This week I hit that nemesis of the User Profile Service: my User Profile Synchronisation Service got stuck at ‘Starting …’. Now I’ve had this before and resolved it OK. There are a couple of articles which are key to implementing the User Profile Service which I recommend. Firstly there is the TechNet article ‘Configure Profile Synchronization (SharePoint Server 2010)’, which is the definitive set of instructions, and then there is Spencer Harbar’s ‘Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization’, which gives some extra background detail and has been updated by Spence to refer to the TechNet article.
Farm Account must be Local Admin during Provisioning
One of the key aspects of setting up User Profile Synchronization is making sure that the Farm account which runs the Forefront Identity Manager (FIM) services has local administrator privileges on the box which runs the synchronisation service. This I did, and always have done since seeing Spence do his demo at the SharePoint Evolutions Conference last year in London, but in my case this week I could not get the User Profile Synchronisation service to start properly. I checked and double checked every setting in the TechNet article and Spence’s blog and still it didn’t work.
Manually Set the Log on Accounts?
In desperation, I manually set the FIM and FIM Synchronization services to run under the farm account, started them by hand and then ran the synchronisation provisioning again. Lo and behold, it seemed to work: the User Profile Synchronization Service finished provisioning and said ‘Started’. Result! So I thought.
However, I could not get the User Profiles to actually sync. I rebooted the box and the FIM services refused to start properly again. Further investigation of the event log showed that the Farm account did not have the ‘Log On as a Service’ right. But the Farm account was a local administrator, and when I manually set the FIM service accounts I got a dialog saying that the account had been granted ‘Log On as a Service’. So what was happening?
Beware Group Policy
It was down to Group Policy. I checked the ‘Local Security Policy’ and found that the client’s AD Group Policy overrode the local policy and granted the ‘Log On as a Service’ right only to members of a certain AD group. So I asked for the Farm account to be added to the AD group and voilà! User Profile Synchronisation works perfectly.
Moral of the story? Check Group Policy for ‘Allow Log On Locally’ and ‘Allow Log On as a Service’ when doing this work – it can override your manual changes!
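To make that check repeatable, here is an added PowerShell example (not part of the original post) that exports the effective local security policy with secedit and reports who currently holds ‘Log on as a service’ and ‘Allow log on locally’. The account name CONTOSO\sp_farm is an assumed example, and the script assumes it is run from an elevated prompt on the synchronisation server.

```powershell
# Added example: list the holders of the two user rights the post warns about.
# secedit exports the effective policy database, which already reflects any
# Group Policy override, so this shows what the box will actually enforce.
function Test-UserRight {
    param(
        [Parameter(Mandatory=$true)][string]$Account,   # e.g. 'CONTOSO\sp_farm' (assumed example name)
        [string[]]$Rights = @('SeServiceLogonRight', 'SeInteractiveLogonRight')
    )
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    foreach ($right in $Rights) {
        $line    = $lines | Where-Object { $_ -match "^$right\s*=" }
        $holders = @()
        if ($line) {
            # Values are comma separated, either '*SID' or a plain account name
            foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    try   { $entry = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry = $sid.Value }   # orphaned SID that no longer resolves
                }
                $holders += $entry
            }
        }
        New-Object PSObject -Property @{
            Right   = $right
            # Direct grant only: if the right is held via an AD group (as in the post),
            # the group appears in Holders and membership must be confirmed separately.
            Granted = [bool]($holders -contains $Account)
            Holders = ($holders -join ', ')
        }
    }
}

Test-UserRight -Account 'CONTOSO\sp_farm' | Format-Table Right, Granted, Holders -AutoSize
```

To find which GPO is setting the right, run gpresult /h report.html and look under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment; the winning GPO is named beside each entry.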
Cheers
Dave Mc