Tuesday, April 29, 2014

Advanced SharePoint Extranet Management: (ExCM) 2013 Advanced Features - User Automation

A couple of problems that SharePoint Server Administrators regularly encounter are:
(1) How can I know when an extranet user from a partner company leaves the company, and
(2) How can I avoid accumulating inactive accounts for users that no longer exist, which are just "sitting out there?"

Unfortunately, it is nearly impossible to keep up with the "comings and goings" of extranet users who are employees of partner companies.

But Extranet Collaboration Manager 2013 (ExCM) contains within it the capability of helping our clients with specific extranet user security needs like this.

The ExCM User Automation (UA) feature can be used to apply recurring policies to accounts residing in the ExCM user database. These policies are applied by a SharePoint Timer Job, which periodically inspects each account. UA can be used to expire user accounts based on attributes such as periods of inactivity or failure to update their password within a specified period, solving the problem of user "housekeeping."


You first need to enable the SharePoint Service object, which is used to provide farm-wide services and configuration data. To activate the service, open the SharePoint Management Shell and type the following command:

Next, create a User Automation Job:

Now, provide values for a few parameters:
PolicySite - URL of SharePoint site running ExCM 2013

Schedule - frequency at which the job will be executed, for example:

"every 5 minutes between 0 and 4"
"hourly between 0 and 59"
"daily at 15:00:00"
"weekly between Fri 22:00:00"
"monthly at 15:00:00"
"yearly at Jan 1 15:00:00"

In this example, I will have the job run daily:

Once that is configured, a new menu appears under "Extranet Settings" from the Site Settings page:

From within this menu, all UA options are available. You can expire accounts based on two attributes: activity and password change. You can also choose to use both attributes in combination. Available options include when the policy will go into effect; how far ahead of that time the user will receive an email notification; and how often the expiration notification will be repeated:

In this case, I would like to expire accounts based on inactivity. To achieve this, I will disable all the password attributes using the default values provided:
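To make the policy semantics above concrete (inactivity, password age, either attribute or both, the notification lead time and the repeat interval), here is an added example written for this post; it is not ExCM's own code, and the record fields, policy names and sample accounts are constructed assumptions. It also shows the combined case, where the earlier of the two expiry dates wins:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class Policy:                         # assumed shape of the UA options, not ExCM's own
    inactivity_days: Optional[int]    # None disables the activity attribute
    password_age_days: Optional[int]  # None disables the password attribute
    notify_ahead_days: int            # warn this many days before expiry
    notify_repeat_days: int           # repeat the warning on this interval
@dataclass
class Account:                        # assumed record fields, not the ExCM schema
    user: str
    last_activity: date
    last_password_change: date
    last_notified: Optional[date] = None

def expiry_date(acct, policy):
    """Earliest expiry date across the enabled attributes (both enabled: earlier one wins)."""
    due = []
    if policy.inactivity_days is not None:
        due.append(acct.last_activity + timedelta(days=policy.inactivity_days))
    if policy.password_age_days is not None:
        due.append(acct.last_password_change + timedelta(days=policy.password_age_days))
    return min(due) if due else None

def evaluate(acct, policy, today):
    """Decide what one timer-job pass does with an account: 'expire', 'notify' or 'none'."""
    due = expiry_date(acct, policy)
    if due is None:
        return "none"
    if today >= due:
        return "expire"
    if today < due - timedelta(days=policy.notify_ahead_days):
        return "none"                 # not yet inside the warning window
    if acct.last_notified is None or (today - acct.last_notified).days >= policy.notify_repeat_days:
        acct.last_notified = today    # first notice, or the repeat interval has elapsed
        return "notify"
    return "none"                     # already warned within the repeat interval

def run_job(accounts, policy, today):
    # one scheduled pass over the user database, as the timer job would make
    return {a.user: evaluate(a, policy, today) for a in accounts}

def make_sample_accounts():
    """Constructed sample records, not real extranet users."""
    return [
        Account("alice", date(2014, 1, 1), date(2014, 1, 1)),
        Account("bob", date(2014, 2, 10), date(2014, 2, 10)),
        Account("carol", date(2014, 2, 10), date(2014, 2, 10), last_notified=date(2014, 4, 27)),
        Account("dave", date(2014, 4, 20), date(2014, 1, 15)),
    ]
```

With the inactivity-only policy used in this post, `run_job` expires alice, warns bob for the first time, skips carol (warned two days ago) and leaves dave alone; enabling the password attribute as well expires dave on the strength of his old password.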

Now that the User Automation options have been configured via the ExCM user interface, I'll need to edit the OWSTIMER.EXE configuration. Specifically, the job must be able to read from and write to the database where the extranet users are located. This file is found at the following location:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Bin\OWSTimer.exe.config

Below is a sample configuration file that allows the service to connect to the extranet database:


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <connectionStrings>
    <add name="ExtranetDirectory" connectionString="Data Source=[servername];Initial Catalog=ExtranetDirectory;Integrated Security=SSPI"/>
  </connectionStrings>
  <system.web>
    <!-- Version= is left as in the original; it must match the System.Web assembly version installed on the farm -->
    <membership defaultProvider="Ext">
      <providers>
        <add name="Ext" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ExtranetDirectory" enablePasswordRetrieval="false" passwordFormat="Hashed" applicationName="/" requiresUniqueEmail="true" enablePasswordReset="true" requiresQuestionAndAnswer="true" maxInvalidPasswordAttempts="10" passwordAttemptWindow="10" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression=""/>
      </providers>
    </membership>
    <roleManager defaultProvider="ExtRole" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="ExtRole" connectionStringName="ExtranetDirectory" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </roleManager>
  </system.web>
</configuration>

Please note that some values in the example above, such as the SQL Server name and the membership provider names, may be different in your file. Once the edits have been made and the file has been saved, be sure to perform an IIS reset.

Now that I have configured the UA options and subsequently configured the timer job, I want to monitor the job's execution. Here's how you do it. Navigate to Central Administration:

From Central Administration's Home page, click Monitoring

On the Monitoring page, under the Timer Job section, click Check job status

From the Timer Job Status Page, in the "View" filter, click Service

In the Service filter, click Change Service

From the Select Service dialog, click Extranet Service

You should see a screen very similar to the one below if everything went smoothly:

In summary, many organizations using ExCM to manage their extranet need to provide specific ongoing security for extranet user accounts. For example, if an employee with an extranet account leaves the company, a "live" account with working security credentials is potentially abandoned. Realistically, it is nearly impossible for a client running a SharePoint extranet to manually keep up with the employment status of extranet users from partner companies.

Without ExCM 2013's User Automation functionality, abandoned extranet user accounts would accumulate and could pose a security threat. With ExCM 2013's UA feature, SharePoint Administrators can have the peace of mind of knowing that abandoned accounts can be expired automatically based on periods of inactivity, failure to update passwords, or both.
