
Active Directory Configuration, Domain Accounts, and Anonymous Access

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Deploying Microsoft Windows SharePoint Services in scalable hosting mode with Active Directory account creation depends on correct configuration of the Active Directory directory service and of other authentication-related settings.

Active Directory Configuration

To configure the Active Directory directory service, the Internet Platform and Operations group performed the following steps:

1. Configure Domain on Active Directory Servers

The domain settings for this deployment are the following:

  • Fully Qualified Domain Name (FQDN): STSBeta.net

  • NetBIOS Domain Name: STSBeta

  • Domain Operation Mode: Native

The domain controllers for the STSBeta domain are two servers running Windows 2000 Advanced Server SP4.

Note: When Windows SharePoint Services is deployed in scalable hosting mode with Active Directory account creation, Windows SharePoint Services creates a new Active Directory user account for every site owner and user. The Security Accounts Manager (SAM) account name is based on the user name part of the site owner's or user's e-mail address (for example, the someone in someone@example.com). When multiple sites are created at the same time and successive user e-mail addresses share the same user name, or when multiple sites are created for the same user, two accounts with the same SAM account name might be created on two different domain controllers. When the two domain controllers replicate, one of those accounts will be damaged. To reduce the chance of this happening, the Internet Platform and Operations group minimized the replication interval by changing the default replication notification settings in the registry on the two domain controllers as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause after modify (secs) = 30

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator notify pause between DSAs (secs) = 5

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
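The same registry change, scripted so that it can be backed up first, applied identically on both domain controllers and read back for confirmation. This is an added example and not from the original article. It assumes a domain controller running a Windows Server version that has Windows PowerShell (the article's Windows 2000 servers predate it); the key path, the two value names and the 30-second and 5-second settings are the ones the article gives, and the backup file name is an assumption.

```powershell
# Added example (not from the original article). Run elevated on each domain
# controller. Key path, value names and the 30 s / 5 s values are the article's.
$ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$settings = @{
    'Replicator notify pause after modify (secs)' = 30
    'Replicator notify pause between DSAs (secs)' = 5
}

function Backup-NtdsParameters {
    # Export the key before touching it, as the article's caution advises,
    # so the change can be reverted with "reg.exe import". Path is an assumption.
    param([string]$Path = "$env:TEMP\NTDS-Parameters-backup.reg")
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $Path /y | Out-Null
    return $Path
}

function Set-ReplicatorNotifyPause {
    param([hashtable]$Values = $settings)
    foreach ($name in $Values.Keys) {
        $current = (Get-ItemProperty -Path $ntdsKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) {
            # The defaults are compiled into NTDS and the values are normally absent,
            # so the first run has to create them as REG_DWORD.
            New-ItemProperty -Path $ntdsKey -Name $name -PropertyType DWord -Value $Values[$name] | Out-Null
            $shown = '<not set>'
        } else {
            Set-ItemProperty -Path $ntdsKey -Name $name -Value $Values[$name]
            $shown = $current
        }
        Write-Host ("{0}: {1} -> {2}" -f $name, $shown, $Values[$name])
    }
}

function Get-ReplicatorNotifyPause {
    # Read back what is actually stored, to compare the two DCs side by side.
    $props = Get-ItemProperty -Path $ntdsKey
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PauseAfterModify = $props.'Replicator notify pause after modify (secs)'
        PauseBetweenDSAs = $props.'Replicator notify pause between DSAs (secs)'
    }
}

$backup = Backup-NtdsParameters
Write-Host "Registry key exported to $backup"
Set-ReplicatorNotifyPause
Get-ReplicatorNotifyPause | Format-List
# NTDS reads its Parameters key when the directory service starts; restart the
# domain controller if the new intervals are not observed after the change.
```

Run Get-ReplicatorNotifyPause on both domain controllers and compare the output: the mitigation only narrows the duplicate-account window if both DCs notify each other with the same short pauses.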

2. Create Organizational Unit

  1. On the domain controller computer, open Active Directory Users and Computers.

  2. In the console tree, double-click the domain node for STSBeta.

  3. Right-click the domain node.

  4. Point to New, and then click Organizational Unit.

  5. Type SharePoint Users for the name of the organizational unit (OU).

All site owner and user accounts created by using Windows SharePoint Services will be placed in this OU.

3. Create Domain Accounts

  1. Open Active Directory Users and Computers.

  2. In the console tree, double-click the domain node for STSBeta.

  3. In the details pane, right-click the organizational unit you want to add the user to (not SharePoint Users), point to New, and then click User.

  4. In Full name, type Windows SharePoint Services Site Virtual Server Application Pool Identity.

  5. In User logon name, type STSAcct.

  6. In Password and Confirm password, type the user's password.

  7. Select the appropriate password options.

  8. Repeat steps 1 through 7 to add another user with the Full name Windows SharePoint Services Admin Site Virtual Server Application Pool Identity and the User logon name STSAdminAcct.

  9. Add STSAdminAcct to the local Administrators group on all front-end Web servers. Do not add STSAcct.

  10. Create a login for the STSAdminAcct account on the back-end servers running SQL Server and add this login to the Security Administrators and Database Creators server roles.

  • Make Domain Users the only domain group that these two accounts belong to.

  • To help ensure security, do not place the two accounts in the SharePoint Users OU.

4. Delegate Control of OU to Domain Accounts

  1. Open Active Directory Users and Computers.

  2. In the console tree, double-click the STSBeta domain node.

  3. In the details pane, right-click the SharePoint Users organizational unit, and then click Delegate control to start the Delegation of Control Wizard.

  4. Follow the instructions in the Delegation of Control Wizard to delegate the following tasks to the STSAcct and STSAdminAcct accounts:

    • Create, delete, and manage user accounts

    • Reset passwords on user accounts

    • Read all user information

  5. To verify the permissions granted to the two accounts, do the following:

    1. In the Active Directory Users and Computers console, on the View menu, click Advanced Features.

    2. Right-click the SharePoint Users OU, and then click Properties to open the Properties dialog box.

    3. Click the Security tab.

    4. Click the account name, or click Advanced, to review the assigned permissions.
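Steps 2 through 5 (the OU, the two application pool identities, the delegation and its verification) scripted end to end, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) run by a domain administrator against the STSBeta.net domain; the OU name, account names and the three delegated tasks are the article's. The separate "Service Accounts" OU that holds the two identities is an assumption, chosen only because the article requires that they not be placed in SharePoint Users; the schema GUIDs for the user class and the Reset Password right are the well-known Active Directory values.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and Domain Admin rights; names are the article's unless marked assumed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # DC=STSBeta,DC=net in the article's domain
$ouName   = 'SharePoint Users'
$ouDN     = "OU=$ouName,$domainDN"
$svcOuDN  = "OU=Service Accounts,$domainDN"         # assumed OU for the two identities; must exist

# Step 2: the OU that will hold every account SharePoint creates.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Step 3: the two identities. The CN attribute is limited to 64 characters, so
# the article's long "Full name" goes into displayName and the logon name is
# used as the CN. New-ADUser leaves the primary group at Domain Users, which is
# the only domain group membership the article wants for these accounts.
$accounts = @(
    @{ Sam = 'STSAcct';      Display = 'Windows SharePoint Services Site Virtual Server Application Pool Identity' }
    @{ Sam = 'STSAdminAcct'; Display = 'Windows SharePoint Services Admin Site Virtual Server Application Pool Identity' }
)
foreach ($a in $accounts) {
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$($a.Sam))")) {
        New-ADUser -Name $a.Sam -SamAccountName $a.Sam -DisplayName $a.Display -Path $svcOuDN `
            -AccountPassword (Read-Host -AsSecureString "Password for $($a.Sam)") `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    }
}
# Local Administrators membership on the front-end Web servers (STSAdminAcct only)
# and the SQL Server roles are configured on those servers, not from here.

# Step 4: the three Delegation of Control Wizard tasks, expressed as ACEs on the OU.
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user object class
$resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($a in $accounts) {
    $sid = (Get-ADUser -Identity $a.Sam).SID
    # "Create, delete, and manage user accounts": create/delete user children on the OU
    # and any sub-OUs, plus full control over the user objects themselves.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'CreateChild, DeleteChild', 'Allow', $userClass, 'All'))
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'GenericAll', 'Allow', 'Descendents', $userClass))
    # "Reset passwords on user accounts".
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'ExtendedRight', 'Allow', $resetPwd, 'Descendents', $userClass))
    # "Read all user information".
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'ReadProperty', 'Allow', 'Descendents', $userClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 5: the equivalent of the Security tab and its Advanced button on the OU,
# filtered to the two accounts so that unexpected extra rights stand out.
function Get-DelegatedRights {
    param([string]$OuDN, [string[]]$SamAccountName)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $SamAccountName -contains ($_.IdentityReference.Value -split '\\')[-1] } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedRights -OuDN $ouDN -SamAccountName 'STSAcct', 'STSAdminAcct' | Format-Table -AutoSize
```

Because every ACE is scoped to descendant user objects (or to creating and deleting user children), the two identities gain nothing over the OU's sub-OUs, groups or computers, and nothing over accounts outside SharePoint Users, including their own objects in the assumed Service Accounts OU. Rerunning Get-DelegatedRights after any later change to the OU is the quickest way to confirm that the delegation is still exactly these four rights per account.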

5. Edit Account Policy for the SharePoint Users OU (Optional)

  1. In the Active Directory Users and Computers console, on the View menu, click Advanced Features.

  2. Right-click the SharePoint Users OU, and then click Properties to open the Properties dialog box.

  3. Click the Group Policy tab, and add a new Group Policy object (GPO) linked to this OU.

  4. Configure the Password and Account Lockout policies in the GPO as shown in Table 1.

Table 1. Account Policies for SharePoint Users OU

  Policy                                        Setting
  Password history                              (value missing in source)
  Maximum password age                          0 days
  Minimum password age                          0 days
  Minimum password length                       7 characters
  Passwords must meet complexity requirements   (value missing in source)
  Store passwords using reversible encryption   (value missing in source)
  Account lockout duration                      30 minutes
  Account lockout threshold                     5 invalid attempts
  Reset account lockout counter after           30 minutes

© 2015 Microsoft