SharePoint is made up of two separate products, which are very tightly integrated: Windows SharePoint Services v3 (WSSv3) and Microsoft Office SharePoint Server 2007 (MOSS2007). Because WSSv3 can also be implemented by itself, Microsoft has implemented WSS user profiles in order to keep track of user information in a WSSv3 environment. Each site collection has its own User Information List with profile information for each user that has ever logged onto the site collection.
When implementing MOSS2007, extra user profile functionality is implemented on top of WSSv3, but the WSSv3 profiles still exist in the site collections. To keep all user profile information synchronized across both the MOSS profiles and the WSS profiles, Microsoft has implemented a User Profile Synchronization mechanism which synchronizes all MOSS profile information to all WSS user profiles. Because MOSS profiles can be synchronized with AD, changes in AD are synchronized to all user profiles using this mechanism.
More information on user profiles can be found here (in Dutch).
How are deletions of AD accounts handled?
When a full import from AD is done and a user which has a MOSS profile is not present in the AD import, this account is marked “Missing from Import”. When the user is missing from import during three imports, SharePoint considers this account as deleted and deletes the account from the MOSS profiles. Unfortunately these deletions are NOT replicated to the WSS profiles, so the WSS profiles of those users remain in the system.
Ok, what does that mean?
I found out that when you are trying to grant a user permissions somewhere in a site collection, the SharePoint People Picker checks both the User Information List and Active Directory. If a user has been deleted from AD but still exists in the User Information List (still has a WSS profile), this user is returned in the results. This means that you can still see users that left the company ages ago, which is very confusing for site collection administrators:
Actual real life situation:
E.g. John Doe has left the company, I can’t see him anymore in the Outlook GAL, but I can still grant him permissions in my site collection.
Crap, how do I solve this?
This can be solved by cleaning your WSS profiles regularly. Unfortunately by default this is a manual process. If you only have a few site collections and a few users, this is quite easy. But if you have many site collections and many users, this is a major challenge!
In my environment we created a custom tool for this issue:
- The tool checks the MOSS profiles against the WSS profiles and creates a delta file: "which WSS profiles do not have a MOSS profile?"
- We then compare that output (automated) with AD, because we do not import all accounts into MOSS, such as admin accounts
- The output is then fed into another tool, which deletes these accounts
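The three steps above, combined into one script as an added example (this is not the author's tool): it walks every site collection of a web application, lists the User Information List entries (WSS profiles) that have neither a MOSS profile nor an AD account, and only removes them when -Remove is given. It assumes the MOSS 2007 object model is available on the server it runs on, and the web application URL and LDAP root are placeholders for your own environment.

```powershell
# Added example, not the author's tool. Reports WSS profiles without a MOSS profile
# and without an AD account; removal is opt-in so the default run is the delta file.
param(
    [string]$WebAppUrl = "http://intranet.example.com",  # assumption: your web application
    [string]$AdRoot    = "LDAP://DC=example,DC=com",     # assumption: your domain root
    [switch]$Remove                                      # default: report only
)
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

# Returns $true when the sAMAccountName part of "DOMAIN\user" still exists in AD.
function Test-AdAccount([string]$loginName) {
    $sam = $loginName.Split('\')[-1]
    # Escape LDAP filter metacharacters (backslash first) before building the filter
    foreach ($c in '\','*','(',')') { $sam = $sam.Replace($c, '\' + ('{0:x2}' -f [int][char]$c)) }
    $root = New-Object System.DirectoryServices.DirectoryEntry($AdRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    return ($searcher.FindOne() -ne $null)
}

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup((New-Object Uri($WebAppUrl)))
foreach ($site in $webApp.Sites) {
    try {
        $ctx = [Microsoft.Office.Server.ServerContext]::GetContext($site)
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
        $web = $site.RootWeb
        # Copy the collection first: removing entries while enumerating it is not safe
        foreach ($user in @($web.SiteUsers)) {
            if ($user.IsDomainGroup -or $user.LoginName -like "SHAREPOINT\*") { continue }
            if ($upm.UserExists($user.LoginName)) { continue }   # still has a MOSS profile
            if (Test-AdAccount $user.LoginName) { continue }     # in AD but deliberately not imported
            # Delta: WSS profile, no MOSS profile, no AD account
            "{0}`t{1}" -f $site.Url, $user.LoginName
            if ($Remove) {
                # After this, items created or changed by the user show as orphaned
                $web.SiteUsers.Remove($user.LoginName)
            }
        }
    } finally {
        $site.Dispose()
    }
}
```

Run it without -Remove first and keep that delta file; it is the only record of which accounts owned the items that become orphaned.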
And are there any things I need to pay attention to?
Of course! Nothing comes without a price! Because the WSS profiles of those users are deleted, all items or documents that were created or changed by those users become "orphaned": SharePoint is no longer able to display who created or changed the item or document. So be careful!
Another issue we encountered is with search. If permissions have been granted to individual users and these users are deleted, the crawl has to update these permissions in the index file. If your index is small and you have a limited amount of content, resetting the index and starting a new full crawl is the quickest way. In our case we ran an incremental crawl, which took three times as long as a full crawl usually needs. During the crawl it looked like the crawl process was stuck. This was because it was updating the index file, which just takes a very long time!