I’m currently installing Connections 5 for a customer. It’s a great place as the onsite guys really know their stuff. Anyway, their LDAP is in a bit of a state. Typical example of an organisation that has grown, gone through many Active Directory upgrades and no hard and fast rules for user management.
For Connections to be useful, you need relevant and current users in the Profiles database.
With populating the profiles DB, you’ve got 2 types of people. You’ve got the Wizards, and the Command lines. I’m a Wizard guy, just because it has come along way since I first used it (2.5) and hey, it automates half of my job. I still like to know and understand what the Wizards are doing, but if they automate it, awesome.
So I’m doing this install, and I run the Wizard with the default search scope.
The default search filter I used was below. I wanted to see how many records…
As you do, I iterate the log file..
LFRN0027I: After operation, success records is 634, duplicate records 0, failure records is 366.
That’s interesting…these guys only have 400 users?
Opened the PEOPLEDB, and there were heaps..I means heaps… of deactivated users. Doesn’t look like a user account had been deleted. Ever.
So, reset everything, dropped the DB and recreated it.
I had to work out how to populate without syncing accounts that were disabled. I also wanted mail to be populated.
Here is the search string that did it..
The parameter (!(userAccountControl:1.2.840.113518.104.22.1683:=2) is a feature with MS AD, and is called a bitwise filter. Essentially, we’ve selected the users with the useraccountcontrol flag enabled. This link explains it better than I ever could.
After operation, success records is 406, duplicate records 0, failure records is 24, and last successful entry is
This worked, users synced dropped to the correct numbers. Happy days.