CHunky Universe of Vigourous Astonishing SHarepoint :)

Tag Archives: spuser

Access User Profile Properties from Powershell

SPUser objects alone aren’t always sufficient. To get other properties we have to retrieve user profiles. Giles Hamson gives an example of how to get and update user profile properties with PowerShell.

Here is an example of how to get all work phones:

$url = "http://intranet/"
$site = Get-SPSite $url
$context = Get-SPServiceContext $site
$profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$profiles = $profileManager.GetEnumerator()

while ($profiles.MoveNext()) {
  $userProfile = $profiles.Current
  $name = $userProfile.DisplayName
  $phone = $userProfile["WorkPhone"]
  # one "name;phone" line per profile
  $line = '{0};{1}' -f $name, $phone
  Write-Output $line
}

If you are not sure what the properties are called, list them all by typing:

$userProfile.Properties | select name

Get Distinguished Name for a user

To get the distinguished name for a user, an SPUser object isn’t enough. The distinguished name is the unique string that identifies a user in Active Directory (e.g. CN=BeforeDAfter,OU=Test,DC=North America,DC=Fabrikam,DC=COM). Even with a UserProfile object it is not that obvious. The distinguished name is stored in a property which can be retrieved with brackets:

// Requires Microsoft.SharePoint and Microsoft.Office.Server.UserProfiles
public static string GetDistinguishedName(string login)
{
   var dn = "";
   UserProfile up;
   using (var site = new SPSite("http://dev"))
   {
      var serviceContext = SPServiceContext.GetContext(site);
      var upm = new UserProfileManager(serviceContext);
      var exists = upm.UserExists(login);
      if (!exists)
         upm.CreateUserProfile(login); // the new profile is not available immediately
      if (exists)
      {
         up = upm.GetUserProfile(login);
         dn = up[PropertyConstants.DistinguishedName].Value.ToString();
      }
   }
   return dn;
}

The code is simplified and doesn’t contain any error handling. The upm.UserExists case also needs better handling: if upm.CreateUserProfile(login) runs, the profile isn’t created quickly enough, so the next step (upm.GetUserProfile) won’t run.

If you are not working in an SP context, you can see the distinguished name for a user in PowerShell:

Import-Module ActiveDirectory
$u = Get-ADUser administrator
# DistinguishedName is one of the default properties Get-ADUser returns
$u.DistinguishedName

Configure User Profile Service Application

Today I have struggled with the User Profile Service Application. I should have followed this awesome tutorial by SharePointGeorge.

And many thanks to my friend David for the great assistance!

One important thing to be aware of: the Forefront Identity Manager Service must be running. Otherwise you don’t see the existing synchronization connections and you can’t add new connections.

Thanks to Johan.

You can check that this service is running by opening services.msc (just press the Windows key and type services). Or you can do it in PowerShell:

Get-Service FIMService

If the status is Stopped, start it:

Start-Service FIMService

We can even restart this service with one cmdlet:

Restart-Service FIMService

Another useful service is IISAdmin, which you need to restart if you add registry keys for your host-named site collections.

For starting and stopping services in PowerShell, you can even use aliases:

sasv : start-service

spsv : stop-service

The User Profile Service must be running too, and so must the Sync Service:

net stop FIMSynchronizationService
net start FIMSynchronizationService

See better logs

There is a desktop application where you can see all logs for every single account sync:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

KB2560890 and UPS issues

If you have installed KB2560890, and encounter issues, follow the steps described on this blog.


After starting, Microsoft recommends restarting IIS (iisreset). Don’t forget it, otherwise you can get this error when you try to see Synchronization Connections:

An error has occurred while accessing the SQL Server database or the SharePoint Server Search service. If this is the first time you have seen this message, try again later. If this problem persists, contact your administrator.

Or in the ULS log you can see:

System.IO.FileLoadException: The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)    
	at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient(String ILMMachineName, Int32 FIMWebClientTimeOut)     
	at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)     
	at Microsoft.SharePoint.Portal.WebControls.ManageProfileProperty._BuildPropertyMappingList()     
	at Microsoft.SharePoint.Portal.WebControls.ManageProfileProperty..ctor()     
	at ASP._layouts_mgrproperty_aspx.__BuildControlMgrProperty1()     
	at ASP._layouts_mgrproperty_aspx.__BuildControl__control6(Control __ctrl)     
	at ASP._admin_admin_master.__BuildControlP...

You don’t need to change anything in the database. Just restart IIS, or (better) just recycle the Central Administration application pool.

# Find the Central Administration application pool through the IIS WMI provider
$appPool = gwmi -Namespace "root\MicrosoftIISv2" -class "IIsApplicationPool" `
| where {$_.Name -eq "W3SVC/APPPOOLS/SharePoint Central Administration v4"}
$appPool.Recycle()

Check if user is in group

Use LINQ to check whether a user is in a group by creating an extension method.

public static bool InGroup(this SPUser user, SPGroup group)
{
  // true when the user is a direct member of the SharePoint group
  return user.Groups.Cast<SPGroup>()
    .Any(g => g.ID == group.ID);
}

EDIT 2011-01-22: This method has a shortcoming. It won’t find a user who is in the group through an AD group; you only get the users and AD groups themselves. But there is another method to check if a user is inside an AD group.

How could we combine them?…

I think we must start from group this time, not from user:

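// Requires System, System.Linq, System.Text.RegularExpressions,
// System.DirectoryServices.AccountManagement
public static bool HasUser(this SPGroup group, SPUser user)
{
	var users = group.Users.Cast<SPUser>();
	var samAccount = Regex.Replace(user.LoginName, @".*\\(.*)", "$1", RegexOptions.None);
	// direct membership in the SharePoint group
	var exists = users.Any(u => u.LoginName.Equals(user.LoginName));
	if (!exists)
	{
		var ctx = new PrincipalContext(ContextType.Domain);
		foreach (var u in users)
		{
			// treat each member as a possible AD group and search it recursively
			var login = u.LoginName;
			var groupName = Regex.Replace(login, @".*\\(.*)", "$1", RegexOptions.None);
			var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName);
			if (grp == null) continue;
			var principals = grp.GetMembers(true);
			// comparison mode is an assumption here: case-insensitive
			exists = principals.Any(p => p.SamAccountName.Equals(samAccount,
				StringComparison.OrdinalIgnoreCase));
			if (exists) break;
		}
	}
	return exists;
}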

Using Regex to get the samAccount from the login name is taken from the awesome answer on StackOverflow.
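
The combined check described above, written as an added PowerShell example (not code from the original post): it reports how a login reaches the SharePoint group, directly or through a nested AD group, which is what an access review needs. Get-SPGroupMembershipPath, its parameters and the sample accounts are hypothetical; the AD lookup is passed in as a script block so the logic can be tried on the constructed data without a farm or a domain.

```powershell
# Added example, not from the original post. Names are hypothetical.
function Get-SPGroupMembershipPath {
    param(
        [string[]]    $MemberLogins,   # LoginName of each entry in SPGroup.Users
        [string]      $UserLogin,      # e.g. 'FABRIKAM\alice'
        [scriptblock] $ResolveAdGroup  # group name -> sAMAccountNames of all nested members, or $null
    )
    # Direct entry in the SharePoint group (-contains is case-insensitive)
    if ($MemberLogins -contains $UserLogin) { return 'Direct' }

    # Same idea as the Regex in the post: drop everything up to the last backslash
    $sam = $UserLogin -replace '^.*\\', ''
    foreach ($login in $MemberLogins) {
        $name    = $login -replace '^.*\\', ''
        $members = & $ResolveAdGroup $name   # $null when the entry is not an AD group
        if ($members -contains $sam) { return "ViaAdGroup:$name" }
    }
    return 'None'
}

# Resolver for a real domain (requires the ActiveDirectory module).
# Get-ADGroupMember throws when the identity is not a group, hence try/catch.
$adResolver = {
    param($name)
    try { Get-ADGroupMember -Identity $name -Recursive | ForEach-Object { $_.SamAccountName } }
    catch { $null }
}

# Constructed sample data: two AD groups and one user as members of the SharePoint group
$fakeAd       = @{ 'Sales' = @('alice', 'bob'); 'Managers' = @('carol') }
$fakeResolver = { param($name) $fakeAd[$name] }
$members      = @('FABRIKAM\dave', 'FABRIKAM\Sales', 'FABRIKAM\Managers')

Get-SPGroupMembershipPath $members 'FABRIKAM\dave' $fakeResolver
Get-SPGroupMembershipPath $members 'FABRIKAM\Bob'  $fakeResolver
Get-SPGroupMembershipPath $members 'FABRIKAM\erin' $fakeResolver
```

On a farm, pass `$group.Users | ForEach-Object { $_.LoginName }` as the member list and `$adResolver` as the resolver.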
