Microsoft Identity Manager Series
Part 6: Scoping the Active Directory Management Agent in MIM
Many companies may not want to synchronize their entire directory to the SharePoint User Profile Service. This post will guide you through scoping the Active Directory Management Agent in MIM. Scoping lets you specify which Organizational Units (OUs) are synchronized.
Using the Synchronization Service Manager, go to the Management Agents tab and double-click the Active Directory Management Agent (ADMA). In Configure Directory Partitions, make sure to highlight the domain naming context partition (that is, the one that does not begin with “CN=Configuration”).
Click Containers. You will be prompted for the synchronization account password to continue. Here, we can select which OUs are synchronized.
On the next full synchronization, the accounts outside the scope of the selected OUs will be deleted from the ADMA, the Metaverse, and the SharePoint Management Agent (SPMA), which includes the User Profile Service.
To filter out additional users, for example those that are disabled in Active Directory, go back into the ADMA. In Select Attributes, select the attribute you wish to filter on. In this example, we will be filtering out disabled users, so we’ll choose the attribute ‘userAccountControl’. This attribute is not selected by default. Click OK to exit the ADMA; the attribute must be selected before it can be used in the next step.
Reopen the ADMA and go to Configure Connector Filter. In the right-hand pane, highlight the ‘user’ object type. Select the desired attribute (userAccountControl in this case), choose the “Bit on equals” operator, and enter a value of 0x2 (‘2’), which is the ACCOUNTDISABLE bit. Click Add Condition, then OK, and exit the ADMA. Start a full synchronization, and the disabled users will be deleted from the Metaverse as well as the SPMA.
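Before running the full synchronization, it helps to know exactly which accounts the OU scope and the userAccountControl filter will drop. The following script is an added example, not part of the original post or of MIM itself: it replays the two decisions above (subtree container selection, then the “Bit on equals 0x2” test) over a constructed set of user records. The OU names and users are placeholders.

```python
"""Simulate the ADMA container scope plus the userAccountControl connector filter.

Added example with constructed data; it assumes that every selected OU was
selected with its whole subtree, which is what a DN suffix match models.
"""
from __future__ import annotations
from dataclasses import dataclass

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by "Bit on equals" 2


@dataclass(frozen=True)
class AdUser:
    dn: str
    user_account_control: int


def in_selected_container(dn: str, selected_ous: list[str]) -> bool:
    """True when the object sits under one of the selected OUs (subtree match)."""
    lowered = dn.lower()
    return any(lowered.endswith("," + ou.lower()) for ou in selected_ous)


def filtered_by_connector_filter(user: AdUser) -> bool:
    """MIM 'Bit on equals' 0x2: filtered when the ACCOUNTDISABLE bit is set."""
    return user.user_account_control & ACCOUNTDISABLE == ACCOUNTDISABLE


def classify(users: list[AdUser], selected_ous: list[str]):
    """Return (kept DNs, {dropped DN: reason}) as a full sync would decide them."""
    kept: list[str] = []
    dropped: dict[str, str] = {}
    for user in users:
        if not in_selected_container(user.dn, selected_ous):
            dropped[user.dn] = "outside selected OUs"
        elif filtered_by_connector_filter(user):
            dropped[user.dn] = "disabled (userAccountControl bit 0x2 set)"
        else:
            kept.append(user.dn)
    return kept, dropped


# Constructed sample: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, 66050 = the same but disabled.
SELECTED_OUS = ["OU=Staff,DC=example,DC=test"]  # placeholder OU
SAMPLE_USERS = [
    AdUser("CN=Alice,OU=Staff,DC=example,DC=test", 512),
    AdUser("CN=Bob,OU=Staff,DC=example,DC=test", 514),
    AdUser("CN=Carol,OU=Sales,OU=Staff,DC=example,DC=test", 66048),
    AdUser("CN=Dave,OU=Service Accounts,DC=example,DC=test", 512),
    AdUser("CN=Erin,OU=Staff,DC=example,DC=test", 66050),
]

if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_USERS, SELECTED_OUS)
    print("kept:", kept)
    for dn, reason in dropped.items():
        print("dropped:", dn, "->", reason)
```

Running it against the constructed data keeps Alice and Carol (the sub-OU counts because the container was selected as a subtree) and drops Bob and Erin as disabled and Dave as out of scope.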
And that is it. I hope you enjoyed this series on MIM! If you have any further questions about MIM as it relates to SharePoint 2016, let me know!