Tuesday, 14 September 2010

Restrict site collection users to a specific OU using PowerShell

There may be a scenario where you might want to restrict a site collection to only permit users from a specific Organizational Unit (OU) hierarchy in Active Directory for assigning permissions. For example, I have two OUs in AD called IT Team and Accounts. IT Team contains a user called “Shaun Young” and all other users are present in the Accounts OU, as shown below:

[Screenshot: Accounts]

[Screenshot: ITTeam]

In SharePoint, I have a site collection called “IT Team” which by default allows me to add any user from Active Directory:

[Screenshot: Before command]

For this example, I want to restrict the site collection so that only members of the IT Team OU are able to be given permissions to the site collection. I can do this in PowerShell by simply typing one line:

Set-SPSite -Identity "http://portal/sites/IT Team" -UserAccountDirectoryPath "ou=IT Team,dc=pacdomain2,dc=local"

Now when I search for an account, it shows me an error if I try any account from the Accounts OU:

[Screenshot: After command]

Note that specifying an OU with this command restricts the principal picker to the whole subtree rooted at that OU, not to that single OU: users in any OU below the one you specified can still be found and added.

To restore the site collection to the default setting, run the command again with an empty string (two double quotes) for the UserAccountDirectoryPath setting, as follows:

Set-SPSite -Identity "http://portal/sites/IT Team" -UserAccountDirectoryPath ""

The functionality provided by this cmdlet mirrors that of the setsiteuseraccountdirectorypath stsadm command introduced in Office SharePoint Server 2007 SP1, which is documented in an article on TechNet. That article contains important information describing how the command behaves on new and existing site collections:

If a site collection is new and an administrator uses the setsiteuseraccountdirectorypath operation to specify a target OU, only users under the specified path can be added to the site collection and no one else can be added to the site collection.

If users have already been added to a site collection and the setsiteuseraccountdirectorypath operation is run, only users under the specified path will be able to be added going forward.

Unlike the Peoplepicker-serviceaccountdirectorypaths property where multiple OUs can be specified, only a single OU can be set at a time when the setsiteuseraccountdirectorypath operation is used. As a result, this operation should only be run once per site collection.
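Because users added before the restriction stay in the site collection, and because the path covers the whole subtree, it is worth checking which existing members fall outside it. The following is an added example, not part of the original post: the function names, the Helpdesk sub-OU and every account except Shaun Young are constructed for illustration.

```powershell
# Added example. Returns $true when a user's distinguished name (DN) lies in
# the subtree rooted at the UserAccountDirectoryPath value.
function Test-UnderDirectoryPath {
    param([string]$DistinguishedName, [string]$DirectoryPath)
    # An empty path is the default setting: no restriction applies.
    if ([string]::IsNullOrEmpty($DirectoryPath)) { return $true }
    $dn   = $DistinguishedName.Trim()
    $path = $DirectoryPath.Trim()
    if ($dn.Length -le $path.Length + 1) { return $false }
    # DN attribute names and values compare case-insensitively in AD.
    if (-not $dn.EndsWith(",$path", [StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }
    # The comma in front of the path must be a real RDN separator,
    # not an escaped "\," inside a name such as "CN=Young\, Shaun".
    $sep = $dn.Length - $path.Length - 1
    return ($dn[$sep - 1] -ne '\')
}

# Returns the records whose DN is outside the restricted subtree.
function Get-UsersOutsideDirectoryPath {
    param([object[]]$Users, [string]$DirectoryPath)
    $Users | Where-Object {
        -not (Test-UnderDirectoryPath $_.DistinguishedName $DirectoryPath)
    }
}

# Constructed sample records (PowerShell 2.0 compatible syntax).
# On a farm, LoginName would come from Get-SPUser -Web <root web> -Limit All
# and DistinguishedName from Get-ADUser for each non-group account.
$path  = 'ou=IT Team,dc=pacdomain2,dc=local'
$users = @(
    (New-Object PSObject -Property @{ LoginName = 'PACDOMAIN2\syoung'
        DistinguishedName = 'CN=Shaun Young,OU=IT Team,DC=pacdomain2,DC=local' }),
    (New-Object PSObject -Property @{ LoginName = 'PACDOMAIN2\helpdesk1'
        DistinguishedName = 'CN=Help Desk One,OU=Helpdesk,OU=IT Team,DC=pacdomain2,DC=local' }),
    (New-Object PSObject -Property @{ LoginName = 'PACDOMAIN2\acct1'
        DistinguishedName = 'CN=Accounts One,OU=Accounts,DC=pacdomain2,DC=local' })
)

# Lists the members that predate the restriction and sit outside the path.
Get-UsersOutsideDirectoryPath -Users $users -DirectoryPath $path |
    Select-Object LoginName, DistinguishedName
```

With the sample data, the sub-OU account passes the check and only the Accounts OU account is reported.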

9 comments:

  1. When I try this I can then only select members that already exist on the site. I remember reading before that you had to "activate" this ability. Do you know what is going wrong?
