Tracking Enterprise CALs in a mixed-CAL environment

  Asked By: Joseph    Date: Feb 18    Category: MOSS    Views: 1549

Everyone in our company has a Standard CAL. Additionally, a small percentage of
users have Enterprise CALs, which entitle the assignee to use a couple of
SharePoint applications where Enterprise functionality has been enabled. We had
put all the Ent users in an AD group, then compared the membership of that group
against the All People list in SharePoint, application by application. As it
turns out, MS doesn't require someone to have an Enterprise CAL if they have
been added to SharePoint but have not been given access to anything. So we need
to figure out how to tell who has been assigned a permission level. Any ideas?


12 Answers Found

 
Answer #1    Answered By: Aditi Msc     Answered On: Feb 18

I have found that it is best to add AD groups to SP groups. When you add people
one by one it becomes a maintenance nightmare that will eventually have to be
fixed by an administrator. If you want to control MySites, the only way to do it
(that I've found anyway) is to deny that privilege to each group or individual
with access to the site.

 
Answer #2    Answered By: Abinav Basu     Answered On: Feb 18

> I have found that it is best to add AD groups to SP groups. When you add people
> one by one it becomes a maintenance nightmare that will eventually have to be
> fixed by an administrator.

Normally I take this stance as well, but there have been situations where an
organization delegates its site administration to the relevant business
units. In that scenario, it actually makes more sense to let individual
site admins control access to their own site groups. Keeps the AD guys from
having to worry about that as well, especially where AD groups don't map
very well to the SharePoint taxonomy.

 
Answer #3    Answered By: Teresa Simpson     Answered On: Feb 18

True, as long as the site admins follow best practices. But if a site admin gets
lazy and just starts adding people one by one, and then moves on to another
job...

 
Answer #4    Answered By: Robby Barr     Answered On: Feb 18

But that argument could be used for the AD group scenario as well; in fact,
it's even more likely since there's more effort involved in getting someone
added to the requisite AD group.

 
Answer #5    Answered By: Patrick Davis     Answered On: Feb 18

This is a long running discussion, with vocal parties on both sides. Let's
remember, SharePoint is designed to be an end user driven product. That
means, it is meant to be managed by the users, for the users. Site
Collection admins and Site Owners have the ability to add users to their
sites, and should be adding users to their sites. If an AD group exists,
that fits the need, then sure, use it. If not, create a SharePoint group and
add the proper users to that group. There is no need to get AD involved.
There is a very good section in the Best Practices book about this. Trying
to manage SharePoint access permissions via your AD is a mountain you really
don't want to climb.

 
Answer #6    Answered By: Alexander Rocha     Answered On: Feb 18

Thanks to all for your responses. My question has to do with tracking access to
SharePoint sites where enterprise-level functionality has been enabled. We're
not using an AD group to control access to SharePoint but as a convenient
container for holding IDs of users who have been assigned Enterprise CALs. We
compare the members of the AD group against the All People list in SharePoint
applications where enterprise functionality has been enabled.

The problem with this is that you can add a user to SharePoint but unless you
assign him or her (or the group, either SharePoint or AD, that he or she is in) a
permission level, thereby allowing access, they are not required to have an
Enterprise CAL.

Any ideas on making sure only those users who have been assigned Enterprise CALs
access enterprise-level functionality?

 
Answer #7    Answered By: Maggie Benson     Answered On: Feb 18

My question has to do with tracking access to
SharePoint sites where enterprise-level functionality has been enabled. We're
not using an AD group to control access to SharePoint but as a convenient
container for holding IDs of users who have been assigned Enterprise CALs. We
compare the members of the AD group against the All People list in SharePoint
applications where enterprise functionality has been enabled.

The problem with this is that you can add a user to SharePoint but unless you
assign him or her (or the group, either SharePoint or AD, that he or she is in) a
permission level, thereby allowing access, they are not required to have an
Enterprise CAL.

Any ideas on making sure only those users who have been assigned Enterprise CALs
access enterprise-level functionality?

 
Answer #8    Answered By: Lane Trujillo     Answered On: Feb 18

If you can figure out a way to segment the sites into separate Web
Applications in SharePoint, you might be able to use a permission policy
to control this.
technet.microsoft.com/en-us/library/ff608071.aspx

 
Answer #9    Answered By: Rafael Willis     Answered On: Feb 18

As several users have noted, you need to add the people with Enterprise CALs to
a group, whether it be AD or SharePoint.

There is no way for anyone other than your admins to know who has an Enterprise
CAL and who does not.

Plain and simple, you need to create a group for them and assign that group to
the Enterprise CALs.

 
Answer #10    Answered By: Richard Davis     Answered On: Feb 18

My PowerShell skills are not elite enough, but I am pretty sure
that *someone* could write a script to cycle through all sites, check
for that particular feature being enabled and then catalog the users who
have access to that site...
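
An added example, not written by any poster in this thread: a PowerShell script of the kind Answer #10 describes, reporting users who hold a real permission level on Enterprise-enabled site collections but are not in the Enterprise CAL AD group. It assumes SharePoint 2010 or later, that Enterprise functionality is switched on through the `PremiumSite` site collection feature, and that `ENTERPRISE-CAL-GROUP` is a placeholder for your own AD group name.

```powershell
# Added example. Run in the SharePoint Management Shell with the ActiveDirectory module.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$calGroup = 'ENTERPRISE-CAL-GROUP'   # placeholder: AD group of Enterprise CAL holders

# Reduce "i:0#.w|DOMAIN\user" or "DOMAIN\user" to a lower-case account name.
function Get-AccountName([string]$login) {
    (($login -split '\|')[-1] -split '\\')[-1].ToLower()
}

$licensed = @(Get-ADGroupMember -Identity $calGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLower() })

$report = foreach ($site in Get-SPSite -Limit All) {
    # PremiumSite = "SharePoint Server Enterprise Site Collection features"
    if (Get-SPFeature -Identity PremiumSite -Site $site -ErrorAction SilentlyContinue) {
        foreach ($web in $site.AllWebs) {
            # Sub-sites that inherit permissions only repeat the parent's assignments.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    # "Limited Access" (role type Guest) is not an assigned permission level.
                    $levels = @($ra.RoleDefinitionBindings |
                        Where-Object { $_.Type -ne 'Guest' } | ForEach-Object { $_.Name })
                    if ($levels.Count -eq 0) { continue }
                    # A SharePoint group contributes its members; a user or AD group stands alone.
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $users = $ra.Member.Users }
                    else { $users = @($ra.Member) }
                    foreach ($u in $users) {
                        New-Object PSObject -Property @{
                            Web       = $web.Url
                            Login     = $u.LoginName
                            Via       = $ra.Member.Name
                            Levels    = $levels -join ', '
                            IsADGroup = $u.IsDomainGroup   # expand these separately
                            HasEntCAL = $licensed -contains (Get-AccountName $u.LoginName)
                        }
                    }
                }
            }
            $web.Dispose()
        }
    }
    $site.Dispose()
}
# Individually named users with a permission level but no Enterprise CAL.
$report | Where-Object { -not $_.IsADGroup -and -not $_.HasEntCAL } |
    Sort-Object Login, Web | Select-Object Login, Web, Via, Levels
```

Only site-level role assignments are read; lists or items with unique permissions, and AD groups granted access directly (flagged by `IsADGroup`), need a separate pass.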

 
Answer #11    Answered By: Mason Davis     Answered On: Feb 18

True, I guess you are suggesting people be added to a SP group, right? That
would work as well. My aim is to keep people from being added singly to a site.
Yesterday was kind of hectic, and I probably didn't communicate that clearly!

 
Answer #12    Answered By: Savannah Pena     Answered On: Feb 18

Right; SP groups are much more maintainable by the people who should have
the power over their silos.

 