Wednesday, June 06, 2012

Implementing SharePoint Extranet Collaboration Manager 2010 (ExCM) Advanced Features– Part 2 – Extranet Account Managers

By Matthew McBride
Overview of Extranet Account Managers
In the 2007 version of Extranet Collaboration Manager (ExCM), we received a lot of feedback from customers regarding Site Collection Administrators and their ability to delete external accounts.  Many of them experienced inadvertent user deletion due to the elevated permissions a Site Collection Administrator has by default.

In Extranet Collaboration Manager for SharePoint 2010, users can only be deleted from the following Users tab ribbon in the ExCM Extranet Users menu:

By default, only SharePoint Farm Administrators can view this area.  For all other users, including Site Collection Administrators, the tab is hidden:

While this addresses the inadvertent deletion of users, there may be situations where administrators want to grant a particular user the ability to delete an account, but NOT grant that user Farm Administrator privileges.  The Extranet Account Manager (EAM) feature addresses such instances.
Granting Users Extranet Account Manager Privileges
An EAM is defined as a user who is a Site Collection Administrator and has been appointed an Extranet Account Manager using the SharePoint Management Shell.  One can grant EAM access to either a Windows or Forms Based account.

ExCM 2010 comes with a SharePoint Service object used to provide farm wide services and configuration data.  This opens up some advanced options available via a command line interface.  To activate the service, open the SharePoint Management Shell and type the following command:

Next, enter the command to create a new EAM:

Next, specify the identity of the new EAM.  This is the fully qualified login name of the account, so make sure to enter one of the following formats depending upon the type of user you are adding (Windows or FBA):
Windows:            DomainName\Username (ACME\TestyTester
FBA:                      MembershipProviderName:Username (Ext:ExtranetUser)
Finally, specify the Membership Provider Name(s) that you want the EAM to manage.  In this case, I only have one provider (Ext) so I will use it:

One can verify that the account was added successfully by typing this command:

If I now log on to my site as “,” I see the following under the “Extranet Users” menu:

In summary, Extranet Collaboration Manager for SharePoint 2010’s Extranet Account Manager feature allows SharePoint Admins to grant certain users the ability to fully manage your Extranet Users, including the ability to delete them, without having Farm Admin privileges.  Either Windows or FBA accounts can be granted EAM privileges.