SharePoint – AD Import – Some users are not imported

The most common reasons for some users not getting user profiles imported when using SharePoint Active Directory Import (AD Import; ADI) have been the same for a long time now. They are (in order):

  • Container / OU selection (you didn’t select the containers that the missing users live in)
  • LDAP filter (your filter excludes those users)
  • The LastKnownParent issue

However, there’s also a little twist on container / OU selection that may not be obvious and requires some explanation. The short version is that only container-level selections matter to SharePoint user profile import. Selecting or deselecting individual users and groups does nothing.

Here’s the more detailed version:

Consider the following scenario:

  • You have an Active Directory organizational unit (OU) that contains a child OU and also some user objects at the same level.
  • For example, you have a “MyUsers” container that contains a “Disabled Users” container, and also a handful of users and groups.
  • Within the “Populate Containers” dialog in the User Profile Service Application, you deselect the “Disabled Users” OU because you don’t want to import any of the users within that OU.
  • You run a full profile import.
  • You expect that only users within the “Disabled Users” OU are excluded from import, but you find that none of the users in the “MyUsers” container were imported either.


Explanation:

This is expected behavior for SharePoint 2013, SharePoint 2016, and SharePoint 2019 when using AD Import.

When you deselect an OU, the dialog also deselects its parent OU, because you’re telling the service you no longer want everything within the parent imported. That makes sense.

The “Populate Containers” screenshot above is where the confusion usually comes in. It shows the individual users within the “MyUsers” container as selected for import, so they should be imported, right? Wrong.

This is an unfortunate “feature” of the “Populate Containers” dialog. I would prefer that it did not show user and group objects at all. Instead, it allows you to select and deselect user and group objects, but doing so makes no actual difference to the import. The dialog gives the appearance of an ability to select individual users, but it doesn’t actually work that way, and never has. Only OU / container selections are honored by the Import. In order for a user or group to be imported, the OU they live in must be selected. Since the “MyUsers” container is not selected, none of the user and group objects at that level are imported.
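A quick pre-import check, added here as an example and not part of the original post: for each OU you plan to deselect in “Populate Containers”, list the user and group objects that sit directly in its parent OU, since deselecting the child deselects the parent and everything at that level is skipped regardless of how the individual objects appear in the dialog. It assumes the ActiveDirectory RSAT module is installed and uses placeholder distinguished names under DC=contoso,DC=local.

```powershell
# Added example (not from the original post): find user and group objects that AD Import
# will silently skip because they live directly in an OU that becomes deselected when
# one of its child OUs is deselected.
# Assumes the ActiveDirectory RSAT module; the DNs below are placeholders.
Import-Module ActiveDirectory

# OUs you intend to deselect in the "Populate Containers" dialog (placeholder DNs)
$deselectedOUs = @(
    'OU=Disabled Users,OU=MyUsers,DC=contoso,DC=local'
)

foreach ($ou in $deselectedOUs) {
    # Deselecting a child OU deselects its parent, so everything at the parent's level is at risk.
    # Simple split on the first comma; it assumes no escaped commas ("\,") in the RDN.
    $parentDN = ($ou -split ',', 2)[1]

    Write-Host "Deselecting '$ou' also deselects its parent '$parentDN'."
    Write-Host "Objects directly in the parent (NOT imported unless moved or filtered):"

    # -SearchScope OneLevel returns only objects whose immediate parent is $parentDN,
    # which is exactly the set the import will skip.
    $users  = Get-ADUser  -Filter * -SearchBase $parentDN -SearchScope OneLevel
    $groups = Get-ADGroup -Filter * -SearchBase $parentDN -SearchScope OneLevel

    $users  | Select-Object @{ n = 'Type'; e = { 'User' } },  SamAccountName, DistinguishedName
    $groups | Select-Object @{ n = 'Type'; e = { 'Group' } }, SamAccountName, DistinguishedName
}
```

If the output lists accounts you expected to see in SharePoint, the container layout, not the per-user checkboxes, is what needs to change before the next full import.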


Workarounds:

You can restructure your Active Directory so that OUs that you don’t want imported are not at the same level, within the same OU as users and groups that you do want imported.

Keeping with my example above, I would simply move the “Disabled Users” OU out of the “MyUsers” OU in Active Directory, and then within SharePoint, select “MyUsers” and deselect “Disabled Users” for profile import. Example:

Another equally valid solution would be to create a new “Enabled Users” OU within “MyUsers”, move all user and group objects currently in “MyUsers” to that child OU, and then select that new “Enabled Users” OU, and deselect “Disabled Users” for profile import. Example:

You could also choose to include and exclude certain users by using an LDAP filter instead of using container selection.
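The second workaround above (a new “Enabled Users” child OU that receives every user and group currently sitting directly in “MyUsers”) carried out in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and placeholder distinguished names under DC=contoso,DC=local; the moves run with -WhatIf so nothing changes until you remove that switch.

```powershell
# Added example (not from the original post): create "Enabled Users" under "MyUsers" and
# move every user and group that lives directly in "MyUsers" into it, so "Enabled Users"
# can be selected and "Disabled Users" deselected independently in Populate Containers.
# Assumes the ActiveDirectory RSAT module; the DNs below are placeholders.
Import-Module ActiveDirectory

$parentOU  = 'OU=MyUsers,DC=contoso,DC=local'
$enabledOU = "OU=Enabled Users,$parentOU"

# Create the child OU only if it does not exist yet; keep accidental-deletion protection on.
$existing = Get-ADOrganizationalUnit -LDAPFilter '(name=Enabled Users)' `
                -SearchBase $parentOU -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name 'Enabled Users' -Path $parentOU `
        -ProtectedFromAccidentalDeletion $true
}

# Only objects whose immediate parent is "MyUsers" are affected; child OUs such as
# "Disabled Users" stay where they are.
$toMove = @(Get-ADUser  -Filter * -SearchBase $parentOU -SearchScope OneLevel) +
          @(Get-ADGroup -Filter * -SearchBase $parentOU -SearchScope OneLevel)

foreach ($obj in $toMove) {
    # Review the listed moves, then drop -WhatIf to apply them.
    Move-ADObject -Identity $obj.DistinguishedName -TargetPath $enabledOU -WhatIf
}
```

The first workaround is the same cmdlet applied once: Move-ADObject on the “Disabled Users” OU itself with a -TargetPath outside “MyUsers”. After either restructure, select the container the objects now live in and run a full profile import. Where the exclusion criterion is an account attribute rather than a location, the LDAP filter on the synchronization connection can express it; for example, the commonly used clause (!(userAccountControl:1.2.840.113556.1.4.803:=2)) excludes accounts whose disabled bit is set, which is a different thing from excluding an OU named “Disabled Users”.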