Active Directory Configuration, Domain Accounts, and Anonymous Access (Windows SharePoint Services 2.0)

Deploying Microsoft Windows SharePoint Services in scalable hosting mode with Active Directory account creation depends on correct configuration of Active Directory directory service and other authentication-related settings.

Active Directory Configuration

To configure Active Directory directory service, the Internet Platform and Operations group performed the following steps:

1. Configure Domain on Active Directory Servers

The domain settings for this deployment are the following:

  • Fully Qualified Domain Name (FQDN)   STSBeta.net

  • NetBIOS Domain Name   STSBeta

  • Domain Operation Mode   Native

The domain controllers for the STSBeta domain are two servers running Windows 2000 Advanced Server SP4.

Note

When Windows SharePoint Services is deployed in scalable hosting mode with Active Directory account creation, Windows SharePoint Services creates a new Active Directory user account for every site owner and user. The Security Accounts Manager (SAM) account name is based on the user-name part of the site owner's or user's e-mail address; for someone@example.com it is someone. When multiple sites are created at the same time and successive users' e-mail addresses have the same user name, or multiple sites are created for the same user, two accounts with the same SAM account name might be created on two different domain controllers. When the two domain controllers replicate, the conflict leaves one of the two accounts unusable. To shrink the window in which this can happen, the Internet Platform and Operations group shortened the replication notification delay from the Windows 2000 defaults (300 seconds after a modification, 30 seconds between replication partners) by setting the following REG_DWORD values in the registry on both domain controllers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause after modify (secs) = 30

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause between DSAs (secs) = 5

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, back up the registry (on a domain controller, take a system state backup) and any valued data on the computer.

2. Create Organization Unit

  1. On the domain controller computer, open the Active Directory Users and Computers console.

  2. In the console tree, double-click the domain node for STSBeta.

  3. Right-click the domain node.

  4. Point to New, and then click Organizational Unit.

  5. Type SharePoint Users for the name of the organizational unit (OU).

All site owner and user accounts created by using Windows SharePoint Services will be placed in this OU.

3. Create Domain Accounts

  1. Open Active Directory Users and Computers.

  2. In the console tree, double-click the domain node for STSBeta.

  3. In the details pane, right-click the organizational unit you want to add the user to (not SharePoint Users), point to New, and then click User.

  4. In Full name, type Windows SharePoint Services Site Virtual Server Application Pool Identity.

  5. In User logon name, type STSAcct.

  6. In Password and Confirm password, type the user's password.

  7. Select the appropriate password options.

  8. Repeat steps 1 through 7 to add another user with the Full name Windows SharePoint Services Admin Site Virtual Server Application Pool Identity and the User logon name STSAdminAcct.

  9. Add STSAdminAcct to the local Administrators groups on all front-end Web servers. Do not add STSAcct.

  10. Create a SQL Server login for STSAdminAcct on each back-end server running SQL Server, and add that login to the Security Administrators (securityadmin) and Database Creators (dbcreator) fixed server roles.

    Note

    Make these two accounts members of the Domain Users group only; do not add them to any other domain group.

    Note

    Do not place the two accounts in the SharePoint Users OU. Both accounts are delegated control of that OU (see step 4), including the right to reset passwords of user objects in it. If either account lived in the OU, the other could reset its password, and a compromise of the less privileged, Internet-facing STSAcct would then lead to STSAdminAcct, which is a local administrator on the front-end Web servers and a security administrator on SQL Server.

4. Delegate Control of OU to Domain Accounts

  1. Open Active Directory Users and Computers.

  2. In the console tree, double-click the STSBeta domain node.

  3. In the details pane, right-click the SharePoint Users organizational unit, and then click Delegate control to start the Delegation of Control Wizard.

  4. Follow the instructions in the Delegation of Control Wizard to delegate the following tasks to the STSAcct and STSAdminAcct accounts:

    • Create, delete, and manage user accounts

    • Reset passwords on user accounts

    • Read all user information

  5. To verify the permissions granted to the two accounts, do the following:

    • In the Active Directory Users and Computers console, on the View menu, click Advanced Features.

    • Right-click the SharePoint Users OU, and then click Properties to open the Properties dialog box.

    • Click the Security tab.

    • Click an account name, or click Advanced, to review the assigned permissions.
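Steps 1 to 4, as an added PowerShell example that is not part of the original article. It assumes a domain controller running Windows Server 2008 R2 or later with the ActiveDirectory module (RSAT), a Domain Admin session, an OU named Service Accounts for the two application pool identities (the article says only that they must not go in SharePoint Users), and dsacls.exe for the delegation, with the wizard's three tasks expressed as its permission codes. The commands for the front-end and SQL Server tiers (steps 3.9 and 3.10) appear as comments because they run on those servers, not on the domain controller, and assume Windows Server 2016 and SQL Server 2012 or later syntax.

```powershell
# Added example, not from the original article. Assumptions: Windows Server 2008 R2 or
# later DC with the ActiveDirectory module, run as a Domain Admin, an OU named
# "Service Accounts" for the two app-pool identities, dsacls.exe on the path.
Import-Module ActiveDirectory

$domainNB  = 'STSBeta'
$domainDN  = 'DC=STSBeta,DC=net'
$spUsersOU = "OU=SharePoint Users,$domainDN"
$svcOU     = "OU=Service Accounts,$domainDN"     # assumption: the article only says "not SharePoint Users"

# ---- Step 1 (run on every domain controller): shorten replication notification ----
# The current values are saved first so they can be restored if the extra replication
# traffic turns out to be a problem.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Get-ItemProperty -Path $ntds | Export-Clixml -Path "$env:TEMP\ntds-parameters-before.xml"
Set-ItemProperty -Path $ntds -Name 'Replicator notify pause after modify (secs)' -Type DWord -Value 30
Set-ItemProperty -Path $ntds -Name 'Replicator notify pause between DSAs (secs)'  -Type DWord -Value 5

# ---- Step 2: the OU that will hold every WSS-created site owner and user ----
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'SharePoint Users'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'SharePoint Users' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# ---- Step 3: the two application pool identities, kept out of the SharePoint Users OU ----
# The descriptive names from the article exceed the 64-character limit of an object's CN,
# so they go into DisplayName and the logon name doubles as the CN.
$identities = @(
    @{ Sam = 'STSAcct';      Display = 'Windows SharePoint Services Site Virtual Server Application Pool Identity' }
    @{ Sam = 'STSAdminAcct'; Display = 'Windows SharePoint Services Admin Site Virtual Server Application Pool Identity' }
)
foreach ($id in $identities) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($id.Sam)'") { continue }   # already exists
    $pw = Read-Host -Prompt "Password for $($id.Sam)" -AsSecureString
    New-ADUser -Name $id.Sam -SamAccountName $id.Sam -DisplayName $id.Display `
        -UserPrincipalName "$($id.Sam)@STSBeta.net" -Path $svcOU `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    # A new user is a member of Domain Users only; no other group is added, as the note requires.
}

# ---- Step 4: delegate the SharePoint Users OU to both accounts ----
# dsacls codes: CC/DC = create/delete child, GA = full control, CA = control access
# (extended right), RP = read property. /I:T = this object and descendants, /I:S = descendants only.
foreach ($sam in 'STSAcct', 'STSAdminAcct') {
    $acct = "$domainNB\$sam"
    dsacls $spUsersOU /I:T /G "${acct}:CCDC;user"               # create and delete user objects
    dsacls $spUsersOU /I:S /G "${acct}:GA;;user"                # manage (full control of) user objects
    dsacls $spUsersOU /I:S /G "${acct}:CA;Reset Password;user"  # reset passwords on user accounts
    dsacls $spUsersOU /I:S /G "${acct}:RP;;user"                # read all user information
}

# Verification (the Security tab check, as a query): the ACEs on the OU that name the
# two accounts. ObjectType and InheritedObjectType show as schema GUIDs.
(Get-Acl -Path "AD:\$spUsersOU").Access |
    Where-Object { $_.IdentityReference -like "$domainNB\STS*" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize

# ---- Steps 3.9 and 3.10 run on the other tiers, not on the domain controller ----
# On each front-end Web server (Windows Server 2016 or later): only STSAdminAcct joins
# the local Administrators group.
#   Add-LocalGroupMember -Group 'Administrators' -Member "$domainNB\STSAdminAcct"
# On each back-end SQL Server (SQL Server 2012 or later syntax):
#   sqlcmd -E -Q "CREATE LOGIN [STSBeta\STSAdminAcct] FROM WINDOWS;
#                 ALTER SERVER ROLE securityadmin ADD MEMBER [STSBeta\STSAdminAcct];
#                 ALTER SERVER ROLE dbcreator ADD MEMBER [STSBeta\STSAdminAcct];"
```

Run the Step 1 section on every domain controller, the rest once. The four dsacls grants mirror what the wizard's three tasks set: create and delete of user objects on the OU, full control over the user objects inside it, the Reset Password extended right, and read of all their properties. Keep the accounts out of the OU they are delegated over, as the notes above require.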

5. Edit Account Policy for the SharePoint Users OU (Optional)

  1. In the Active Directory Users and Computers console, on the View menu, click Advanced Features.

  2. Right-click the SharePoint Users OU, and then click Properties to open the Properties dialog box.

  3. Click the Group Policy tab, and add a new Group Policy object (GPO) linked to this OU.

  4. Configure the Password and Account Lockout policies in the GPO as shown in Table 1.

Note

In a Windows 2000 or Windows Server 2003 domain, password and account lockout settings for domain user accounts are read only from the GPO linked to the domain itself (the Default Domain Policy). A GPO linked to the SharePoint Users OU applies the settings in Table 1 only to local accounts on computers placed in that OU, not to the domain accounts that Windows SharePoint Services creates there. To enforce Table 1 on those accounts, either set the same values in the domain-level GPO, which then also applies to every other account in the domain including STSAcct and STSAdminAcct, or use a fine-grained password policy, which requires a Windows Server 2008 or later domain functional level.

Table 1. Account Policies for SharePoint Users OU

  Policy                                          Setting
  Enforce password history                        1 password remembered
  Maximum password age                            0 days (passwords never expire)
  Minimum password age                            0 days
  Minimum password length                         7 characters
  Passwords must meet complexity requirements     Enabled
  Store passwords using reversible encryption     Disabled
  Account lockout duration                        30 minutes
  Account lockout threshold                       5 invalid logon attempts
  Reset account lockout counter after             30 minutes
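The settings of Table 1 enforced on the accounts in the SharePoint Users OU with a fine-grained password policy, as an added PowerShell example that is not part of the original article and that goes beyond its Windows 2000 environment. It assumes a Windows Server 2008 or later domain functional level, the ActiveDirectory module, a Domain Admin session, and a global security group named SharePoint Users PSO Group (an assumption) that carries the policy, because a password settings object applies to users and groups, not to an OU.

```powershell
# Added example, not from the original article. Assumptions: Windows Server 2008 or
# later domain functional level, ActiveDirectory module, Domain Admin session, and a
# global security group "SharePoint Users PSO Group" as the policy subject.
Import-Module ActiveDirectory

$domainDN  = 'DC=STSBeta,DC=net'
$spUsersOU = "OU=SharePoint Users,$domainDN"
$psoName   = 'SharePoint Users Account Policy'
$groupName = 'SharePoint Users PSO Group'    # assumption: the group that ties the PSO to the accounts

$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $domainDN -PassThru
}

# Table 1 as PSO settings. "Maximum password age 0 days" means never expires; a PSO
# stores "never" as Int64.MinValue in msDS-MaximumPasswordAge, so the object is
# created with a placeholder age and the attribute is replaced right after.
$pso = @{
    Name                        = $psoName
    Precedence                  = 10                        # lowest value wins if several PSOs apply
    PasswordHistoryCount        = 1
    MaxPasswordAge              = (New-TimeSpan -Days 1)    # placeholder, replaced below
    MinPasswordAge              = [TimeSpan]::Zero
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Set-ADObject -Replace @{ 'msDS-MaximumPasswordAge' = [Int64]::MinValue }

Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Put every account currently in the OU into the group. Accounts that Windows SharePoint
# Services creates later must be added the same way, for example from a scheduled task
# that re-runs these two lines.
$users = @(Get-ADUser -SearchBase $spUsersOU -SearchScope Subtree -Filter *)
if ($users.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $users }

# Verify: the resultant policy of each account must be the PSO. An account that still
# reports "domain default" is not in the group and gets the domain-level policy instead.
Get-ADDefaultDomainPasswordPolicy | Format-List MinPasswordLength, LockoutThreshold, MaxPasswordAge
foreach ($u in $users) {
    $rsop   = Get-ADUserResultantPasswordPolicy -Identity $u
    $source = if ($rsop) { $rsop.Name } else { 'domain default' }
    '{0,-24} {1}' -f $u.SamAccountName, $source
}
```

The final loop is the check that matters: Get-ADUserResultantPasswordPolicy returns the PSO that actually governs the account, or nothing when only the domain policy applies, so it shows directly whether an account created by Windows SharePoint Services has been picked up by the group.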