SharePoint 2013 Active Directory Import will NEVER delete users

by Ed Sparks

<face palm>

Microsoft teased us all with the prospect of finally having a simple, supportable and consistent way to quickly sync basic user information from Active Directory into SharePoint 2013.

No more do we have to deal with the wonders of FIM and this mess.  One-click wonder.

Look: it even filters disabled accounts with a checkbox!

It appears there's one minor problem: it doesn't work.

First off, check out Microsoft's (not so) tiny list of caveats/exceptions for AD Import.  

Consider the following situations and note what the AD import option does not support when you determine whether to use this option.  

Consider, indeed!  That should more accurately read: "If you wish to use this for any task whatsoever, choose a different option"

Well, technically it does work, but I guess when they named it Active Directory Import they meant it literally. Once it imports a user, that user is there for the rest of eternity, never to be removed in any sort of automated fashion. It doesn't matter if you disable, move, or delete an AD account: AD Import couldn't care less, and will do nothing with the related SharePoint User Profile. The bDeleted flag never gets updated. Nothing. Yes, Virginia, this wondrous tool will NEVER remove a disabled or deleted account. Of course, since the deleted flag is never set, we can't easily run PowerShell commands to remove orphaned users either. In the eyes of the User Profile Service they're NOT orphaned. They're still there as happy, safe and sound objects.
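Since bDeleted never gets set, the only way to find the profiles that AD Import has left behind is to compare them against Active Directory yourself. The script below is an added example, not code from the original post or from Microsoft: it walks every profile in the User Profile Service Application, looks the account up in AD, and reports (or, with -Remove, deletes) any profile whose account is disabled or no longer exists. It assumes the SharePoint snap-in and the ActiveDirectory RSAT module are available on the server, that $SiteUrl is a hypothetical site collection in a web application served by the profile service, and that the AD lookup can be done by sAMAccountName in the current domain (multi-forest or trusted-domain imports would need -Server on Get-ADUser).

```powershell
# Added example (not from the original post): flag SharePoint 2013 user profiles whose
# AD account is disabled or missing, since AD Import never sets bDeleted for them.
# Assumptions: SharePoint snap-in + ActiveDirectory module installed; $SiteUrl is any
# site collection in a web application tied to the User Profile Service Application;
# accounts resolve by sAMAccountName in the current domain (single-domain import).
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,
    [switch]$Remove    # report-only by default; pass -Remove to delete the stale profiles
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$site    = Get-SPSite $SiteUrl
$context = Get-SPServiceContext -Site $site
$upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

# Profiles created under claims auth carry a prefix (i:0#.w|DOMAIN\user); strip it.
function Get-PlainAccount([string]$accountName) {
    if ($accountName -match '^i:0#\.w\|(.+)$') { return $Matches[1] }
    return $accountName
}

$stale = @()
foreach ($up in $upm.GetEnumerator()) {
    $account = Get-PlainAccount $up["AccountName"].Value
    $sam     = ($account -split '\\')[-1]       # DOMAIN\user -> user
    $reason  = $null
    try {
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
        if (-not $adUser.Enabled) { $reason = 'disabled' }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $reason = 'missing'                      # deleted from AD (or not in this domain)
    }
    if ($reason) {
        $stale += [pscustomobject]@{ Account = $account; Reason = $reason }
        # RemoveUserProfile(Guid) deletes the profile outright; the next import will
        # not recreate it because the AD object is gone or filtered out as disabled.
        if ($Remove) { $upm.RemoveUserProfile($up.ID) }
    }
}
$stale | Format-Table -AutoSize
$site.Dispose()
```

Run it without -Remove first and review the list: anything reported as 'missing' that is actually a service account from another domain, or an account that was moved rather than deleted, will show up here too, and you want to catch those before deleting profiles that users still depend on.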

Honestly, Microsoft, do you ever test this stuff anymore?

It's our belief that this behavior comes from the fact that Active Directory Import appears to be based on a version of the DirSync utility used to push users up to Office 365 or Azure, which suffers from the same behavior (i.e. removing an on-premises user does nothing at all to the cloud user).

It also appears the LDAP filters may not even take effect, and there is no documentation of how they apply or how they combine with the OU selection.
This entire thing is just ridiculous and sad.

Back to User Profile Synchronization and FIM we go.

Here's a Microsoft Escalation Blog on this very issue.