How can I stop users from a certain OU being granted access to sharepoint
We have a subdomain containing an OU whose users we do not want to be granted access to SharePoint. We have some self-service sites as well as MySites that users control access to. Is there a way to deny any members of that OU being added to any site within SharePoint? Is it as simple as denying a specific SharePoint (service) account access to that OU so that it cannot read it?
March 18th, 2010 4:13pm
If you have applied at least SP1 then there is an STSADM command that will let you apply a query filter to the accounts selected from AD by the people picker. Filtering out a specific OU is fairly easy to achieve. See the following for more info: http://technet.microsoft.com/en-us/library/cc263452.aspx
Paul Stork
SharePoint Server MVP
March 18th, 2010 4:28pm
So to set the search so that it does not search a specific OU, I would use the following filter?
stsadm -o setproperty -url http://contoso -pn "peoplepicker-searchadcustomfilter" -pv (!(OU=deniedOU))
stsadm -o setproperty -pn Peoplepicker-searchadcustomfilter -pv (!(samaccountname=<Myalias>)) -url http://<servername>
Which is the correct way of entering the command? The first statement has the peoplepicker in quotes, with the URL coming before the peoplepicker option; the second does not use quotes and has the URL at the end of the command.
Also, from http://support.microsoft.com/default.aspx/kb/958578?p=1
In this scenario, <Myalias> is resolved despite the filter. The expected result is that the Check Names button honors the LDAP filter. However, the LDAP filter is not honored when you click the Check Names button.
So it only works when you use the Browse function, not the Check Names function? I need to be sure that these users are being denied access.
March 18th, 2010 5:13pm
Hi limey,
The peoplepicker without quotes is correct, but if you have blanks in your command, you may want to use quotes.
To forbid searching an OU, you could use the following command.
This sample disables searching SharePointOU in the iqin.local domain:
stsadm -o setproperty -url http://mysite.iqin.local/personal/administrator -pn peoplepicker-searchadcustomfilter -pv (!(distinguishedName=*,OU=SharePointOU,DC=IQIN,DC=Local))
There was a known issue that the Check Names button did not honor the LDAP filter; it is fixed in http://support.microsoft.com/default.aspx/kb/958578
Let me know if you need further information.
Lambert Qin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com Sincerely,
Lambert Qin
Posting is provided "AS IS" with no warranties, and confers no rights.
March 19th, 2010 6:17am
Hi limey,
Could you please let me know if Paul's and my suggestions are helpful?
Lambert Qin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com Sincerely,
Lambert Qin
Posting is provided "AS IS" with no warranties, and confers no rights.
March 22nd, 2010 2:34pm
I tried using the command (once I typed it in correctly!) but it seems to deny me from adding any users using the "people picker or check names".
I then reversed it by re-running the command without the deny and can then add users from both the parent and child domains. (I had originally thought it was an OU but it is a child domain, sorry if that makes it more complicated)
Here is the command that I am using:
stsadm -o setproperty -url http://testserver -pn peoplepicker-searchadcustomfilter -pv (!(distinguishedName=*,DC=childdomain,DC=parentdomain,DC=org))
Am I missing something?
Thanks
March 24th, 2010 11:21pm
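Because stsadm stores whatever filter string it is given without validating it (as Lambert notes below), it helps to check offline what a people-picker filter will actually return before setting the property. The following is an added example written for this thread, not code from Microsoft or from anyone posting here. It is a small evaluator for the RFC 4515 filter subset used above (AND, OR, NOT, equality, presence and wildcard assertions; values are assumed not to contain a literal `)`), run against three constructed sample users. It also models one Active Directory rule that explains the result limey reports above: AD does not evaluate substring (wildcard) matches on DN-syntax attributes such as `distinguishedName`, so that clause is Undefined, NOT of Undefined is still Undefined, and the filter matches nobody, which is exactly "it denies me from adding any users". The `ad_strict=False` mode shows how the same filter would behave on a server that does allow wildcards on DNs.

```python
"""Offline evaluator for people-picker LDAP filters (RFC 4515 subset).

Added example for this thread; sample users and filters are constructed.
"""
import re

# Active Directory attributes with Distinguished Name syntax. AD does not
# evaluate substring (wildcard) assertions on these: the clause is Undefined
# (RFC 4511 three-valued logic), so NOT of it is Undefined too.
DN_SYNTAX_ATTRS = {"distinguishedname", "member", "memberof", "manager"}


def parse_filter(text):
    """Parse an RFC 4515 filter into a nested tuple tree.

    Nodes: ("&", [children]), ("|", [children]), ("!", child),
           ("=", attr_lowercase, value)   # value may contain '*'
    Simplification: attribute values may not contain a literal ')'.
    """
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif text[pos] == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"malformed assertion at offset {pos}")
            pos = end
            node = ("=", attr.lower(), value)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _match_item(attr, pattern, entry, ad_strict):
    """Evaluate one assertion; returns True, False or None (Undefined)."""
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter
        return bool(values)
    if "*" in pattern:                      # substring filter
        if ad_strict and attr in DN_SYNTAX_ATTRS:
            return None                     # AD: wildcard on a DN is Undefined
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return any(re.match(regex, v, re.IGNORECASE) for v in values)
    return any(v.lower() == pattern.lower() for v in values)


def evaluate(node, entry, ad_strict=True):
    """RFC 4511 three-valued evaluation of a parsed filter against one entry."""
    kind = node[0]
    if kind == "=":
        return _match_item(node[1], node[2], entry, ad_strict)
    if kind == "!":
        result = evaluate(node[1], entry, ad_strict)
        return None if result is None else not result
    results = [evaluate(child, entry, ad_strict) for child in node[1]]
    if kind == "&":
        if False in results:
            return False
        return None if None in results else True
    if True in results:                     # kind == "|"
        return True
    return None if None in results else False


def picker_results(filter_text, entries, ad_strict=True):
    """sAMAccountNames the people picker would offer for this filter."""
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in entries
                  if evaluate(tree, e, ad_strict) is True)


# Constructed sample directory: one user in an allowed OU, one in the OU to
# be denied, one in a child domain. Attribute names are lowercase.
SAMPLE_USERS = [
    {"samaccountname": ["alice"], "objectclass": ["user"],
     "distinguishedname": ["CN=Alice,OU=Staff,DC=parentdomain,DC=org"]},
    {"samaccountname": ["bob"], "objectclass": ["user"],
     "distinguishedname": ["CN=Bob,OU=deniedOU,DC=parentdomain,DC=org"]},
    {"samaccountname": ["carol"], "objectclass": ["user"],
     "distinguishedname": ["CN=Carol,CN=Users,DC=childdomain,DC=parentdomain,DC=org"]},
]

F_ALIAS = "(!(samaccountname=bob))"                                      # works in AD
F_OU = "(!(distinguishedName=*,OU=deniedOU,DC=parentdomain,DC=org))"       # wildcard on a DN
F_CHILD = "(!(distinguishedName=*,DC=childdomain,DC=parentdomain,DC=org))"  # same problem

if __name__ == "__main__":
    for name, flt in [("alias", F_ALIAS), ("ou", F_OU), ("child domain", F_CHILD)]:
        print(f"{name:12} AD semantics: {picker_results(flt, SAMPLE_USERS)}"
              f"   generic LDAP: {picker_results(flt, SAMPLE_USERS, ad_strict=False)}")
```

Under AD semantics the two DN-wildcard filters return an empty list, so nobody could be picked; only the `samAccountName` exclusion behaves as intended. The evaluator only checks the logic of the filter string; before setting `peoplepicker-searchadcustomfilter` on a live farm, the same filter should be run against the real directory (for example with `Get-ADUser -LDAPFilter` or ldp.exe) and confirmed to return the users you expect to remain.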
Hi limey,
The peoplepicker-searchadcustomfilter command does not verify whether the LDAP filter is correct or not. Therefore, it seems that you wrote a wrong LDAP filter.
I am afraid that I do not have a child domain to reproduce your issue locally.
If you want to limit the users to the parent domain, you could use: stsadm -o setsiteuseraccountdirectorypath -path "DC=parentdomain,DC=org" -url http://testserver
Hope the information can be helpful.
Lambert Qin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com Sincerely,
Lambert Qin
Posting is provided "AS IS" with no warranties, and confers no rights.
March 25th, 2010 1:29pm
I think this sounds like what I need. I am out of the office this week, but will test as soon as I return. Thanks, I'll let you know how it works.
March 30th, 2010 4:02pm