Chapter 8: Advanced Configurations


So far, you have seen how to configure both WSS and MOSS specific settings. In this chapter, you will learn about more advanced administration, such as how to manage user profiles, import properties from the Active Directory, configure and manage global search and indexing, and more. This chapter is important if you want to master SharePoint's more advanced features. It contains a lot of details, and a lot of step-by-step instructions on how to configure these settings. Note that some of these settings will apply to both pure WSS installations and MOSS farms, while others only apply to MOSS; be sure to read the title of each section carefully.

Managing User Profiles in MOSS

When working in any type of organization, you often need to get more information about a particular user. For example, you may read a document written by a user and need to ask the author for more information, or you may need to send an e-mail to a project manager responsible for developing a solution that is of interest for your own work. So, how do you find more information about people today? Most likely you are doing things like checking the address list in Outlook, looking at the Employee List on an intranet, or contacting the switchboard, asking for the phone number of this person. The most commonly requested information is:

  • e-mail address

  • Phone numbers: Office phone, mobile phone, and so on.

  • Organizational information: What department, group, or team does the user belong to?

  • Responsibilities: Who is the manager for this department? Who is the project leader?

  • Expertise: Who can I ask about a specific subject?

SharePoint solves this in a much better way! Whenever you see a name listed as a user (for example, the author of a document or the last person who modified the Customer address list), simply click the user's name and you will get all publicly available information. Or if you don't see the name listed, you can search for the user. This will save you a lot of time, not to mention the frustration of having to chase around the network resources or find someone with the information needed.

So, where is this information stored? A good guess would be the Active Directory, right? And yes, this is often, but not always, true. Since SharePoint will also work in a Windows NT 4 environment, there may not even be a place for storing this type of user-related information. And even if you have an Active Directory environment, you may not be allowed to store new user properties in the AD database; for example, "Personal Interests" or "Skills." Microsoft solved this problem by adding a special database to MOSS for storing user profiles. This database can import information from the Active Directory. Note that this database does not exist in pure WSS environments, regardless of the type of server operating system.

User Profiles in a Windows NT 4 Environment

This configuration is easy to describe. There is nothing stored in the Windows NT 4 user account database that can be imported into the User Profile database! Everything you want to store about users, from their e-mail address to their phone numbers, must be entered manually. SharePoint 2007 does allow you to import user profiles from any LDAP directory or from an existing Business Data Catalog (BDC) connection, so this could be your solution. If not, then every time you make a change, such as adding a new user or giving an existing user a new e-mail address, this must be manually updated in the User Profile database. The procedure for performing this update is exactly the same as that used when running SharePoint in an Active Directory environment, which is described in the next section.

User Profiles in an Active Directory Environment

The most common configuration is to run SharePoint in an Active Directory environment. This enables SharePoint to regularly import information from AD to the User Profile database, typically once every 24 hours. This is only interesting if AD actually contains information worth importing, so there may still be situations in which manual updating may be the preferred solution. In reality, you will often see a mix of these two approaches; that is, some information is imported from AD, and the rest is manually updated. A new feature of SharePoint 2007, which differs from its predecessor, is that it can also import user properties and add these to existing user profiles, using an existing BDC connector.

Important 

You can only use a BDC import to add complementary information to existing user profiles; that is, BDC will not create new user profiles!

SharePoint allows the administrator to control exactly which user properties are imported from AD, which properties are edited manually, and whether the user is allowed to do this editing herself. This last option is very handy for information you may not want to store in Active Directory, for example subject matter expert areas, home phone numbers, or a description of a user.

Configuring the User Profile Import Process

All the settings that control the importing of properties in the User Profile database are accessed through SharePoint's configuration pages for the SSP. To see the options available, follow the steps in the Try It Out below.

Try It Out Manage the User Profile Database

  1. Open SharePoint's Central Administration tool, and click the SSP created by you earlier; typically, this is named SharedServices1. You will find it in the Quick Launch bar.

  2. Click User profiles and properties (in the User Profile and My Sites section); a new page is displayed, with all the settings related to user profiles (see Figure 8-1).

Figure 8-1


In this figure, you can see a lot of interesting things. At the top, you will find a summary of all settings related to the import from Active Directory, such as:

  • Number of user profiles: The current number of profiles. For a newly installed system, you will see a number 0 here. If you see 1, you have probably tested the My Site feature of the portal site.

  • Import source: What Active Directory domain will be imported, if any. Specify Source means this setting is not yet configured. If this is the case, click the Specify Source link to configure the setting, or click Configure user import, as described later in this list.

  • Profile import status: Idle means there is no import process active at the moment.

  • Membership & BDC import status: Idle means there is no import process active at the moment. Here, BDC means Business Data Catalog.

  • Import time: This gives the date and time for the last import.

  • Import schedule (full): This gives the date for the next full import process. Disabled means no schedule is defined. Click this link to configure the setting.

  • Import schedule (incremental): This gives the date for the next incremental import process. Disabled means that no schedule is defined. Click this link to configure the setting.

  • Last log entry: This is the latest status message regarding the import process.

  • Last import errors: Click the Click to view log link to see the latest log messages, including successful imports, errors, and warnings.

Below these links are a number of other links that are self-explanatory. One very important link is the Configure profile import link, which is used to configure the import settings. Click it to open the configuration page. This will open the same page that clicking the Specify Source link in the bulleted list above does. Use this page to define which source to import user profiles from, what account should be used, and the import type and schedule (see Figure 8-2).

Figure 8-2

Use these settings to configure the import process that fits the needs of your organization. Avoid choosing a time when other activities may run, such as backups or antivirus scanning. In Figure 8-2, the MS Windows domain to be imported is listed as the Current Domain, that is, the same domain that the SharePoint server belongs to. If you have more than one AD domain, and your users belong to any domain other than that of the SharePoint server, you can choose Entire forest.

Important 

If the DNS name of your AD domain is different from the NetBIOS name, SharePoint may fail to identify the correct domain to be imported. This is common with domains upgraded from NT 4 to AD. To solve this problem, choose Entire Forest even if you just have one domain.

One consequence of importing the complete domain is that all its user accounts will be imported, including a number of system accounts, such as Guest and IUSR. This may or may not be a problem, depending on the size of your domain and how sensitive you are about having nonstandard users listed in the User Profile database. In reality, these extra accounts do not require that much space and no one will see them, except the SharePoint administrator when looking at this page. Still, you may want to control this import in more detail, especially if you have lots of accounts in your domain that never will be SharePoint users, such as test accounts or multiple organizations.

For example, say that you have an Organizational Unit (OU) in Active Directory named SP2007 that contains SharePoint users. Why not just import that OU? You ask yourself, how hard can it be? What you need to do is to create a Lightweight Directory Access Protocol (LDAP) query filter. For example, the default LDAP filter that SharePoint uses is this:

     (&(objectCategory=Person)(objectClass=User)) 

This string says that all objects of class User and category Person will be imported.

The following Try It Out shows how you do a custom import of the OU SP2007; I'll let you be the judge of how hard it is.

Try It Out Import a Custom Source from Active Directory

  1. Log on as a domain administrator and start the Active Directory Users and Computers tool. Select Advanced features from the View menu.

  2. You will need some attribute names in step 5. To get them, right-click the OU SP2007, select Properties, and switch to the Object tab. Note the value of the Canonical name of object; in this example, it will be FILOBIT/SP2007. This string tells you the following:

    1. The two domain attributes for this domain, or DC, are com and Filobit.

    2. The name of the OU attribute is SP2007.

  3. Start SharePoint's Central Administration tool, then open the SSP instance (typically SharedServices1). Click User profiles and properties, then Configure profile import.

  4. Select Custom Source and click OK. This will open the View Import Connections page.

  5. Click Create New Connection, and enter the following values for this example (see Figure 8-3):

    Figure 8-3

    1. Type: Active Directory

    2. Domain name: http://www.Filobit.com

    3. Select Auto discover domain controller or select a specific DC. If you use the latter approach, be sure to use port 389.

    4. Search base: First, click the Auto Fill Root Search Base button, then complete the Search base field so that it looks like this: OU=SP2007,DC=FILOBIT,DC=COM.

    5. User filter: (&(objectCategory=Person)(objectClass=User))

      Important 

      You can exclude disabled users by using this filter string instead: (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    6. Scope: One level. This will ignore any sub-OU under SP2007.

    7. Do not change any of the other values - they are fine for most import scenarios. Click OK to save this connection configuration.

  6. You are returned to the View Import Connections page again. It is now possible to add other custom import sources, but in this example you are done. If the list contains other import connections, you may have to delete them to make sure that the one you just created is the only one that will be used by the import process.

  7. Click User Profile and Properties to return to that page. The Import source is now listed as Custom source.

Important 

If you want to restore the default AD import connection, select Current Domain as the import source; this will also delete any custom import connections!
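
The effect of the two user filters, the search base, and the One level scope from the steps above can be checked offline before the connection is saved. The following is an added example, not code from the book or from SharePoint: a small Python evaluator for the filter subset used here, run over a constructed sample directory. The entry names, the userAccountControl values, and the helper names parse, matches, preview, and user are assumptions, and objectCategory is stored as a short name for simplicity.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used on the page
DEFAULT = "(&(objectCategory=Person)(objectClass=User))"
NO_DISABLED = f"(&(objectCategory=person)(objectClass=user)(!(userAccountControl:{BIT_AND}:=2)))"
OU, DOMAIN = "OU=SP2007,DC=FILOBIT,DC=COM", "DC=FILOBIT,DC=COM"

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' clause at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    m = re.fullmatch(rf"([\w-]+)(?::({re.escape(BIT_AND)}):)?=(.*)", f[i:end])
    if not m:
        raise ValueError(f"unsupported filter item: {f[i:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict with lower-case keys)."""
    if node[0] != "item":
        hits = [matches(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits) if node[0] == "|" else not hits[0]
    _, attr, rule, value = node
    have = entry.get(attr)
    if have is None:
        return False  # simplification: real LDAP evaluates this to Undefined
    if rule:  # bitwise AND: true when every bit of `value` is set in the attribute
        return int(have) & int(value) == int(value)
    values = have if isinstance(have, list) else [have]
    return any(str(v).lower() == value.lower() for v in values)

def preview(filter_text, base, scope, entries):
    """CNs selected by this filter, search base and scope ('one' or 'sub')."""
    tree, _ = parse(filter_text.strip())
    base = base.lower()
    def in_scope(dn):  # naive DN handling: assumes no escaped commas
        return dn.partition(",")[2] == base if scope == "one" else dn.endswith("," + base)
    return [e["dn"].split(",")[0][3:] for e in entries if in_scope(e["dn"].lower()) and matches(tree, e)]

def user(dn, uac, category="person", extra=()):  # objectCategory kept as a short name
    return {"dn": dn, "objectcategory": category, "useraccountcontrol": uac,
            "objectclass": ["top", "person", "organizationalPerson", "user", *extra]}

ENTRIES = [  # constructed sample directory, not from the page; bit value 2 = ACCOUNTDISABLE
    user("CN=Anna Berg," + OU, 512),
    user("CN=Old Temp," + OU, 514),               # 512 | 2: disabled
    user("CN=Test User,OU=Lab," + OU, 512),       # lives in a sub-OU of SP2007
    user("CN=Guest,CN=Users," + DOMAIN, 66082),   # disabled built-in account
    user("CN=WS01," + OU, 4096, "computer", ["computer"]),  # computers carry objectClass user too
]
```

Calling preview(NO_DISABLED, OU, "one", ENTRIES) lists what the custom connection in this example would import; swapping in DEFAULT, DOMAIN, and "sub" shows how the disabled accounts and Guest come back when the filter and scope are widened.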


Regardless of whether you configure a custom source or use the default domain setting, the next thing to configure is the schedule for the import, if you did not do it previously. You can also force a full import manually by clicking Start full import. This will immediately start the import. You will see the page get refreshed regularly, and the Profile import status will say Enumerating, then Importing. Wait for it to change to Idle, which means the import is done. If this is the first time you have performed an import, you will see that the number of profiles has increased.

Click on the View user profiles link to see a list of all the imported user profiles. You can delete any of those users from the user profile or change a profile's imported settings. This will not affect the Active Directory information, since all of this is a one-way import. To view the imported settings, click to the right of a user name to display its quick menu, then select Edit. This displays all the imported information about that user, as shown in Figure 8-4. Since there are a large number of properties, Figure 8-4 only displays some of them.

Figure 8-4

Note that a yellow disk icon next to any attribute name indicates that the information was imported from the import source, typically Active Directory. You can change it now, but if you do, it will be overwritten the next time the import process runs.

All attributes that do not have the disk icon, such as About me and Picture, must be set manually, either by the SharePoint administrator using this page or possibly by the user. This is controlled on another page. But first, if you changed any of these values, click Save and Close now, to return to the View User Profiles page, then click the breadcrumb trail link User Profile and Properties to go back to the first page, as shown in Figure 8-1.

There is more interesting information under the section User Profile Properties on this page. You can see the total number of user profile properties: 46 by default (which is almost twice the number in SPS 2003) and how many of these are mapped to Active Directory attributes: 21 by default (compared to 14 in SPS 2003). There are two links:

  • Add profile property: Use this link when you need to add more properties to the user profile database. You can configure the new property in many ways, including any mappings to the Active Directory.

  • View profile properties: Use this link to view and modify existing properties; for example, if you want to map an existing property to an Active Directory attribute.

The best way of understanding these settings, as usual, is to try an example. Say that you want to add a new property named IQ. You don't want to map this value to any Active Directory attribute, but you want to enable users to set this value by themselves (yes, this is an unrealistic example!). The following Try It Out illustrates how you do this.

Try It Out Add a New Property to the User Profile

  1. On the User Profile and Properties page, click Add profile property. This opens a web form. Enter the following values (see Figure 8-5):

    Figure 8-5

    1. Name: IQ. The name for this property.

    2. Display name: Brain IQ. The name as displayed to the user.

    3. Type: Integer. Defines what type of information you can store in this property.

    4. Description: "Enter your Brain IQ."

    5. Policy Setting: Choose between Optional, Required, and Disabled. In this example, choose Optional.

    6. Default Privacy Setting: Define who will see this attribute; choose My Manager. If you also check the option User can override, then users can change this privacy setting in their My Site web site, using the Edit Details link. Leave this unchecked in this example.

    7. In the Edit Settings section: Select Allow users to edit values for this property.

    8. In the Display Settings section: Check both Show in the profile properties section of the user's profile page, and Show on the Edit Details page.

    9. In the Search Settings section: Check Indexed only.

    10. In the Property Import Mapping section: Select Not mapped.

    11. Click OK to save and close this page.

  2. You are returned to the User Profiles and Properties page. Click the View profile properties link to verify that the new property is listed (at the end of the page) as Brain IQ and configured in a proper way.

  3. To test this value for a user listed in the user profile, click the link User Profiles and Properties to go back to that page (note that Number of user profile properties has increased by one). Click View User Profiles, and edit any user listed there. Enter a value for the Brain IQ property (for example, 120), and click Save and Close. Later, you will see how this value shows up in the My Site page.


To modify an existing property, you use the link View profile properties in the User Profile Properties section on the User Profiles and Properties page. For example, say that you want to map the attribute for the existing user property named "Mobile phone" to the Active Directory property "Mobile." The following Try It Out shows how you do this:

Try It Out Map a User Property to an AD Attribute

  1. Log on as a SharePoint Administrator, and start the Central Administration tool. Click on the Shared Service instance (typically named SharedServices1) listed in the Quick Launch bar under the Shared Service Administration heading. Next, click User profiles and properties in the User Profiles and My Sites section. At the end of the page, click View profile properties (in the User Profile Properties section). This opens a web form with all existing properties and their settings.

  2. Locate the Mobile Phone property, near the end of this page. Use its quick menu to select Edit. This will open the configuration page for the property. Note that there are a lot of settings; for example, settings to define who can see the property, who can edit it, and if it will be searchable or not.

  3. At the end of the page is the section Property Import Mapping; you can use that to map a user profile property to Active Directory, or any other existing data connection. Change the Data source field to map to mobile. This will connect the AD property Mobile to the user profile property Mobile Phone.

  4. Click OK to save and close the page. Note that the Mobile Phone property is now mapped to mobile.

  5. Click the breadcrumb link User Profile and Properties to return to that page.

  6. Since you want to see immediately if this works, click Start Full Import. When the process is finished, open any user profile with the mobile property set in AD, then verify that the mobile number is listed in the user profile.


You have now seen how to manage user profiles, and how to add and modify new properties. You have also learned how to do a custom source import of the Active Directory. It was not that hard, was it? Well, if you want to import just the users who belong to a distribution list or something similar, you will need to understand more about LDAP query filters. There are lots of sources with good information about LDAP, including examples of how to do more advanced filtering for SharePoint's custom source imports.

Important 

Use this link to find more information about custom LDAP queries: http://msdn2.microsoft.com/en-us/library/aa746475.aspx.



Beginning SharePoint 2007 Administration. Windows SharePoint Services 3 and Microsoft Office SharePoint Server 2007