SharePoint 2013 – How to Automatically Remove Disabled Active Directory Users

I’ve recently had a requirement to remove disabled Active Directory users from our SharePoint deployment so that organograms and the like are correct. As part of this, I’ve been looking at the options available in SharePoint and stumbled upon a method that should automatically maintain our SharePoint deployment.

The method I used was to filter the Synchronization Connection on the Active Directory account status flag (userAccountControl) and then to manually run an incremental profile synchronization twice to force the deletion of the users’ My Sites. I’ll cover how this was done below.

Deleting Users

Set up the connection filter

  1. First, access the SharePoint Central Administration on the SP server.
  2. Navigate to ‘Application Management’.
  3. Navigate to ‘Manage service applications’ below the Service Applications heading.
  4. Access the ‘User Profile Service application’ link.
  5. Once here, click ‘Configure Synchronization Connections’. When the page loads, click the name of the connection you want to filter, then select ‘Edit Connection Filters’. This takes you to a page that lets you filter the records returned from Active Directory to SharePoint.
  6. Once the new page loads, add the following as an ‘Exclusion filter for users’ –
    • userAccountControl – Bit on equals – 2
  7. If you can’t select the operator for the filter, wait for the page to refresh once the field is chosen.
  8. Finally, click ‘Add’. If done properly you should see the filter appear at the top right of the page, similar to the screenshot in the original post.
  9. Once done, click OK to apply the new filter.

Synchronise profiles and run the My Site cleanup

Next, we want to run an incremental synchronization to pick up which users have been disabled in Active Directory, and then finally run the ‘My Site Cleanup’ job, which will delete the users’ sites and tidy up email reminders etc.

  1. Go back to the homepage for the Central Administration.
  2. Access ‘Manage Service Applications’.
  3. Access ‘User Profile Service application’.
  4. Under ‘Synchronization’ click ‘Start profile synchronization’ and finally start an ‘Incremental Synchronization’.
  5. Once the sync finishes, access the ‘Scheduled Jobs’ which can be reached using one of the methods below. For the sake of sanity, I’d suggest just going to the link below –
  6. Locate the ‘My Site Cleanup Job’ task and access it (I normally find this on page 2), then manually run the task by clicking ‘Run Now’.
  7. Once done you should notice disabled AD users being removed from SharePoint.
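The following PowerShell script is an added example, not part of the original post, covering both the connection filter above and the sync-and-cleanup steps just described. It applies the same userAccountControl bit test (bit 2, ACCOUNTDISABLE) that the ‘Bit on equals – 2’ exclusion filter uses, lists any disabled AD accounts that still have a User Profile after the incremental sync, and can optionally fire the ‘My Site Cleanup Job’ timer job. It assumes it runs on a SharePoint 2013 server as a farm administrator with the ActiveDirectory (RSAT) module installed; the My Site host URL, the `$MySiteHostUrl` parameter name, and the single-domain assumption behind `$env:USERDOMAIN` are all mine.

```powershell
# Added verification script (not from the original post).
# Assumptions: run on a SharePoint 2013 server as a farm admin; ActiveDirectory
# module (RSAT) is installed; accounts live in the same domain as the admin
# running the script ($env:USERDOMAIN); $MySiteHostUrl is your My Site host.
param(
    [string]$MySiteHostUrl = "http://mysites.example.local",   # assumption: replace with your My Site host
    [switch]$RunCleanupJob                                      # also fire the My Site Cleanup timer job
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# ACCOUNTDISABLE is bit 2 (0x2) of userAccountControl. This is the same test the
# 'userAccountControl - Bit on equals - 2' exclusion filter performs during sync.
$AccountDisableBit = 2

function Test-AccountDisabled {
    param([int]$UserAccountControl)
    return (($UserAccountControl -band $AccountDisableBit) -ne 0)
}

# The same bitwise test as an LDAP filter (LDAP_MATCHING_RULE_BIT_AND), so the AD
# query selects exactly the accounts the connection filter excludes.
$DisabledLdapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$AccountDisableBit)"

function Get-DisabledAdAccounts {
    Get-ADUser -LDAPFilter $DisabledLdapFilter -Properties userAccountControl |
        Where-Object { Test-AccountDisabled $_.UserAccountControl } |  # re-check the bit client-side
        ForEach-Object { ($env:USERDOMAIN + "\" + $_.SamAccountName).ToLower() }
}

function Get-SharePointProfileAccounts {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        $context = Get-SPServiceContext $site
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
        foreach ($profile in $upm.GetEnumerator()) {
            # AccountName is DOMAIN\user, or claims-encoded as i:0#.w|DOMAIN\user;
            # strip the claims prefix so it compares with the AD list above.
            $profile["AccountName"].Value.ToLower() -replace '^i:0#\.w\|', ''
        }
    } finally {
        $site.Dispose()
    }
}

$disabledInAd = @(Get-DisabledAdAccounts)
$profiles     = @(Get-SharePointProfileAccounts -SiteUrl $MySiteHostUrl)
$leftovers    = @($profiles | Where-Object { $disabledInAd -contains $_ })

if ($leftovers.Count -gt 0) {
    Write-Warning ("{0} disabled AD account(s) still have a User Profile:" -f $leftovers.Count)
    $leftovers | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No disabled AD accounts remain in the profile store."
}

if ($RunCleanupJob) {
    # Equivalent of clicking 'Run Now' on the 'My Site Cleanup Job' in Central Administration.
    Get-SPTimerJob | Where-Object { $_.DisplayName -like "My Site Cleanup*" } | Start-SPTimerJob
}
```

Run it once after the incremental sync and once more after the cleanup job has finished; the warning list should be empty on the second pass. Any account that keeps appearing is a sign the exclusion filter was not saved against the connection actually used for import, or that the sync has not yet run since the account was disabled.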

Once this is all set up it should take care of itself in future. However, if you encounter any issues, or if you spot any mistakes in the article, don’t hesitate to get in touch!