Hi all

Let's say I have 2 AD security groups: "Access to SharePoint" and "Access to Archive". How do I set the security in this way on a SPWeb that only people who are member of both groups, are allowed access?

Is this possible with out of the box AD tools?

Thanks!

A: 

I am making the assumption that you are using SharePoint 2007. With that being said, it's best practice to only apply security at the site collection level. Everything under the site collection level should inherit that security [e.g. sites, lists, libraries, items, documents].

EDIT:

*@OedipusPrime brought up a good point that I overlooked in my original answer. The best thing I can think of now to ensure a SharePoint group only allows users that are comprised of two different Active Directory groups would require a custom script that would need to be run on a regular basis (at least daily I would assume).

You'd still create a new Active Directory group, but you'd populate the group with a C# console application that would query Active Directory and determine which users were in both Active Directory groups ("Access to SharePoint" & "Access to Archive"), then programmatically assign those users into the new Active Directory group ("Restricted Site Access") and remove any users that were no longer in both groups. Not the best option, but the best I can think of for now if you're not able to manually control the Active Directory group access. This link provides some useful samples for C# / Active Directory interactions: http://www.codeproject.com/KB/system/everythingInAD.aspx*

After this new Active Directory group is created you can add the group to your SharePoint site and provide the permission level the group will have to the site.

  1. Site Actions -> Site Settings -> Advanced Permissions -> New -> Add Users
  2. Type in the Active Directory group you created
  3. Select Give users permission directly
  4. Choose the permission level
  5. Uncheck the box to send an email
  6. Click OK

Robert Williams
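A sketch of the scheduled sync the answer describes, written here as an added example (not the answerer's code nor the linked CodeProject sample): it resolves the members of "Access to SharePoint" and "Access to Archive", keeps only those present in both, and reconciles "Restricted Site Access" to exactly that set, adding and removing as needed. It assumes the app runs on a domain-joined machine under an account allowed to modify the target group; the `Plan` and `MemberSids` helper names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

// Added example, not the original answer's or the linked article's code.
// Reconciles a target AD group to the intersection of two source groups so the
// target can be granted a permission level on the SharePoint site.
static class GroupIntersectionSync
{
    // Pure reconciliation logic, kept separate from AD so it can be unit-tested:
    // returns the SIDs to add to and remove from the target group.
    public static (HashSet<string> ToAdd, HashSet<string> ToRemove) Plan(
        IEnumerable<string> groupA, IEnumerable<string> groupB, IEnumerable<string> target)
    {
        var desired = new HashSet<string>(groupA, StringComparer.OrdinalIgnoreCase);
        desired.IntersectWith(groupB);                       // members of BOTH groups
        var current = new HashSet<string>(target, StringComparer.OrdinalIgnoreCase);
        var toAdd = new HashSet<string>(desired.Except(current), StringComparer.OrdinalIgnoreCase);
        var toRemove = new HashSet<string>(current.Except(desired), StringComparer.OrdinalIgnoreCase);
        return (toAdd, toRemove);
    }

    // SIDs are used as keys because SamAccountName can be renamed. Sources are
    // expanded recursively (nested groups); the target is read non-recursively
    // because this script only manages its direct members.
    static HashSet<string> MemberSids(PrincipalContext ctx, string groupName, bool recursive)
    {
        using var group = GroupPrincipal.FindByIdentity(ctx, groupName)
            ?? throw new InvalidOperationException($"Group not found: {groupName}");
        return group.GetMembers(recursive)
            .OfType<UserPrincipal>()
            .Select(u => u.Sid.Value)
            .ToHashSet(StringComparer.OrdinalIgnoreCase);
    }

    static void Main()
    {
        using var ctx = new PrincipalContext(ContextType.Domain);   // assumption: current domain
        var (toAdd, toRemove) = Plan(
            MemberSids(ctx, "Access to SharePoint", recursive: true),
            MemberSids(ctx, "Access to Archive", recursive: true),
            MemberSids(ctx, "Restricted Site Access", recursive: false));
        using var target = GroupPrincipal.FindByIdentity(ctx, "Restricted Site Access");
        foreach (var sid in toAdd) target.Members.Add(ctx, IdentityType.Sid, sid);
        foreach (var sid in toRemove) target.Members.Remove(ctx, IdentityType.Sid, sid);
        target.Save();                                            // single write to AD
        Console.WriteLine($"added {toAdd.Count}, removed {toRemove.Count}");   // keep for audit logs
    }
}
```

Because `Plan` is pure, feed it constructed SID lists in a test to confirm that a user present in only one source group ends up in `ToRemove`, and schedule `Main` as the daily task the answer mentions.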
Your setup would grant access to people who were in EITHER group, not both, just like adding them both directly to a SharePoint group would.
OedipusPrime

Thank you for the answer. I was afraid that there wasn't going to be an out of the box solution for this. Although this is a very common security requirement.
Maarten Louage