After struggling with this for a few days, we discovered an interesting problem when syncing users from Active Directory to SharePoint. Our disabled accounts, which are moved to a disabled OU (organizational unit) in Active Directory, were not showing up in SharePoint; however, disabled IT accounts were still visible. Our Active Directory structure looked something like this (this is a very simplified version):
The accounts in the Disabled OU did not show up in SharePoint, but the Disabled IT accounts did. There is a simple explanation for this, per this technet article:
“There is currently no utility that allows you to select a parent OU while excluding any of its child OUs from synchronization.”
Because we were syncing the IT OU, it was syncing all of the children, both Disabled and Active. The solution was to move the Disabled IT directory out of the IT OU, so our new structure looks like this:
Once this was done, we ran a Full sync of the User Profile Application Service, but the disabled accounts still showed up in search. Why? We needed to run a Full Crawl of Local SharePoint Sites as well. Once that completed, the disabled IT accounts were gone.
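As an added example (not part of the original post), the following PowerShell audits the OUs selected in a sync connection for disabled accounts that would be pulled in through child OUs, and then starts the full crawl described above. The OU distinguished names are placeholders; the content source name assumes the default "Local SharePoint sites".

```powershell
# Added example: audit synced OUs for disabled accounts inherited via child OUs,
# then start a full crawl of the search content source. OU names are placeholders.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# OUs currently selected as containers in the profile sync connection (placeholders)
$SyncedOUs = @(
    'OU=IT,OU=Users,DC=contoso,DC=local',
    'OU=Staff,OU=Users,DC=contoso,DC=local'
)

# Every disabled user under a synced OU, including those in child OUs,
# because the sync connection cannot exclude a child of a selected parent.
function Get-DisabledUsersInSyncScope {
    param([string[]]$SearchBases)
    foreach ($base in $SearchBases) {
        Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $base -SearchScope Subtree |
            Select-Object SamAccountName, Enabled,
                @{ Name = 'SyncedOU'; Expression = { $base } },
                @{ Name = 'ActualOU'; Expression = { ($_.DistinguishedName -split ',', 2)[1] } }
    }
}

$stale = Get-DisabledUsersInSyncScope -SearchBases $SyncedOUs
if ($stale) {
    Write-Warning 'Disabled accounts inside the sync scope (move their OU out of the synced parent):'
    $stale | Format-Table -AutoSize
}

# After fixing the OU structure and running a full profile sync, the stale
# profiles remain in search results until the content source is fully crawled.
$ssa    = Get-SPEnterpriseSearchServiceApplication
$source = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity 'Local SharePoint sites'
if ($source.CrawlStatus -eq 'Idle') {
    $source.StartFullCrawl()
    Write-Host "Full crawl of '$($source.Name)' started."
} else {
    Write-Host "Content source is busy ($($source.CrawlStatus)); try again when it is idle."
}
```

Run it from the SharePoint Management Shell on a server with the ActiveDirectory module; an empty audit result after the OU move confirms no disabled accounts remain inside the synced containers.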