Sharepoint Forum


Active Directory & SharePoint User Synchronization

  Asked By: Melanie    Date: Jan 02    Category: Sharepoint    Views: 16992

Need to double check if my thought process is correct on user persistence:

On install all users are imported into SharePoint from AD; then if a new user
requests to log into SharePoint it checks against AD and adds the user, but
SharePoint does not remove users if they are removed from AD [if I am wrong please
explain the process of how the user is persisted between the two], so I am wanting
to find a script to iterate through the current users listed in SharePoint and test
against AD, and if a user does not exist in AD, remove them from SPUsers?



5 Answers Found

Answer #1    Answered By: Deidra Best     Answered On: Jan 02

Users are authenticated against AD. They are not imported unless you configure
SharePoint for importing profile data. When you want to grant a user access to
SharePoint you are pulling from your AD or other authentication sources.

Answer #2    Answered By: Rosalinda Merrill     Answered On: Jan 02

Ok, here's the process, but you need to be clear about the difference between
SharePoint users used for security and Profiles. They are related, but not the
same thing.

First Profiles.

1. MOSS is set up to import all the users in your AD domain as profiles
into the SSP that you create. However, this action is not scheduled. Profiles
will not be imported until you either do a manual import or set up the schedule
for full and incremental imports. This imparts no security rights to the user
at all.

2. After the profiles have been imported, if a user is deleted in AD then
after 3 successive full profile imports their profile will be deleted also. If
deactivated, their MySite will be cleaned up, but not their profile.

Authentication/Authorization (Assuming you are not using any kind of Forms Based

1. SharePoint depends on Windows Authentication via IIS to establish the
user's identity. (this happens completely external to SharePoint)

2. SharePoint checks the user's AD identity and group membership, as
established in #1, to see what the user has the ability to do in SharePoint.
You can successfully authenticate and still not gain access to SharePoint.

3. Security access in SharePoint is dependent on the AD identity, or an AD
group of which the user is a member, being added as a SharePoint user. Or the
user or group may be added directly to a SharePoint group. This will allow the
user to gain access to SharePoint resources.

4. If the access is through group membership then the user's identity will
only be added to SharePoint when the user logs in and submits something to a
document library or list. This adds their identity as a user, but doesn't
directly re-associate them with specific rights. The rights are still gained
through group membership. But they would now show up in the People and Groups

5. If the user's account is deactivated or deleted in AD their account in
SharePoint is NOT deleted, but they won't be able to use it to access SharePoint
anymore because AD won't be able to authenticate them so they'll never get to
Authorization. If deactivated, you will still be able to click on their name
attached to documents or list items and see their profile. If deleted clicking
on these items will normally lead to an error page because the profile isn't
there anymore.

6. Removing SharePoint users can be done programmatically, but it is a
fairly involved process requiring walking each object in the farm and looking
for the user entries. There are 3rd party products that do this, but I don't
normally recommend using them since you are destroying the history of the user
in the system.

My normal recommendation is to deactivate users in AD, but let them stay in
SharePoint. Once deactivated they won't be able to login, but history of their
usage of the system will remain intact.

BTW, I'm giving a talk on this very subject at the Best Practices Conference in
August. It's actually even more involved than what I've listed above. Click on
the link in my signature line to see more about the conference.

Answer #3    Answered By: Yogendra Zarapkar     Answered On: Jan 02

I think in our instance a user saw a former employee showing up in a list as a
document creator (rightfully so) and when they clicked his name it took them to
his profile and this made them a little leery of it. I knew the user would not be
able to authenticate because they are gone from AD. But was not sure if there was
a quick way to sync.

Answer #4    Answered By: Jerad Mercado     Answered On: Jan 02

Actually, one of the recommendations I'm going to make in the Best Practices
talk is to add a field to the user profile in SharePoint labeled something like
'employment status'. Then either manually or programmatically set that field in
a user's SharePoint profile when they leave the company and are deactivated in
AD. That way if a user clicks on their name in a document library it takes
them to a profile that shows their current status.
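
The audit that the original question asks for, combined with the two recommendations above (Answer #2: walk the farm's users but prefer leaving them in place; Answer #4: stamp a profile field when someone has left), as an added example. This is not code from the thread or from Microsoft. It is PowerShell 2.0 against the MOSS 2007 / WSS 3.0 object model, run on a farm server as a farm administrator with rights to the SSP. The property name `EmploymentStatus`, the status text "Left the company", the `$RemoveMissing` switch and the function names are all assumptions; the property is assumed to have been created by hand as a string property in the SSP's User Profile Properties page, as Answer #4 describes. Removal is off by default and only considered for logins that no longer exist in AD; disabled accounts are left in SharePoint and only their profile is marked, which keeps document history resolving.

```powershell
# Added example, not from the thread. Assumes MOSS 2007 / WSS 3.0 on a farm server,
# PowerShell 2.0 run as a farm administrator, and a string profile property named
# $StatusProperty (hypothetical name) already created in the SSP's User Profile Properties.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$StatusProperty = "EmploymentStatus"   # hypothetical custom profile property
$RemoveMissing  = $false               # thread's advice: report, keep history; flip deliberately

# RFC 4515 escaping so a login name read out of SharePoint can never rewrite the LDAP filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Looks a DOMAIN\user login up in the current domain; returns "Missing", "Disabled" or "Active".
function Get-AdAccountState([string]$LoginName) {
    $sam      = ConvertTo-LdapFilterValue ($LoginName.Split('\')[-1])
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $filter
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return "Missing" }
    $uac = [int]$hit.Properties["useraccountcontrol"][0]
    if (($uac -band 0x2) -ne 0) { return "Disabled" }   # ADS_UF_ACCOUNTDISABLE bit
    return "Active"
}

# Marks the SSP profile instead of deleting the SharePoint user, so "created by" links keep working.
function Set-ProfileStatus([Microsoft.SharePoint.SPSite]$Site, [string]$LoginName, [string]$Status) {
    $ctx = [Microsoft.Office.Server.ServerContext]::GetContext($Site)
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager -ArgumentList $ctx
    if (-not $upm.UserExists($LoginName)) { return $false }   # profile already purged by the import
    $prof = $upm.GetUserProfile($LoginName)
    if ($prof[$StatusProperty].Value -ne $Status) {           # throws if the property was never created
        $prof[$StatusProperty].Value = $Status
        $prof.Commit()
    }
    return $true
}

$report  = @()
$webApps = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.WebApplications
foreach ($webApp in $webApps) {
    foreach ($site in $webApp.Sites) {
        try {
            # @() snapshots the collection: removing a user while enumerating it throws.
            foreach ($user in @($site.RootWeb.SiteUsers)) {
                if ($user.IsDomainGroup) { continue }              # AD groups are resolved at logon
                $parts = $user.LoginName.Split('\')
                if ($parts.Length -ne 2) { continue }              # not a DOMAIN\user login
                if (@("SHAREPOINT", "NT AUTHORITY", "BUILTIN") -contains $parts[0].ToUpper()) { continue }

                $state  = Get-AdAccountState $user.LoginName
                $action = "none"
                if ($state -eq "Disabled") {
                    if (Set-ProfileStatus $site $user.LoginName "Left the company") { $action = "profile stamped" }
                }
                elseif ($state -eq "Missing" -and $RemoveMissing) {
                    $site.RootWeb.SiteUsers.Remove($user.LoginName)  # destroys that user's history here
                    $action = "removed"
                }
                $report += New-Object PSObject -Property @{
                    Site = $site.Url; Login = $user.LoginName; AdState = $state; Action = $action }
            }
        }
        finally { $site.Dispose() }   # every SPSite handed out by the enumerator must be disposed
    }
}
$report | Where-Object { $_.AdState -ne "Active" } | Format-Table Site, Login, AdState, Action -AutoSize
```

Run it first with `$RemoveMissing` left at `$false` and review the table; "Missing" rows are the accounts that would be removed, and a deleted account that still appears as a document author is exactly the case Answer #2 warns produces an error page, so removing the SharePoint user does not bring the profile back. The script only walks site-collection users (`SPSite.RootWeb.SiteUsers`), which is the list the asker refers to as SPUsers; the per-web `SPWeb.Users` collections and SSP profile store are separate objects, as Answer #2 explains.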

Answer #5    Answered By: John Phlip     Answered On: Jul 29

Hello Friend,
You can read this blog post and I hope your issue will be sorted out, regarding
Active Directory and SharePoint. For more details read this blog regarding your
issue: activedirectorymanagementsoftware.wordpress.com
