Wednesday, October 31, 2007

SharePoint Site, SSP Profile and Active Directory Users

This post was derived from an email response to a question about how I think things work with respect to users ("people") and Active Directory, SharePoint, our Lotus Notes email, etc. Specifically, there is detail about users who do not yet exist in a site directory. It is based on research, testing and our experiences. In our environment we create profiles for everyone in our Active Directory domain and add email addresses, names and a little organizational information from another SQL database.

When you create an alert (or use other people lookups), you can pick anybody from the Active Directory domain. In any of the SharePoint lookups you are selecting from a listing that is BOTH Active Directory and SharePoint groups, if groups are shown. In our environment, any of those users should have a profile in SharePoint (even the temporary accounts are imported, but many of those do not have email addresses) - the profiles are created and updated by two processes we run daily.

In practice it would be invalid to pick someone to whom you have not granted access to the site. Although the alert setting would be created, nothing would ever be sent to a user that has no rights to a site except for a notice that the alert was created.

People (site collection users) and profiles are not the same thing, but there is synchronization. If you add a user to a site and they were not previously in the site collection, they get added to people on that site collection. I'm not sure when their email address is looked up from the profiles (I think it depends - immediate if you send them a welcome email, and slightly delayed if you don't).

If you try to set up an alert for someone who has not been previously added to a site collection (or for any other reason does not have an email address - like most administrator accounts, many temporary accounts, etc.) you will get the message (trapped error):

The following users do not have e-mail addresses specified: Username, David. Alerts have been created successfully but these users will not receive e-mail notifications until valid e-mail addresses have been provided

Set my e-mail address...
Troubleshoot issues with Windows SharePoint Services.


Where "Username, David" was my demo user. The "set my email address" won't work for non-administrators and the "troubleshooting" won't be much help, but the main part of the message is correct - the alert is created. If the user has a profile with an email address, the system will set it up in the background and the user WILL get alerts IF there is anything they can access (but clearly the user still needs access to the site). If you had previously added the user to your site, you don't see this message after the email address has been synced.

I thought about prepopulating users in a members list, but I don't think this will be necessary unless we get a lot of site administrators having this problem. Only someone with "manage alerts" permissions - a site owner - could ever have this problem. If we start seeing this we can look into having a prepopulated "members" list.


Further, it is good to note that there is a timer job to keep the site collection up to date with the profile.

I know this wasn't the best written post, and it may not have wide generic applications. You have to keep in mind that we do not use Exchange, so our Active Directory is pretty weak - it does not even have email addresses, we have to go get those from another database. Another interesting topic to consider would be alternatives to profile creation in advance, and a more standard view of how all this should work (with Exchange and a better AD).
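
The two conditions described in this post (a user missing from the site collection user list, or present there without an e-mail address) can be checked on the server through the SharePoint object model. This is an added example, not code from the original post; it assumes PowerShell 2.0 or later on the SharePoint 2007 server, and the site URL and login name are placeholders.

```powershell
# Added example (not from the original post): report site collection users
# that would trigger the "do not have e-mail addresses specified" warning.
# Assumptions: run on the SharePoint server by an account with rights to the
# site collection; the $SiteUrl and $LoginName values are placeholders.
param(
    [string]$SiteUrl   = "http://sharepoint.example.local/sites/demo",
    [string]$LoginName = ""   # optional, e.g. "EXAMPLE\duser" (constructed)
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # SiteUsers is the site collection user list ("people"), not the SSP profile store.
    $users = @($site.RootWeb.SiteUsers | Where-Object { -not $_.IsDomainGroup })

    if ($LoginName) {
        $match = @($users | Where-Object { $_.LoginName -ieq $LoginName })
        if ($match.Count -eq 0) {
            "{0}: not in the site collection user list; add the user to the site first." -f $LoginName
        }
        elseif ([string]::IsNullOrEmpty($match[0].Email)) {
            "{0}: in the user list but no e-mail address has been synced yet." -f $LoginName
        }
        else {
            "{0}: e-mail is {1}; alert mail can be addressed." -f $LoginName, $match[0].Email
        }
    }
    else {
        # No login given: list every user whose entry has no e-mail address.
        $users |
            Where-Object { [string]::IsNullOrEmpty($_.Email) } |
            Select-Object LoginName, Name |
            Sort-Object LoginName
    }
}
finally {
    # SPSite holds unmanaged resources and must be disposed explicitly.
    $site.Dispose()
}
```

Accounts that still show up here after the profile synchronization has run are the ones whose profile itself has no e-mail address, such as the administrator and temporary accounts mentioned above.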

5 comments:

  1. Anonymous, 11:31 AM

    Can you tell me the name of the timer job you refer to? 'timer job to keep the site collection up to date with the profile.'

    kbolen@mt.gov

  2. I believe it is the Synchronization Scheduler.

    Bob

  3. Anonymous, 5:15 AM

    Hi Bob,

    I was also getting the same error when I added a user to 'Alert Me' for a document library.
    After reading this blog, I opened Central Administration->SharedServices-->User Profiles and properties.
    There I added the user along with his email address.
    When I tried to add the alert again, I got the same error.

    Any sort of help will be appreciated.

  4. Anonymous, 4:05 AM

    The job is called Profile Synchronization and it's run every hour. It copies user data (such as the email needed to create alerts) from the MOSS profile to the WSS user list. And as said already, the user must exist in the WSS user list (i.e. must have been added as a user to the site) and have an email in the WSS user list, otherwise the alert error will display. When a user is added to a site, his/her email is retrieved immediately from the MOSS profile to the WSS user list (and not with the hourly job), based on my tests.

  5. Thanks for the info Bob.

    Pingback from http://social.msdn.microsoft.com/Forums/en/sharepointadmin/thread/078bd18f-6806-449d-abaf-5c98935114b0
