Track or block SharePoint Server 2010 installations


Applies to: SharePoint Server 2010

Because deployments of Microsoft SharePoint 2010 Products are managed at the farm level, a single SharePoint deployment has no information about other SharePoint deployments that might exist in the same enterprise. Administrators need that information to manage and control all deployments in the enterprise: for example, to know whether a deployment was configured according to organizational requirements, or how many unauthorized deployments exist. SharePoint 2010 Products provide the ability to block installations of Microsoft SharePoint Server 2010 by policy and to track the farms that are installed.


Block installations

If you want to block users from installing SharePoint Server 2010 and related products, set the following registry value by using Group Policy in Active Directory Domain Services (AD DS):

HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint

To block installations, create the DWORD value DisableInstall under this key and set it to 1 (0x00000001).

When this registry key is set, users who try to install SharePoint Server 2010 receive the following error message:

SharePoint installation is blocked in your organization. Please contact your network administrator for more details.

To set a registry value by using Group Policy, you can use an .admx file in Windows Server 2008 or a Windows PowerShell cmdlet in Windows Server 2008 R2. For more information about how to set registry values by using group policies in Windows Server 2008, see Group Policy ADMX Syntax Reference Guide (https://go.microsoft.com/fwlink/p/?LinkId=194348). For more information about how to set registry values by using group policies in Windows Server 2008 R2, see Set a registry key value from the command line using Group Policy PowerShell cmdlets (https://go.microsoft.com/fwlink/p/?LinkId=194345). For general information about group policies, see Group Policy (https://go.microsoft.com/fwlink/p/?LinkID=177635) on TechNet. Because the block is a policy value that Setup reads from the local registry, it applies only to computers that actually receive the Group Policy object; treat it as an administrative control rather than a security boundary, and keep the tracking described below in place as well.
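The following is an added example, not code from the original article: it creates the Group Policy object that carries the DisableInstall value, links it, and then audits a list of servers to confirm the value is actually in effect on each one. It needs the GroupPolicy and ActiveDirectory RSAT modules and rights to create and link GPOs. The GPO name, the target OU and the server names are assumed placeholders.

```powershell
# Added example, not from the original article: create and link a GPO that
# sets the DisableInstall policy value, then audit servers to confirm the
# value is applied. Needs the GroupPolicy and ActiveDirectory RSAT modules.
# Assumed placeholders: the GPO name, the target OU, and the server names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Block SharePoint 2010 Setup'             # assumed
$TargetOu = 'OU=Member Servers,DC=contoso,DC=com'     # assumed
$Key      = 'HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'

# 1. Create the GPO if needed and write the policy value (DWORD DisableInstall = 1).
try   { $null = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { New-GPO -Name $GpoName -Comment 'Blocks SharePoint Server 2010 Setup (DisableInstall=1)' | Out-Null }
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DisableInstall' -Type DWord -Value 1 | Out-Null

# 2. Link the GPO to the OU that holds the servers, unless it is already linked.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 3. Read back what the GPO now contains.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DisableInstall' |
    Select-Object KeyPath, ValueName, Type, Value

# 4. Audit the effective value on each server. A server that reports $null or 0
#    has not received the policy (wrong OU, blocked inheritance, no gpupdate yet)
#    and can still run Setup.
$Servers = 'SP-WFE01', 'SP-APP01'                     # assumed host names
$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $path = 'HKLM:\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'
    $item = Get-ItemProperty -Path $path -Name DisableInstall -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DisableInstall = if ($item) { $item.DisableInstall } else { $null }
        Blocked        = [bool]($item -and $item.DisableInstall -eq 1)
    }
}
$audit | Format-Table Computer, DisableInstall, Blocked -AutoSize
```

Step 4 is the part worth keeping as a scheduled check: the GPO can be correct and still not reach a server that sits outside the linked OU or has inheritance blocked, and Setup on that server is not blocked.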

Track installations

An Active Directory Domain Services (AD DS) marker, a service connection point (SCP) object, identifies the SharePoint 2010 Products farms in an organization. To use this marker, create a container in AD DS and set the permissions on the container before you install any SharePoint 2010 Products in the environment. Then, when you or another user in your domain runs the SharePoint Products Configuration Wizard as part of installing SharePoint Server 2010, the wizard creates the marker in the current domain, and you can track it by querying AD DS. The marker is written to the current domain only, so you must create the container in each domain in your organization if you want to track installations in all domains. The marker is removed from AD DS when the last server is removed from a farm. You can also set the marker by using Windows PowerShell. The marker contains the URL for the Application Discovery and Load Balancer Service (also known as the topology service application) for the server farm.

You have to grant permission to write to this container to every user account or domain account that could run the SharePoint Products Configuration Wizard. If the account does not have permission to write to this container, the marker is not created and the following warning appears in the log file for the SharePoint Products Configuration Wizard:

Failed to add the service connection point for this farm

Unable to create a Service Connection Point in the current Active Directory domain. Verify that the SharePoint container exists in the current domain and that you have rights to write to it.

To create the container in Active Directory and set the permissions, you can use Active Directory Service Interfaces (ADSI) Edit.

To create a service connection point container to track installations

  1. On the domain controller, click Start, point to Administrative Tools, and then click ADSI Edit, or use a remote administration tool to connect to ADSI Edit from another computer.

  2. On the Action menu, click Connect to, and connect to the domain that you want to use.

  3. In the console tree, expand the connection, expand the domain name, and then click CN=System.

  4. In the details pane, right-click in the white area, click New, and then click Object.

  5. In the Create Object dialog box, in the Select a class box, click container and then click Next.

  6. In the Value box, type Microsoft SharePoint Products as the container name, and then click Next.

    This is the default name.

    Note

    You can use other names. However, if you do use other names, you must create a Group Policy for the domain computers to set a string value ContainerDistinguishedName under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SharePoint. This makes it possible for the SharePoint Products Configuration Wizard to detect the new name.

  7. Click Finish.

    The container is created.

  8. Right click the container (CN=Microsoft SharePoint Products), and then click Properties.

  9. On the Security tab, click Add.

  10. In the Select Users, Computers, Service Accounts, or Groups box, add the users that you want to write to this container, and then click OK.

    Note that if a user who cannot write to this container installs SharePoint Server 2010, no marker is created for that farm. Granting Authenticated Users this permission lets you track every installation, at the cost of letting any domain account create serviceConnectionPoint objects in the container; if you choose that, treat the markers as an inventory to be verified rather than as an authoritative list.

  11. In the Group or user names box, select the names that you previously added, and then under the Permissions box, click Advanced.

  12. In the Permission entries box, select the names that you previously added, and then click Edit.

  13. In the Permission Entry for Microsoft SharePoint Products dialog box, in the Permissions box, select the Allow check box for Create serviceConnectionPoint objects, and then click OK.
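The same container and permission entry can be created from Windows PowerShell instead of ADSI Edit. The following is an added example, not code from the original article: it creates the container under CN=System if it is missing, looks up the schema GUID of the serviceConnectionPoint class so that the access control entry grants Create serviceConnectionPoint objects and nothing broader, and applies it. It needs the ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl) and an account that can create objects under CN=System. The grantee group name is an assumed placeholder.

```powershell
# Added example, not from the original article: create the tracking container
# and grant "Create serviceConnectionPoint objects" on it, the same result as
# the ADSI Edit procedure. Requires the ActiveDirectory module.
# Assumed placeholder: the grantee group name.
Import-Module ActiveDirectory

$domainDn      = (Get-ADDomain).DistinguishedName             # e.g. DC=contoso,DC=com
$containerName = 'Microsoft SharePoint Products'              # default name the wizard looks for
$containerDn   = "CN=$containerName,CN=System,$domainDn"
$grantee       = 'CONTOSO\SharePoint Installers'              # assumed group
# To track every installation instead, use 'NT AUTHORITY\Authenticated Users'
# and accept that any domain account can then create markers in the container.

# 1. Create the container if it does not exist yet.
try   { $container = Get-ADObject -Identity $containerDn }
catch { $container = New-ADObject -Name $containerName -Type container -Path "CN=System,$domainDn" -PassThru }

# 2. Look up the schema GUID of serviceConnectionPoint instead of hard-coding it,
#    so the ACE is object-specific: CreateChild limited to that class only.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$scpClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID
$scpGuid  = [guid]$scpClass.schemaIDGUID

# 3. Add the ACE: Allow <grantee> CreateChild of serviceConnectionPoint, this object only.
$acl      = Get-Acl -Path "AD:\$containerDn"
$identity = New-Object System.Security.Principal.NTAccount($grantee)
$ace      = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $scpGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 4. Only if you used a name other than the default: point Setup at the container
#    through the ContainerDistinguishedName policy value described in the note above.
#    (Uncomment and supply a GPO name of your own.)
# Set-GPRegistryValue -Name 'SharePoint SCP Container' -Key 'HKLM\SOFTWARE\Policies\Microsoft\SharePoint' `
#     -ValueName ContainerDistinguishedName -Type String -Value $containerDn

# 5. Show the resulting object-specific ACE for review.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $_.ObjectType -eq $scpGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The lookup in step 2 matters: granting the grantee generic CreateChild or Write on the container would let it create any object class there, while the object-specific entry limits it to exactly what the wizard needs.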

To validate this process, install and provision a new SharePoint farm in the environment, and check whether the service connection point was created. If everything works, a new object whose name is a GUID appears under the Microsoft SharePoint Products container. Right-click the object, and then click Properties. The URL for the server farm's Application Discovery and Load Balancer Service is listed in the object's serviceBindingInformation attribute.

A script is available that lists all the SharePoint 2010 Products server names in a domain. To get the script, see List all SharePoint 2010 boxes in a domain by checking AD Marker in the Script Center.
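The following is an added example, not the Script Center script referred to above and not code from the original article: it enumerates the serviceConnectionPoint markers under the tracking container and reports, per farm, the stored binding, the server name taken from it, and when the marker was created and last changed. It needs the ActiveDirectory module. It assumes the container uses the default name, and it treats the binding as a URL only when it parses as one, because Set-SPFarmConfig lets an administrator store any string in the marker.

```powershell
# Added example, not from the original article: list the farm markers in the
# tracking container of one domain. Requires the ActiveDirectory module.
# Assumption: the container has the default name; pass -ContainerName otherwise.
Import-Module ActiveDirectory

function Get-SharePointFarmMarkers {
    param(
        [string]$ContainerName = 'Microsoft SharePoint Products',
        [string]$Server                      # optional domain or DC name, to query another domain
    )
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    $domainDn    = (Get-ADDomain @adArgs).DistinguishedName
    $containerDn = "CN=$ContainerName,CN=System,$domainDn"

    Get-ADObject @adArgs -SearchBase $containerDn -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                 -Properties serviceBindingInformation, whenCreated, whenChanged |
    ForEach-Object {
        # serviceBindingInformation is multi-valued; the wizard writes one value.
        $binding  = @($_.serviceBindingInformation)[0]
        $uri      = $null
        $hostName = $null
        if ([uri]::TryCreate($binding, [System.UriKind]::Absolute, [ref]$uri)) { $hostName = $uri.Host }
        [pscustomobject]@{
            Domain      = $domainDn
            FarmMarker  = $_.Name            # a GUID; one object per farm
            Binding     = $binding
            ServerName  = $hostName          # $null when the stored value is not a URL
            Created     = $_.whenCreated
            LastChanged = $_.whenChanged
        }
    }
}

# Current domain; run again with -Server for each additional domain you track,
# since the wizard writes the marker only to the current domain.
Get-SharePointFarmMarkers | Sort-Object Created | Format-Table -AutoSize
```

A marker whose binding is not a URL, or whose host name is not a server you know, is the case to follow up on: either an administrator stored a custom string with Set-SPFarmConfig, or, if you granted Authenticated Users create rights on the container, something other than the wizard wrote it.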

Use the following procedure to add or update the service connection point for the current farm in AD DS.

To set a service connection point in AD DS by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command.

    Set-SPFarmConfig -ServiceConnectionPointBindingInformation StringwithBindingInformation
    

    Where:

    • StringwithBindingInformation is usually the URL for the Application Discovery and Load Balancer Service. The parameter accepts any valid string, so you can store a different value, such as the URL for Central Administration, instead; whatever you store is what anyone querying the marker in AD DS will see.

      To get the URL for the Application Discovery and Load Balancer Service, run the following command.

      Get-SPTopologyServiceApplication | select URI
      

      This returns the URL for the Application Discovery and Load Balancer Service. For more information, see Get-SPTopologyServiceApplication.

  6. When asked to confirm this action, type Y.

For more information, see Set-SPFarmConfig.

Use the following procedure to delete the service connection point for the current farm in AD DS.

To delete a service connection point in AD DS by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command.

    Set-SPFarmConfig -ServiceConnectionPointDelete 
    
  6. When asked to confirm this action, type Y.

For more information, see Set-SPFarmConfig.

Use the following procedure to determine the service connection point information for the current farm in AD DS.

To find the service connection point for a farm by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command.

    Get-SPFarmConfig -ServiceConnectionPoint 
    

For more information, see Get-SPFarmConfig.
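The three procedures above combine naturally into one check that can be run on a farm server after installation or as part of routine maintenance. The following is an added example, not code from the original article: it runs in the SharePoint 2010 Management Shell under an account granted access with Add-SPShellAdmin, reads the marker the farm has in AD DS, compares it with the current topology service URL, and re-registers it when it is missing or stale. It assumes that Get-SPFarmConfig -ServiceConnectionPoint returns the stored binding string (and nothing when no marker exists); confirm that on your farm before relying on the comparison.

```powershell
# Added example, not from the original article: reconcile this farm's service
# connection point in AD DS with its topology service URL.
# Run in the SharePoint 2010 Management Shell (or any shell with the snap-in).
# Assumption: Get-SPFarmConfig -ServiceConnectionPoint returns the binding
# string, or nothing when no marker exists.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Sync-SPServiceConnectionPoint {
    param([switch]$WhatIf)

    # What the marker should contain (the procedure's Get-SPTopologyServiceApplication step).
    $expected = (Get-SPTopologyServiceApplication).Uri.AbsoluteUri
    # What AD DS currently holds for this farm.
    $current  = ([string](Get-SPFarmConfig -ServiceConnectionPoint)).Trim()

    if ($current -eq $expected) {
        Write-Output "Marker is current: $current"
        return $true
    }
    if (-not $current) {
        Write-Warning 'No service connection point found in AD DS for this farm.'
    } else {
        Write-Warning "Stale marker '$current'; topology service is '$expected'."
    }
    if ($WhatIf) {
        Write-Output "Would set marker to $expected"
        return $false
    }

    # Set-SPFarmConfig both adds and updates the marker; -Confirm:$false replaces
    # the interactive Y prompt. This fails if the account that runs it cannot
    # write to the tracking container (the same condition as the wizard warning).
    Set-SPFarmConfig -ServiceConnectionPointBindingInformation $expected -Confirm:$false
    $after = ([string](Get-SPFarmConfig -ServiceConnectionPoint)).Trim()
    Write-Output "Marker now: $after"
    return ($after -eq $expected)
}

# Report only; drop -WhatIf to repair.
Sync-SPServiceConnectionPoint -WhatIf
```

When a farm is decommissioned, the marker is removed with the last server, as noted above; if a farm's AD DS object is being cleaned up by other means first, run the delete procedure (Set-SPFarmConfig -ServiceConnectionPointDelete) so that the tracking container does not keep a marker for a farm that no longer exists.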

See Also

Other Resources

Resource Center: Governance in SharePoint Server 2010