Welcome: Guest!

Sharepoint Forum

 
Home » Forum » Sharepoint       Ask a questionRSS Feeds

User profiles vs security (pulling info from AD)

  Asked By: Janak Kadni         Date: Apr 27, 2009      Category: Sharepoint      Views: 202
 

There have been a few discussions about the best way to limit the
generation of user profiles to just active user accounts but I'm
still unclear on a few things.

Lacking a better way, we are building two AD groups with which we
plan to import from AD into the SP profile database (thanks to Wayne
Hall's blog:
mindsharpblogs.com/.../497.aspx). None of
our administrative or utility AD accounts will be assigned to our two
AD groups.

So the question is: will I still be able to access the Central Admin
site using my utility account (which will not be imported into the
profile database)?

Can one of you brilliant people explain the difference between how SP
uses AD to create user profiles and how SP uses AD to identify folks
for access/security settings?

Tagged:                

 

3 Answers Found

 
Answer #1       Answered By: Elaine Mack          Answered On: Apr 27, 2009       

Assuming you're using NT authentication:

For authentication:

1) SP uses AD to identify  what security  groups the connecting user
belongs to.
2) SP checks the SP resource user  permissions against the AD user and
the group list from step 1 for a match.
3) If there's a match, SP grants the user access  as specified in the
permissions list. (I'm not sure what happens if there are multiple
matches. This may be the source of the 'never use nested SP groups  with
AD groups' bug.)

For profile  creation:

1) SP checks to see if the authenticated user who is connecting user has
a profile. If not, it creates one.
2) OPTIONAL: If you choose to import profiles  from AD, scheduled or
otherwise, it sets up new profiles as it finds users in AD who do not
have a profile. I don't believe it ever deletes old profiles.

 
Answer #2       Answered By: Baiju Hoskeri          Answered On: Apr 27, 2009       

So am I correct in my interpretation of your comments
that as long as SharePoint can verify that my utility  account is an
active account  in the domain or NT group, it doesn't matter that it
doesn't have a user  profile associated with it?

 
Answer #3       Answered By: Kristy Hicks          Answered On: Apr 27, 2009       

Yes, but there's no avoiding a user  profile for that account. As soon as
you connect with that account, it will set one up for it, even though
it's not part of your profile  import.

 
Didn't find what you were looking for? Find more on User profiles vs security (pulling info from AD) Or get search suggestion and latest updates.


Your Answer
  • Answer should be atleast 30 Characters.
  • Please put code inside [Code] your code [/Code].

 
Hall of Fame  |  Facebook  |  Twitter  |  LinkedIn  |  Terms of Use  |  Privacy Policy  |  Contact us
RSS Feeds: Articles |  Forum |  New Users |  Activities |  Interview FAQ |  Poll |  Hotlinks


Go4Sharepoint, is a Microsoft Featured Community. Microsoft, Windows, Sharepoint, Sharepoint logo, Windows logo, etc are trademarks of the Microsoft Corporation. All product names, logos, copyrights, and trademarks mentioned are acknowledged as the registered intellectual property of their respective owners. This site is not in any way affiliated with, nor has it been authorized, sponsored, or otherwise approved by, Microsoft Corporation.

Copyright © 2008-2011