AAron nAAs


AAron's SharePoint notepad


How NOT to add Active Directory Groups

It makes sense to create groups in Active Directory for SharePoint authentication, rather than adding users to SharePoint individually, but you already knew that. If you are trying this by yourself for the first time, you might make the same mistake that I did. I right-clicked on "Users" and created groups, but SharePoint ignored them, and none of the member users could log in to SharePoint. I needed to create the groups elsewhere...

Do not add Active Directory groups from "Users" for SharePoint

Note: In the examples below, [home.local] is the name of my test domain.

SharePoint HATES:
 Active Directory Users and Computers / [home.local] / Users / <right click> / New / Group
 Group Name: mygroup1
 Group scope: Global
 Group type: Security
 Creates
  "CN=mygroup1,CN=Users,DC=home,DC=local"
 Add mygroup1 as member of a SharePoint site
 Users in mygroup1 cannot log into SharePoint ("Error: Access Denied")

SharePoint LIKES:
 Active Directory Users and Computers / [home.local] / <right click> / New / Group
 Group Name: mygroup2
 Group scope: Global
 Group type: Security
 Creates
  "CN=mygroup2,DC=home,DC=local"
 Add mygroup2 as member of a SharePoint site
 Users in mygroup2 can log into SharePoint

Conclusion:
 Add groups by right clicking on [home.local], NOT on "Users"

posted on Tuesday, December 25, 2007 7:26 PM

Feedback

# re: How NOT to add Active Directory Groups 12/26/2007 12:00 PM Paul Stork

I'm curious if you tried adding groups from any other OUs than Users. I wonder if the problem is having groups in the OUs or whether it's that Users is a built-in container and not really an OU.

# re: How NOT to add Active Directory Groups 12/26/2007 3:10 PM Peter {faa780ce-0f0a-4c28-81d2-3667b71287fd}

This must have something to do with your OU permissions; ask your AD administrator what permissions you have, i.e. if there's any special security set on that OU.

# re: How NOT to add Active Directory Groups 12/28/2007 7:57 AM Peter {faa780ce-0f0a-4c28-81d2-3667b71287fd}

The filter apparently ate my second comment that I posted yesterday.

Let me retract my previous statement: Paul Stork is right; the Users folder is technically a "Container" and not an OU. So to reference something in a Container, just add

CN=Users

instead of

OU=Users

If you want to check, you can do what I did: install the Windows 2003 Admin Pack for Windows XP (search for adminpak xp) and fire up the Active Directory console.

Under the console you can view the "distinguishedName" field (add it as a column) and will have a definite, 100% guaranteed answer.

# re: How NOT to add Active Directory Groups 12/29/2007 3:19 PM Ben Curry

If you use Universal groups, this problem goes away. Unfortunately, SharePoint creates global groups when leveraging DMS. So, you have to go into AD and change it after the fact. You can create as many global groups as you want and nest them into Universal Groups, but what is actually applied in the SharePoint interface must be a Universal Group. This works because of the way the list is expanded on the Global Catalog Server.

Cheers :-)
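The two checks discussed on this page, the post's point that a group under the built-in CN=Users container is not an OU placement, and Ben Curry's point that only Universal scope expands reliably through the Global Catalog, can be turned into a quick audit over an exported list of groups. The script below is an added example, not code from the blog or from SharePoint; it parses the distinguishedName (handling escaped commas), reads the scope and security bits of the documented groupType attribute, and reports groups that match either condition or that are distribution rather than security groups. The group records are constructed inline so it runs offline; in practice they would come from an LDAP export of distinguishedName and groupType, which some tools emit as a signed 32-bit integer, hence the mask.

```python
# Added example, not part of the original post: audit AD group records for the
# placement and scope problems described on the page.

# Bit values of the Active Directory groupType attribute.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000  # set for security groups, clear for distribution groups

# Constructed sample records (hypothetical groups in the post's home.local domain).
SAMPLE_GROUPS = [
    {"dn": "CN=mygroup1,CN=Users,DC=home,DC=local", "groupType": 0x80000002},   # Users container, Global
    {"dn": "CN=mygroup2,DC=home,DC=local", "groupType": 0x80000002},            # domain root, Global
    {"dn": "CN=spusers,OU=SharePoint,DC=home,DC=local", "groupType": 0x80000008},  # OU, Universal security
    {"dn": "CN=newsletter,OU=SharePoint,DC=home,DC=local", "groupType": 0x00000008},  # Universal distribution
]


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, honouring backslash escapes
    such as 'CN=Smith\\, John,...'. Attribute types are upper-cased for comparison."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parent_of(dn):
    """Return the immediate parent's RDN, e.g. ('CN', 'Users') for a group created
    under the Users container or ('DC', 'home') for one created at the domain root."""
    pairs = parse_dn(dn)
    return pairs[1] if len(pairs) > 1 else None


def in_users_container(dn):
    """True when the object sits directly under the built-in Users container
    (CN=Users, which is a container, not an OU), the placement the post reports as failing."""
    parent = parent_of(dn)
    return parent is not None and parent[0] == "CN" and parent[1].lower() == "users"


def scope_name(group_type):
    """Map the scope bits of groupType to a name; the mask normalises signed exports."""
    gt = group_type & 0xFFFFFFFF
    if gt & GROUP_TYPE_UNIVERSAL:
        return "Universal"
    if gt & GROUP_TYPE_GLOBAL:
        return "Global"
    if gt & GROUP_TYPE_DOMAIN_LOCAL:
        return "DomainLocal"
    return "Unknown"


def audit_groups(records):
    """Return [(dn, [findings...])] for every record with at least one finding."""
    report = []
    for rec in records:
        findings = []
        gt = rec["groupType"] & 0xFFFFFFFF
        if in_users_container(rec["dn"]):
            findings.append("in CN=Users container (post reports Access Denied)")
        if not gt & GROUP_TYPE_SECURITY:
            findings.append("distribution group, cannot carry permissions")
        if scope_name(gt) != "Universal":
            findings.append(scope_name(gt) + " scope, not Universal (see Ben Curry's comment)")
        if findings:
            report.append((rec["dn"], findings))
    return report


if __name__ == "__main__":
    for dn, findings in audit_groups(SAMPLE_GROUPS):
        print(dn)
        for f in findings:
            print("  -", f)
```

The parser compares the parent RDN's attribute type, so a group under an OU literally named "Users" (OU=Users) is not flagged; only the built-in CN=Users container is, which is the distinction Peter and Paul Stork arrive at in the comments.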
