In contrast, Active Directory Account Creation (ADAC) mode, which also uses Active
Directory, will add an account to Active Directory after the account has been added to
SharePoint. This method requires that SharePoint have access to, and control over, an OU
in AD in which to put the user accounts. As you can imagine, ADAC does have its shortcomings
and is more complex to configure, but it offers an alternative for those who want to be able
to add users to AD from SharePoint, rather than vice versa. This can be useful to those who
want to allow SharePoint access to users who don’t originally have an account in AD.
Sadly, this setting is likely to be deprecated (meaning removed) in future releases
because using forms-based authentication is easier and does not impact the entire farm,
only the web application you configure to use it.
We are not going to be using ADAC for this implementation, so do not configure it.
13. Instead, take a good look at the summary, make sure there are no errors, and then click
Next to continue.
SERIOUSLY CONSIDERING ACTIVE DIRECTORY ACCOUNT CREATION MODE?
If you are considering using Active Directory Account Creation Mode (ADAC), there are a few more
things to consider.
Keep in mind that with Domain User Account mode, you need to have the user in AD before you
can add them as a user in SharePoint. With ADAC, you add the user to SharePoint, and then they
are added as users in the OU you made for SharePoint in Active Directory.
So, to use ADAC, you must set it under Advanced Settings during installation; otherwise, you won’t
be able to use it. There is no going back.
To use ADAC, you must have an organizational unit in Active Directory ready to contain the users.
The OU must be set to have the correct permissions to manage it; namely, the farm account and
content database accounts for the farm must be delegated the right to create/delete/manage user
accounts and read all user account information in that OU. If you are using ADAC, only users
created in the OU are available as users in SharePoint; you cannot add a user from elsewhere in AD
that isn’t in that OU. Nor are those users available to be added to groups or other resources in AD.
Further, because users are intended to be added on a per-site-collection basis, you can’t reuse
a user you’ve already added to one site collection in another. You’d have to add them again with a
slightly different username. As (I have to assume) a convenience, users are added in ADAC using
their email address, which is used to generate their username. This can be challenging if they are
added to ADAC over and over again because they need access to multiple site collections.
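One way to audit the OU delegation described above is to list every account that can create or delete user objects in the ADAC OU and compare it with the accounts you meant to delegate to. This is an added example, not from the book. The OU path and account names are assumed placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is available.

```powershell
# Assumed, constructed values: replace with your own OU and service accounts.
$OuDn     = 'OU=SharePointUsers,DC=example,DC=com'
$Expected = @('EXAMPLE\spfarm', 'EXAMPLE\spcontent')  # farm and content database accounts

Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads from

# schemaIDGUID of the "user" class. An empty GUID in ObjectType means "all object types".
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$AllTypes  = [guid]::Empty

# Bit values of the rights that allow creating/deleting child objects.
# GenericAll (full control) includes both bits, so it is caught as well.
$CreateChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$DeleteChild = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$acl = Get-Acl -Path "AD:\$OuDn"

$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $rights    = [int]$ace.ActiveDirectoryRights
    $canCreate = ($rights -band $CreateChild) -ne 0
    $canDelete = ($rights -band $DeleteChild) -ne 0
    if (-not ($canCreate -or $canDelete)) { continue }

    # Skip ACEs scoped to some other object class (computers, groups, ...).
    if (@($UserClass, $AllTypes) -notcontains $ace.ObjectType) { continue }

    $trustee = $ace.IdentityReference.Value
    New-Object psobject -Property @{
        Trustee   = $trustee
        Create    = $canCreate
        Delete    = $canDelete
        AppliesTo = $ace.InheritanceType      # None/All = the OU itself is covered
        Inherited = $ace.IsInherited          # True = granted higher up the tree
        Expected  = ($Expected -contains $trustee)
    }
}

$report | Sort-Object Expected, Trustee |
    Format-Table Trustee, Create, Delete, AppliesTo, Inherited, Expected -AutoSize
```

Rows with Expected set to False are not automatically a problem, since default administrative groups normally appear here too. Any other trustee is worth reviewing, because it can create or remove the accounts SharePoint will treat as its users.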
If you are going to enable ADAC for your user accounts, keep in mind a few things:
You cannot upgrade a SharePoint Foundation server to SharePoint Server 2010 if it is running
in ADAC mode. SharePoint Server doesn’t support it.
You cannot change your mind. If you decide the setup is too hard and you would rather go back
to the default Domain Account mode, you are out of luck. During a SharePoint installation, you
choose one user account mode or the other, and that is it for the whole farm forever. The setting is
unchangeably burned into the configuration database. You cannot change it without reinstalling.
This is why the Standalone install just goes for the default Domain Account mode automatically.