Our company's security policy is to immediately delete user
accounts in AD after when an employee leaves the company. The user account still shows valid in
SharePoint people picker/ all people group etc.
Normally on full import of AD users all users are import into
SharePoint from AD, then if new user requests to log into SharePoint it checks
against AD and adds user, but SharePoint doe not remove users if removed from AD, so Site Admins sometimes
wanting to find a script to iterate thru the current users listed in SharePoint and test against AD, if user does not exist in AD then remove from SPUsers?
Answer to the above concern would be that after the profiles have
been imported. If a user is deleted in AD then after 3 successive full profile imports there profile will be deleted also. If
deactivated their MySite will be cleaned up, but not their profile.
deactivated their MySite will be cleaned up, but not their profile.
You also need to understand about the difference
between SharePoint users used for security and Profiles. They are related,
but not the same thing.
First,
Profiles.
1. Moss is setup to import all the users in your AD domain as profiles into the SSP that you create. However, this action is not scheduled. Profiles will not be imported until you either do a manual import or setup the schedule for Full and incremental imports. This imparts no security rights to the user
at all.
2. After the profiles have been imported. If a user is deleted in AD then after 3 successive full profile imports there profile will be deleted also. If deactivated their MySite will be cleaned up, but not their profile.
Second, Authentication/Authorization (Assuming you are not using any kind of Forms Based Authentication)
1. SharePoint depends on Windows Authentication via IIS to establish the user's identity. (this happens completely external to SharePoint)
2. SharePoint checks the user's AD identity and group membership, as established in #1, to see what the user has the ability to do in SharePoint.
1. Moss is setup to import all the users in your AD domain as profiles into the SSP that you create. However, this action is not scheduled. Profiles will not be imported until you either do a manual import or setup the schedule for Full and incremental imports. This imparts no security rights to the user
at all.
2. After the profiles have been imported. If a user is deleted in AD then after 3 successive full profile imports there profile will be deleted also. If deactivated their MySite will be cleaned up, but not their profile.
Second, Authentication/Authorization (Assuming you are not using any kind of Forms Based Authentication)
1. SharePoint depends on Windows Authentication via IIS to establish the user's identity. (this happens completely external to SharePoint)
2. SharePoint checks the user's AD identity and group membership, as established in #1, to see what the user has the ability to do in SharePoint.
You can successfully authenticate and still not
gain access to SharePoint.
3. Security Access in SharePoint is dependent on the AD identity or an AD group of which the user is a member being added as a SharePoint user. Or the user or group may be added directly to a SharePoint group. This will allow the user to gain access to SharePoint resources.
4. If the access is through group membership then the user's identity will only be added to SharePoint when the user logs in and submits something to a document library or list. This adds their identity as a user, but doesn't directly re-associate them with specific rights. The rights are still gained through group membership. But they would now show up in the People and Groups
list.
5. If the user's account is deactivated or deleted in AD their account in SharePoint is NOT deleted, but they won't be able to use it to access SharePoint anymore because AD won't be able to authenticate them so they'll never get to Authorization. If deactivated, you will still be able to click on their name attached to documents or list items and see their profile. If deleted clicking on these items will normally lead to an error page because the profile isn't there anymore.
6. Removing SharePoint users can be done programmatic, but it is a fairly involved process requiring walking each object in the FARM and looking for the user entries. There are 3rd party products that do this, but I don't normally recommend using them since you are destroying the history of the user in the system.
My normal recommendation is to deactivate users in AD, but let them stay in SharePoint. Once deactivated they won't be able to login, but history of their usage of the system will remain intact.
The users deleted from AD certainly still exist in the SharePoint SSP user profiles. Suggested is to run a full import of user profiles. The first full import (after the users are deleted) will make them inactive. After the 3rd full import they will disappear completely.
3. Security Access in SharePoint is dependent on the AD identity or an AD group of which the user is a member being added as a SharePoint user. Or the user or group may be added directly to a SharePoint group. This will allow the user to gain access to SharePoint resources.
4. If the access is through group membership then the user's identity will only be added to SharePoint when the user logs in and submits something to a document library or list. This adds their identity as a user, but doesn't directly re-associate them with specific rights. The rights are still gained through group membership. But they would now show up in the People and Groups
list.
5. If the user's account is deactivated or deleted in AD their account in SharePoint is NOT deleted, but they won't be able to use it to access SharePoint anymore because AD won't be able to authenticate them so they'll never get to Authorization. If deactivated, you will still be able to click on their name attached to documents or list items and see their profile. If deleted clicking on these items will normally lead to an error page because the profile isn't there anymore.
6. Removing SharePoint users can be done programmatic, but it is a fairly involved process requiring walking each object in the FARM and looking for the user entries. There are 3rd party products that do this, but I don't normally recommend using them since you are destroying the history of the user in the system.
My normal recommendation is to deactivate users in AD, but let them stay in SharePoint. Once deactivated they won't be able to login, but history of their usage of the system will remain intact.
The users deleted from AD certainly still exist in the SharePoint SSP user profiles. Suggested is to run a full import of user profiles. The first full import (after the users are deleted) will make them inactive. After the 3rd full import they will disappear completely.
To run a full import of users profiles go to Central Admin > Click your Shared Service Provider under Shared services administration > User profiles and properties, under user profiles and mysite section > Start full import. You must grant yourself the right to manage user profiles: Under user profiles and mysite section, click Personalization services permissions > Select manage user profiles.
If you have
any queries/questions regarding the above mentioned information then please let
me know.
I would be
more than happy to help you as well as resolves your issues, Thank you.
No comments:
Post a Comment