
We have both internal and external users on Windows SharePoint Services 3.0. We are using Windows Integrated authentication and have all users, both internal and external, in the same domain. We are allowing all users access to the application by adding the Domain Users group. The issue is that there are certain sites that need to be secure from the external users, but because they are in the same domain they have access. We have removed the Domain Users group from some sites and then explicitly assigned permissions to a dedicated group in Active Directory, but we have around 100 sites that we need to do this for and it would become an administrative nightmare to do this for all 100 sites.

I've done some searching and it looks like we might be able to accomplish this using zones, but when we tried last week we broke the entire application. Does anyone have any ideas?

The other option is to move the WSS server into a different domain and give the external users accounts in that domain so that we could keep them separate, but I wanted to see if there was a better way to do this.


2 Answers

up vote 0 down vote accepted

Work on creating automation that creates and maintains Active Directory security groups that contain lists of internal or external users. Surely there is an attribute or two that distinguishes between these different types of users.

While you are at it, update your user provisioning process to make sure that when you create accounts, they get stuck in one group or another.

We have decided to create an internal and external users group. I'd still rather use zones, but I don't have time to figure out how to use it right now. Maybe I'll come update this thread once I have some time to tackle it. – tim8214 Mar 24 '11 at 21:15
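
One way to implement the group maintenance suggested in the accepted answer, as an added example that is not part of the original thread. It assumes the `employeeType` attribute is what distinguishes the two populations and uses hypothetical group names; accounts with neither value are left out of both groups and reported, so an untagged account never lands in the internal group by default.

```powershell
# Added example: reconcile two AD security groups against a user attribute.
# Assumptions (not from the thread): accounts are tagged employeeType =
# 'Internal' or 'External'; both group names are hypothetical placeholders.
Import-Module ActiveDirectory

$InternalGroup = 'SP-Internal-Users'
$ExternalGroup = 'SP-External-Users'

function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [string[]]$DesiredDNs = @()
    )
    # Direct user members currently in the group
    $current = @(Get-ADGroupMember -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.distinguishedName })

    # Drift in both directions: accounts to add and stale accounts to remove
    $toAdd    = @($DesiredDNs | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $DesiredDNs -notcontains $_ })

    if ($toAdd.Count -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }
}

# Classify enabled accounts by the assumed attribute
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties employeeType)
$internal = @($users | Where-Object { $_.employeeType -eq 'Internal' } |
              ForEach-Object { $_.DistinguishedName })
$external = @($users | Where-Object { $_.employeeType -eq 'External' } |
              ForEach-Object { $_.DistinguishedName })

# Untagged accounts get neither group; surface them for manual review
$unclassified = @($users | Where-Object { 'Internal', 'External' -notcontains $_.employeeType })
if ($unclassified.Count) {
    Write-Warning "$($unclassified.Count) enabled account(s) have no Internal/External tag"
    $unclassified | Select-Object SamAccountName, employeeType
}

# Preview only; drop -WhatIf after reviewing the proposed changes
Sync-GroupMembership -Group $InternalGroup -DesiredDNs $internal -WhatIf
Sync-GroupMembership -Group $ExternalGroup -DesiredDNs $external -WhatIf
```

Run on a schedule, this also moves an account between groups when its tag changes, since each group is reconciled against the full desired list rather than only appended to.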

It would seem to be relatively simple to automate the process of changing your security using a PowerShell script?

An example of a script like that is here

Our permissions aren't assigned on a user-by-user basis. The Domain Users group has read access which permits everyone to view the sites. Because the external users are part of the Domain Users group they are able to read all sites. – tim8214 Mar 19 '11 at 4:37
Surely you have an internal and an external group for your domain users. To permission everyone based on the Domain Users group is asking for a security fail somewhere along the line. – Nat Mar 19 '11 at 20:03
