Requirement

Utilize audience targeting for a SharePoint Intranet so content can be targeted to users in a particular region of the world.  The Active Directory structure stores users in organizational units that are hierarchical by Geography. 

For example, here is some of the OUs that exist in the directory

OU=Accounts,OU=NorthAmerica,OU=US…

OU=Accounts,OU=NorthAmerica,OU=Canada…

OU=Accounts,OU=Europe,OU=Germany…

OU=Accounts,OU=Europe,OU=France…

Options

• Use Active Directory Groups, if they exist.
• Assuming the groups are maintained, this would be an easy solution that would not require any configuration in the SharePoint SSP as we could just use Security Groups in the audience targeting dialog.
• For this scenario, existing groups did NOT exist and we do not want to create and maintain new groups.
• SharePoint Security Groups
• Works well for single site collection content targeting, but not well for a larger scale.  Discarded because of the large management effort.
• PREFERRED OPTION - Leverage Active Directory Attributes via the user Profile store in SharePoint to build audiences.
• By leveraging the distinguishedName attribute (CN=UserID,OU=AppletonOffice,OU=US,OU=NorthAmerica,OU=Accounts,DC=domain,DC=com) on Active Directory user accounts, we can use a new profile property as a rule in an audience using the contains operator (i.e. distinguishedName contains “OU=US” to build an audience of all US users)

Implementation

Option 1 – NOPE!

My first try was to create a new profile property in the Shared Service Provider (SSP) that maps to the distinguishedName in Active Directory.  This did not work.  Apparently, SharePoint only allows an Active Directory Attribute to be mapped to one profile property in the SSP.  When an Active Directory connection is created for the profile import in an SSP, the distinguishedName property is automatically mapped to the AccountName profile property and cannot be changed; at least through the SSP UI. 

I found the following error after increasing ULS logging level for the Search Server Common category:

05/06/2009 10:57:34.82         mssdmn.exe (0x15C4)                            0x0A60    Search Server Common                          Common                                 0                Monitorable            [UserProfileImport]@CacheDataSourceMapping() For Source: litware, Mapping: The DS property (distinguishedname) ==> profile property (urn:schemas-microsoft-com:sharepoint:portal:profile:AccountName) has been retrieved! Error Code: 0x0 - File:d:\office\source\search\search\gather\protocols\profileimport\spsimporthndlr.cxx Line:989  

05/06/2009 10:57:34.82         mssdmn.exe (0x15C4)                            0x0A60    Search Server Common                          Common                                 0                Monitorable            [UserProfileImport]@CacheDataSourceMapping() For Source: litware,  the DS property (distinguishedname) has been mapped to another profile property. Its map to profile property (urn:schemas-microsoft-com:sharepoint:portal:profile:distinguishedName) is ignored! Error Code: 0x8000ffff - File:d:\office\source\search\search\gather\protocols\profileimport\spsimporthndlr.cxx Line:998          

OPTION 2 – NOPE!

My next steps was to look at the AccountName profile property which was being mapped to the distinguishedName Active Directory attribute.  During the profile import, the AccountName is populated with the domain\username rather than the expected CN=UserID,OU=Appleton,OU=Wisconsin,OU=US,OU=NorthAmerica,OU=Accounts,DC=domain,DC=com string value that Active Directory stores.

OPTION 3 – 3rd times a charm!

This option requires some custom development.  In this case, we already had a custom program that updates user profile pictures to standard corporate image location.  I added some code to this program that would update a new user profile property with the value from the distinguishedName Active Directory attribute.

1. Create an unmapped profile property in the SSP called UserDistinguishedName
2. IMPORTANT - Make sure that the Default Privacy Setting is set to Everyone or the property will not include any users in your audience during audience compilation.  (It took me a while to figure this out.)

1. Update profile sync program to set the UserDistinguishedName profile property with that user’s distinguishedName AD attribute.
2. Create a new audience called US Users that contains the following rule: UserDistinguishedName contains “,OU=US,”
3. Compile the audience and it can now be used to target content!

I can also use any OU in the UserDistinguished to build out an audience, users by region, country, state or site.