Sharepoint Forum


Best Practices for AD

  Asked By: Krista    Date: Mar 14    Category: Sharepoint    Views: 1368

I've gotten some really good advice from you all about using AD to
manage security and users for my SharePoint project. Unfortunately, now
our IT department is balking at creating all these groups. Can you
point me to some good documentation for using AD groups for adding
users to a site?

See, I have like 22 departments and I wanted to create different groups
for all the different levels of access on the WSS and SPS sites.
Anyway, leaving off the administrators, I came out with approx. 132 groups.



8 Answers Found

Answer #1    Answered By: Renee Murray     Answered On: Mar 14

I would recommend having IT create an OU just for SharePoint groups and delegate only the right to create groups to you or a very select group of SharePoint administrators. You would not have the right to create users, only to add existing users to groups.

Those groups can now be added to SharePoint roles to give them the appropriate permissions.

Be patient. With the new version, you can give SharePoint rights directly to AD groups and use AD groups directly as audiences.

Answer #2    Answered By: Harshini Raju     Answered On: Mar 14

An Organisational Unit

Essentially a container where you can hold objects and then use that container's position in the directory tree to grant/deny permissions to the objects in that container, or apply settings to the objects in the container.

For example, I can delegate control to the PBX team to change people's phone numbers in the internal directory, and can delegate authority to HR to change people's job titles.

I can also control the users' environment using Group Policy Objects (GPOs) so that, for example, they cannot see the "Run" command when they click on Start | Run. I can change their default home page in Internet Explorer to the company intranet, and I can add the intranet site to the local intranet zone to aid integrated logon.

So, the IT department can create an OU (container) and delegate to him the permissions to create groups and change group membership.

If they were smart they would import the groups using VBS and just delegate permissions to change membership, ensuring non-proliferation of groups and a consistent naming standard (e.g. if the group name starts with SPS, then it is used for permissions in SharePoint).
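
As an added example (not from the original post): the delegation described above, done with dsacls from an elevated PowerShell prompt on a domain-joined machine. The OU distinguished name and the NA\SPS-GroupAdmins group are assumptions for illustration. The first command lets the delegated group create and delete group objects in that OU only; the second lets it change the membership of groups under the OU and nothing else, so it can neither create users nor touch groups outside the container.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt as someone who already has rights on the OU (e.g. a Domain Admin).
# Assumed names: the OU DN and the NA\SPS-GroupAdmins delegation group.
$ou        = 'OU=SharePoint Groups,DC=NA,DC=fabrikam,DC=com'
$delegates = 'NA\SPS-GroupAdmins'

# 1. On the OU itself: create child (CC) and delete child (DC) objects, but only
#    objects of class "group". No /I switch, so the ACE applies to this
#    container and is not inherited by the groups created under it.
dsacls $ou /G "${delegates}:CCDC;group"

# 2. On every group under the OU (/I:S = inherit to sub-objects only):
#    read property (RP) and write property (WP) on the "member" attribute,
#    restricted to objects of class "group". Nothing else on the group object
#    (name, description, ACL) becomes writable.
dsacls $ou /I:S /G "${delegates}:RPWP;member;group"

# 3. Verify: dsacls with no options prints the DACL. The two ACEs above
#    should be the only entries for the delegated group.
dsacls $ou | Select-String -SimpleMatch $delegates
```

If a later audit shows the delegated group holding anything beyond those two entries (for example a broad "GA" grant that someone added by hand), `dsacls $ou /R $delegates` removes every ACE for that principal so the two lines above can be re-applied cleanly.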

Answer #3    Answered By: Christop Mcfadden     Answered On: Mar 14

What would they import the groups  from?
All I have now is a list that basically lays out the naming convention
for the groups.

AMHWSSR (for Area Mental Health WSS Readers)...
WOCSPSC (for Women's Commission SPS Contributors) etc...

Answer #4    Answered By: Gopal Jamakhandi     Answered On: Mar 14


If you give them the names of the groups in Excel, they can add a header to that column and then create the columns to set the groups up as the right type (local groups) and add them to the appropriate OU. They can just use VBScript to connect to LDAP to do this.

Answer #5    Answered By: Chantal Rosa     Answered On: Mar 14

Unfortunately, they balked at doing this. Funny, you guys understood me
fine, but they don't get my naming conventions either.

Answer #6    Answered By: Kyla Eckert     Answered On: Mar 14

I agree with the delegation of authority with a SharePoint OU. Here
is another thing to also plan: SPS has this great thing called
audiences, and it also has this great tool called search. Both of
these require security groups. I know IT people hate being told to
do these things, especially since it is more fun to build a server
or program a router, but here is what you are setting up: a central
depot for finding documents\information and a way to direct them to
specific users. Think cross-department when it comes to audiences
(directors, secretaries, ...).

Put your service accounts in the SharePoint OU if you do not have a
service account OU. You do not want your passwords for SharePoint to
expire based on the AD password policy (if you run a password policy).

Answer #7    Answered By: Alisha Holmes     Answered On: Mar 14

If it helps, the basic code to do this is:

' ADSI group-type flags. VBScript has no built-in ADSI enumeration, so the
' names must be declared before use.
Const ADS_GROUP_TYPE_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

' Bind to the container the group will be created in
Set objOU = GetObject("LDAP://cn=Computers,dc=NA,dc=fabrikam,dc=com")

' Create the group object and give it its pre-Windows 2000 logon name
Set objGroup = objOU.Create("Group", "cn=DB-Servers")
objGroup.Put "sAMAccountName", "DBServers"

' Domain local + security enabled. The continuation after "Or _" was cut off
' in the original post; SECURITY_ENABLED is the standard completion, and a
' group must be security-enabled before it can be used for permissions.
objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED

' Nothing is written to the directory until SetInfo is called
objGroup.SetInfo

They will just need to set up the connection to Excel and cycle through the entries, using variables to swap out DB-Servers (the name of your group) and DBServers (again, the name of your group).
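
As an added example, not part of the original thread: the same loop the answer above describes, written in PowerShell with the ActiveDirectory module and reading the group names from a CSV export of the spreadsheet rather than from Excel directly. The OU distinguished name, the CSV column name, and the naming pattern (a required "SPS" prefix, as suggested earlier in the thread) are assumptions for illustration; change the pattern to whatever convention you hand to IT. The script validates every name before touching the directory, skips groups that already exist, and supports -WhatIf so the IT team can preview the run.

```powershell
<#
Added example (not from the original post). Bulk-creates domain-local security
groups for SharePoint from a CSV column, inside a dedicated, delegated OU.
Assumptions: the ActiveDirectory module (RSAT) is installed, the CSV has a
column named "GroupName", and the OU below exists and is delegated to you.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    # Assumed OU; replace with the delegated SharePoint OU in your forest
    [string] $OuDn = 'OU=SharePoint Groups,DC=NA,DC=fabrikam,DC=com',
    # Assumed naming standard: SPS prefix, then letters/digits/hyphens, max 64
    # chars total (the pre-Windows 2000 group name limit enforced by the tools)
    [string] $NamePattern = '^SPS[A-Za-z0-9-]{1,61}$'
)

Import-Module ActiveDirectory -ErrorAction Stop

$created = 0; $skipped = 0
foreach ($row in Import-Csv -Path $CsvPath) {
    $name = $row.GroupName.Trim()

    # Enforce the naming convention before anything is created, so a typo in
    # the spreadsheet never becomes a stray group in the directory.
    if ($name -notmatch $NamePattern) {
        Write-Warning "Skipping '$name': does not match $NamePattern"
        $skipped++
        continue
    }

    # Idempotent: re-running against the same spreadsheet is safe. The name is
    # already restricted to [A-Za-z0-9-], so it cannot break the filter string.
    if (Get-ADGroup -Filter "sAMAccountName -eq '$name'") {
        Write-Verbose "Already exists, skipping: $name"
        $skipped++
        continue
    }

    # -WhatIf on the script flows through to this check and to New-ADGroup
    if ($PSCmdlet.ShouldProcess("$name in $OuDn", 'Create domain-local security group')) {
        New-ADGroup -Name $name -SamAccountName $name `
                    -GroupScope DomainLocal -GroupCategory Security `
                    -Path $OuDn -Description 'SharePoint permission group (bulk import)'
        $created++
    }
}
Write-Output "Created $created group(s), skipped $skipped."
```

Run it first as `.\New-SPGroups.ps1 -CsvPath .\groups.csv -WhatIf -Verbose` to see exactly which names would be created and which would be rejected by the pattern, then again without -WhatIf. Because the delegated account only has create-group and write-member rights on that OU, a mistaken -Path pointing elsewhere fails with access denied rather than creating groups in the wrong place.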

Answer #8    Answered By: Damon Garner     Answered On: Mar 14

I'll include that in my now pared down list I have to get them
to do and give them the list in an excel spreadsheet. My guess is next
month they will still be monkeying around with it.
But I really appreciate the information.
