MOSS Forum

Ask Question   UnAnswered
Home » Forum » MOSS       RSS Feeds

Adding a user to an AD group from within Sharepoint

  Asked By: Imran    Date: Sep 15    Category: MOSS    Views: 2349

I am pretty sure that this cannot be done without custom code. My
question is can MOSS 2007, out of the box, add users to a user group
in active directory?

Our security department is beginning to complain about the number of
AD groups that they need to keep up to date to maintain permissions
within MOSS 2007. Our MOSS 2007 security is not that difficult. We
create a site and by default that site's permissions are associated
with an AD group by adding that group to Site Permissions. Security
is responsible creating two groups, a special admin group we call
librarian and a collaborate group. They then add the users to this
group with allow the access to the site.

For some reason, they are under the impression that once the group is
created that a sharepoint admin would be able to maintain the users
within the AD group. I don't think this is possible, out of the
box. Can others confirm?



6 Answers Found

Answer #1    Answered By: Tonia Franco     Answered On: Sep 15

You are discovering one of the aspects that leads to the recommendation of
using SharePoint groups and not AD groups for managing permissions within
SharePoint. While I know there are times that you would want to use AD
groups for permissions in SharePoint, by and large it is best to use
SharePoint Groups to assign permissions to sites and then add your AD users
into those groups. This removes your AD admins from having to do all this
maintenance work on groups and users. It also makes it easier to see who has
permissions within a site or collection.

Further, to get to your specific question. SharePoint does not have access
into your AD. It pulls data from AD but does not put data into it. For your
users to modify groups within your Active Directory they would need to be
granted the proper permissions for creating and modifying groups within the
OU of your AD structure.

Answer #2    Answered By: Amareswar Karkera     Answered On: Sep 15

I believe that Bamboo Solutions makes a web part that can take care of that for

Answer #3    Answered By: Cheyenne Jacobson     Answered On: Sep 15

The Bamboo Solutions user  Account Accelerator manages SharePoint groups. It
will give you the option to create an AD user object if you are creating a
new user, but the group  permissions are SharePoint based.

Answer #4    Answered By: Makayla Lewis     Answered On: Sep 15

I can understand how a recommendation
can come to light to handle access rights within Sharepoint. And we may
be heading in that direction. Then if we do it that way, who should be
responsible to maintain the mess that will ultimately be created. The
one issue I have with how Sharepoint handles access management is the
user interface. It's not very well developed.

This opens the door wide for a 3rd party solution. I have looked at
the Bamboo solution on their website, thank Harry. Are there other
companies other than Bamboo?

Answer #5    Answered By: Miranda Scott     Answered On: Sep 15


We don't directly update SharePoint groups, but we do allow all site & site
collection owners to manage the permissions on their sites.

Answer #6    Answered By: Deirdre Macias     Answered On: Sep 15

This where proper planning and governance can come into play within a
SharePoint deployment. There really needs be no "mess" when it comes to
permissions and sites. As for who is responsible, in my opinion the
responsibility of who can access a site falls to the site owner. User
delegation and training is far too important with SharePoint to be over
looked. When all is said and done, this is a user  based product, and it must
be thought of in this light. Site owners need to be responsible for adding
users into access groups for their site, or collection as the case may be.
With proper training, this is certainly not as messy as you might think.

There are a number of tools that help with setting up, managing and
maintaining permissions within a SharePoint environment. While I have not
used it myself, AvePoint can help with this and DeliverPoint from Barracuda
(which I have used) integrates right into your SharePoint deployment to help
manage, discover and deal with your users and permissions.

Didn't find what you were looking for? Find more on Adding a user to an AD group from within Sharepoint Or get search suggestion and latest updates.