Exclude single OU from user profile sync in Sharepoint 2016

Question

I am trying to exclude single OU called ServiceAccounts from User profile sync in SharePoint 2016. I tried the query below but its not working,

(|(isDeleted=TRUE)(&(objectCategory=person)(objectClass=user)
(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(memberOf=OU=ServiceAccounts,OU=Centers,DC=Contoso,DC=com)))

Can some one tell me whats wrong with this? Its not excluding OU members and keep syncing all users. I tried the purge command too after each sync but no luck.

Thanks in advance!

Answer 1

Just uncheck the Organization Unit from being synchronized. That said, it is possible that the service accounts will generate a Profile regardless, depending on what they're doing.

Answer 2

Ok, Finally I open up a case with MS and here is solution and some more details. As mentioned by @Trevor , uncheck the OU and it will exclude users, this will work but number of users showing on the Manage Profile Page will not go down. So for example is number of user profiles on top right was 100 , you uncheck the OU , number will still show as 100. it will go up if you add new user in AD after next sync but it will not go down.

This is a known issue with MS and will be resolved in August 2017 CU, as per MS.

Issue occurs when MySiteClean up job runs. Timer Job is responsible to clean up any excluded user profiles or disabled accounts but it’s not doing it. All excluded and disabled users are stored in table called "upa.userprofilescheduledforremoval" this is new in 2016. For more details you can check out this link and how to resolve this for the time being.

Hope this will help someone struggling with the same issue.

https://blogs.msdn.microsoft.com/spses/2017/05/22/sharepoint-2016-mysitecleanup-job-functionality-changes/

Answer 3

Issue resolved in August CU released today : https://support.microsoft.com/en-us/help/4011049/august-8-2017-update-for-sharepoint-server-2016-kb4011049