User Profiles and Active Directory
SharePoint 2010 contains a user profile system that supports mapping properties to Active Directory attributes. By default, a handful of mappings are already defined for synchronization between the user profile system and Active Directory (such as mapping the firstname in the user profile system to the firstname in Active Directory). The purpose of this tutorial is to go into detail about how to access and modify the user profile as far as Active Directory is concerned. If a new property is created in SharePoint 2010, it will not be replicated into Active Directory unless the property is mapped to an existing property in Active Directory and it is allowed.


You can create new properties in the user profile system and map those to Active Directory (perhaps you want to track more data than what is provided by default). Depending on your environment, you could also create new attributes in Active Directory that don't already exist (so you can manage common data between the SharePoint user profile system and other systems outside of SharePoint). If this is the case, you may want to check out this additional documentation:
Information on Creating Attributes in Active Directory
technet.microsoft.com/en-us/library/bb727064.aspx
technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx
www.petri.co.il/add_additional_attributes_to_user_objects.htm


Regardless of whether you need to create attributes in Active Directory, you should have some type of strategy to define (1) what you want to have inside the user profile system, (2) what is mapped to Active Directory, and (3) properties in the user profile system whose values originate from other sources. This XLSX file (zipped) is an early draft I've used to address those concerns. Additionally, there is a nice VBS script that will expose all the Active Directory attributes in your environment, since some attributes in Active Directory are not common to everyone utilizing it. Finally, you can check out the default list of Active Directory attributes from Microsoft so you can see how your Active Directory may differ.

Now let's see how to work with SharePoint 2010 user profiles.

STEP 1

  1. From Central Administration (logged on with the farm account), go to "Application Management". Under "Service Applications" click on "Manage service applications".
STEP 2

  1. Locate "User Profile Service Application" and click on the text.
STEP 3

  1. Under the People section click on "Manage User Properties".
STEP 4

  1. From this page you will see all of the properties that are currently synchronized with Active Directory.
STEP 5

  1. In this tutorial, let's assume that you do not want to allow someone to edit their "My Profile" picture. You want to preserve the data that is sourced from Active Directory into SharePoint 2010. Mouse over the property name or click it, and then choose "Edit".
STEP 6

  1. Under the section "Edit Settings" select "Do not allow users to edit values for this property"; this means that the only way to update this property in SharePoint 2010 is from Active Directory. Under "Display Settings" you can uncheck "Show on the Edit Details page" so a user does not see the property. NOTE: A property that is not set to "Do not allow users to edit values for this property" signals to SharePoint 2010 that, if the property is changed, the change will be pushed back to Active Directory when the synchronization job occurs (so Active Directory is updated).
STEP 7

  1. After making changes you may need to perform a full synchronization again; under the section "Synchronization", click on "Start Profile Synchronization".


When you create a new property (it will appear under Custom Properties) and want to map it to an existing Active Directory attribute, keep the following in mind:
  1. When you name the new property you have to assign it the same Property Type (such as String/Multi) as the existing Active Directory attribute.
  2. Under the section "Add New Mapping" you will want to select (1) the data connection (the page may refresh if you have more than one), (2) the attribute to map to, and (3) the direction, more than likely Import. Then click on the "Add" button. The page will refresh and you will notice that the section "Property Mapping for Synchronization" now contains the mapping.
IMPORTANT NOTE: If you do not add the new mapping to the new property you are creating before you click on the "OK" button at the bottom of the page, it will not be mapped to an existing attribute.
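
To check the Property Type requirement from item 1 before you create a property, you can read each attribute's syntax and single/multi-value flag straight from the Active Directory schema. The following is an added example, not part of the original tutorial or its VBS script; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account can read the schema, and the attribute list is a sample to replace with your own.

```powershell
# Added example: look up the schema definition of the AD attributes you plan to map.
Import-Module ActiveDirectory

# Sample list (assumption): replace with the attributes from your own mapping plan.
$planned = 'givenName', 'department', 'otherTelephone', 'thumbnailPhoto'

# Readable names for common attributeSyntax OIDs used by the AD schema.
$syntaxNames = @{
    '2.5.5.1'  = 'Distinguished name'
    '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer'
    '2.5.5.10' = 'Octet string (binary)'
    '2.5.5.11' = 'Time'
    '2.5.5.12' = 'Unicode string'
    '2.5.5.16' = 'Large integer'
    '2.5.5.17' = 'SID'
}

# The schema partition holds one attributeSchema object per attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($name in $planned) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued

    if (-not $attr) {
        # Attribute is missing from this forest's schema, so it cannot be mapped.
        Write-Warning "Attribute '$name' is not in this forest's schema."
        continue
    }

    $syntax = $syntaxNames[[string]$attr.attributeSyntax]
    if (-not $syntax) { $syntax = "Other ($($attr.attributeSyntax))" }

    New-Object PSObject -Property @{
        Attribute   = $attr.lDAPDisplayName
        Syntax      = $syntax
        Cardinality = $(if ($attr.isSingleValued) { 'Single value' } else { 'Multi value' })
    }
}

# A multi-valued Unicode string needs a String/Multi profile property, and so on.
$report | Select-Object Attribute, Syntax, Cardinality | Format-Table -AutoSize
```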
