Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

Importing AD Groups

  Asked By: Amolika    Date: Feb 27    Category: Sharepoint    Views: 5116

Can anyone help me with the syntax for the LDAP filter for the
AD profile import? I want to import users, but also groups. Currently, we are
not getting the groups and I believe that is because we set the filter to



4 Answers Found

Answer #1    Answered By: Aishwarya Dixit     Answered On: Feb 27

You can use groups  to filter  which users  get imported into SharePoint, but
when doing a profile  import SharePoint is looking for users not groups. It
doesn't create profile entries for groups. Could you clarify what you are
trying to accomplish?

Answer #2    Answered By: Indrajeet Patil     Answered On: Feb 27

Unfortunately you are running into one of the more confusing areas of the
SP <-> AD connection. Distribution Lists (DL) can't be committed to the users
table for some particular reasons which include, but are not limited to, DLs not
having the proper security tokens.

Sending Alerts to a DL is a common request, but SP wants to enumerate the
security permissions of each User in a group in order to determine the User's
eligibility for access to the site that the Alert is coming from. DLs don't have
the security token required.

A common suggestion to mail-enable Security groups  (SecGroup) is invalid in my
domain for security reasons; if emails were to go external, once you have the
name of a security account, you could potentially hack with it. That's what I am
told and it is gospel around here, DAGUMMIT!

My only problem with the limitation of disallowing DLs to be returned in the
People Editor control - for which it is perfectly capable, let me tell you - is
that I wanted to be able to write an SPDesigner workflow that takes a DL out of
a People and Groups column on a custom list and sends it an email.

I understand the security context when it comes to SP and the People Editor
control. In almost all of the places in SP that the control is used it is in a
security context: adding users  (User) to SharePoint Groups (SPGroup), alerts on
lists, permissions for lists, etc. In my case I wasn't looking for a security
context, I just wanted the DL email address to dynamically choose groups for an
SPD workflow email. (It's an Infrastructure Change Control application; I need
to dynamically pick which groups get emails for various changes in our

I finally figured this out, though it's a jQuery hack and not pretty. I built a
custom web part that is only the SP People Editor control. I set  the
SelectionSet property to allow only two (User, DL) of the four (User, SecGroup,
SPGroup, and DL) enumerated types I described in parenthesis above. In all other
contexts in SP 'DL' is simply not set in the SelectionSet property. I added the
web part to the NewForm.aspx and EditForm.aspx pages. Using jQuery I hide it by
default and pop it up in a modal dialog box when the button I added (with
jQuery!) to the form is selected. The person is then able to return DLs as well
as Users (remember I am only trying to get email addresses; the other two don't
return entries with email addresses.) After they have what they want in the
modal dialog popup they click the Add button and it checks for each <div> tag
that contains the AD account (DOMAIN/user) of each returned User and DL,
separated by semicolons (;). When I later look up that field in my SPD workflow
I am able to add it to the email address portion of the 'Send an Email' action.
My Exchange server can then send to "DOMAIN/user" as an email address.

It's ugly and hacky. I don't like it and my (still) open service call with
Microsoft doesn't sound like it is going to return me anything I can use. Their
code monkeys are working on something that sounds like it's going to be as hacky
as my current solution.

Good luck and sorry for my extra long email! It helps to be able to share this
information with others as it solidifies my own understanding of the solution I
eventually built (O;

If I were to rebuild this in Visual Studio it would be a lot less hacky. I could
just flatten a DL and get the users out of it to send email.

Answer #3    Answered By: Xavier Hopkins     Answered On: Feb 27

This seems to have been a popular topic lately. And I agree with Kristopher
that it is confusing. But for the sake of clarity let me try to say this
again one more time.

The question was about profile  import from AD. Profile import  has NOTHING
to do with security permissions. Adding people or groups  as to SharePoint
does not involve Profiles. If it did you wouldn't be able to do security in
WSS where profiles and profile import doesn't exist.

Every time someone asks a question about Profile import we seem to get off
on the tangent of AD users  and groups in SharePoint security. These are
unrelated topics and mingling them just makes a confusing topic more

Answer #4    Answered By: Viviana Rollins     Answered On: Feb 27

You are absolutely correct. My initial statement was to confirm that DLs
will not and cannot be brought in to SharePoint. Then I slipped in to my own

Didn't find what you were looking for? Find more on Importing AD Groups Or get search suggestion and latest updates.