IT Connect

Information technology tools and resources at the UW

SharePoint in NETID domain

Microsoft SharePoint can be installed on an MI domain-joined computer, but with one significant restriction: the SharePoint User Profile Synchronization Service cannot be enabled.

Background

The User Profile Synchronization Service (UPSS) keeps SharePoint user profile information synchronized with the corresponding MI Active Directory user attributes. To do this, it requires an elevated privilege in AD: the “Replicating Directory Changes” permission. There are two problems with running UPSS against the MI AD:

  1. UPSS is FIM (Forefront Identity Manager) under the covers and requires the same full synchronization permissions as a regular FIM deployment. That permission bypasses the ACLs that have been put in place to implement FERPA protections of sensitive student data, so SharePoint will leak this FERPA-protected data. See Course Group Privacy Configuration for more information.
  2. There are hundreds of thousands of user accounts in the MI AD. You certainly don’t want to synchronize all of those accounts to your SP server.

Recommendations

One option is to not install SharePoint yourself. UW-IT offers a centrally managed SharePoint service for campus customers. Please refer to the Service Catalog entry.

If you do opt to install your own instance of SharePoint on a MI domain-joined server, then please follow these instructions for turning the UPSS off.

  1. After SharePoint is installed, go to Central Admin and choose Manage Services on Server.
  2. Stop the User Profile Synchronization Service. Do not stop the User Profile Service!

There are alternative ways to populate user profile data. When users log into SharePoint they can click their name in the upper right-hand corner of the SP window and choose “Edit Profile.” This creates a profile if one did not already exist. The user can then fill in the fields they wish to share with their colleagues.

In addition, you can use PowerShell to create profiles. If you had, say, a spreadsheet of your potential SP population, you could export it as XML or CSV and use it as input to a PowerShell script that creates the profiles. Here is a TechNet article on doing this PowerShell scripting.

You can use a combination of these two methods: pre-populate and/or update profiles using PowerShell, and have new users self-provision their profile.
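The following script is an added example of the CSV-driven approach described above; it is not from this page, the TechNet article, or UW-IT. It assumes the SharePoint Server object model (UserProfileManager) run from the SharePoint Management Shell by an account with rights on the User Profile Service Application; the site URL, account names and CSV rows are placeholders, and the account-name format depends on your web application's authentication mode.

```powershell
# Added example: create or update SharePoint user profiles for a bounded list of
# accounts without the User Profile Synchronization Service (UPSS). Unlike UPSS this
# needs no "Replicating Directory Changes" right on MI AD and touches only the
# accounts you list, not the whole NETID domain.
# Assumptions: SharePoint Management Shell, farm/UPA rights; URL and names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "https://sharepoint.example.edu"   # placeholder, not a real UW site

# Guard: UPSS must remain stopped. Only the User Profile Service itself should be Online.
$sync = Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" -and $_.Status -eq "Online" }
if ($sync) {
    throw "User Profile Synchronization Service is Online; stop it in Central Admin first."
}

# Constructed sample input; in practice replace with Import-Csv on your exported spreadsheet.
$People = @"
AccountName,PreferredName,Department,WorkEmail
NETID\user1,Sample User One,Example Dept,user1@example.edu
NETID\user2,Sample User Two,Example Dept,user2@example.edu
"@ | ConvertFrom-Csv

$context = Get-SPServiceContext -Site (Get-SPSite $SiteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

foreach ($p in $People) {
    # Reuse an existing (possibly self-provisioned) profile; create one only if missing.
    if ($upm.UserExists($p.AccountName)) {
        $up = $upm.GetUserProfile($p.AccountName)
        $action = "Updated"
    } else {
        $up = $upm.CreateUserProfile($p.AccountName)
        $action = "Created"
    }
    # Write only the three spreadsheet-owned fields; other profile properties are left as they are.
    $up["PreferredName"].Value = $p.PreferredName
    $up["Department"].Value    = $p.Department
    $up["WorkEmail"].Value     = $p.WorkEmail
    $up.Commit()
    Write-Output "$action profile for $($p.AccountName)"
}
```

Because the script only creates or updates profiles for the accounts in the CSV, it keeps the profile store limited to your own population and leaves FERPA-protected AD attributes untouched.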

Note: the Sync Service may not start at all if its service account does not have the “Replicating Directory Changes” permission, so you are likely to see SP errors related to this. However, the User Profile Service (UPA) will run and do what it is intended to do. Do not turn off the User Profile Service.