How to Use Active Directory to Prevent Unwanted SharePoint Installations in Your Organization
As you may know, SharePoint deployments are managed at the farm level. Therefore, users can install additional SharePoint farms in your environment without your permission. Obviously, you don’t want SharePoint farms popping up on your network without your knowledge and approval. You want to make sure that new deployments conform to your company’s standards. So how do you stop unauthorized SharePoint deployments? Use the following methods to block or track SharePoint installations.
How to Block SharePoint Installations
To disable the installation of SharePoint Server and related products, configure the following registry key using Group Policy in Active Directory directory services:
HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\ SharePoint\DWORD DisableInstall
Setting the DWORD value DisableInstall=00000001 will block the installation. Once you have configured this setting, when a user tries to install SharePoint Server, he/she will get the following error message:
SharePoint installation is blocked in your organization. Please contact your network administrator for more details.
How to Track SharePoint Installations
You can also track SharePoint installations in your organization by using the Active Directory Domain Services (AD DS) marker. Here’s a description from Microsoft TechNet on how the AD DS marker works.
“An Active Directory Domain Services (AD DS) Marker called Service Connection Point identifies the SharePoint 2010 Products servers in an organization. To use this marker, create a container in AD DS and set the permissions for the container before you install any SharePoint 2010 Products in the environment. Then, when you or another user in your domain runs the SharePoint Products Configuration Wizard as part of installing SharePoint Server 2010, this marker is set, and can be tracked by using AD DS. You must set this marker for each domain that you have in your organization if you want to track installations in all domains. This marker is removed from AD DS when the last server is removed from a farm. You can also set the marker by using Windows PowerShell. The marker contains the URL for the Application Discovery and Load Balancer Service (also known as the topology service application) for the server farm.
You have to grant permission to write to this container to any user accounts or domain accounts that could run the SharePoint Products Configuration Wizard. If the account does not have permission to write to this container, the following warning will appear in the log file for the SharePoint Products Configuration Wizard:
Failed to add the service connection point for this farm
Unable to create a Service Connection Point in the current Active Directory domain. Verify that the SharePoint container exists in the current domain and that you have rights to write to it.”
For more information on how to create the container in Active Directory and set the permissions using Active Directory Service Interfaces (ADSI) Edit, check out this article.