Tuesday, July 01, 2008 3:30 PM
Does anyone know of an easy way to move users to new groups in sharepoint?
I work in a school and I have set up several sites within sharepoint which are based on curriculum subjects and years. Because students belong to several different groups according to the subjects learnt and groups & years taught in, I have also had to set up many different groups for administration & security purposes. These groups do not mirror our Active Directory structure in any way.
My problem is, these users will move groups at the end of every year and also sometimes during the year and I'd like to know if anyone has discovered an easier way of populating the groups without painstakingly deleting the users from their old group, then manually adding them to the appropriate new group.
Tuesday, July 01, 2008 3:49 PM
This is a problem that we faced in one of the companies I was a consultant with.
The easiest way to do this is through developing a custom solution that integrates with the SharePoint security model, but I am assuming that this is not an option.
At my last client, the SharePoint Security model did not reflect the AD groups and structure and that was OK as it did not require it, UNTIL, they want to move groups around and also Add\Remove\Move people from groups.
What I did was specify the structure that I wanted in AD. Remember the AD groups are only holding OU's and they dont not affect teh NTFS security when you only use them for SharePoint purposes.
So if you take the time an effort to create the Groups in AD, you can create certain Sharepoint Groups that are static and will not move. When you have to move users, you can get them moved thru AD, which can be done very easily. As long as the AD Groups is added to the SP group, you can add, remove, move, etc users in AD and the changes will be reflected in SharePoint.
I understand this is might be a polictical and technical challenge, but in the end the benefits out way the effort in terms on Management.
Kind regards and hope you find a solution,
Tuesday, July 01, 2008 4:23 PM
Having just read the first part of your reply (custom solution ...) I was idly thinking of replying with my suggestion.
That though was using AD groups in the way you suggested further in your reply (which I luckily checked before writing mine)
So regard this message as seconding your suggestion.
Tuesday, July 08, 2008 8:40 AM
Thanks for this information. It is as I had expected and my initial thought was not to bother as I couldn't see the benefits of creating all those groups all over again.
However, I am now thinking of putting this into practice and just wanted to make sure I understand what I need to do. This is how I see it:
In AD, create a new OU called Sharepoint Groups
Within this OU, create other OU's called Maths, Science, etc
Within the appropriate OU's, create Global Security Groups which correspond to the groups I have already created in Sharepoint
Add the appropriate users to the global security groups, as I have already done in Sharepoint
Now, this is the part I'm not sure about:
When I need to move users from one group to another, I do so in AD, not Sharepoint - will this directly map to Sharepoint? That is, if I then go to Sharepoint, will I see the changes reflected within the sharepoint groups?
Many thanks for your help
Wednesday, July 09, 2008 9:20 AM
Yes, you are correct in the way you are thinking about this.
A few points to mention, althought they seem trivial, are:
Name the AD groups A little different to the SharePoint Groups (You can get confused in Sharepoint if the SharePoint Group and the AD group are the same) AD Security Group for Sciences might be called SP_SecGroup_ScienceViewers and in SharePoint the SharePoint Group would be Called Sciences Viewers, for example.
SharePoint groups should only contain AD groups, where possible. This means that all the movement of people can be done in AD through the security groups and once the AD security group is a member of the SharePoint Groups, then all changes will be affected when you move users around AD.
Make use of Audiences too where possible. Audiences might be a good fit for your type of industry. So when all sciences people log on to the portal, you could Audience target Science Related content to show on the portal home for these types of users.
Hope this helps
Wednesday, July 09, 2008 3:22 PM
Thanks John, that's useful information.
As an experiment, I have just created an AD group called 8A_SP and added the appropriate users for next academic year. In sharepoint, I navigated to the appropriate site and added the new AD group to a sharepoint group called 8A-Gg. By the way, this particular site has inheritance turned off.
When I then clicked on Groups on the quick launch bar and then clicked on the new AD group in the list, it didn't show me the users who are a member of this group - is this normal? If so, it will be difficult for any sharepoint designers who do not have access to Active Directory to administer permissions on their own site.
Wednesday, July 09, 2008 4:00 PM
The issue that you point out is the marker for a decision to be taken whether or not Users are managed from SharePoint groups or through Active Directory.
In your case is would be important to find out if the moving of users SharePoint groups is more painstaking than if you were to do it through AD. If your Web Designers, who should not necessarily have priveliges to manage security, need to manage/move users around to various SharePoint groups then I would think that they should have to create some sort of a Change Request Form that is send to the managers of AD to move certain people to different groups.
When managing security the designer should only, where possible of course, move AD groups around with the SharePoint groups. I understand that this seems a little bit of a bottleneck where security on a site is concerned, BUT, it provides a good level of separation between the auditing of what groups users exist in in AD over the auditing of moving users from one SP group to another.
I dont want to tell you that you are doing it wrong when you manage users in SP groups, because sometimes, in fact a lot, thats the quickest way to manager security - but it is not the tidiest and as your original post pointed out, it takes a lot of time to move users for one SP group to another... not to mention how tiddious it can be
Thursday, July 10, 2008 10:47 AM
Many thanks for taking the time to explain all of this. It's useful to know the pitfalls at the start.
I still agree that it is a job worth doing and I shall gradually work my way through creating the AD groups for the start of next term.