List user permissions per site and rebuild security

  • Question

  • Hello,

    I'm currently working as a consultant and I'm analyzing a MOSS portal with the purpose of restructuring the data and reviewing the security. I'm done with restructuring the data within the portal, so it's now more user-friendly and easier to find what you're looking for.

    So the next part is .. security ..

    To be honest, this is kind of a real mess. You should know this company has grown historically and has 3 Active Directory domains that are used. So from these AD-domains there are security groups that are used for setting security. To make it more difficult, security groups are often nested, up to 3 levels down with groups from all over those AD-domains. Besides Active Directory groups, they also use SharePoint groups to configure security.

    I need to be able to map the effective user permissions for each site within the portal.  Once we have a map of the permissions, we will rebuild security from scratch and remove the old groups afterwards.  I can't seem to find a good way to map the permissions as SharePoint contains AD-groups mostly.  You can't see the members of those groups from SharePoint, so I'm kind of stuck ...

    Is there anybody that has experience with this? Are there any tools that will help me with that? Of course, non-commercial tools are preferred, but I'm guessing this will be difficult?

    Any feedback related to this problem is very much appreciated!


    Best regards, David
    Tuesday, January 18, 2011 2:08 PM

All replies

  • Hi David,

     

    In my opinion, permissions on sites with security groups is definitely a good practice. Nested security groups beyond a couple can be problematic, especially when a contact or DL is in the mix or when a global group is used improperly. The following list shows problematic groups:

    · Distribution Lists with contacts in them
    · Security groups with contacts in them
    · Global security groups used in a separate "resource" domain (often happens in cross domain/cross forest migrations)
    · Security groups which contain contacts
    · The deeper the nesting the more likely Windows itself will freak out

    For more information about rules of thumb for nested security groups, please refer to the following articles:

     

    http://blogs.techrepublic.com.com/networking/?p=3303&utm_source=twitterfeed&utm_medium=twitter

     

    http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html

     

    https://www.nothingbutsharepoint.com/sites/itpro/Pages/BestPracticesforEnterpriseUserScalabilityinSharePoint.aspx

     

    http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx

     

    If anything is unclear, please let me know.

     

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, January 19, 2011 3:58 AM
  • Hi David,

     

    Did you have any questions? If anything is unclear, please let me know. I am looking forward to hearing from you.

     

    Thanks!

     


    Regards, Rock Wang Microsoft Online Community Support
    Friday, January 21, 2011 2:37 AM
  • Hi Rock

    Your information was very valuable and it took many things into account that were mentioned by you and in those blogs. For example the problems that can occur when using Distribution Lists for assigning security. So many thanks for listing this up for me!

    Nevertheless my specific question remains somewhat unanswered. I need to find a way to list the effective user permissions that are assigned on each site. Since security is put in place on AD-groups, I cannot see in an easy way which users the permissions have an impact on. The goal is to create new security groups and put the same permissions in place as now, but with a simplified structure. For that I need a map of which user permissions are currently assigned on those sites.

    If you would know a way to create such a map so we can recreate security groups, it would be very lovely. 


    Best regards, David
    Friday, January 21, 2011 10:12 AM
  • Hi David,

     

    If you want to enumerate a security group’s memberships, you can use VBScript to do that. For more information about how to write the VBScript, please refer to the following articles:

     

    http://support.microsoft.com/kb/301916

     

    http://explodingcoder.com/blog/content/how-query-active-directory-security-group-membership

     

    In this way, you will know which groups have which accounts. Then you can get a map between SharePoint permissions and users.

     

    Hope this helps.

     


    Regards, Rock Wang Microsoft Online Community Support
    • Marked as answer by David De Vos Thursday, January 27, 2011 12:39 PM
    Monday, January 24, 2011 6:25 AM
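
As an added example (not part of the thread and not code from any poster): once group memberships have been exported from AD, the mapping step discussed here can be done by recursively expanding every principal assigned on a site. All domain, group, user and site names below are constructed, and the cycle guard covers nested groups that loop back on themselves.

```python
from collections import defaultdict

# Constructed sample data (not from the thread); every name is hypothetical.
# GROUPS is what an AD membership export would yield: group -> direct members.
GROUPS = {
    r"DOM1\Finance":      [r"DOM1\alice", r"DOM2\Fin-Managers"],
    r"DOM2\Fin-Managers": [r"DOM2\bob", r"DOM3\Fin-Board"],
    r"DOM3\Fin-Board":    [r"DOM3\carol", r"DOM1\Finance"],  # loops back to level 1
    r"DOM1\AllStaff":     [r"DOM1\alice", r"DOM1\dave"],
}
# SharePoint groups also hold members, which may themselves be AD groups.
SP_GROUPS = {"Finance Members": [r"DOM1\Finance", r"DOM1\dave"]}
# Site -> (principal, permission level) pairs as listed on each site's permissions page.
SITE_ASSIGNMENTS = {
    "/sites/finance": [("Finance Members", "Contribute"),
                       (r"DOM3\Fin-Board", "Full Control")],
    "/sites/intranet": [(r"DOM1\AllStaff", "Read")],
}

def expand(principal, groups, path=()):
    """Yield (user, chain) for each user reachable from principal via nested groups."""
    if principal in path:        # cyclic nesting: stop instead of recursing forever
        return
    members = groups.get(principal)
    if members is None:          # not in the export, so it is treated as a user account
        yield principal, path
        return
    for member in members:
        yield from expand(member, groups, path + (principal,))

def effective_permissions(assignments, groups):
    """Return {site: {user: {level: shortest group chain granting that level}}}."""
    result = {}
    for site, entries in assignments.items():
        users = defaultdict(dict)
        for principal, level in entries:
            for user, chain in expand(principal, groups):
                best = users[user].get(level)
                if best is None or len(chain) < len(best):
                    users[user][level] = chain
        result[site] = dict(users)
    return result

REPORT = effective_permissions(SITE_ASSIGNMENTS, {**GROUPS, **SP_GROUPS})

if __name__ == "__main__":
    for site, users in REPORT.items():
        for user, levels in sorted(users.items()):
            for level, chain in levels.items():
                print(site, user, level, " > ".join(chain) or "(direct)", sep="\t")
```

In the sample data the loop between the three nested groups gives alice and bob Full Control on /sites/finance, which the site's permissions page alone would not show.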
  • Hi David,

     

    Did you have questions? If anything is unclear, please feel free to ask me.

      


    Regards, Rock Wang Microsoft Online Community Support
    Tuesday, January 25, 2011 11:12 AM
  • Hi Rock

    It still meant a lot of work to complete. And it took a few days to map the security, but we got there using this information and these scripts. I had to map all the users with the SharePoint sites manually in some Excel sheets to get the information though ... But my problem is currently solved!

    Many thanks!


    Best regards, David
    Thursday, January 27, 2011 12:48 PM