Wednesday, October 04, 2006

Audience compilation in a multi forest environment

When you are trying to create an audience based on membership of an Active Directory group, and that group is located in a domain in another trust... quit trying, it won't work. This can only be done with a workaround.

I have been in contact with Microsoft Support and they wrote me the following:


ACTION:
You have two Windows 2003 Active Directory Forests. Two Domains in these Forests are trusted (External Domain Trust, no Forest Trust). You have given some users from the External Domain permission to access SharePoint. This works so far. Now you want to create an Audience based on the membership of a Group in the External Domain.

RESULT:
You cannot compile this Audience. You receive the error:
One or more values typed on this page are not valid. Check the text for the indicated fields.

CAUSE:
This is a Design Limitation of SharePoint. SharePoint cannot read across its own Active Directory Forest because of the technique used to access it.

RESOLUTION:
To work around this Design Limitation, follow these steps:
1. Create a Domain Local security group in the Domain where SharePoint resides
2. Add *users* from the External Domain to this group
3. Create an Audience with a rule specifying the Domain Local group created in step 1
4. Compile the audience


So just create a local group in the SharePoint Active Directory and add the users of the other domain to that group. Audience compilation will then work and users are added to the audience!!
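Steps 1 and 2 of the workaround scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post or of Microsoft's reply. The domain names, OU path, group name and user accounts are placeholders, and it assumes domain controllers in both domains can be queried by the module. It also checks the group scope, because a Global group cannot hold members from another domain.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
Import-Module ActiveDirectory

$LocalDomain    = 'sharepoint.example'   # domain where SharePoint resides
$ExternalDomain = 'external.example'     # trusted external domain
$GroupName      = 'SP-Audience-External' # hypothetical group name
$GroupPath      = 'OU=Groups,DC=sharepoint,DC=example'
$ExternalUsers  = @('jdoe', 'asmith')    # constructed sample accounts

# Step 1: create the group as Domain Local, or reuse it if it already exists.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $LocalDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupPath -Server $LocalDomain -PassThru
}
# An existing group may have been created with Global scope; stop if so.
if ($group.GroupScope -ne 'DomainLocal') {
    throw "$GroupName has scope $($group.GroupScope); it must be DomainLocal."
}

# Step 2: add the external users by SID. Adding by SID makes AD create the
# foreign security principal object that represents the user locally.
$current = @((Get-ADGroup $group -Server $LocalDomain -Properties member).member)
foreach ($sam in $ExternalUsers) {
    $sid = (Get-ADUser -Identity $sam -Server $ExternalDomain).SID.Value
    if ($current -like "CN=$sid,CN=ForeignSecurityPrincipals,*") { continue }
    Set-ADGroup -Identity $group -Server $LocalDomain -Add @{ member = "<SID=$sid>" }
}

# Check before compiling the audience: scope, and how many members are
# foreign security principals (users from the external domain).
$members = @((Get-ADGroup $group -Server $LocalDomain -Properties member).member)
$foreign = @($members | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })
"{0}: scope={1}, members={2}, from external domain={3}" -f `
    $GroupName, $group.GroupScope, $members.Count, $foreign.Count
```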

8 comments:

Ying said...

Yorick,
I did exactly what you proposed to try to include the users from a trusted domain in my audience. But it does not work for me. After I compiled the audience, no one from the external trusted domain showed up.

Here are my Procedures:
1. created a local security group in the sharepoint AD
2. added users from the trusted domain to the local security group
3. created an audience, and the rule is set for using "User" for Operand, "Member of" for Operator, and the "Value" is the name of the local security group.

I wonder what I have missed.

Thank you for your response.

Yorick said...

Ying,

Did you create a Domain Local Group or Global Group (which is the default setting)?

I used the Domain Local Group, which worked.

Regards,

Yorick

Ying said...

Hi Yorick,

Thank you for getting back to me. I use domain local group, and my domain functional level is Server 2003. I add users from the local domain as well as from the trusted domain into the group. But only users from the local domain show up in the Audience Membership view.

Regards,

Ying

Yorick said...

Ying,

Strange, this solution worked for me. Unfortunately I have no solution for this.

Are you using SPS2003 or MOSS2007?

Yorick

Ying said...

Yorick,

I use MOSS 2007.

Thank you,

Ying

Yorick said...

Looks like MOSS works a little differently than SPS. I performed this solution on an SPS2003 environment, which worked fine.

Ying said...

Yorick,

Thank you for your blog, and your responses anyway.

Best regards,

Ying