Question

I have created a sync connection to my AD forest, and I'm selecting very specific OU's to sync.

This means that my forest of 6'500 users is actually only synching 360 - which is exactly what I need.

The problem however, is that I do not sync user "Joe Bloggs" with the AD import. I don't want "Joe" to be able to see my site.

However, if I go to the site and use the people picker, I can select him if I start to type in his name.

Additionally, if I put in the "Everyone" user, he can access the site as well.

How do I go about ensuring that only the OU's I've synched are able to see the site (either as users, or via the "Everyone" option)?

The reason for this, is that we have sets of users that must not have access to the portal. They are large sets of users, so adding people manually would be time consuming.

I was hoping that a specific set of OU's, combined with "Everyone" would block them out (as they are not being synched in the first place).

Edit: 29/10/2015

I have also tried this trick to restrict the people picker

    Set-SPSite -Identity "http://example.com" -UserAccountDirectoryPath "OU=UserSet,OU=Users,OU=Accounts,DC=eu,DC=foo,DC=domain,DC=COM"

This means the people picker only shows me users from Accounts > Users > UserSet.

Works perfectly, I can't add any users that I don't want - however, adding in "Everyone" still gives "Joe Bloggs" access.

I can't fathom out how I can request that only the user profile directory is used.

Was this helpful?

Solution

You can restrict OU access using the Set-SPSite cmdlet with the -UserAccountDirectoryPath param, but as with any LDAP filter this is limited to one OU.

You can change the people picker settings using PS:

    # Load the SharePoint snap-in if the session is a plain PowerShell console
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Target the web application from the question; without -Identity all web apps are returned
    $wapp = Get-SPWebApplication -Identity "http://example.com"
    # Show the current people picker settings (ActiveDirectoryCustomQuery, ActiveDirectoryCustomFilter, ...)
    $wapp.PeoplePickerSettings

This gives you access to ActiveDirectoryCustomQuery and ActiveDirectoryCustomFilter that will apply to the web app rather than the site.

Finally, you could use a variation of this solution that Stack Exchange proposed for MOSS, which will still work.
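As an added example that is not part of the answer above: the web-application-wide filter the answer refers to, followed by the check the question actually needs, because a narrower people picker only hides names and does not revoke access already granted through "Everyone". It assumes the http://example.com web application from the question and a constructed AD group DN for the synced users.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://example.com"   # web application from the question
$allowedGroupDn = "CN=PortalUsers,OU=Groups,OU=Accounts,DC=eu,DC=foo,DC=domain,DC=COM"  # constructed DN

# 1. People picker filter for the whole web application. It is an LDAP filter
#    ANDed with SharePoint's own query, so rather than listing several OUs we
#    match membership of one AD group that holds the synced users.
$wapp = Get-SPWebApplication -Identity $webAppUrl
$wapp.PeoplePickerSettings.ActiveDirectoryCustomFilter = "(memberOf=$allowedGroupDn)"
$wapp.Update()

# 2. Hiding names in the picker is not an authorization control. A principal
#    already granted via "Everyone" keeps access, so find and remove it, both
#    from direct role assignments and from SharePoint group memberships.
function Remove-EveryoneAccess {
    param([string]$SiteUrl)
    $everyoneClaim = "c:0(.s|true"     # "Everyone" in a claims-based web application
    $removed = 0
    $web = Get-SPWeb $SiteUrl
    try {
        $direct = @($web.RoleAssignments | Where-Object {
            $_.Member.LoginName -eq $everyoneClaim -or $_.Member.Name -eq "Everyone" })
        foreach ($ra in $direct) {
            $web.RoleAssignments.Remove($ra.Member)
            $removed++
        }
        foreach ($group in $web.SiteGroups) {
            $members = @($group.Users | Where-Object {
                $_.LoginName -eq $everyoneClaim -or $_.Name -eq "Everyone" })
            foreach ($u in $members) {
                $group.RemoveUser($u)
                $removed++
            }
        }
    } finally { $web.Dispose() }
    return $removed
}

$count = Remove-EveryoneAccess -SiteUrl $webAppUrl
Write-Host "Removed $count 'Everyone' grant(s) from $webAppUrl"
```

The function only inspects the root web; subsites, lists and libraries that break permission inheritance need the same pass.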

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange