
SharePoint and Active Directory

Status
Not open for further replies.

julesNDC

IS-IT--Management
Dec 2, 2005
81
US
Hello,

Here is one "simple" question. If I want to be able to fully integrate SharePoint and Active Directory so that:
1. When new users are added in AD, they will automatically have access to SharePoint
2. When a user's password changes in AD, the user's password will also be automatically changed in SharePoint

Can I use SharePoint Services or do I also need the Portal?

Thanks
 
Hello,

1. I would suggest that you create an AD group or add an existing AD group to SharePoint, and when a user is added in AD, also make it a member of the AD security group that you have added in SharePoint. That way you can easily handle user management in SharePoint.
2. Since you are using AD accounts in SharePoint, a password change of that AD user account will also be effective in SharePoint (since it is the same account).

You can use AD groups with both WSS and SPS. The difference is that in SPS you import your AD user accounts into the profile database in SharePoint.

Cheers,
Thomas





 
I can't add AD groups in WSS. I know I am missing something. I installed and re-installed WSS and I never saw the options that Microsoft gives (see below)

Choosing a User Account Mode
When you install Windows SharePoint Services, you must choose which mode you want to use for user accounts. Windows SharePoint Services can work with either of the following user account modes:

• Domain account mode

This mode is used inside organizations to grant access to users with existing Microsoft Windows domain accounts.

• Active Directory account creation mode

This mode is used by Internet Service Providers to create unique accounts for customers in Active Directory directory service.


Where and/or at what point can I find that option?

Thanks,
Jules
 
As you've seen, SPS doesn't play well with AD. Hopefully (God that's a horrible construct), the next version will integrate more intuitively with the security model. As in: why the heck would I use Exchange groups to manage SPS access?

Phil Hegedusich
Senior Programmer/Analyst
IIMAK
-----------
I'll have the roast duck with the mango salsa.
 
I have never had any problems with AD groups and WSS or SPS. The two modes you are referring to are set during the installation (in the Central Administration part).

Domain Account mode (is default); this you use when you already have user accounts in your domain that you want to use in SharePoint (I would say that this is the most commonly used setup).

Active Directory account creation mode; is used when your SharePoint users are not part of your Active Directory, so when you add the users in SharePoint they will also be created in your Active Directory.

In the Beta 2 the interaction with AD is a bit different, but you still import the user accounts into a profile database. I need to mess around with it a bit more, but one huge advantage is that Cross-forest deployment is now supported.

Cheers,
Thomas





 
Just another thing I forgot in the previous post: remember that the AD groups have to be AD security groups, not distribution lists (that is supported in the 2007 version). Also, when you try to add an AD (or domain) group, you need to add it in the format DOMAIN\ADGROUPNAME.

Cheers,
Thomas
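
The security-group requirement and the DOMAIN\ADGROUPNAME format from the post above, as an added example that is not part of the original thread: it reads the `groupType` attribute from a directory export, keeps only security-enabled groups (bit 0x80000000) and prints them in the form to type into the site. The LDIF text, the group names, the `EXAMPLE` domain and the function names are constructed for illustration.

```python
# groupType bit flags on Active Directory group objects.
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000  # clear on distribution groups

# Constructed LDIF-style export for illustration; not real directory data.
SAMPLE_LDIF = """\
dn: CN=SP-Intranet-Readers,OU=Groups,DC=example,DC=local
sAMAccountName: SP-Intranet-Readers
groupType: -2147483646

dn: CN=All Staff Mail,OU=Groups,DC=example,DC=local
sAMAccountName: AllStaffMail
groupType: 8

dn: CN=SP-Intranet-Owners,OU=Groups,DC=example,DC=local
sAMAccountName: SP-Intranet-Owners
groupType: -2147483640
"""

def parse_ldif(text):
    """Split a simple LDIF export into one attribute dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({key: value for key, sep, value in pairs if sep})
    return entries

def classify(group_type):
    """Return (scope, is_security) for a signed 32-bit groupType value."""
    flags = int(group_type) & 0xFFFFFFFF  # LDAP reports a signed integer
    scope = next((n for bit, n in SCOPES.items() if flags & bit), "unknown")
    return scope, bool(flags & SECURITY_ENABLED)

def sharepoint_principals(ldif_text, netbios_domain):
    """Return (usable, rejected): security groups as (DOMAIN\\name, scope),
    and the names of distribution groups, which the post says cannot be added."""
    usable, rejected = [], []
    for entry in parse_ldif(ldif_text):
        scope, is_security = classify(entry["groupType"])
        name = entry["sAMAccountName"]
        if is_security:
            usable.append((f"{netbios_domain}\\{name}", scope))
        else:
            rejected.append(name)
    return usable, rejected

if __name__ == "__main__":
    print(sharepoint_principals(SAMPLE_LDIF, "EXAMPLE"))
```

Reviewing the rejected list before granting access also catches mail-only groups that were never meant to carry permissions.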



 
One word guys, DNS. I had my DNS setting wrong. Not sure how I did not think about this before.

Thanks for your help.
 
Thomas, when I add users to a site, I'm presented with the Outlook address book, not the AD group listing.

Phil Hegedusich
Senior Programmer/Analyst
IIMAK
-----------
I'll have the roast duck with the mango salsa.
 
In WSS the address book is the choice you have if you want to add users, so in that sense yes you are correct, but from the Portal perspective you can search and find AD groups etc.

I agree with you that it is somewhat non-user friendly, but it sure does work using AD groups in WSS sites as well, but you will have to type in DOMAIN\AD group name. But thank god that they have made it better in the 2007 version.

Cheers,
Thomas





 
Quote: but you will have to type in DOMAIN\AD group name

Pretty much defeats the purpose of a lookup tool, doesn't it?

It makes no sense whatsoever to use the address book as a user selection tool, and I question the sanity of the engineer who decided to do this. We manage network permissions and functional groups in AD, NOT Exchange.

Phil Hegedusich
Senior Programmer/Analyst
IIMAK
-----------
I'll have the roast duck with the mango salsa.
 
Yes, I can't disagree with you there :) You are absolutely right. I just pointed out that it DOES work with AD groups in WSS V2, and with SharePoint Portal Server 2003 you do the lookup in AD, not through Exchange (or perhaps I should say a mix of AD and the profile database in SPS 2003). But once you want to add users to a SharePoint site (WSS) you do not get the possibility to add users by AD or profile database lookup, even though the WSS site/site collection is a part of your portal structure... and this is insane :)

But in SharePoint Server 2007/WSS v3 they have made the lookup towards the AD instead, so that problem is gone there...and I liiiiike it :)

Cheers,
Thomas




 