User profiles make it easy for users to connect with and find other users and share information throughout your SharePoint Server 2007 sites. User profiles include information, or properties, specific to each user (such as contact details, areas of interest, and organizational reporting structure) and are used as the basis for users to create their personal sites, called My Sites. User profiles, combined with My Sites, form the backbone of social networking throughout your SharePoint Server 2007 sites by allowing users to easily connect with colleagues with similar interests and sets of skills throughout the organization.
User profiles are not used for authentication and are not user accounts like those in Active Directory.
User profile properties are both imported directly from Active Directory and created manually in SharePoint. The obvious advantage of importing user profile information is that the information already exists and can be updated from one central point. This assumes, of course, that you're richly populating your Active Directory user account properties. Properties, such as user account name and e-mail addresses, are imported from Active Directory and automatically distributed throughout all sites. This means, for example, that when a user wants to create an alert on a site, his e-mail address is already included and he is not prompted to manually enter his e-mail address to receive that alert.
Profile properties for each user can be mapped, or linked, directly to the Active Directory schema. For instance, if you extend your Active Directory schema to include an additional property unique to your organization, you can then map that property to the SharePoint user profiles and have it displayed in the user information in SharePoint. Conversely, if you create a new profile property in SharePoint, you can map that property to an existing user account property. You are not required to do this, but the option is available to you.
You can also further customize user profiles imported from Active Directory directly within SharePoint by creating SharePoint-specific profile properties, such as Skills and Interests. These properties are optional and are available in addition to the imported Active Directory prepopulated properties. Users can then populate those additional properties through their My Site to display that information to other users throughout the organization. User profiles in SharePoint Server 2007 scale up to 5 million in number, compared to only 1 million in SharePoint Portal Server 2003.
With SharePoint Server 2007, you can import user profiles and properties from the following four directory sources:
Business Data Catalog (BDC) application (for example, cost center from SAP)
Active Directory Resource
By default, SharePoint Server 2007 selects the main domain controller in the domain in which it is deployed and sets that domain controller as the default directory source for a user profile import. For example, Figure 8-6 shows the Contoso domain as the Current Domain selected on the Configure Profile Import page because the SharePoint server is deployed in the Contoso.msft domain.
Figure 8-6: Default domain controller for a profile import
If you want to include additional connections to domain controllers or create a custom profile import using an LDAP query, or if you want to import a column from an associated BDC application (such as an SAP cost center), you need to configure import connections to those additional directories before profiles or profile properties can be imported from those connections.
To configure additional import connections, follow these steps:
1. On the SSP Home page, under the User Profiles And My Sites section, click User Profiles And Properties.
2. On the User Profiles And Properties page, click Import Connections.
3. On the Import Connections page, click the Create New Connection link.
4. In the Connection Settings section, from the Type drop-down list, select the type of directory connection, as shown in Figure 8-7. After you have finished entering the configuration details for the directory, such as LDAP search filters, click OK. See Table 8-3 for some examples of LDAP filters.
Table 8-3: Example LDAP filters
All user objects but "amy"
All objects with a surname that starts with "sa"
All contacts with a surname equal to "Purcell" or "Bezio"
Imports user profile information of only user accounts that are enabled
Figure 8-7: Choose directory connection type
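As an added example that is not part of this chapter, the following Python evaluator applies LDAP search filters of the kind Table 8-3 describes to a handful of constructed directory entries, so you can check what an import connection's filter would pull in before you save it. The filter strings, the sample entries, and the function names are my own assumptions; the bitwise-AND matching rule OID is the standard Active Directory one.

```python
import re

# Constructed sample directory entries, not real accounts. userAccountControl
# bit 0x2 is ACCOUNTDISABLE: 512 = enabled normal account, 514 = disabled one.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "amy", "sn": "Sanders", "objectClass": ["user"], "userAccountControl": 512},
    {"sAMAccountName": "bob", "sn": "Purcell", "objectClass": ["user"], "userAccountControl": 514},
    {"sAMAccountName": "svc-crawl", "sn": "Saito", "objectClass": ["user"], "userAccountControl": 512},
    {"sAMAccountName": "vendor1", "sn": "Bezio", "objectClass": ["contact"]},
]

# Standard LDAP filter syntax for the four Table 8-3 descriptions (my wording, not the book's).
FILTERS = {
    "all users but amy": "(&(objectClass=user)(!(sAMAccountName=amy)))",
    "surname starts with sa": "(sn=sa*)",
    "contacts Purcell or Bezio": "(&(objectClass=contact)(|(sn=Purcell)(sn=Bezio)))",
    "enabled users only": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
}

def parse(text, i=0):
    """Recursive-descent parse of one parenthesised RFC 4515 filter starting at text[i]."""
    assert text[i] == "(", "filter must start with '('"
    i += 1
    if text[i] in "&|!":                  # compound item: and / or / not
        op, kids, i = text[i], [], i + 1
        while text[i] == "(":
            node, i = parse(text, i)
            kids.append(node)
        return (op, kids), i + 1          # i + 1 skips the closing ')'
    end = text.index(")", i)              # simple item: attr=value, no ')' inside value
    attr, value = text[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    attr, rule = attr.split(":")[:2] if ":" in attr else (attr, None)   # attr:OID:=value
    values = entry.get(attr, [])          # absent attribute never matches
    values = values if isinstance(values, list) else [values]
    if rule == "1.2.840.113556.1.4.803":  # LDAP_MATCHING_RULE_BIT_AND (AD-specific)
        return any(int(v) & int(value) == int(value) for v in values)
    pattern = re.escape(value).replace(r"\*", ".*")   # '*' is the only wildcard
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)

def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the account names an import connection with this filter would pull in."""
    node, _ = parse(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(node, e)]
```

Note that the constructed service account svc-crawl passes every user filter here; as the chapter advises, keeping such accounts in their own OU, apart from the OUs you import, is what keeps them out of the profile store.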
The new connection will be saved and is accessible via the Import Connections page, shown in Figure 8-8.
Figure 8-8: Custom import connections
New connections will be added and included in subsequent profile imports. The additional connections are denoted as a Custom Source on the Configure Profile Import page, as shown in Figure 8-9.
Figure 8-9: Custom Source profile import selection
The Configure Profile Import page also includes the options to configure both full and incremental import schedules. A full profile import removes from the SharePoint profile database any users who were deleted from a source directory. Incremental profile imports ensure that updates are made to user information in the SharePoint profile database. Depending on the size of your organization, you could, for example, schedule a full import once per month and an incremental import once every two weeks. You also have the option to manually start either a full or incremental profile import in addition to the scheduled imports.
Any updates to user profiles will be re-indexed by incremental crawls so that correct user information is returned in people searches and throughout sites, including My Sites.
If you choose to set up one or more custom connections to your Active Directory, you need to have thought through your Active Directory design for user and group accounts. For example, assume that you place all your Active Directory service accounts in a single organizational unit (OU) and that you do not want those accounts imported into the profile list in Office SharePoint Server 2007. Achieving this requires that your Active Directory was designed so that all service accounts exist in that one OU. Hence, the best practice is to ensure that the accounts you want imported into SharePoint exist under one or more common OUs and that the accounts you do not want imported exist under a separate OU.
SharePoint Server 2007 includes a profile import log, which will log successes and errors during profile imports. This will help you to troubleshoot any issues relating to importing user profiles. To access the import log, click View Import Log from the User Profiles And Properties page.
After you have successfully imported user profiles, you can view the list of user profiles by clicking the View User Profiles link on the User Profiles And Properties page.
On the View User Profiles page, you can search for users by E-mail Address, Account Name, or Preferred Name; you can also choose to show only active users or users missing from an import. Users missing from an import are any user profiles previously imported but missing from the most recent import. You can also create a new user profile in addition to the imported user profiles. If you create a new user profile, you need to populate the user information, including the username and user e-mail.
On the View User Profiles page, user profiles can be edited by selecting profiles individually and choosing Edit from the profile contextual drop-down menu, as shown in Figure 8-10. From this same menu, you can also delete user profiles and manage users' personal sites (for example, make changes to a user's alerts).
Figure 8-10: View User Profiles page in SSP
Before deleting a user profile, see the "Deleting User Profiles" section in this chapter.
If you choose to edit a user profile, you are directed to the Edit User Profile page, shown in Figure 8-11. Here, you can choose to update any user information or override any existing information.
Figure 8-11: Edit individual user profiles in SSP
If you override or change information or properties imported from Active Directory (for example, the Name or Department properties, which are directly mapped to and imported from the Active Directory schema), those changes will be overwritten on the next user profile import. Best practice is to ensure that properties imported from Active Directory are not user-editable in their My Profiles page.
For instance, you might choose to update one of the SharePoint-specific properties on a user's behalf, such as Hire Date. Remember, as an administrator, you have rights to edit all editable properties on a user profile, whereas users only have rights to update their own profile properties via a My Site. Users have only limited editing rights, as determined by the administrator. For example, administrators can edit or override a user's First Name and Last Name properties on the Edit User Profile Page, whereas, by default, an end user will not have access to edit those properties.
SharePoint Server 2007, by default, includes approximately 46 user profile properties, 21 of which are mapped to common Active Directory properties, such as givenName and sn (surname). By mapped, we mean that there is a direct connection between some user attributes or fields defined in SharePoint and those already existing in Active Directory and exposed through the Active Directory schema, such as the user First Name, Last Name, and Work E-mail. SharePoint simplifies the population of its user attributes by mapping directly to user attributes in Active Directory and importing the prepopulated values during user profile import from Active Directory.
You can create additional profile properties either by mapping to existing fields in your Active Directory or other directory connection, such as a property from a BDC application, or by creating a SharePoint-specific profile property (that is, an unmapped property). For example, SharePoint Server 2007 includes a number of unmapped properties that can be optionally populated by the end users, such as Interests, Birthday, and Skills. You can also extend your Active Directory schema to expose additional fields and map to those fields from SharePoint.
An example of a situation in which you might want to create a new, custom mapped profile property in your SharePoint profile property store is if your organization includes multiple subsidiaries and you want the option to be able to search on people by company. Active Directory exposes by default a user attribute named Company, in the Organization tab of the user Properties window, as shown in Figure 8-12. In this case, the Company is Contoso, Ltd. SharePoint can map to and retrieve the value for the user's Company upon profile import.
Figure 8-12: Including additional profile properties from Active Directory
To create a new user profile property for Company, follow these steps:
1. From the SSP home page, under the User Profiles And My Sites section, click User Profiles And Properties.
2. On the User Profiles And Properties page, under the User Profile Properties section, click Add Profile Property.
3. On the Add User Profile Property page, in the Property Settings section, give the profile property a name (in this example, company) and a Display Name of Company. (The Display Name is the name that will be displayed on the User Profile details page.) From the Type drop-down list, select the default value of string. Change the value in the Length field to 250. Leave the Has Multiple Values and Allow Choice List check boxes cleared.
4. Under the Policy Settings section, leave the Policy Setting field as the default value, Optional, and grant Default Access to Everyone. Leave the User Override and Replicable check boxes cleared.
5. Leave the settings in the Edit, Display, and Search sections as the default values. Note that by leaving the Indexed check box in the Search Settings section selected, the user's company value will be included in the people search scope and available as a search option in the people search.
6. In the Property Import Mapping section, leave the Data Connection value as the default value, Master Connection. From the Data Source Field To Map drop-down list, select company, and click OK to save the new user profile property, Company.
7. Back on the User Profiles And Properties page, under User Profile Properties, click View Profile Properties.
The above steps assume that the Active Directory attribute 'company' has not previously been added as a mapped profile property.
8. On the View Profile Properties page, scroll down to the bottom of the page to view the newly added user profile property, Company. You can use the up and down arrows to change the order of the property on the profile property details page, which is the order in which it will be displayed on the user's profile details page.
To populate the new Company value throughout your user profiles, you need to run a full profile import against your configured Active Directory store. After you have done this, any Company values retrieved from Active Directory are included in the Company property throughout your user profiles, as shown in Figure 8-13. Here the Company property has been populated directly from Active Directory with the value Contoso, Ltd.
Figure 8-13: Additional profile property imported to the SharePoint profile database
Profile Property Policies offer a means for you to centrally view, set, and modify the privacy and audience settings for profile properties. To view the Profile Property Policies, from the SSP Home page, click Profile Services Policies.
The policy settings also determine whether a user can override the settings for a given profile property on the user detail page in a My Site. For example, you can specify whether the user can change the visibility for the profile property from Everyone to a particular group. Additionally, you can configure a property to be a required or optional field. For example, the profile property Manager is set as optional and can be left blank, or it can be modified on the Edit User Profile page by the administrator.
Table 8-4 lists the options for setting visibility on profile properties. If the User Override policy option is selected for a policy property, the user will be able to select to whom they want to show that property.
Table 8-4: Show Profile Property To
The owner of the My Site.
Dynamically assigned, as determined by the mapped profile property attribute (that is, the Manager entered in Active Directory and imported with the user profiles).
A preconfigured group in each My Site. As My Site owners add colleagues to their My Sites, they can choose to also add those colleagues to the Workgroup group.
Other user profiles that users can choose to add to their My Site. These profiles are either found by people search or suggested by SharePoint when a user might share common attributes with another user (for example, when they are members of the same site or sites or in the same Distribution List).
All users with read access to the My Sites, such as the NT AUTHORITY\authenticated users domain group.
If you delete user profiles from the SharePoint user profile database and then want to reinstate those profiles, you can manually re-add the profiles or re-import them from the source directory, provided the user accounts still exist in the source directory. One of the consequences of deleting a user profile from within SharePoint is that the user's My Site becomes inaccessible. Any custom profile property information that was added to the My Site before you deleted the user profile, such as About Me, Skills, or Interests, is lost at the time the user profile is deleted. Any colleagues added to the My Site Colleague Tracker will also be removed. But any documents stored in the user's My Site Personal Documents and Shared Documents document libraries are reinstated after the user's profile is reimported and the user re-creates her My Site. If the user had previously created a personal blog, the blog will still exist and the link to the blog will be included under Sites in the left-hand menu on the My Home page.
You cannot delete a user profile where the user has created a My Site and has their My Site open in their browser.
If a deleted user profile has been previously added as a colleague to another user's My Site, that colleague reference will automatically be removed from the user's My Site Colleague list at the same time the user profile is deleted from SharePoint. Users will need to re-add the user to their Colleague list once the user profile has been reinstated. In deleting a user profile, assuming the user is still an active member in the source directory (such as Active Directory), permissions for that user will remain unchanged throughout site collections and the user will still be able to access sites where he is a member.
Each user profile is assigned a globally unique identifier (GUID) by SharePoint. If you delete a user profile, that profile is removed from the UserProfile table in the SSP database and added to the Profile DeletedUsers table. If you then reimport that user profile from Active Directory, SharePoint assigns a new user ID GUID to the user profile and adds the profile to the UserProfile table. Any references to the old user ID GUID should be updated with a content index crawl after the user profile has been reimported and any custom properties have been reapplied. Doing this also updates the user information throughout the associated site collections.
If a user account is disabled in the source directory, such as Active Directory, the equivalent user profile in SharePoint remains unchanged upon the next user profile import. If a user account is deleted from the source directory, such as Active Directory, the equivalent user profile in SharePoint is deleted upon the next profile import.