Did you know that SharePoint 2010 has a little check built right into installation that looks for a container in AD and, if it exists, adds the server to it? In fact, you could create an AD Group Policy to block SharePoint installs! By default nothing more than a warning happens in the installation log, and most people will ignore it and move on. Others will be a little confused and ask: Why is SharePoint trying to access an object in AD? What is this service connection point in Active Directory? I didn’t know I should extend my Active Directory schema for SharePoint. Again, by default you don’t have to extend the AD schema, but are there any benefits to doing so? I see three key scenarios here that you can take advantage of, all fairly straightforward with the right support from your AD team. (You know they already love you from your User Profile Service meetings.)
I want to track installations of SharePoint 2010 – You’ll simply create the "Microsoft SharePoint Products" container under the System container for the service connection point (SCP). Write permission on that container does have to exist for those installing SharePoint servers to actually get the SCP created. If they don’t have it, they’ll get an installation warning and move on. See the resources below for the how-to details on configuring this.
Jie Li put together a script in the Script Center for listing all the SharePoint 2010 server names.
I want to BLOCK new installations of SharePoint 2010 including SharePoint Foundation – Since pretty much anyone can install SharePoint Foundation and run it under their desk, you might want to actually block the installation. Of course this would be the plan for someone trying to keep only the managed SharePoint farms on the radar and avoid the rogue deployments.
I want to control who can install SharePoint in the enterprise to a limited group – I remember discussing this need with the SharePoint product team… "For governance reasons we should be able to control who can install SharePoint." We went on to explain… "we don’t want it popping up everywhere" because people assume we won’t support their app. We want them to engage us. You can do that too! Here you’ll create an ADM policy or GPO with DisableInstall=1 filtered by the security group. Mark Cresswell goes into great detail including links to sample ADM/ADMX files.
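For the tracking scenario above, here is one way to read the SCPs back out of AD and build an inventory. This is an added example, not Jie Li's script or code from the references; the function name `Get-SharePointScp` is hypothetical, and it assumes the container keeps the default name and location described above and that the standard `serviceBindingInformation` attribute is where the farm information was written.

```powershell
# Added example: list SharePoint service connection points (SCPs) in AD.
# Assumptions: default container name from the post, located directly under
# CN=System of the current domain; the caller can read that container.
function Get-SharePointScp {
    param(
        # Container name as given in the post; change it if yours differs.
        [string]$ContainerName = 'Microsoft SharePoint Products'
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $path     = "LDAP://CN=$ContainerName,CN=System,$domainDn"

    # No container means tracking was never set up; installs only log a warning.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "Container not found: $path"
        return
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$path
    $searcher.Filter      = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # page results so large domains are not truncated
    foreach ($p in 'distinguishedName', 'serviceBindingInformation', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Property keys in a SearchResult are lower case.
            [pscustomobject]@{
                Binding           = @($r.Properties['servicebindinginformation']) -join '; '
                Created           = @($r.Properties['whencreated'])[0]
                DistinguishedName = @($r.Properties['distinguishedname'])[0]
            }
        }
    }
    finally {
        $results.Dispose()   # FindAll() holds unmanaged resources
    }
}

# Oldest first, so newly appeared entries sit at the bottom of the report.
Get-SharePointScp | Sort-Object Created | Format-Table -AutoSize
```

Run it on a schedule and compare the output with your list of managed farms; anything unexpected is a deployment to follow up on.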
Now you’re asking: why didn’t I see this in the documentation before I installed my first SharePoint box? One option is running discovery… Consider a free demo of Quest’s Site Administrator to help you locate the SharePoint boxes in your enterprise. There have been a number of scanning tools I’ve used over time, but make sure your network admin knows before you start a port scan. I say that from personal experience. It looks nasty to a network admin and could be grounds for dismissal.
Key references on the *HOW TO* on configuring:
Mark Cresswell – SharePoint 2010 brings new Governance controls to IT Pro’s