24 October, 2012

Users are not deleted from SharePoint site after leaving the company


Our company's security policy is to delete user accounts in AD immediately when an employee leaves the company. The deleted user account still shows as valid in the SharePoint people picker, the All People group, and so on.

Normally a full import of AD users brings every user from AD into SharePoint, and when a new user first logs into SharePoint it checks against AD and adds the user. SharePoint does not, however, remove users that have been removed from AD, so site admins often look for a script that iterates through the current users listed in SharePoint, tests each one against AD, and removes from SPUsers any that no longer exist in AD.

The answer to the above concern depends on what happens after the profiles have been imported. If a user is deleted in AD, their profile will also be deleted after 3 successive full profile imports. If the user is only deactivated, their MySite will be cleaned up, but not their profile.

You also need to understand the difference between SharePoint users, which are used for security, and profiles. They are related, but not the same thing.

First, Profiles.

1. MOSS is set up to import all the users in your AD domain as profiles into the SSP that you create. However, this action is not scheduled. Profiles will not be imported until you either do a manual import or set up the schedule for full and incremental imports. This imparts no security rights to the user at all.

2. After the profiles have been imported, if a user is deleted in AD then their profile will also be deleted after 3 successive full profile imports. If the user is only deactivated, their MySite will be cleaned up, but not their profile.

Second, Authentication/Authorization (assuming you are not using any kind of Forms Based Authentication)

1. SharePoint depends on Windows Authentication via IIS to establish the user's identity. (This happens completely externally to SharePoint.)

2. SharePoint checks the user's AD identity and group membership, as established in #1, to see what the user has the ability to do in SharePoint.

You can successfully authenticate and still not gain access to SharePoint.

3. Security Access in SharePoint is dependent on the AD identity or an AD group of which the user is a member being added as a SharePoint user. Or the user or group may be added directly to a SharePoint group. This will allow the user to gain access to SharePoint resources.

4. If the access is through group membership then the user's identity will only be added to SharePoint when the user logs in and submits something to a document library or list. This adds their identity as a user, but doesn't directly re-associate them with specific rights. The rights are still gained through group membership. But they would now show up in the People and Groups list.

5. If the user's account is deactivated or deleted in AD their account in SharePoint is NOT deleted, but they won't be able to use it to access SharePoint anymore because AD won't be able to authenticate them, so they'll never get to Authorization. If deactivated, you will still be able to click on their name attached to documents or list items and see their profile. If deleted, clicking on these items will normally lead to an error page because the profile isn't there anymore.

6. Removing SharePoint users can be done programmatically, but it is a fairly involved process requiring walking each object in the farm and looking for the user entries. There are 3rd party products that do this, but I don't normally recommend using them since you are destroying the history of the user in the system.

My normal recommendation is to deactivate users in AD, but let them stay in SharePoint. Once deactivated they won't be able to log in, but the history of their usage of the system will remain intact.
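The following PowerShell script is an added example, not code from the original post, showing the audit that items 5 and 6 describe: it walks the users listed in a site collection, checks each one against AD, and reports accounts that have been deleted, disabled, or expired in AD (the expiry check also answers the question in the comments below about finding expired users). By default it only reports; it removes an entry from the site's user list only when `-RemoveDeleted` is given and only for accounts that no longer exist in AD, so deactivated users stay in SharePoint with their history intact, as recommended above. It assumes the MOSS 2007 / WSS 3.0 object model (Microsoft.SharePoint.dll) on the server, PowerShell 2.0, a site collection administrator running it, and a placeholder site URL; the function names are my own.

```powershell
# Added example (not part of the original post): audit a site collection's
# user list against Active Directory and report deleted/disabled/expired accounts.
# Assumptions: MOSS 2007 / WSS 3.0 object model, PowerShell 2.0, run by a site
# collection administrator. The site URL below is a placeholder.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/hr",
    [switch]$RemoveDeleted   # report-only unless this switch is given
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Escape the characters that have meaning in an LDAP filter (RFC 4515) so a
# login name taken from SharePoint cannot alter the search filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    return $escaped -replace "`0", '\00'
}

# Look up one sAMAccountName. Returns $null when the account no longer exists,
# otherwise an object saying whether it is disabled or past its expiry date.
function Get-AdAccountState {
    param([string]$SamAccountName)
    $sam = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    [void]$searcher.PropertiesToLoad.Add("accountExpires")
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }

    $uac = [int]$result.Properties["useraccountcontrol"][0]
    $disabled = ($uac -band 2) -ne 0      # 0x2 = ACCOUNTDISABLE

    # accountExpires is a FILETIME; 0 and Int64.MaxValue both mean "never expires".
    $expired = $false
    if ($result.Properties.Contains("accountexpires")) {
        $raw = [int64]$result.Properties["accountexpires"][0]
        if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            $expired = [DateTime]::FromFileTime($raw) -lt (Get-Date)
        }
    }
    New-Object PSObject -Property @{ Disabled = $disabled; Expired = $expired }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.RootWeb
    # SiteUsers is the site collection's user list (what People and Groups shows).
    # Take a snapshot first: removing entries while enumerating the live
    # collection is not safe. Skip AD groups and SharePoint's built-in accounts,
    # which have no AD object to check.
    $users = @($web.SiteUsers | Where-Object {
        -not $_.IsDomainGroup -and $_.LoginName -like '*\*' -and
        $_.LoginName -notlike 'SHAREPOINT\*' -and $_.LoginName -notlike 'NT AUTHORITY\*'
    })
    foreach ($user in $users) {
        $sam = $user.LoginName.Split('\')[-1]   # DOMAIN\user -> user
        $state = Get-AdAccountState -SamAccountName $sam
        if ($state -eq $null) {
            $status = "DELETED_IN_AD"
            if ($RemoveDeleted) {
                $web.SiteUsers.Remove($user.LoginName)
                $status += " (removed from site)"
            }
        } elseif ($state.Disabled) {
            $status = "DISABLED_IN_AD (kept; history preserved)"
        } elseif ($state.Expired) {
            $status = "EXPIRED_IN_AD (kept)"
        } else {
            continue   # account is alive in AD; nothing to report
        }
        Write-Output ("{0}`t{1}" -f $user.LoginName, $status)
    }
} finally {
    $site.Dispose()   # also releases RootWeb
}
```

Run it once without `-RemoveDeleted` and review the report before running it again with the switch. Removing a user from `SiteUsers` only takes them off this site collection's list (and out of its All People view); it does not touch the SSP profile, which is still cleaned up by the full profile imports described above, and it has to be repeated per site collection if the same account was added to several.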

The users deleted from AD certainly still exist in the SharePoint SSP user profiles. The suggested fix is to run a full import of user profiles. The first full import (after the users are deleted) will make them inactive. After the 3rd full import they will disappear completely.

To run a full import of user profiles, go to Central Admin > click your Shared Service Provider under Shared Services Administration > User profiles and properties (under the User Profiles and My Sites section) > Start full import. You must first grant yourself the right to manage user profiles: under the User Profiles and My Sites section, click Personalization services permissions > select Manage user profiles.

If you have any queries/questions regarding the above mentioned information then please let me know.
I would be more than happy to help you as well as resolve your issues. Thank you.

5 comments:

  1. Do you have the code to search for expired users from SharePoint group.

    1. Instead of looking from the SharePoint side, this will be very easy from the AD side.

      any active directory expert working in your org can tell you the reference of this.

      Please refer to these for an example:
      http://support.risualblogs.com/blog/2011/09/02/find-all-expired-accounts-in-your-domain-via-active-directory-powershell/

      http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx

  2. I do believe all the concepts you've offered to your post.

    They're really convincing and can definitely work.
    Still, the posts are too brief for starters. Could you please prolong them a
    little from subsequent time? Thanks for the post.

    Stop by my web site ... blackberry curve

  3. But how can I delete the user from drop down listing if I only "deactivate them in AD"? I won't to avoid user to tag/assign those deactivated users in SharePoint. Please kindly advise. Thanks very much!

    1. *I want to avoid
      Sorry for the typo!!


Your feedback is always appreciated. I will try to reply to your queries as soon as possible- Amol Ghuge
