SharePoint Profile Cleanup and the My Site Cleanup

Joel Oleson April 27, 2012 0
Share it!


One of the mysteries of SharePoint Profile Management is that scary proposition of deleting old profiles vs deleting my sites which may have data which they shared with other users. In the enterprise it’s easy to blame AD for making mistakes about users sticking around too long, but sometimes it is actually SharePoint displaying profiles that are "Missing from Import." These profiles that are missing from import have been flagged to be deleted, but without the My Site Cleanup job, those profile will continue to persist. In our environment, the engineers were worried that my sites would disappear without someone first having a chance to get the data off those sites before they should be deleted. Support was light handed as it was, so turning off a job that was called "My Site Cleanup" felt safe.

That assumption was incorrect. In fact the "My Site Cleanup" timer job does NOT delete my sites! I know that Spence says you my run the My Site Cleanup timer job to delete my sites, but that is only half correct. You must run both the "My Site Cleanup" timer job AND the Site Use Confirmation Deletion to delete My Sites. Most people will never turn on the Site Use Confirmation Deletion, and as a result the My Sites will never be auto deleted. The fears were unfounded. We found we had more than a few hundreds users that were in this case.

Using Windows Powershell to see users "Missing from Import" (This snippet from this article in TechNet "Maintain profile synchronization" has some great info that is often overlooked. People don’t even know it exists!! Thanks Ram

Note: you’ll need to string the first two or the first and third strings together to see the users or to delete the users manually. This is not the long term solution, but a quick look.

To get the User Profile Service application object, type the following command:

$upa = Get-spserviceapplication <identity>

Where <identity> is the GUID of the User Profile Synchronization service application.

To view the users and groups to delete, type the following command:

Set-SPProfileServiceApplication $upa -GetNonImportedObjects $true

To delete the obsolete users and groups, type the following command:

Set-SPProfileServiceApplication $upa -PurgeNonImportedObjects $true

 

 

While it could be said that the feature called Site Use Confirmation Deletion was built based on my feedback it wasn’t implemented the way I asked for it. It’s one of the most useless features the way it was designed. Here’s why… SharePoint has a problem with old unused sites. That’s a fact and my feedback was, I need the ability to automatically ping people with old unused sites and encourage them to delete them. Why ping everyone? Why is it not usage based? The more advanced concept is to lock them if no one responds to give us a chance to correct the owners/administrators. We don’t want to put an added burden on support. Spence’s blog is pretty good, but was just missing that detail, which it sounds like he wanted to explore at some later time.

Spence Harbar did a great post on the Account Deletion and User Profile Sync in SharePoint 2010 back in February that is a must read as is a lot of what he writes.

First off there is a common misconception that Spence addresses in his post: "There are a number of Microsoft sources (including some of mine) that state it’s the forth sync run following account deletion that will remove profiles. It is also a common misconception that a full synchronization is required. Both of these are wrong and come from how the previous version worked… This is because the profiles still exist in the Profile DB and are a simply marked for deletion. In order to actually delete the profiles, we must run the My Site Cleanup Timer job. This job will purge the profiles marked for deletion and therefore once complete make the count tally with the number of useable profiles."

Essentially the main point to understand is that to delete a profile it requires not only the profile sync which marks the profiles as "missing from import," but also requires the My Site Cleanup Timer job. This timer job is one of the first ones people will turn off because they are *Freaked Out* that the support issues are going to go through the roof. In SharePoint 2007 if the profile sync ran a few times on the 4th attempt it would clean it up. Now this is not the case in SharePoint 2010. The My Site Cleanup job actually deletes the marked profiles. This job runs hourly by default, but if people think they don’t have my sites, they don’t need this job. As well if they have no my site host, they won’t even get this job.

Also important to note is that the "My Site Cleanup" Timer job requires a My Site Host to be configured on the UPA, even if you are not using My Sites. Spence explains, "If there is no My Site Host configured the job will bail out and the profiles marked for deletion will never be deleted."

Kudos to @harbars for keeping all of us from utter insanity around UPA…

Here’s how things go in simple terms:

  1. You want profiles only, no My Sites.
    1. You need to configure the User Profile Service Application with your import settings. See: Plan for profile synchronization (SharePoint Server 2010).
    2. You need to setup a My Site Host (but not give anyone rights to create my sites) This is needed for the My Site Cleanup job to show up.
    3. You need to enable the My Site Cleanup Job to clean up users that are "missing from import" during the profile import.
  2. You want Profiles and My Sites (but no my site deletions)
    1. You need to configure the User Profile Service Application with your import settings.
    2. You need to setup a My Site Host and configure it for normal my site creation (Users have rights to create sites on the web app)
    3. You need to enable the My Site Cleanup Job to clean up users that are "missing from import" during the profile import
  3. You want Profiles and My Sites including My Site Cleanup
    1. You need to configure the User Profile Service Application with your import settings.
    2. You need to setup a My Site Host and configure it for normal my site creation (Users have rights to create sites on the web app)
    3. You need to enable the My Site Cleanup Job to clean up users that are "missing from import" during the profile import
    4. You need to enable the Site Use Confirmation Deletion to delete sites after X number of confirmations and in Y number of days. The deletion is the key piece. You can configure these settings to whatever you want. It is VERY important to note that any restore of a team site will need to be reset with a confirm that it is in use or it will again be deleted on the next notification round. Changing Owners/Administrators is the key. Doing a simple restore will also restore the # of times a site owner/admin has been notified.

The next question I had was… if you use the actual Site Use Confirmation Deletion process built into SharePoint, will it be in the SP1 Site Recycle bin? I assume it will be and available to restore via powershell, but I haven’t had a chance to confirm this. Anyone know?

 

One resource that’s an oldie but goodie is SharePoint Profile Cleanup from Sean, great info about how a lot of this has changed over time:

This update was the key to helping me have doubts "Chris reminded me that I was not quite right about the My Site deletion.  While the e-mail itself is not related to the "Site Use confirmation and deletion" feature, sites are not actually deleted unless that feature is turned on.  The e-mail to the manager is telling a fib.  If the "Site Use confirmation and deletion" feature is enabled, the site is deleted due to the fact that the user never confirms the e-mail checking to see if they are still using the site; not due to the My Site Cleanup Job itself.  I also came across another great resource on My Sites and disabled/deleted users from Phil Wicklund that is well worth reading: http://philwicklund.com/whitepapers/Documents/My%20Site%20Concerning%20Scenarios%20Study%20and%20Strategy.pdf)

 

Related

Share it!

Leave A Response »