SharePoint 2010 - 2013: FIM Sync does not remove profiles for users that were deleted from AD
Consider the following scenario:
You're using SharePoint Profile Synchronization (FIM Sync) to import user profiles from Active Directory (AD) into a SharePoint 2010 or 2013 farm.
Users that have been deleted in Active Directory still have active user profiles in the User Profile Service Application (UPA). They also show up in People Search results and the Organization Browser web part.
Cause:
The Active Directory Recycle Bin is enabled.
When the AD Recycle Bin is enabled, a deleted user is not removed; the object is moved to the Deleted Objects container and kept there for the deleted-object lifetime.
When FIM Sync runs, it therefore treats this as a "rename" instead of a "delete", much as it would if the user had simply been moved to another OU.
If you open the FIM client (miisclient.exe) on the Sync server and look at the DS_DeltaImport (or DS_FullImport) step for the synchronization that ran after the user was deleted, you would expect the user to be listed under "Deletes". Instead, the user is listed under "Renames".
The tell-tale sign that this is an AD Recycle Bin issue is that the user's distinguished name has changed to something like this (note the \0ADEL: marker and the Deleted Objects container):
CN=User One\0ADEL:906965c9-1b17-4d0d-ad6f-29bf14040bf8,CN=Deleted Objects,DC=contoso,DC=com
Resolution:
There is no way to deselect the "Deleted Objects" container from the Sync connection (that container is not shown in the container picker in the UI).
Instead, create a connection filter on the AD Sync connection to exclude deleted users.
Browse to your UPA | Configure Synchronization Connections.
Hit the drop-down on your Sync connection and choose Edit Connection Filters.
Create a filter like this:
isDeleted | Equals | true
Important: If you have multiple connection filters on the Sync connection, make sure "Any apply (OR)" is selected so that a user is excluded as soon as any one filter matches. With the AND option, a user would have to match every filter before being excluded, and deleted users that don't satisfy the other filters would still be imported.
When you look at the connection filters for the Active Directory Management Agent in the FIM client, they should appear as two separate filters rather than one combined filter.
Since this is a new connection filter, you will need to run a Full Synchronization for it to apply to all of your existing profiles.
After that, Incremental Synchronization should be sufficient.
Note: After you set the filter, deleted accounts will still appear as a "Rename" in the DS_DeltaImport step, but they will be filtered out during DS_DeltaSync and should appear as a "Delete" in the MOSS_Export step, which is what removes the profile from the UPA.
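The following PowerShell script is an added example and is not part of the original post or of any Microsoft tooling. It checks the three things a practitioner wants to confirm before and after applying the filter: whether the AD Recycle Bin is actually enabled, which user objects are currently sitting in Deleted Objects (the ones FIM Sync reports as "Renames"), and which UPA profiles still carry a distinguished name inside Deleted Objects. The site URL is an assumption (any site collection whose proxy group contains the UPA will do), and it assumes Sync has already exported the renamed DN into the profile's SPS-DistinguishedName property. Run it in the SharePoint Management Shell on a server that also has the Active Directory RSAT module installed.

```powershell
# Added diagnostic script (not from the original post).
# Run in the SharePoint 2010/2013 Management Shell; Get-AD* cmdlets need RSAT.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

# 1. Is the AD Recycle Bin enabled? An empty EnabledScopes means it is off,
#    in which case the cause described in this post does not apply.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Host "AD Recycle Bin is ENABLED: deleted users are moved to CN=Deleted Objects."
} else {
    Write-Host "AD Recycle Bin is disabled: check for stub / unmanaged profiles instead."
}

# 2. User objects currently in the Deleted Objects container. These are the
#    objects FIM Sync sees as a 'rename'; note the \0ADEL: marker in the DN.
#    The isDeleted attribute is the same one the connection filter keys on.
$deletedUsers = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -Properties sAMAccountName, lastKnownParent
Write-Host ("{0} deleted user object(s) in AD:" -f @($deletedUsers).Count)
$deletedUsers | Select-Object Name, sAMAccountName, DistinguishedName | Format-Table -AutoSize

# 3. UPA profiles whose stored DN points at Deleted Objects. Before the
#    isDeleted filter and a Full Synchronization this list is non-empty;
#    afterwards it should be empty, because MOSS_Export deletes the profiles.
$site = Get-SPSite "http://intranet.contoso.com"   # assumption: any site in the UPA's proxy group
$ctx  = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$stale = foreach ($p in $upm.GetEnumerator()) {
    $dn = [string]$p["SPS-DistinguishedName"].Value
    # Match either the container name or the \0ADEL: rename marker.
    if ($dn -match ',CN=Deleted Objects,' -or $dn -match '\\0ADEL:') {
        New-Object PSObject -Property @{
            AccountName       = $p.AccountName
            DistinguishedName = $dn
        }
    }
}
Write-Host ("{0} profile(s) still point at Deleted Objects" -f @($stale).Count)
$stale | Format-Table AccountName, DistinguishedName -AutoSize
$site.Dispose()
```

If step 1 reports the Recycle Bin disabled but step 3 still lists profiles, the problem is not the one in this post; see the stub-profile discussion in the More Info section. If step 2 lists accounts that step 3 does not, the rename has not yet been exported to the UPA, so check the DS_DeltaImport / MOSS_Export run history in miisclient.exe before drawing conclusions.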
More Info:
This appears to only be an issue with FIM Sync. I was not able to reproduce it in SharePoint 2013 or 2016 using Active Directory Import (AD Import, ADI).
The Active Directory Recycle Bin is a feature that was introduced in Windows Server 2008 R2. It is only available if the domain and forest functional levels are both at Windows Server 2008 R2 or higher. Even then, it is disabled by default. To enable it, follow the steps here:
https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx
If the user profiles in question do not seem to be subject to the AD Recycle Bin issue above, check whether they are unmanaged / stub profiles instead. See my related blog post on that subject.