CHunky Universe of Vigourous Astonishing SHarepoint :)

Tag Archives: spuser

Access User Profile Properties from Powershell

To use only SPUser objects isn’t always sufficient. To get other properties we have to retrieve user profiles. Giles Hamson gives an example how to get and how to update user profile properties with powershell.

Here is an example how to get all work phones:

$url = "http://intranet/"
$site = Get-SPSite $url
$context = Get-SPServiceContext $site
$profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$profiles = $profileManager.GetEnumerator()

while ($profiles.MoveNext()) {
  $userProfile = $profiles.Current
  $name = $userProfile.DisplayName
  $phone = $userProfile["WorkPhone"]
  $line = '{0};{1}' -f $name, $phone
  write $line

If you are not sure what properties are called, see the whole list by typing:

$userProfile.Properties | select name

Get Distinguished Name for a user

To get the distinguished name for a user, it isn’t enough to get an SPUser object. The distinguished name is the unique string for identifying a user in Active Directory (eg. CN=BeforeDAfter,OU=Test,DC=North America,DC=Fabrikam,DC=COM) Even using UserProfile object is not that clear. The distinguished name can be found in a property which can be retrieved with brackets:

public static string GetDistinguishedName(string login)
   var dn = "";
   UserProfile up;
   using (var site = new SPSite("http://dev"))
      var serviceContext = SPServiceContext.GetContext(site);
      var upm = new UserProfileManager(serviceContext);
      var exists = upm.UserExists(login);
      if (!exists)
      if (exists)
         up = upm.GetUserProfile(login);
         dn = up[PropertyConstants.DistinguishedName].Value.ToString();
   return dn;

The code is simplified and doesn’t contain any error handling. And a better handling of upm.UserExists must be implemented: If upm.CreateUserProfile(login) runs, it doesn’t make it so quickly and the next step won’t run (upm.GetUserProfile).

If you are not working in SP Context, you can see the distinguished name for a user in Powershell:

import-module activedirectory
$u = get-aduser administrator

Configure User Profile Service Application

Today I have struggled with User Profile Service Application. I should have followed this awesome tutorial by ShareponitGeorge.

And many thanks to my friend David for the great assistance!

One important thing to beware about: Forefront Identity Manager Service must be running. Otherwise you don’t see the existing synchronization connections and you can’t add new connections.

thanks to johan

You can ensure that this service is running by running services.msc (just press Windows button and write services). Or you can do in powershell:

Get-Service FIMService

If the status is stopped. Start it:

Start-Service FIMService

We can even restart this service with one cmdlet:

Restart-Service FIMService

Another useful service is IISAdmin, you need to restart if you add registry keys for your host-named site collections.

For starting and stoping services in Powershell, you can even use aliases:

sasv : start-service

spsv : stop-service

User Profile Service must be running too

and Sync Service:
net stop FIMSynchronizationService
net start FIMSynchronizationService

See better logs

There is an desktop application where you can see all logs for every single account sync:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
KB2560890 and ups issues

If you have installed KB2560890, and encounter issues, follow the steps described on this blog.


After starting Microsoft recommends to restart IIS (iisreset). Don’t forget it, otherwise you can get this error when you try to see Synchronization Connections:

An error has occurred while accessing the SQL Server database or the SharePoint Server Search service. If this is the first time you have seen this message, try again later. If this problem persists, contact your administrator.

Or in uls you can see:

System.IO.FileLoadException: The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)    
	at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient(String ILMMachineName, Int32 FIMWebClientTimeOut)     
	at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)     
	at Microsoft.SharePoint.Portal.WebControls.ManageProfileProperty._BuildPropertyMappingList()     
	at Microsoft.SharePoint.Portal.WebControls.ManageProfileProperty..ctor()     
	at ASP._layouts_mgrproperty_aspx.__BuildControlMgrProperty1()     
	at ASP._layouts_mgrproperty_aspx.__BuildControl__control6(Control __ctrl)     
	at ASP._admin_admin_master.__BuildControlP...

You don’t need to change anything in the database. Just restart the IIS, or (better) just recycle the central admin application pool.

$appPool = gwmi -Namespace "root\MicrosoftIISv2" -class "IIsApplicationPool" `
| where {$_.Name -eq "W3SVC/APPPOOLS/SharePoint Central Administration v4"}

Check if user is in group

Use LINQ to check if user is in a group. Create an extension method.

public static bool InGroup(this SPUser user, SPGroup group)
  return user.Groups.Cast<SPGroup>()
    .Any(g => g.ID == group.ID);

EDIT 2011-01-22: There is a shortcoming of this method. You won’t get a user which is in group through a AD group. You’ll get only users and ad groups. But there is another method to check if a user is inside an AD group.

How could we combine them?…

I think we must start from group this time, not from user:

public static bool HasUser(this SPGroup user, SPUser user)
	var users = group.Users.Cast();
	var samAccount = Regex.Replace(user.LoginName, @".*\\(.*)", "$1", RegexOptions.None);
	var exists = users.Any(u => u.LoginName.Equals(user.LoginName));
	if (!exists)
		var ctx = new PrincipalContext(ContextType.Domain);
		foreach (var u in users)
			var login = u.LoginName;
			var groupName = Regex.Replace(login, @".*\\(.*)", "$1", RegexOptions.None);
			var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName);
			if (grp == null) continue;
			var principals = grp.GetMembers(true);
			exists = principals.Any(p => p.SamAccountName.Equals(samAccount, 
			if (exists) break;
	return exists;

Using Regex to get the samAccount from loginname is taken from the awesome answer on StackOverflow.

Daniel Chronlund Cloud Tech Blog

News, tips and thoughts for Microsoft cloud fans

Вула Чăвашла

VulaCV - Чăвашла вулаттаракан сайт

Discovering SharePoint

And going crazy doing it

Bram de Jager - Architect, Speaker, Author

Microsoft 365, SharePoint and Azure

SharePoint Dragons

Nikander & Margriet on SharePoint

Mai Omar Desouki

PFE @ Microsoft

Cameron Dwyer

Office 365, SharePoint, Azure, OnePlace Solutions & Life's Other Little Wonders


Me and My doings!

Share SharePoint Points !

By Mohit Vashishtha

Jimmy Janlén "Den Scrummande Konsulten"

Erfarenheter, synpunkter och raljerande om Scrum från Jimmy Janlén

Aryan Nava

DevOps, Cloud and Blockchain Consultant


SharePoint for everyone


Ryan Dennis is a SharePoint Solution Architect with a passion for SharePoint and PowerShell

SharePoint 2020

The Vision for a Future of Clarity

Aharoni in Unicode

Treacle tarts for great justice

... And All That JS

JavaScript, Web Apps and SharePoint


Mostly what I know and share about...