Well after laboring to install the MS Admin Toolkit I am disappointed to find out that the 'Check Effective Permissions' function only checks the current site permissions. I'm looking for a tool that will return the permissions a user has to every subsite. I have about 30 users that I need to confirm permissions on and almost 700 sites (all housed under a main site) to check.

Mikey, I haven't used this myself yet, but I think it might be along the lines of your needs: http://permissionsmanager.codeplex.com/.

Tracy, Thanks, I will give that a shot once I get my dev environment working again. I've tried the Access Checker (also on Codeplex) but it gives me an error when I try and retrieve permissions using it.

I was able to check out the Permissions Manager but it looks like it only does group. Still scratching my head for a solution on this one.

It's doubtful you'll be able to find a solution that indicates the actual members of a security group, any tool is just going to enumerate the groups and tell you what permissions they have on that object. Unless a user was given direct permission and does not belong to a particular security group. Otherwise, you can use SharePoint to easily view the membership for that group.

You brought up one of the issues we have which is many users are added individually to sites vs. being in SP or AD groups. The other issue is that we have close to 700 groups. To use the tool above I would have to go to each site (again, close to 700), see what groups have access, go through each group and see what users are in said group. This is a great solution which I had played with before but evidently one of the CUs broke it.

I'm not sure how development saavy you are, but it would be relatively simple (I think) to programmtically enumerate user permissions. I found the following code after a quick search: http://www.vbdotnetheaven.com/UploadFile/ssahmed/spuserperm09192006044916AM/spuserperm.aspx. I'm not sure what you mean when you say 'one of the CUs broke it'.

That's funny, same link a developer friend just sent to me. I have a thimblefull of development knowledge so it'll be tough for me to make my way through that but I understand that might be the only/best way to get the results I want. CU is cumulative update, sorry. The error I got was listed under the Issues tab on that codeplex page as being cause by the April 09 CU.

Hi Mikey, If programing is not acceptable for you, you may need to use some 3^rd party solutions. I have tested Access Checker web part, it seems that it is not working in my farm either. Then another solution may fit for your needs is the paid solution deliverpoint(http://www.lightningtools.com/deliverpoint/sharepoint-permission-management.aspx). You could try to request a trail version and see if it is helpful for your issue. Hope it helps. Lambert Qin TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Sincerely, Lambert Qin Posting is provided "AS IS" with no warranties, and confers no rights.

I've written a tool that does this. The other tools may be solutions as well, but from what I've gathered, mine is different in that it is done via web services, so there is nothing that needs to be added to the site in order to get it working. As of 5/10, it is still in beta, but I hope to have the remaining features finished within the week. http://www.thesug.org/Blogs/lsuslinky/SUA/Pages/default.aspx let me know if that works for you. Tim

Tim, thanks a lot, I'm running your tool now. It is taking some time to scan but I assume that's due to the number of sites we have. I'll let you know how it works! The tool listed above (DeliverPoint) looked like a winner until I realized it wasn't returning accurate results. It lists no access for a few users who I know had rights to several sites. Not good for a $1500 product!

I hope it suits your needs. Like I said, it's still got a few features to flesh out, so the permissions for AD groups may or may not appear just yet. But I'll have that put in shortly. As for the speed, I've found that Web Services' speed varies. I've hit the same site over and over (sandbox for testing) and it'll be slow the first time (understandable), fast another time, and then slow again. Just depends on SharePoint's "mood", I guess. But there are two scans: first is the site tree construction; second is the scanning of the sites. While it does a check for inheritance, it still has to hit the permissions web service for each site, so it'll take a little time if you have a large site. But if you're scanning a particular site, you can enter any URL in the system and scan from that point down. That or just right-click a node in the treeview and scan from there. Still then, at the least, I'd hope the speed trade-off here is a fair trade for not having to pay $1500! Let me know if something isn't right and I'll be sure to get it fixed. Tim

Hey, I'm not complainin! If it works it can take all day for all I care. I do need it to scan the whole collection (680ish sites) as I need to check and see what access these select users have on the entire collection.

To get the whole site collection, enter the site collection root in the URL box and scan. Then choose "Scan the site and all it's subsites" in the "What next?" box. That'll scan the whole site. Note, you'll only get the unique site permissions. If a subsite inherits permissions, you will not see a listing for permissions on that site. One thing that is not in place is for unique page/list item permissions. If you have unique permissions at that level, you will get the "Limited Access" level displayed for the site. But to get the data for specific users, once the scan is complete, goto the Data menu and choose "Print/Export Data". In the wizard that appears, you'll have the ability to print/export data for specific users or specific groups. This will keep you from having to sort through the whole list with a big print or XML expot.

Tim, I cant thank you enough for coming to my rescue here. Your tool worked beautifully! It took about 2 hours total to build the tree then scan the site collection. I went ahead and spit the entire thing out to CSV (50k rows!) and broke out the users I needed into a separate file. Thanks again!