Setting SharePoint Workspace user verification policy
Applies to: SharePoint Workspace 2010, Groove Server 2010
Topic Last Modified: 2010-02-11
This article describes how to set a policy that prevents domain members from successful SharePoint Workspace logon unless their Windows operating system logon credentials were issued by specific Active Directory forests. Because specified forests can be those that you manage, this policy helps ensure that accounts and related workspace data function only with operating system logons that comply with password quality requirements managed by your organization.
These procedures require that Groove Server 2010 Manager is installed as described in Deployment for Groove Server 2010.
You can set a security policy in Groove Server Manager that specifies how SharePoint Workspace handles domain member communication with unknown contacts.
For guidance about how to manage domain member interaction with unknown SharePoint Workspace contacts, see Managing user interaction with unknown identities.

To set SharePoint Workspace user verification policy

1. Log on to the Groove Server Manager administrative Web site, expand Policies, and then click Default or another policy template.
2. Click the Security Policies tab, and under User Verification Policy, select a user verification policy, using the following table for guidance, and then click Save Changes in the toolbar.
| Policy setting | Description |
|---|---|
| Do not warn or restrict members when communicating with any contacts. | Specifies that SharePoint Workspace will not display warnings prior to communication with unverified identities. |
| Warn member before communicating with contacts that have been neither administrator-certified nor manually verified by the member. | Specifies that SharePoint Workspace will display a Verify Identity pop-up window, prompting users to verify an unknown identity before they try to communicate with that identity. |
| Only allow members to communicate with administrator-certified contacts. | Specifies that SharePoint Workspace will allow communications among administrator-certified identities only. Administrator-certified identities include fellow domain members and members of any cross-certified domains. |

For information about cross-certifying a domain, see Cross-certifying Groove Server Manager domains.
After SharePoint Workspace clients receive this policy from Groove Server Manager, they will handle contacts in domain member workspaces as required by the policy. This policy applies to domain members who are subject to this policy template. For information about assigning policy templates to domain members, see Deploying policies to SharePoint Workspace users.
SharePoint Workspace contact lists can include workspace identities that are unknown to a domain member. Groove Server Manager provides a policy to help minimize security risks from domain member interaction with unknown workspace contacts. The policy lets you define how SharePoint Workspace warns of or prevents communication with identities that have not been verified by the domain member or certified by a domain administrator. The default setting for this policy is to allow domain members to communicate with any contacts. Tightening this policy helps create a more secure environment for collaboration in your organization. The Manager user verification policy overrides related settings on the SharePoint Workspace client.
For this discussion, an unknown identity is a SharePoint Workspace identity that has not been personally verified or administrator-certified. You can set a policy that requires SharePoint Workspace to intercept member attempts to communicate with unknown identities as follows:
- Display a warning to domain members when they attempt to communicate with an unknown identity. The warning encourages members to verify the identity personally, and then to mark the identity as verified (usually distinguished in SharePoint Workspace by color). Members can verify other identities using any of the following methods:
  - Authenticating the user identity by confirming the identity's digital fingerprint.
  - Checking the identity's membership in familiar workspaces.
  - Contacting the user by telephone or otherwise verifying the identity outside of SharePoint Workspace.
- Allow domain members to communicate only with administrator-certified contacts - those who are certified members of their domain or of a cross-certified domain.

The warning or prevention policy goes into effect when a domain member tries one of the actions listed in the following table:
| User Action | Identity Security Policy Effect |
|---|---|
| Sending an instant message or workspace (.grv) invitation (including light chat and MS Instant Messages), or replying to or forwarding an instant message. | Policy enacted when domain members attempt to send a Groove workspace message or invitation to recipients who are unverified or uncertified. |
| Confirming workspace invitations. | Policy enacted when domain members accept a Groove workspace invitation sent from a contact whose identity is unverified and uncertified. |
| Opening a workspace. | Appears to domain members when they attempt to open a workspace that contains Groove workspace contacts whose identities are unverified and uncertified. |
| Creating a workspace. | Appears to domain members when they are about to send a SharePoint Workspace invitation (.grv file) to contacts whose identities are unverified and uncertified. |
| Fetching a workspace. | Appears to domain members when they attempt to fetch a workspace from SharePoint Workspace contacts whose identities are unverified and uncertified. |