Red / Green: GP Preferences for Internet Explorer


Red / Green: GP Preferences

http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

All those options you can adjust in the Advanced tab: that’s a lot of granularity and a lot of work to get exactly right. Instead of forcing admins to modify every single setting when they configure an IE option, Preferences offers the ability to pick and choose which settings the admin wants pushed out. Those that are red underlined (or have a red circle next to them) are going to be ignored. Those that are underlined with a green solid line (or next to a green circle) are going to be noted, captured in the GPO, and enforced on the target user or computer. So I can make a Preference item that only captures three or four settings out of a whole menu of settings. Cool, right?

 
 


To ensure you aren’t pushing out unwanted settings, settings are ignored by default; this is indicated with a red dashed underline or a red circle icon. This is true of the home page, for example (you can see the red dashed line in the image above). If you do not consciously make the choice to have these settings captured, they will be ignored. No green line/circle, no configuration. This is what causes most people to have issues with Preferences: they go through all the work of configuring the settings they want, set up targeting, link the GPO, run gpupdate… nothing changes. The GPO applied in the report, but what happened? The settings were still set to be ignored, so nothing was pushed out.

  
 

The mechanism to specify or ignore settings is controlled by the F5 – F6 – F7 – F8 keys. They are grouped in pairs: the outer keys (F5, F8) and the inner keys (F6, F7). The outer keys manage all the settings at once: F5 makes everything count, so all the settings get green-underlined; F8 sets them all to be ignored, red-dashed-underlined. F6 and F7 work on individual settings: F6 will light up one setting at a time, F7 will set one setting to be ignored. Here’s a diagram, hopefully it doesn’t make it more confusing. I’ll write up some examples for the next blog post, hope this helps so far!


Active Directory Import for SharePoint 2013


http://blogs.technet.com/b/meacoex/archive/2013/08/04/step-by-step-active-directory-import-for-sharepoint-2013.aspx

Step by Step: Active Directory Import for SharePoint 2013

Active Directory Import (AKA Active Directory Direct Import – ADDI) is one of the new features in SharePoint 2013. It allows you to import users from Active Directory into your SharePoint User Profile Service Application.

Background

In SharePoint 2010, there was only one method for syncing user profiles between your user repository and your SharePoint environment, which was essentially a lightweight version of FIM.

With SharePoint 2013, there are now three methods that you can use to carry out the aforementioned sync operation.

  • SharePoint Profile Synchronization (lightweight FIM)
  • Active Directory Import
  • External Identity Manager (C#)


While the focus of this article is Active Directory Import, the number of enhancements that have been made, especially with regard to the performance of lightweight FIM, deserves a mention.
One of the most important areas of enhancement is how FIM retrieves data from BCS.

In SharePoint 2013, import operations from BCS are done as batches rather than one by one.
Furthermore, indexes were added to user properties that eliminated full table scans. A number of unused provisioning steps were also removed.
The end result? One piece of anecdotal evidence shows that a full import operation for 300K users took less than 7 hours; previously it took nearly three weeks.

Active Directory Import

Active Directory Import allows you to import users from Active Directory into your SharePoint 2013 environment. The logical question would then be: what are the pros and cons of ADI, and when should I use it over FIM? The table below summarizes these points.

| Pros | Cons |
| --- | --- |
| Extremely fast performance | Cannot import from more than one user repository |
| Very reliable | Cannot import from any other user repository than AD (no LDAP support) |
| Connect to forests with multiple domains | Sync is one way from AD into SharePoint (hence the “import” in the name) |
| Windows, FBA and claims are all supported | |

I now use ADI for any development/PoC environment. I would also highly recommend it for any production environment that leverages only AD DS and doesn’t require writing back to AD.

Great! How do I enable ADI?

Enabling ADI is done over essentially 4 steps. These 4 steps are done against an instance of the user profile service application with the exception of the first step.

  1. Configure AD DS permissions.
  2. Enable Active Directory Import
  3. Configure the connection properties
  4. Map the user properties between AD and UPSA

1. Configure AD DS permissions

In this step, you grant the security permissions (Replicate Directory Changes permission) to the account that SharePoint uses to connect to AD DS during profile synchronization. 

Step by step instructions are provided here: http://technet.microsoft.com/en-us/library/hh296982.aspx (Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013)
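
A way to verify the result of step 1, as an added example that is not part of the original article: the filter below lists which principals hold replication rights on the domain object, so you can confirm what the sync account was actually given. The account names and sample ACEs are constructed, and the commented lines at the end assume the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original article): find ACEs that grant
# directory-replication rights. GUIDs are the AD schema control access rights.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes replication)'
}

function Select-ReplicationAce {
    # Keeps Allow ACEs whose rights include an extended right listed above.
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        $guid = "$($Ace.ObjectType)".ToLower()
        if ("$($Ace.AccessControlType)" -eq 'Allow' -and
            "$($Ace.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll' -and
            $ReplRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Identity  = "$($Ace.IdentityReference)"
                Right     = $ReplRights[$guid]
                Inherited = [bool]$Ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs (hypothetical accounts), shaped like (Get-Acl).Access output.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\spsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; IsInherited = $false
        ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\legacy-svc'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; IsInherited = $false
        ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty'; IsInherited = $false
        ObjectType = '00000000-0000-0000-0000-000000000000' }
)

# Lists spsync and legacy-svc; the ReadProperty ACE is filtered out.
$sample | Select-ReplicationAce | Format-Table -AutoSize

# Against a live domain:
# Import-Module ActiveDirectory
# $dn = (Get-ADDomain).DistinguishedName
# (Get-Acl -Path "AD:\$dn").Access | Select-ReplicationAce
```

The sync account is expected to show only "Replicating Directory Changes", the permission this step names; any other row for that account, or any unexpected principal in the output, is worth reviewing.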

2. Enable Active Directory Import

In this step, we select ADI as the import mechanism for the user profile service application instance that we are accessing.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Settings.
  5. On the Configure Synchronization Settings page, in the Synchronization Options section, select the Use SharePoint Active Directory Import option, and then click OK.

3. Configure the connection properties

The lightweight FIM component that comes with SharePoint 2013 stores its connection configuration in the Sync DB, whereas ADI stores its connection configuration in the profile DB. Therefore, the first time you change the sync mechanism from FIM to ADI, you will need to configure the connection properties for ADI.
These properties include the credentials used to connect to AD DS (these should be the same credentials that were given the permissions in step 1) as well as which items to sync.

On subsequent switches between FIM and ADI, the connection properties for each are retrieved from its respective store.

The complete steps for doing so are provided in “Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013” http://technet.microsoft.com/en-us/library/jj219646.aspx

4. Map user properties between AD and UPSA.

In this step, you determine how the properties of SharePoint user profiles map to the user information that is retrieved from AD DS.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.
  3. On the Manage Service Applications page, click the User Profile service application name.
  4. On the Manage Profile Service page, in the People section, click Manage User Properties.
  5. On the Manage User Properties page, right-click the name of the property that you want to map to a directory service attribute, and then click Edit.
  6. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.
  7. To add a new mapping, do the following:
    1. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the directory service to which you want to map the user profile property.
    2. In the Attribute box, type the name of the directory service attribute to which you want to map the property.
    3. Click Add.

  8. Click OK.
  9. Repeat steps 5 through 8 to map additional properties.

Tips and Tricks

  1. Each time you change the sync mechanism from FIM to ADI, the user profile synchronization service is stopped. You will need to restart it if you have switched to FIM.
  2. If you are mapping attributes and are using FIM, all of the attributes from AD are listed in the drop-down box. However, if you are mapping the attributes using ADI, you will need to type the attributes in the textbox. The drop-down is still displayed, but it is empty. This is not an indication that there is something wrong with your security.
  3. When setting up the connection details, you will be prompted for the FQDN; this doesn’t include the machine name. If you add the machine name to the FQDN, you will be presented with a “No containers to display” error message.

 
 

To check the logs

 


 

http://www.harbar.net/archive/2012/07/23/sp13adi.aspx
