13 July 2009

Active Directory & Sharepoint Users

Bringing users from Active Directory into SharePoint involves a few internal processes. However, you need to be clear about the difference between SharePoint users (used for security) and profiles. The two are related but distinct.
First, profiles.
1. MOSS is set up to import all the users in your AD domain as profiles into the SSP that you create. However, this import is not scheduled by default. Profiles will not be imported until you either run a manual import or set up the schedule for full and incremental imports. Importing a profile grants the user no security rights at all.
2. After the profiles have been imported, if a user is deleted in AD, their profile will also be deleted after 3 successive full profile imports. If the account is only deactivated, their My Site will be cleaned up, but not their profile.


Authentication/Authorization (assuming you are not using any kind of Forms Based Authentication)
1. SharePoint depends on Windows Authentication via IIS to establish the user's identity. (This happens completely outside SharePoint.)
2. SharePoint checks the user's AD identity and group membership, as established in #1, to see what the user is allowed to do in SharePoint. You can successfully authenticate and still not gain access to SharePoint.
3. Security access in SharePoint depends on the AD identity, or an AD group of which the user is a member, being added as a SharePoint user. Alternatively, the user or group may be added directly to a SharePoint group. Either of these allows the user to gain access to SharePoint resources.
4. If the access is through group membership, then the user's identity will only be added to SharePoint when the user logs in and submits something to a document library or list. This adds their identity as a user but doesn't directly associate them with specific rights; the rights are still gained through group membership. But they will now show up in the People and Groups list.
5. If the user's account is deactivated or deleted in AD, their account in SharePoint is NOT deleted, but they won't be able to use it to access SharePoint anymore, because AD won't be able to authenticate them, so they never reach authorization. If deactivated, you will still be able to click on their name attached to documents or list items and see their profile. If deleted, clicking on these items will normally lead to an error page because the profile is no longer there.
6. Removing SharePoint users can be done programmatically, but it is a fairly involved process requiring walking each object in the farm and looking for the user entries. There are 3rd-party products that do this, but I don't normally recommend using them since you are destroying the history of the user in the system.
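The following script is an added example, not part of the original post and not a Microsoft or third-party tool. It illustrates points 3 through 6: for one AD login it walks every site collection in a MOSS 2007 farm through the SharePoint object model, reports whether that identity has been added as a SharePoint user, which SharePoint groups it belongs to, and whether it still has view rights (which may come from an AD group rather than the user entry), and only removes the entry when the -Remove switch is given. It assumes it runs on a farm server as a farm administrator under PowerShell 2.0 with the Microsoft.SharePoint assembly in the GAC; the login name and script file name are placeholders.

```powershell
# Added example (not the original post's code): audit, and optionally remove,
# one AD identity across every site collection in a MOSS 2007 farm.
# Assumption: run on a farm server as farm admin, PowerShell 2.0, WSS/MOSS object model in the GAC.
param([string]$LoginName, [switch]$Remove)

if (-not $LoginName) {
    throw "Usage: .\audit-spuser.ps1 -LoginName DOMAIN\user [-Remove]"   # placeholder file name
}

# Load the SharePoint object model (MOSS 2007 has no SharePoint PowerShell cmdlets).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$viewPerm       = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

foreach ($webApp in $contentService.WebApplications) {
    foreach ($site in $webApp.Sites) {
        $web = $site.RootWeb

        # SiteUsers holds every identity that has been added to the site collection,
        # either directly or because the user once submitted content (point 4).
        # -eq is case-insensitive in PowerShell, which suits DOMAIN\user logins.
        $user = $web.SiteUsers | Where-Object { $_.LoginName -eq $LoginName }

        if ($user -ne $null) {
            $groupNames = @($user.Groups | ForEach-Object { $_.Name })

            # Effective rights may still be granted through an AD group (point 3),
            # so check permissions rather than relying on the user entry alone.
            $canView = $web.DoesUserHavePermissions($LoginName, $viewPerm)

            Write-Output ("{0}: user ID {1}, SharePoint groups [{2}], can view root web: {3}" -f `
                $site.Url, $user.ID, [string]::Join(", ", $groupNames), $canView)

            if ($Remove) {
                # Removing the entry discards the user's created/modified history in this
                # site collection (point 6); report-only is the default for that reason.
                $web.SiteUsers.Remove($LoginName)
                Write-Output ("  removed {0} from {1}" -f $LoginName, $site.Url)
            }
        }

        # SPSite objects must be disposed explicitly to release their resources.
        $site.Dispose()
    }
}
```

Run it without -Remove first to see where the identity appears and whether its access is direct or inherited from a group; a deactivated AD account will still show up here with its groups and rights intact, which is the point 5 behaviour the post describes.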

Special Thanks: Paul Stork.

