This week, I had a client of mine ask me to provide them with details regarding what happens to a user’s profile in SharePoint when the user is deleted from Active Directory. After doing a few tests in my lab to get to the bottom of the question, I decided to write this blog post as a brain dump, documenting the process at the same time. This article describes what happens when using AD Import for the user profile service. It does not apply to the 2010/2013 user profile sync process.
We have an employee named Johny BeGone who has access to our corporate intranet environment. Johny has been making changes to some documents in the SharePoint intranet environment. If we take a look at the Users catalog ([site url]/_catalogs/users), we can see that Johny has been “stapled” to the site, meaning the site itself holds a static record of who Johny is, which acts as a log that Johny once had something to do with this site.
If we go take a peek at the Manage User Profiles section in the User Profile Service Application in Central Administration, we can see that Johny has a profile listed:
Johny BeGone also has an active MySite in which he stores multiple personal documents:
A few years into the job, Johny accepts a job offer with another company. The IT department then goes and deletes Johny’s account in Active Directory.
What’s Happening in the Background
The next time a user profile synchronization happens (incremental or full), the User Profile Service will detect that Johny’s account is no longer active in Active Directory, and will flag it for deletion. If you go back to the User Profiles page in the Service Application, the profile now shows under the Profiles Missing from Import view, with the mention -DELETED-:
One of the main differences between the AD Import process and the User Profile Sync is that with AD Import, even if the MySite Cleanup Job timer job runs, the “deleted” profile still remains. With the User Profile Sync, the moment the timer job runs, the profile is automatically removed from the profile database. Even though the user profile is now marked for deletion, the user entry will still be shown in the users catalog of the sites where Johny once had access (e.g. /_catalogs/users). Using the object model, you will still be able to retrieve the local static reference to the user by calling EnsureUser on the web:
# Open the web whose users catalog still holds Johny's stapled entry
$web = Get-SPWeb http://intranetsiteurl
# Resolve the claims login of the deleted account against that web
$web.EnsureUser("i:0#.w|contoso\johnybegone")
14 days later, the associated MySite for Johny will be deleted by the daily MySite Cleanup Job timer job.
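To turn the behaviour described above into something you can check on your own farm, here is an added PowerShell audit script (it is not from the original post). It walks the users catalog of a site, and for every person entry reports whether the profile store still holds a profile for that login and whether EnsureUser still resolves it. Assumptions: it runs in the SharePoint Management Shell on a farm server, under an account with rights on the User Profile Service Application, and $SiteUrl is a placeholder you replace with the site to audit.

```powershell
# Added example, not the original post's code: audit a web's users catalog
# and report stapled entries that no longer resolve to a profile or account.
# Assumptions: SharePoint Management Shell on a farm server; $SiteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://intranetsiteurl"   # placeholder, replace with the site to audit

$site = Get-SPSite $SiteUrl
$web  = $site.RootWeb
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$report = foreach ($item in $web.SiteUserInfoList.Items) {
    # Skip SharePoint groups; only "Person" items are stapled user records
    if ($item.ContentType.Name -ne "Person") { continue }

    $login = $item["Name"]            # claims login, e.g. i:0#.w|contoso\johnybegone
    if ([string]::IsNullOrEmpty($login)) { continue }

    # Does the profile store still hold a profile for this account?
    $hasProfile = $upm.UserExists($login)

    # Does EnsureUser still resolve the account? It throws when it cannot.
    # The login already exists in this catalog, so the call adds no new entry.
    $resolves = $true
    try   { [void]$web.EnsureUser($login) }
    catch { $resolves = $false }

    [pscustomobject]@{
        Login           = $login
        DisplayName     = $item["Title"]
        ProfileExists   = $hasProfile
        EnsureUserWorks = $resolves
    }
}

# Entries still stapled to the site whose account can no longer be resolved
$orphaned = $report | Where-Object { -not $_.EnsureUserWorks }
$orphaned | Format-Table -AutoSize

$web.Dispose()
$site.Dispose()
```

Because AD Import keeps the flagged profile in the profile database until it is removed, ProfileExists may still report $true for an account that has already left Active Directory; the EnsureUserWorks column is the one that shows the account itself no longer resolves. Running this before and after the MySite Cleanup Job timer job lets you see which of the two columns actually changes in your farm.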
2 thoughts on “User Profile Automated Removal when User is Deleted from Active Directory”
By calling $web.EnsureUser are you not creating the local reference if it wasn’t there before? It checks the role and membership providers for a valid user, if I recall correctly, and there can be more than one. I’m not sure how it works with AD, whether it would go all the way to AD to check the user or whether it consults a local copy of user properties in the site collection like it did with Foundation.
$web.EnsureUser will throw an error because the active profile for the user is no longer found in the SharePoint provider, nor in AD. It therefore won’t create the local reference on sites where the user was not assigned to before.