I’ve posed this question in an email to our AD administrator but I thought I would also post here in case someone else has experience with this issue.
I work in higher education. We are about to launch a campus-wide Intranet with SP13. Because of licensing issues, only faculty, staff, and student workers will be able to log onto the Intranet (until we get licensing to include students). Is there anything in AD that would differentiate a student from a student worker from faculty and staff we could use for authentication purposes?
This may be a question only our AD administrator can answer, as this may be unique to each institution, but conceptually, would the best approach be to create a custom field?
Darrell,
You should talk to your AD Admin about using an extended attribute in Active Directory – simply set a 0 for one category and 1 for another. For the SharePoint Profile's sake it can be added as an attribute for replication, and this can be used to create filter rules.
But how would we give permission to student workers and not students?
Additionally, we will need to set this as a web app policy. Individual colleges will be given control over their own site collections. Our central IT administration can dictate a policy that students aren’t allowed, but the individual site collection administrators could easily ignore that policy, which is why we would like to control it at the web app level.
One idea I suggested to our AD admins is to create a new “employee” security group. We could write a PowerShell script to bulk move employees to this group, then we could authenticate against this group. What do you think of that idea? Any drawbacks?
OK – so if you are using a ‘deny’ somewhere – that suggests that you have ‘authenticated users’ allowed somewhere – i.e., users are allowed by default, unless denied?
In which case, a possible answer is to use positive authorisation – i.e., remove ‘authenticated users’ completely, and give the equivalent permissions to ‘intranet users’ instead.
However, you would be best to do this at the site collection level – rather than a web app policy – in case you end up with service accounts losing permissions due to removal of ‘authenticated users’ at that level.
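The positive-authorisation approach from the reply above, as an added example that is not code from anyone in this thread: it walks every site collection in a web application, removes the ‘Authenticated Users’ grant (from SharePoint groups and from any web with unique permissions) and gives the same read access to an explicit AD group instead. The web application policies are not touched, so accounts that rely on them (the search crawl account's Full Read, for example) keep working. The web application URL and the group name CONTOSO\Intranet-Users are assumptions.

```powershell
# Added example (not from the thread). Site-collection level allow-list:
# replace 'Authenticated Users' with an explicit AD security group.
# Assumed: web app https://intranet.example.edu, group CONTOSO\Intranet-Users.
# Run from the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "https://intranet.example.edu"   # assumption
$intranetGrp = "CONTOSO\Intranet-Users"          # assumption

# In a claims-mode web app 'NT AUTHORITY\Authenticated Users' is stored as this claim.
$authUsersClaim = "c:0(.s|true"

foreach ($site in Get-SPSite -WebApplication $webAppUrl -Limit All) {
    try {
        $root = $site.RootWeb

        # 1. SharePoint groups are site-collection wide; Visitors is where
        #    'Authenticated Users' usually ends up. Materialise with @() before removing.
        foreach ($spGroup in @($root.SiteGroups)) {
            $hits = @($spGroup.Users | Where-Object { $_.LoginName -eq $authUsersClaim })
            foreach ($u in $hits) {
                $spGroup.RemoveUser($u)
                Write-Host "$($site.Url): removed Authenticated Users from '$($spGroup.Name)'"
            }
        }

        # 2. Direct grants can exist on any web that broke permission inheritance.
        foreach ($web in $site.AllWebs) {
            if ($web.HasUniqueRoleAssignments) {
                $direct = @($web.RoleAssignments | Where-Object { $_.Member.LoginName -eq $authUsersClaim })
                foreach ($ra in $direct) {
                    $web.RoleAssignments.Remove($ra.Member)
                    Write-Host "$($web.Url): removed direct grant for Authenticated Users"
                }
            }
            $web.Dispose()
        }

        # 3. Grant the equivalent read access to the explicit AD group via Visitors.
        $visitors = $root.AssociatedVisitorGroup
        if ($visitors -ne $null) {
            $principal = $root.EnsureUser($intranetGrp)
            if (-not ($visitors.Users | Where-Object { $_.ID -eq $principal.ID })) {
                $visitors.AddUser($principal)
                Write-Host "$($site.Url): added $intranetGrp to '$($visitors.Name)'"
            }
        }
    }
    finally {
        $site.Dispose()
    }
}
```

Run it once with the `RemoveUser`/`Remove` calls commented out to get a report of where ‘Authenticated Users’ is actually granted before changing anything, and re-run it after new site collections are created, since site collection administrators can add ‘Authenticated Users’ back at any time.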
Yes, we have it set up that way. The complication comes with the students who are student workers. If we deny all students, that will deny the student workers. Students are assigned to an OU when they become student workers, but OUs are not a security principal and can’t be used for authorization.
Why not just have all the staff in an AD security group, and all the students in another?
Then in SharePoint, you can either drop the relevant AD groups into your members / visitors groups, or set a web app policy along similar lines?
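The group-based approach from this reply, combined with the bulk PowerShell population Darrell proposed earlier and the student-worker OU he mentioned, as an added example that is not code from anyone in this thread. The key point is that a SharePoint web application Deny policy overrides every Allow, so a Deny on “all students” would also lock out student workers; the script therefore computes the deny group as students minus employees, keeps both groups in sync on each run, and only then binds the Deny All policy. The attribute name employeeType and its values, the OU paths, the group names and the web application URL are all assumptions.

```powershell
# Added example (not from the thread). Build and sync the AD groups, then
# enforce access at the web app level without denying student workers.
# Assumptions: employeeType holds Faculty / Staff / Student; student workers
# live under the OU below; groups are created in $groupOU; domain CONTOSO.
# Needs RSAT-AD-PowerShell and the SharePoint snap-in; run as a farm admin.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl       = "https://intranet.example.edu"                         # assumption
$netbios         = "CONTOSO"                                               # assumption
$groupOU         = "OU=Groups,DC=contoso,DC=edu"                           # assumption
$studentWorkerOU = "OU=Student Workers,OU=Students,DC=contoso,DC=edu"      # assumption
$empGroup        = "Intranet-Employees"
$denyGroup       = "Intranet-Students-Only"

# Create the groups if they do not exist yet.
foreach ($g in $empGroup, $denyGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}

function Sync-GroupMembers {
    # Make $GroupName contain exactly $DesiredDNs: add the missing, remove the stale.
    # Reads the member attribute rather than Get-ADGroupMember to avoid its size limit.
    param([string]$GroupName, [string[]]$DesiredDNs)
    $current  = @((Get-ADGroup -Identity $GroupName -Properties member).member)
    $toAdd    = @($DesiredDNs | Where-Object { $current -notcontains $_ })
    $toRemove = @($current    | Where-Object { $DesiredDNs -notcontains $_ })
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    Write-Host ("{0}: +{1} -{2}" -f $GroupName, $toAdd.Count, $toRemove.Count)
}

# Employees = faculty and staff by attribute, plus everyone in the student worker OU.
$facStaff = Get-ADUser -Filter "Enabled -eq 'True' -and (employeeType -eq 'Faculty' -or employeeType -eq 'Staff')"
$workers  = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $studentWorkerOU -SearchScope Subtree
$employeeDNs = @(@($facStaff) + @($workers) | Select-Object -ExpandProperty DistinguishedName | Sort-Object -Unique)

# Deny group = students who are NOT employees, so a student worker is never in it.
$students = Get-ADUser -Filter "Enabled -eq 'True' -and employeeType -eq 'Student'"
$studentOnlyDNs = @($students |
    Where-Object { $employeeDNs -notcontains $_.DistinguishedName } |
    Select-Object -ExpandProperty DistinguishedName)

Sync-GroupMembers -GroupName $empGroup  -DesiredDNs $employeeDNs
Sync-GroupMembers -GroupName $denyGroup -DesiredDNs $studentOnlyDNs

function Set-DenyAllPolicy {
    # Bind a Deny All user policy for a Windows group on the web app's default zone.
    param([string]$WebAppUrl, [string]$GroupLogin, [string]$DisplayName)
    $webApp = Get-SPWebApplication $WebAppUrl
    $claim  = New-SPClaimsPrincipal -Identity $GroupLogin -IdentityType WindowsSecurityGroupName
    $login  = $claim.ToEncodedString()
    if (-not ($webApp.Policies | Where-Object { $_.UserName -eq $login })) {
        $policy  = $webApp.Policies.Add($login, $DisplayName)
        $denyAll = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
        $policy.PolicyRoleBindings.Add($denyAll)
        $webApp.Update()
        Write-Host "Deny All policy added for $GroupLogin on $WebAppUrl"
    }
}

Set-DenyAllPolicy -WebAppUrl $webAppUrl -GroupLogin "$netbios\$denyGroup" `
                  -DisplayName "Students without an employee role (Deny All)"
```

Schedule the sync part as a daily task so that a student who becomes (or stops being) a student worker moves between the groups automatically; a Deny policy is only as good as the membership behind it. Group changes take effect when the user's token is next refreshed, not at the moment of the AD update. The Deny All policy is the central control asked for earlier in the thread: individual site collection administrators can grant whatever they like, and members of the deny group are still blocked.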