Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

How do I narrow the scope of permitted users to my sharepoint system

  Asked By: Uma    Date: Nov 25    Category: Sharepoint    Views: 1046

we use ntlm to authenticate to our AD.
What I would like to do is limit the users to just two groups within
the AD ou so that no one can be added to the system unless they are in
one of these to groups.

I can not seem to find any way to do this OOTB.

I am looking for creative ideas as to how I can make this happen.




5 Answers Found

Answer #1    Answered By: Tanisha Rowe     Answered On: Nov 25

My best advice is training and setting policy. Authentication is done via user
account and not group. As long as I have an account, I can be granted rights and
permissions to any resource.

Answer #2    Answered By: Sierra Lewis     Answered On: Nov 25

You can always set up template user accounts (name them _template_xxx and
disable the account)

You put the settings you want for all new users  on that account (such as group
membership for example)

When you want a new account you right click the template and choose copy - this
will copy the template user including group memberships making sure they are in
those 2 groups

Answer #3    Answered By: Dwight Becker     Answered On: Nov 25

You can create an active directory group that would include all of the people
you want to deny access to. Then, create a Web application policy denying all
access. Add that group to the beforementioned policy.

Not pretty, but that's how I've been doing it.

Answer #4    Answered By: Amar Kumbar     Answered On: Nov 25

of course, they can still be added  - they just can't access the system.

Answer #5    Answered By: Marc Dixon     Answered On: Nov 25

What we've done is modify the web.config for the web application you're
trying to limit. If you change <allow users="*"> to <allow
roles="comma_separated_list_of_roles"> and then add <deny users="*">
below that, users  will have to be in one of those roles (AD groups) to
access the site. Any users can still be added  to sites, but they will
be denied access. It may be possible to achieve the same result through
policies, but this is how I've done it and it works fine. You can even
use a custom httphandler to redirect users that have been denied access
to a custom error page.