Managing Users and Cross-Site Groups (Windows SharePoint Services 2.0)

Every Web site has users, and part of your job as administrator is to make sure the users of a Web site have the appropriate rights to use the site. To grant users access to a site, you must add them to the site (either individually or as part of a cross-site group) and assign them to a site group. In Microsoft Windows SharePoint Services, users and cross-site groups can be added by using one of two modes:

  • Domain account mode — Used inside organizations to grant access to users and groups with existing domain accounts

  • Active Directory account creation mode — Used by Internet service providers to create unique accounts for customers

You determine which mode to use when you first install and configure Windows SharePoint Services, and you cannot switch between modes later. Whichever mode you use, you can add users and cross-site groups to your site by using either the command-line tool or HTML Administration pages for your Web site.

Note

Mixing account modes is not supported. You must choose either domain account mode or Active Directory account creation mode. Some organizations may need to be able to manage accounts for both internal employees (in the organization’s Active Directory directory service) and external customers (not in the organization’s Active Directory directory service). In these cases, one option is to choose domain account mode, use a separate forest for the external users, and then configure the external forest to trust the internal domain for adding internal users.

About Domain Account Mode

If you are using Windows SharePoint Services inside an organization that uses Microsoft Windows domain accounts, you can use domain account mode for user and cross-site group accounts. With domain account mode, you add users and cross-site groups to your site using their existing domain account information, including their account names and e-mail addresses. And you can add Windows NT domain groups to your site, which is not possible in Active Directory account creation mode. Domain account mode is the standard mode for Windows SharePoint Services. Note that you can use Active Directory directory service to manage domain accounts — the difference between the modes is the type of account you use and when they are created, not the tool you use to manage them.

About Active Directory Account Creation Mode

If you host Web sites based on Windows SharePoint Services for customers on the World Wide Web, you can configure Windows SharePoint Services to automatically create Active Directory accounts for new users and cross-site groups. You must enable Active Directory account creation mode when you first configure Windows SharePoint Services. When you use Active Directory account creation mode, you cannot use pre-existing domain accounts; instead, new accounts are created whenever you add users.

Creating users and cross-site groups with Active Directory account creation mode is the same as creating users with domain account mode, except that you only enter the e-mail address or group name, not a domain account, when adding the user or cross-site group to a site. Windows SharePoint Services checks Active Directory to see if an account with that e-mail address or group name already exists. If the user or cross-site group already has an account in Active Directory, and the account is being added in the same site collection, then the account is used. If the user or cross-site group is new, an account is created for them in Active Directory using the Windows SharePoint Services credentials, and they are notified of their account name and password through e-mail. Accounts are not re-used across site collections. If the account was already created in one site collection, then adding the same account with the same e-mail address in another site collection results in a new account. Accounts cannot be shared across site collections.

Note

When you are in Active Directory account creation mode, there are certain administrative tasks that are unavailable in the HTML Administration pages. For example, you cannot create a top-level Web site, you cannot enable Self-Service Site Creation, and you cannot add a user to a site from the Central Administration pages. To perform these actions in Active Directory account creation mode, you must use the command line or the object model. For more information, see Using the Object Model to Manage Windows SharePoint Services 2.0.

Note

The Minimum Password Age group policy on the domain controller must be set to 0 days. Failure to do so will result in users being unable to change their passwords, unless they have administrator rights on the server. For information on setting the Minimum Password Age group policy, see Microsoft Windows 2003 Server online help.

Using HTML Administration Pages to Manage Users and Cross-site Groups

The steps for adding users and cross-site groups are the same, no matter which account mode you are using. Using either method, you can manage users and cross-site groups from the Site Settings page for your Web site.

To manage users and cross-site groups, you follow the Manage users link on the Site Settings page to the Manage Users page. By using this page, you can view a list of users and cross-site groups, check which site group a user or cross-site group is assigned to, add new users and cross-site groups, delete users and cross-site groups, or assign users and cross-site groups to site groups. When you add new users or cross-site groups, you also have the option to send an e-mail message to them, inviting them to use the site. You can even include a custom message in the invitation e-mail message. For example, you can describe your site and what it should be used for, or add a personal message to the default e-mail invitation.

Note

If you do not see the Manage users link on your Site Settings page, you are probably in a subsite that uses the permission settings of a higher-level Web site of the server or virtual server. To work with user accounts and permissions, either go to the parent-level Web site, or change to using unique permissions for the subsite. For more information about subsite permissions, see Managing Site Groups and Permissions (Windows SharePoint Services 2.0).

If you want to view which site groups a user is a member of, use the Manage Users page.

View site group membership for a user or cross-site group

  • On the Web site you want to manage, click Site Settings.

  • On the Site Settings page, under Administration, click Manage users.

    The users and cross-site groups added to the Web site and the site groups they are a member of are displayed on the Manage Users page.

From the Manage Users page, you can change which site group a user or cross-site group is a member of.

Change site group membership for a user or cross-site group

  1. On the Manage Users page, select the check box next to the user or cross-site group name you want to change.

  2. Click Edit Site Group of Selected Users.

  3. In the Site Group Membership area, select the site group you want the user or cross-site group to be a member of.

  4. Click OK.

You can also add new users and cross-site groups to your site from the Manage Users page.

Add a new user or cross-site group

  1. On the Manage Users page, click Add Users.

  2. In the Step 1: Choose Users section, specify the users that you would like to add, separated by semicolons. You can enter:

    • E-mail addresses (for example, someone@example.com)

    • User names (for example, DOMAIN\user_name)

    • Microsoft Active Directory directory service security group names (for example, DOMAIN\security_group_name)

    • Domain group names (for example, DOMAIN\group_name)

    • Cross-site group names (for example, Accounting)

      Note

      When running Windows SharePoint Services in a server farm, you cannot add local accounts.

      Note

      Local accounts must exist before you attempt to add them. Windows SharePoint Services does not create local accounts like SharePoint Team Services v1.0 does.

      Note

      When using Active Directory account creation mode, you cannot add local accounts or security groups.

  3. In the Step 2: Choose Permissions section, select the site group that the user or group will belong to, and then click Next.

  4. In the Step 3: Confirm Users section, verify the e-mail addresses, user names, and display names.

  5. In the Step 4: Send E-mail section, if you want to send an invitation, select Send the following e-mail to let these users know they've been added, and type the subject and body text information to send in the e-mail message.

  6. Click Finish.

You can delete users or cross-site groups from all site groups by using the Manage Users page. Note that this does not delete the user or cross-site group account, but does remove all rights to the Web site.

Add all users from an e-mail distribution list

Note

To complete the steps in this section, you must have a Windows SharePoint Services–compatible address book program, such as Microsoft Office Outlook 2003, installed on the computer you are using.

  1. On the Web site you want to manage, click Site Settings.

  2. On the Site Settings page, in the Administration section, click Manage Users.

  3. On the Manage Users page, click Add Users.

  4. In the Step 1: Choose Users section, click Address Book.

  5. Select the distribution list you want to add from the address book. The list of users from the distribution list appears in the Users field.

    Note

    You can add only distribution lists that reside on the same e-mail server as your current e-mail account. For example, in Office Outlook 2003 the names of distribution lists that reside on the same e-mail server appear in bold text.

  6. In the Step 2: Choose Permissions section, select the site group to which you want to add the members of the distribution list, and then click Next.

  7. In the Step 3: Confirm Users section, verify the e-mail addresses, user names, and display names.

  8. In the Step 4: Send E-mail section, if you want to send an invitation, select Send the following e-mail to let these users know they've been added, and type the subject and body text information to send in the e-mail message.

  9. Click Finish.

    Note

    Adding or removing users from the e-mail distribution list will not add or remove them from the site. You must manually add or remove users from the site after changing your distribution list membership.
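
Because distribution list changes are not carried over to the site, site membership drifts away from the list over time. The following PowerShell sketch is an added example, not part of the original documentation: it compares the two and reports accounts that still have site access after leaving the list. It assumes both lists have been exported as DOMAIN\user names and that the site was populated only from this one list; the function name and the sample accounts are hypothetical.

```powershell
# Added example, not Microsoft's code. Both account lists are constructed sample
# data; assumes the site was populated only from this one distribution list.
function Get-SiteAccessDrift {
    param(
        [string[]]$ListMembers = @(),   # current members of the distribution list
        [string[]]$SiteUsers   = @(),   # accounts shown on the Manage Users page
        [Parameter(Mandatory)][string]$Url
    )
    $ci = [StringComparer]::OrdinalIgnoreCase   # account names are case-insensitive
    $inList = [System.Collections.Generic.HashSet[string]]::new($ci)
    $onSite = [System.Collections.Generic.HashSet[string]]::new($ci)
    foreach ($m in $ListMembers) { [void]$inList.Add($m.Trim()) }
    foreach ($u in $SiteUsers)   { [void]$onSite.Add($u.Trim()) }

    foreach ($u in $onSite) {
        if (-not $inList.Contains($u)) {
            # Left the list but still has site rights: candidate for removal.
            [pscustomobject]@{
                Account   = $u
                Finding   = 'StaleAccess'
                Suggested = "stsadm.exe -o deleteuser -url $Url -userlogin $u"
            }
        }
    }
    foreach ($m in $inList) {
        if (-not $onSite.Contains($m)) {
            # Joined the list later and was never added to the site.
            [pscustomobject]@{
                Account   = $m
                Finding   = 'NotOnSite'
                Suggested = 'Add through Manage Users > Add Users'
            }
        }
    }
}

$list = 'DOMAIN1\User1', 'DOMAIN1\User3'   # constructed sample data
$site = 'domain1\user1', 'DOMAIN1\User2'   # constructed sample data
Get-SiteAccessDrift -ListMembers $list -SiteUsers $site -Url 'https://server1/site1'
```

The function only reports; review each StaleAccess entry before running the suggested command, because deleteuser removes all of the user's rights to the site.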

Delete a user or cross-site group from all site groups

  1. On the Manage Users page, select the check box next to the user or cross-site group you want to delete.

  2. Click Remove Selected Users.

  3. On the confirmation message that appears, click OK to remove the users.

Managing Users in a Site Collection

Every Web site with unique permissions has a Manage Users page that the site's administrator can use to add, modify, or delete users. In addition to this page, the top-level Web site in a Web site collection also includes a page that server administrators or the site collection administrator can use to view and delete users. This page lists all users for the site collection, including the users of the top-level Web site and users of any subsites in the site collection. When you remove a user from this list, the user is removed from all sites and subsites in the site collection.

Remove a user from a top-level Web site

  1. On the top-level Web site, click Site Settings.

  2. Under Administration, click Go to Site Administration.

  3. On the Top-Level Site Administration page, under Site Collection Administration, click View site collection user information.

  4. Select the check box next to the user you want to remove, and then click Remove Selected Users.

Managing Users from SharePoint Central Administration

If you are an administrator on the server computer or a member of the SharePoint administrators group, you may have administrative rights to change settings on the Site Settings page for any individual site on your server. What happens when a top-level Web site owner leaves your organization, or a user must be added to or removed from a site that you do not have administrative rights for? The SharePoint Central Administration page includes a link for managing users for sites even if the administrator does not have rights to the site. You can add users or cross-site groups, remove users or cross-site groups, change site group membership, and change owners, without having to be an administrator on a specific site. You do, however, need to know the Uniform Resource Locator (URL) for the site, and the specific user name that you want to change.

Change the owner of a site collection

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.

  2. On the SharePoint Central Administration page, under Security Configuration, click Manage site collection owners.

  3. On the Manage Site Collection Owners page, in the Site URL box, type the URL to the site, and then click View.

    The information for the current site owner and secondary owner is automatically filled in on the page when you click View.

  4. In the Site Owner section, in the User name box, type the account name for the new owner.

  5. If you have a new secondary contact name, type the account name in the Secondary Owner section.

  6. Click OK.

If you are an administrator on the server computer, and need to change the owner of a site that you do not have administrative access to, you can make the change from the SharePoint Central Administration page.

Add a new site user or group

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.

  2. On the SharePoint Central Administration page, in the Security Configuration section, click Manage Web site users.

  3. On the Manage Web Site Users page, in the Site URL box, type the URL to the site, and then click View.

  4. In the Add a User section, specify the users that you would like to add, separated by semicolons. You can enter:

    • E-mail addresses (for example, someone@example.com)

    • User names (for example, DOMAIN\name)

    • Microsoft Active Directory directory service security group names (for example, DOMAIN\security_group_name)

    • Domain group names (for example, DOMAIN\group_name)

    • Cross-site group names (for example, Accounting)

      Note

      When running Windows SharePoint Services in a server farm, you cannot add local accounts.

      Note

      Local accounts must exist before you attempt to add them. Windows SharePoint Services does not create local accounts like SharePoint Team Services v1.0 does.

      Note

      When using Active Directory account creation mode, you cannot add local accounts or security groups.

  5. In the Display name box, type the full name.

  6. In the E-mail address box, type the e-mail address.

  7. In the Site group box, select a site group to which to add the user or group, and then click Add User.

You can also delete a user or change a user's site group membership from this page.

Delete a site user or change site group membership

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.

  2. On the SharePoint Central Administration page, under Security, click Manage Web site users.

  3. On the Manage Web Site Users page, in the Site URL box, type the URL to the site, and then click View.

  4. In the Change Existing User section, in the Account name box, type the user account you want to change or delete, and then click View user.

  5. To change site group membership, select the check box for the site group you want the user to be a member of, and then click Update.

  6. To remove the user from all site groups, click Delete User.

Using the Command Line to Manage Users

You can add a user account to your site by using the adduser operation. The adduser operation takes the url, userlogin, useremail, username, and role parameters, plus the optional parameter siteadmin. You use the siteadmin parameter to specify that the user is the site collection administrator or owner of the site collection. Note that if you are using Active Directory account creation mode, you do not need to specify the userlogin parameter; you would use the useremail parameter to identify the user instead.

For example, to add User1 as an administrator for https://server1/site1 in domain account mode, you would type:

stsadm.exe -o adduser -url https://server1/site1 -userlogin DOMAIN1\User1 -useremail user1@domain.com -username "User 1" -role administrator

You use the deleteuser operation to remove users from a site. The deleteuser operation takes the url and userlogin parameters. To remove User1 from https://server1/site1, you would type:

stsadm.exe -o deleteuser -url https://server1/site1 -userlogin DOMAIN1\User1

You can assign a user to a site group from the command line by using the userrole operation. The userrole operation takes the url, userlogin, role, and add or delete parameters. For example, to add the user User1 to the Contributor site group for site https://server1/site1, you would type:

stsadm.exe -o userrole -url https://server1/site1 -userlogin DOMAIN1\User1 -role contributor -add

Note that this does not remove the user from any site groups they were previously members of.
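
Because userrole -add leaves earlier memberships in place, moving a user to a less privileged site group takes two calls: one with -add and one with -delete. The following PowerShell wrapper is an added example, not part of the original documentation: it validates its input, prints the two commands by default, and runs them only when -Execute is given. It assumes stsadm.exe is on the PATH and returns a non-zero exit code on failure; the function name and the role allow-list are hypothetical.

```powershell
# Added example, not Microsoft's code. Assumptions: stsadm.exe is on PATH and
# exits non-zero on failure; $AllowedRoles is a site-specific allow-list.
function Move-SiteGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$UserLogin,
        [Parameter(Mandatory)][string]$FromRole,
        [Parameter(Mandatory)][string]$ToRole,
        [string[]]$AllowedRoles = @('contributor', 'administrator'),
        [switch]$Execute   # without -Execute the commands are only printed
    )

    # Reject malformed input before anything reaches stsadm.
    $parsed = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$parsed) -or
        ($parsed.Scheme -notin 'http', 'https')) {
        throw "Not an absolute http(s) URL: '$Url'"
    }
    if ($UserLogin -notmatch '^[^\\\s]+\\[^\\]+$') {
        throw "Expected DOMAIN\user, got '$UserLogin'"
    }
    foreach ($role in $FromRole, $ToRole) {
        if ($AllowedRoles -notcontains $role) { throw "Role '$role' is not in the allow-list" }
    }
    if ($FromRole -eq $ToRole) { throw 'FromRole and ToRole must differ' }

    # Grant the new site group first, then revoke the old one: userrole -add
    # alone leaves the previous membership (and its rights) in place.
    $plan = @(
        @{ Role = $ToRole;   Flag = '-add' },
        @{ Role = $FromRole; Flag = '-delete' }
    )
    foreach ($step in $plan) {
        $stsArgs = @('-o', 'userrole', '-url', $Url, '-userlogin', $UserLogin,
                     '-role', $step.Role, $step.Flag)
        if (-not $Execute) { "stsadm.exe $($stsArgs -join ' ')"; continue }
        & stsadm.exe @stsArgs
        if ($LASTEXITCODE -ne 0) {
            throw "stsadm $($step.Flag) '$($step.Role)' failed; verify that $UserLogin no longer holds '$FromRole'"
        }
    }
}

# Dry run with the page's sample values: demote User1 from administrator to contributor.
Move-SiteGroupMember -Url 'https://server1/site1' -UserLogin 'DOMAIN1\User1' `
    -FromRole administrator -ToRole contributor
```

If the -delete step fails after the -add step has succeeded, the user holds both site groups, so the error message names the membership that still has to be checked.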

For information about creating, editing, or deleting site groups and controlling Web site permissions, see Managing Site Groups and Permissions (Windows SharePoint Services 2.0).

For more information about security, see Windows SharePoint Services 2.0 Security Model.

With Windows SharePoint Services, you can set quota and determine how many new user accounts can be created for each virtual server. For more information about setting quotas, see Configuring Site Collection Quotas and Locks (Windows SharePoint Services 2.0).