Filters in SharePoint User Profile Synchronization Connections
When setting up user profile synchronization in SharePoint, we have to provide filters in order to import users based on specific criteria; say, we don’t want to import disabled users. By default, SharePoint pulls all the users from the directory source (usually Active Directory).
SharePoint 2010 has a nice user interface where you can select the filter.
- Go to Central Administration >> Application Management >> Manage Service Applications >> User Profile Service Application >> Configure Synchronization Connections >> Edit Connection Filters
Select the attributes and set the operator & values accordingly. Here I’ve set the condition to exclude disabled accounts.
SharePoint will then filter disabled accounts out of the user profile import. You can select the desired attributes, group them, and combine them with AND/OR conditions.
But in MOSS 2007, you have to enter the filter for user profile synchronization manually.
Go to Central Administration >> SSP >> User Profiles and Properties >> Configure Profile Import >> User Profile Connections
Click on Configure Profile Import
Edit the import connection and set the SharePoint user profile filters.
Frequently used filters in SharePoint user profile synchronization connection:
By default, the user filter will be:
(&(objectCategory=Person)(objectClass=User))
SharePoint user profile filter to exclude disabled accounts/users:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Include only the accounts with valid email addresses
(&(objectCategory=Person)(objectClass=User)(mail=*com))
Exclude accounts that are disabled or have no e-mail address:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))
Exclude accounts with passwords set to expire:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl=65536)))
Exclude accounts that don’t have a first name
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!(givenName=*))))
Include only the accounts that are part of the “sales” organizational unit of crescent.com
(&(objectCategory=Person)(objectClass=User)(memberof:1.2.840.113556.1.4.1941:=CN=Authenticated Users,OU=sales,DC=crescent,DC=com))
Include groups, and exclude disabled accounts and accounts with no first name, last name or e-mail address:
(|(objectCategory=group)(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sn=*)(givenName=*)(mail=*)))
All user objects except ‘SAM’
(&(objectCategory=person)(objectClass=user)(!(cn=SAM)))
All objects with a surname that starts with ‘sa’
(&(objectCategory=person)(objectClass=user)(sn=sa*))
All contacts with a surname equal to ‘Smith’ or ‘Jones’
(&(objectCategory=person)(objectClass=Contact)(|(sn=Smith)(sn=Jones)))
Objects (Groups) with the name ‘DL-786’ or ‘DL-000005368’:
(&(objectCategory=group)(|(name=DL-786*)(name=DL-000005368*)))
SharePoint user profile exclusion filter: e.g. Exclude accounts that don’t have First name:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!(givenName=*))))
Tip: You can write your own filters based on AD fields by looking them up in an LDAP browser or the ADSI Edit console.
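Because MOSS 2007 takes the filter as hand-typed text, it helps to check a filter before pasting it into the connection. The following is an added example, not part of the original post: a small Python checker that rejects filters whose `&`, `|`, `!` or comparisons are not wrapped in their own parentheses, and evaluates valid ones against constructed sample entries. The function names, the sample accounts and the simplified entry model (lower-case attribute names, `objectCategory` stored as a plain string) are assumptions; only the bitwise-AND rule `1.2.840.113556.1.4.803` is evaluated, other matching rules are rejected.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the page's filters
ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=([^()]*)")

def parse(f, i=0):  # returns (predicate, index after the filter that starts at f[i])
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, subs = f[i], i + 1, []
        while f[i:i + 1] == "(":
            sub, i = parse(f, i)
            subs.append(sub)
        if not subs or (op == "!" and len(subs) != 1):
            raise ValueError(f"'{op}' needs parenthesised operand(s) at offset {i}")
        if op == "!":
            pred = lambda e: not subs[0](e)
        else:
            pred = lambda e: (all if op == "&" else any)(p(e) for p in subs)
    else:
        m = ITEM.match(f, i)
        if not m:
            raise ValueError(f"bad comparison at offset {i}")
        attr, rule, val, i = m.group(1).lower(), m.group(2), m.group(3), m.end()
        if rule == BIT_AND:   # true when every bit of val is set in the attribute
            pred = lambda e: any(int(x) & int(val) == int(val) for x in e.get(attr, []))
        elif rule:
            raise ValueError(f"unsupported matching rule {rule}")
        else:                 # equality, '*' wildcards and presence, case-insensitive
            rx = re.compile(".*".join(map(re.escape, val.split("*"))), re.I)
            pred = lambda e: any(rx.fullmatch(x) for x in e.get(attr, []))
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return pred, i + 1

def matches(filter_text, entries):
    """Return the cn of each entry the filter selects; ValueError if it is malformed."""
    text = filter_text.strip()
    pred, end = parse(text)
    if end != len(text):
        raise ValueError(f"unexpected text at offset {end}")
    return [e["cn"][0] for e in entries if pred(e)]

def user(cn, uac, **extra):   # builds a constructed sample entry, not real directory data
    return {"cn": [cn], "objectcategory": ["person"], "objectclass": ["top", "user"],
            "useraccountcontrol": [str(uac)], **{k: [v] for k, v in extra.items()}}
# 512 = normal, 514 = 512 + 2 (disabled), 66048 = 512 + 65536, 66050 = 66048 + 2 (disabled)
SAMPLE = [user("alice", 512, mail="alice@crescent.com"), user("bob", 514, mail="bob@crescent.com"),
          user("carol", 66050, mail="carol@crescent.com"), user("dave", 66048)]
```

The directory server remains the final judge of a filter; this only catches structural mistakes and shows which sample accounts a filter would keep.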
Links:
- Configuring user profile sync: Configuring My Sites & User Profile Synchronization in SharePoint 2010 – Step by step
- Search filters: https://msdn.microsoft.com/en-us/library/aa746475.aspx
Also, you can add only this in LDAP filter syntax to exclude the disabled users:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Hello, I’m trying to configure a filter to exclude new users. I only want to update profiles that already exist in SharePoint 2007. Is this something you could help me with?