Sharepoint Forum


User profiles vs security (pulling info from AD)

  Asked By: Janak    Date: Apr 27    Category: Sharepoint    Views: 1192

There have been a few discussions about the best way to limit the
generation of user profiles to just active user accounts but I'm
still unclear on a few things.

Lacking a better way, we are building two AD groups with which we
plan to import from AD into the SP profile database (thanks to Wayne
Hall's blog:
mindsharpblogs.com/.../497.aspx). None of
our administrative or utility AD accounts will be assigned to our two
AD groups.

So the question is: will I still be able to access the Central Admin
site using my utility account (which will not be imported into the
profile database)?

Can one of you brilliant people explain the difference between how SP
uses AD to create user profiles and how SP uses AD to identify folks
for access/security settings?



3 Answers Found

Answer #1    Answered By: Elaine Mack     Answered On: Apr 27

Assuming you're using NT authentication:

For authentication:

1) SP uses AD to identify what security groups the connecting user
belongs to.
2) SP checks the SP resource user permissions against the AD user and
the group list from step 1 for a match.
3) If there's a match, SP grants the user access as specified in the
permissions list. (I'm not sure what happens if there are multiple
matches. This may be the source of the 'never use nested SP groups with
AD groups' bug.)

For profile creation:

1) SP checks to see if the authenticated user who is connecting has
a profile. If not, it creates one.
2) OPTIONAL: If you choose to import profiles from AD, scheduled or
otherwise, it sets up new profiles as it finds users in AD who do not
have a profile. I don't believe it ever deletes old profiles.
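The two sequences in Answer #1 (authorization against AD group membership, then profile creation on first connect or via import) can be modelled in a few lines. The block below is an added example, not code from this thread or from SharePoint itself: the accounts, groups and ACL entries are constructed sample data, and it assumes that when several ACL entries match (the user directly plus one of its groups) the effective permissions are the union of all matches. It shows the point the thread is circling: an account that is never imported into the profile store still gets into Central Admin if one of its AD groups is on the ACL, and a profile is created for it the moment it connects.

```python
# Constructed sample directory: account -> set of AD security groups it belongs to.
AD_GROUPS = {
    "CONTOSO\\jdoe": {"CONTOSO\\Sales", "CONTOSO\\Domain Users"},
    "CONTOSO\\asmith": {"CONTOSO\\Engineering", "CONTOSO\\Domain Users"},
    # Utility account: member of a farm-admin group, deliberately NOT in any import group.
    "CONTOSO\\svc-spadmin": {"CONTOSO\\SP Farm Admins", "CONTOSO\\Domain Users"},
}

# Constructed ACLs: principal (AD user or AD group) -> permission levels granted.
CENTRAL_ADMIN_ACL = {
    "CONTOSO\\SP Farm Admins": {"Full Control"},
}
TEAM_SITE_ACL = {
    "CONTOSO\\Sales": {"Contribute"},
    "CONTOSO\\jdoe": {"Design"},
}


def effective_permissions(account, acl, directory=AD_GROUPS):
    """Steps 1-2 of the authentication sequence: resolve the account's AD
    groups, then match the account and each group against the ACL.
    Assumption: multiple matches combine as a union of permission levels."""
    if account not in directory:
        return set()  # unknown or disabled account: nothing to match
    principals = {account} | directory[account]
    perms = set()
    for principal in principals:
        perms |= acl.get(principal, set())
    return perms


def has_access(account, acl, directory=AD_GROUPS):
    """Step 3: access is granted only if at least one ACL entry matched."""
    return bool(effective_permissions(account, acl, directory))


class ProfileStore:
    """Minimal stand-in for the SP profile database."""

    def __init__(self):
        self.profiles = {}

    def ensure_profile(self, account):
        """Profile step 1: create a profile on first connect if none exists.
        Returns True if a profile was created by this call."""
        if account in self.profiles:
            return False
        self.profiles[account] = {"source": "first-connect"}
        return True

    def import_from_ad(self, directory, import_groups):
        """Profile step 2 (optional import): add profiles for accounts that are
        members of an import group and have no profile yet. Never deletes."""
        added = []
        for account, groups in directory.items():
            if groups & import_groups and account not in self.profiles:
                self.profiles[account] = {"source": "import"}
                added.append(account)
        return added


def connect(account, acl, store, directory=AD_GROUPS):
    """Simulate a connection: authorize first; only on success is a profile ensured."""
    if not has_access(account, acl, directory):
        return False
    store.ensure_profile(account)
    return True


if __name__ == "__main__":
    store = ProfileStore()
    print("imported:", store.import_from_ad(AD_GROUPS, {"CONTOSO\\Sales", "CONTOSO\\Engineering"}))
    print("utility account in store before connect:", "CONTOSO\\svc-spadmin" in store.profiles)
    print("utility account -> Central Admin:", connect("CONTOSO\\svc-spadmin", CENTRAL_ADMIN_ACL, store))
    print("utility account profile:", store.profiles.get("CONTOSO\\svc-spadmin"))
    print("jdoe -> Central Admin:", connect("CONTOSO\\jdoe", CENTRAL_ADMIN_ACL, store))
```

Running it shows the import adding only the two group members, the utility account passing the Central Admin check through its group membership alone, and a "first-connect" profile appearing for it afterwards. Removing a user from the import groups therefore limits what the scheduled import creates, but does not stop profiles from accumulating for every account that successfully signs in.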

Answer #2    Answered By: Baiju Hoskeri     Answered On: Apr 27

So am I correct in my interpretation of your comments
that as long as SharePoint can verify that my utility account is an
active account in the domain or NT group, it doesn't matter that it
doesn't have a user profile associated with it?

Answer #3    Answered By: Kristy Hicks     Answered On: Apr 27

Yes, but there's no avoiding a user profile for that account. As soon as
you connect with that account, it will set one up for it, even though
it's not part of your profile import.
