Add users from multiple forest domains

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Topic Last Modified: 2007-05-22

Before you perform this procedure, confirm that:

  • You have read the topic Manage connections across domains in multiple forests.

  • Your system is running either the Standard or Enterprise version of Microsoft Office SharePoint Server 2007.

  • You know the location and settings for the domain server in another forest running Active Directory.

  • You know whether the target forest is trusted in your current domain.

Important

Administrators must have access to the Shared Services Provider (SSP) administration site, and must have the Manage user profiles permission enabled to complete this procedure. For details, see the "Additional considerations" section in this topic.

To add users from multiple forests, you add a connection to the relevant Active Directory resource in each forest running Active Directory, and then import user profiles. Imported information is available in user profiles, and can be used to target and personalize content in My Sites and targeted lists, links, and Web Parts.

To add a connection to an Active Directory resource in another forest

Use this procedure to add an import connection to multiple forests in Active Directory.

Add an import connection to multiple forests in Active Directory

  1. Open the administration page for the SSP, as follows:

    1. On the top link bar, click the Application Management tab.

    2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.

    3. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.

    You can also access the SSP by clicking the link to the Shared Services Administration home page in the Shared Services Administration section of Quick Launch.

  2. On the SSP home page, in the User Profiles and My Sites section, click User profiles and properties.

  3. On the User Profiles and Properties page, in the Profile and Import Settings section, click View import connections.

  4. On the View Import Connections page, click Create New Connection.

  5. In the Connection Settings section, from the Type menu, click Active Directory Resource.

  6. In the Connection Name text box, type the name of the connection for the resource.

  7. In the Domain name text box, type the name for the domain that contains the information that you want to import.

  8. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.

  9. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.

  10. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.

  11. In the Master Forest Connection Settings section, in the Domain name text box, type the domain name for the master forest associated with the Active Directory resource that you want to import.

  12. Select Auto discover domain controller if the specific domain controller for the master forest is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.

  13. In the Port text box, type the number of the port to use to connect to the master forest. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.

  14. Select Specify Account and type the account name and password that you want to use to import user profiles from this connection.

    Note

    It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account. This account must have access to the target forest or domain. If a two-way trust exists between the target domain and the current domain and the default content access account has access to the target domain, the default account can be used.

  15. In the Search Settings section, in the Search base text box, type the distinguished name of the directory node from which to import the users. If you do not know the distinguished name, click the Auto Fill Root Search Base button.

  16. In the User filter text box, you can add new query clauses to the default query to filter which user profiles are imported.

  17. Under Scope, select One level to import one level of user profiles, or Subtree to import all user profiles under the search base.

  18. To improve performance, you can type a maximum number of user profiles to import in the Page Size text box, and type a maximum number of seconds for the import in the Page time out text box.

  19. In the Authentication Information section, select Specify Account and type the account name and password that you want to use to import user profiles from this connection.

    Note

    It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account.

  20. Click OK.
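The following sketch is an added example, not part of the original topic or of Office SharePoint Server. It reviews the values planned for steps 7 through 17 before they are typed into the connection page: the SSL and port pairing, the account choice, the search base, and a user filter extended with a clause that excludes disabled accounts. The function names, the sample domain, and the sample filter are hypothetical.

```python
# Added example: pre-flight check of values planned for steps 7-17.
# All function names and sample values are hypothetical, not SharePoint's.
LDAP_PORT = 389  # standard unencrypted LDAP port
# AD bitwise-AND matching rule; userAccountControl bit 2 = account disabled.
NOT_DISABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Constructed sample filter, not necessarily the product's default query.
SAMPLE_FILTER = "(&(objectCategory=person)(objectClass=user))"

def root_dn(domain):
    """Map a DNS domain name to its root distinguished name."""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))

def well_formed(ldap_filter):
    """True if the filter is one parenthesised group with matched parentheses."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        depth += (ch == "(") - (ch == ")")
        if depth <= 0 and i < len(ldap_filter) - 1:
            return False  # closed too early, or text outside the group
    return depth == 0 and ldap_filter.startswith("(")

def add_clause(base_filter, clause):
    """AND one extra query clause onto an existing user filter."""
    return "(&" + base_filter + clause + ")"

def check_connection(c):
    """Return review findings for one planned import connection (a dict)."""
    findings = []
    if not c["use_ssl"]:
        findings.append("connection is not SSL-secured")
    elif c["port"] == LDAP_PORT:
        findings.append("SSL selected but port 389 is the plain LDAP port")
    if c["use_default_account"]:
        findings.append("default content access account used instead of a specified account")
    base, root = c["search_base"].lower(), root_dn(c["domain"]).lower()
    if base != root and not base.endswith("," + root):
        findings.append("search base is outside the domain")
    if not well_formed(c["user_filter"]):
        findings.append("user filter is not well formed")
    return findings

# Constructed sample: a connection to a hypothetical domain in another forest.
planned = {"domain": "corp.example.com", "port": 389, "use_ssl": True,
           "use_default_account": True,
           "search_base": "OU=Staff,DC=corp,DC=example,DC=com",
           "user_filter": add_clause(SAMPLE_FILTER, NOT_DISABLED)}

if __name__ == "__main__":
    for finding in check_connection(planned):
        print("REVIEW:", finding)
```

The parenthesis check is a basic syntax screen only; it does not confirm that attribute names exist in the target directory.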

After adding connections for each forest, you schedule and import user profiles. For more information about importing user profiles, see Configure profile imports.

Additional considerations

To add connections to directory services, administrators must have access to the Shared Services Administration site, and must have the Manage user profiles permission enabled. Users with access to the administration site but without the Manage user profiles permission enabled can view the SSP administration home page, but cannot access the User Profiles and Properties page.

In a single-click installation, the account used to install Office SharePoint Server 2007 has the following permissions enabled: Manage user profiles and Manage permissions. The installation account also has access to the Shared Services Administration site.

In an advanced farm installation, the user installing Office SharePoint Server 2007 selects an account to have these management permissions. This account can be used to add the Manage user profiles permission to users and groups responsible for administering user profiles and connections to directory services.