the Central Administration > Application Management > Manage Service
Applications. If you used configuration wizard, you will have the User Profile Service already
configured. Delete this (unless you have it already working without any issues). If you were
configuring everything yourself (which is preferred way of doing the farm configuration) you
will not need to destroy anything.
Now on the ribbon click the New icon and choose the User Profile Service Application.

New User Profile Application option
The Create New User Profile Service window will appear. Enter some of the common and
obvious fields such Name, database server, database names, etc. I will focus only on those fields
where you need to change the default settings.

Create New User Profile Service Application window
As you can see on the above screen, you should create a new dedicated application pool for this
service (we can call this the User Profile Service Application Pool), and then assign our
dedicated AD account to this pool(i.e. sps_ups_pool). If you dont have it as the managed
account yet, add it now using the Register new managed account option, you will be returned
to the UPS configuration after that so dont be concerned that this cancels the configuration.
The next field you need to setup is My Site Host URL.

My Site Host URL field
You should provide a full URL to your My Sites root location. If you dont have the My Site
location, create one before continuing. It is enough to create a new site collection in your default
application with the format similar to the one Ive used in the example above. You need to create
a site collection without a template, and therefore you should mark the Select template later

Site Collection creation window with the no-template selected
The good thing about the User Profile Service configuration is that it will setup the template and
all necessary My Site settings for us. All you need to do is enter the correct site collection during
the UPS configuration.
The final field you should focus on is Site Naming Format. You may want to change how
personal sites would be named and used in URLs, personally I favor the default settings.

Site Naming Format field in User Profile Service Configuration
Next, after you hvae double-checked that all options are filled in correct, click the Create button.
When the setup completes, you will need to refresh the Service Applications window in Central
Administration to
see the newly created service just press F5 to refresh the browser.
The next step is to recycle the IIS Server. If you arent on the production environment yet, you
can simply execute the IISReset command.
Now you need to enable the User Profile Synchronization Service. Navigate to Central
Administration Application Management Manage Services on Server and search for the
User Profile Synchronization Service. Its state will probably be stopped, if so click Start.

User Profile Synchronization Service status
A new configuration window should appear, where you will need to enter the User Profile
Service Application Pool credentials. This would be your Farm Admin account and you cannot
change this account to a different one. Before you enter the password twice for this account and
click the OK button, make sure that this account is Local Administrator or else the provisioning
of this service would fail.

User Profile Synchronization Service startup setting
Now refresh the page until you see that the service is in started status. This may take a couple of

The User Profile Synchronization Service status we need to see before continuing
When you see that the service started, you need to perform IISReset command again, or you will
see the below error message when trying to configure something within the UPS Service.

Error message during UPS Configuration if IISReset has not been re-performed
This will get you started with SharePoint UPS configuration the concluding Part 2 will look at
some more advanced topics such as Active Directory sync as well as completing and testing the
Configure SharePoint User Profile Service Part 2
June 15th, 2011 : By admin
Configure User Profile synchronization with Active
Select the User Profile Service and click the Manage button on the ribbon. You should see the
screen just like the one below.

Default User
Profile Service configuration window after being created
Select Configure
Synchronization Connections in the Synchronization section. Now
click the Create new Connection option, if you see the
pop-up window In that case go back to Manage Services on Server and wait until the service

Pop-Up window when
attempting to create the UPS synchronization connection
In the Add New
Synchronization connection window, we will need to fill-in several fields.
In the Connection Name
field enter a descriptive name of your connection, such as AD Synchronization.
In the Forest name field
enter the FQDN name of your domain (in my example: ad.local). Leave
the Auto discover domain controller option selected.
In the Account name, Password,
Confirm Password,enter credentials for the synchronization account

User Profile
Synchronization Connection configuration
Now click the Populate
Containers button and select your AD organizational units you would like to
import. Ive selected NetPro and Users OUs where I usually store
all my users.

User Profile
Synchronization Connection AD Container selection
Click OK and after a
while you should see your newly created connection listed. We can add
additional properties now, to tell the UPS Service that we do not want to import
AD accounts that are disabled. In my experience this is often requested by clients, so I propose
to make it a default for your setups.
Scroll over your connection name
and expand the menu using the black arrow on the right, then select Edit
Connection Filters option.

Edit Connection
Filters option under Synchronization connection name
Right now we need to add
exclusion filter for users that are disabled. You need to choose userAccountControl
attribute with Bit on equals operator with filter value 2.
See the screenshot below for the exact config you should perform.

configuration that would prevent importing disabled user accounts
Click the Add button you
should see your newly created filter listed now. Click the OK button and
go back to the User Profile Service settings window.
Remove Local Admin permissions
from the Farm Account
Remember when we
had to setup the local admin rights for the farm account? Now is the time
to finally remove it, and I strongly suggest to do this. Remember that
when you have to provision the User Profile Synchronization Service again
you will also need to remember about adding the Local Admin rights again for the
farm account.
Setup Timer Job for the User
Profile Service
Now we should
setup when we would like to perform User Profile Synchronization. Click the Configure
Synchronization Timer Job option, and change the settings according your
requirements. I personally like the default daily import at 1 AM.
Now you need to hit the Enable button so the synchronization Timer Job
will start at the scheduled time.

User Profile
Synchronization Timer Job Settings
Now we need to
perform one last step start the full synchronization to check
if everything went OK and also to have some accounts before scheduled time.
Go back to the User Profile
Service configuration section and select the Start Profile Synchronization
option. Select Start Full Synchronization and click OK. The entire sync
process will be visible in the Profile Synchronization Status section on
the bottom-right side of the UPS Configuration window.

User Profile
Synchronization import in progress
Thats it!