Help: Need Some Suggestions...

Jul 4, 2013 at 2:49 PM
Edited Jul 4, 2013 at 3:34 PM
I am working on a large project and setting permissions for a large group of people where I add AD Security Groups to a SharePoint Group with the "Contribute" permissions. Some people are working fine, others are not, and after extensive troubleshooting we found the issue to be related to SID History in AD (there is an article about this problem with SharePoint and SID History). Due to the sheer size of the environment the AD Team will NOT perform a SID History Cleanup, let alone even asking the SharePoint Team to sync the user profiles :(.

I have an idea but not sure how to implement it fully, here it is:

I have created a list where AD Groups are being added as such "domain\ad group" (I can change this to use the full DN of the group if needed, i.e. cn=group,dc=domain,dc=com). I want to be able to search this list to see if a user is a member of any of the groups within this list and if so grant them the rights "Contribute" for the site; all others are by default "Viewers" only (Read Access).

SPServices would be IMHO the best approach as I am only a "Site Collection Admin". Anyone with ideas or thoughts about going this route and possibly provide an example, I can hash out the details?

I am on SP2010.

Update: Sorry I didn't add this piece. I am currently using a similar approach on my editform to verify edit permissions:

If the current user is not the creator of the request then I run a function that opens a modal dialog which runs a vbscript (LDAP Query) in the same dialog to check the current user's membership via another field in the editform named "Approvers" (DN format), and if they are a member it sets a variable (true or false) in the dialog callback, and then this allows the current user to edit the request if var == '1'.

Thanks,
Bob
Jul 5, 2013 at 3:33 PM
Hi Bob,

This is an interesting challenge! I'm not sure if I am 100% clear on something though - are you expecting to find out if an AD group is a member of the SharePoint group, or if a specific user (i.e. not an AD group) is part of an AD group, that is then in turn part of a particular SharePoint group?
Jul 5, 2013 at 5:31 PM
alibby251 wrote:
Hi Bob,

This is an interesting challenge! I'm not sure if I am 100% clear on something though - are you expecting to find out if an AD group is a member of the SharePoint group, or if a specific user (i.e. not an AD group) is part of an AD group, that is then in turn part of a particular SharePoint group?
The latter, I am looking to see if a user is a member of an AD Security Group that has been added already to a SharePoint Group. There are multiple AD security groups contained within the SharePoint Group and these AD groups are geographically dispersed across several domains.

Does this clarify it better?

Bob
Jul 5, 2013 at 10:03 PM
Hi Bob,

Unfortunately that was what I was scared of - AFAIK, there is no way to iterate the members of a security group, at least using SPServices; check out http://sympmarc.com/2011/02/16/active-directory-groups-vs-sharepoint-groups-for-user-management-a-dilemma/ for more details, as well as https://www.nothingbutsharepoint.com/sites/eusp/pages/active-directory-groups-vs--sharepoint-groups-for-user-management-a-dilemma.aspx. Using AD Groups can be great in some respects, but I know this is probably one of those flaws that really gets in the way! Have a look also at https://spservices.codeplex.com/discussions/236861 - this issue has come up before within the forums; this is one example...

I have read though that it may be possible to do something with AD Web Services - http://technet.microsoft.com/en-us/library/dd391908%28v=ws.10%29 could be a good start, but you will need to do some further research on specifics of calling them, particularly with jQuery? Alternatively, it may be better to try to do something using Audiences - I know that there was a webpart available from Codeplex (for 2007, which I still use, but 2010 may have something similar) which allowed you to turn audiences into groups, using a timer job. It then may be a case of setting everyone with view only access to start with, but then add them if they match certain criteria, such as department or country? (My idea is a little convoluted, but it might spark something...;-) )

Alex.
Jul 6, 2013 at 10:59 AM
Edited Jul 6, 2013 at 11:11 AM
Alex,

Thanks for the response, I have indeed read the first articles but not the last one you referenced, this does look interesting. I think my best approach (which I did before as stated in the OP) is to pass the user info "domain\username" to a vbscript to get the group memberships for that user then use SPServices GetListItems to loop through the list (Contributers) with all the AD Security groups and if that user is a member then pass my variable back as true permitting the user to create a new item.

I knew this was going to be tricky from the start. Funny thing is if I go to "Site Settings" -> "Site Permissions" -> "Check Permissions" -> and check the permissions of a user who is in one of the AD Security Groups within the SharePoint Group it shows they have the permission!

Bob
Jul 8, 2013 at 6:32 AM
Hi Bob,

This sounds like a good plan - I would say though that if you are trying to get the names of users within the Contributors group, then I would suggest looking at something like GetUserCollectionFromGroup instead? Sure, you could use GetListItems, which should work OK, but I think there may be more info that might be of use, but which is only accessible using a different web service?
Jul 8, 2013 at 11:43 AM
So you're saying to use "GetUserCollectionFromGroup" instead? I never used it but assume it should check all the AD Groups contained within the SP2010 group and from there I can see if the current user exists in this SP Group and if so allow the permission to continue?

Bob
Jul 8, 2013 at 1:48 PM
Correct - although you can't check the contents of an AD group in SharePoint (at least not using SPServices!), you can at least check to see if it exists in a specific SharePoint group. For the purposes of SharePoint (and this is a little bit of a rough generalisation), you can treat it as if it were a single user. Provided you can work out if a user exists within the AD group, you can then use GetUserCollectionFromGroup to establish the constituent members, and then do a match to see if one of those members is the same as the results of the variable from the VBScript check?

Does this make sense?
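The matching step that both Bob's plan (LDAP lookup of the user's groups, then loop over the list of allowed AD groups from GetListItems) and Alex's suggestion (GetUserCollectionFromGroup, then match its members against the VBScript result) come down to, as an added example that is not code from the thread, from SPServices or from SharePoint. It assumes the VBScript/LDAP side hands back the user's groups as "domain\group" strings, and the two SOAP payloads are constructed samples shaped like the UserGroup.asmx and Lists.asmx responses (the claims-prefix handling in normalizeLogin is an assumption too):

```javascript
// Added example (not from the thread, SPServices or SharePoint): decide
// whether the current user should get "Contribute" or stay at "Read" by
// matching the AD groups the LDAP lookup returned for that user against the
// members SharePoint reports for the SharePoint group (or a list of groups).
// Every input below is a CONSTRUCTED sample, not captured from a live farm.

// Constructed sample shaped like the UserGroup.asmx GetUserCollectionFromGroup
// response that SPServices hands back; IsDomainGroup="True" marks an AD group.
const sampleGroupResponse = `
<GetUserCollectionFromGroup xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
  <Users>
    <User ID="7" Name="Jane Doe" LoginName="CONTOSO\\jdoe" IsDomainGroup="False" />
    <User ID="12" Name="SP Contrib EMEA" LoginName="CONTOSO\\SP-Contrib-EMEA" IsDomainGroup="True" />
    <User ID="13" Name="SP Contrib APAC" LoginName="FABRIKAM\\SP-Contrib-APAC" IsDomainGroup="True" />
  </Users>
</GetUserCollectionFromGroup>`;

// Constructed sample shaped like a Lists.asmx GetListItems response for the
// "list of allowed AD groups" variant: one z:row per item, group in Title.
const sampleListResponse = `
<rs:data ItemCount="2">
  <z:row ows_ID="1" ows_Title="CONTOSO\\SP-Contrib-EMEA" />
  <z:row ows_ID="2" ows_Title="FABRIKAM\\SP-Contrib-APAC" />
</rs:data>`;

// Attribute scraper for self-closing elements named `tag`. A regex is enough
// for these flat payloads and keeps the example runnable in Node (no DOMParser).
function selfClosingElements(xml, tag) {
  const elementRe = new RegExp("<" + tag + "\\b([^>]*?)/>", "g");
  const attrRe = /([\w:]+)="([^"]*)"/g;
  const out = [];
  let el;
  while ((el = elementRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(el[1])) !== null) attrs[a[1]] = a[2];
    out.push(attrs);
  }
  return out;
}

// Normalise "DOMAIN\Group", "domain\group" or a claims-style
// "i:0#.w|domain\group" login to one comparable key: drop any claims prefix
// (assumption for this example) and compare case-insensitively.
function normalizeLogin(login) {
  const bar = login.lastIndexOf("|");
  return (bar >= 0 ? login.slice(bar + 1) : login).trim().toLowerCase();
}

// Members of the SharePoint group as normalised logins, split into users
// added directly and AD groups (the latter is what the LDAP result is matched to).
function membersFromGroupResponse(xml) {
  const users = [], groups = [];
  for (const u of selfClosingElements(xml, "User")) {
    (u.IsDomainGroup === "True" ? groups : users).push(normalizeLogin(u.LoginName));
  }
  return { users, groups };
}

// Allowed AD groups read from a SharePoint list instead (GetListItems rows).
function groupsFromListResponse(xml) {
  return selfClosingElements(xml, "z:row").map(r => normalizeLogin(r.ows_Title));
}

// userLogin: "domain\username" of the current user.
// userAdGroups: the groups the VBScript LDAP lookup returned, as "domain\group".
// members: { users, groups } from membersFromGroupResponse, or
// { users: [], groups: [...] } when the allowed groups come from a list.
function effectiveRole(userLogin, userAdGroups, members) {
  const directUsers = new Set(members.users || []);
  const allowedGroups = new Set(members.groups || []);
  if (directUsers.has(normalizeLogin(userLogin))) return "Contribute";
  const hit = userAdGroups.map(normalizeLogin).some(g => allowedGroups.has(g));
  return hit ? "Contribute" : "Read";
}

// Stand-alone demonstration with the constructed samples.
const members = membersFromGroupResponse(sampleGroupResponse);
console.log(effectiveRole("CONTOSO\\bob", ["CONTOSO\\Domain Users", "contoso\\sp-contrib-emea"], members)); // Contribute
console.log(effectiveRole("CONTOSO\\alice", ["CONTOSO\\Domain Users"], members)); // Read
```

Two things worth keeping in mind when wiring this into the form: the LDAP side decides what "member of" means, so if nested AD groups matter the lookup has to expand them (a plain memberOf read shows direct memberships only), and the result only drives what the form lets the user do; the Contribute permission itself is still granted and enforced by SharePoint on the server, so the script is a convenience check in front of it rather than the access control.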
Jul 8, 2013 at 2:14 PM
Perfectly. Thanks for the feedback!