Finding out who set webs to inherit from parent
Hi all, I need some investigative help. The other day, I got a report that user permissions on a "bunch of webs" within a really large site collection were messed up. Come to find out, the "bunch of webs" was 177 out of 500+ webs and each of those webs were set to inherit permission up to the root web. Originally, they had unique permissions. Users are accusing "the system" of resetting the permission inheritance of these webs, but I disagree as the environment is 99.8% vanilla MOSS 2007. Any non-OOTB MOSS stuff doesn't touch permissions. And, logically, it doesn't seem possible that "the system" would set user permission to inherit from parent for only 177 out of 500+ webs in 1 site collection. While I work on restoring the permissions, I also need to find out what the heck happened. My gut tells me this was caused by a user. I need to scour for the evidence, though. That's where I need some help. This smells like some user ran code that calls a web service or something, but I'm not quite sure what to look for in the IIS logs to prove it and find out who. If a user did it manually, it would have taken them a while to hit 177 sites and make the permissions inherit from the parent; doesn't seem likely. Can anyone advise on some things I can look for to get to the bottom of this? Thanks, Ann
February 21st, 2011 6:27pm

Unfortunately the logging in 2007 was subpar. You'll have to scour the IIS logs to find the answers you need. Where I would start is by process of elimination. In order to reset permissions, the user would have to have Owner rights to the site. Since only 177 sites were reset, I would start by seeing who are owners of all of those 177 sites. If some rogue code did reset the permissions, the fact that it only did it for 177 sites should point you to a small group of people who had the proper permissions on ALL of those 177 sites, and once you have those IDs, you can look for only those in the IIS logs to determine which one was the culprit. I trust that answers your question... Thanks C http://www.cjvandyk.com/blog
February 23rd, 2011 11:32am

Thanks for the info, Cornelius. I've spent the past few days combing through the IIS logs, looking at activities for the 8 users who have access to those 177 subwebs. I've been able to rule out 6 of the 8 based on activity. Of the two left, there is one I'm super suspicious of, but I am not sure I've got the evidentiary proof just yet. Maybe you can provide some additional guidance on next steps...
The structure of the site collection is like this:
SCRootweb (/sites/main)
    Web (/sites/main/web) <--- all subwebs fall below this web
        Subweb (/sites/main/web/userweb1)
        Subweb (/sites/main/web/userweb2)
        .....
I can see that this suspicious user went to /sites/main/web/_layouts/user.aspx. I see the user then went to /sites/main/web/_layouts/role.aspx and changed something on role.aspx, given I see a POST in the IIS logs for that page. I can't determine 100% what it was that this user changed, but I did see that the person set the permission levels to inherit permission levels from /sites/main. In terms of web properties, SharePoint Manager shows /sites/main/web as HasUniqueRoleAssignments = True and HasUniqueRoleDefinitions = False. Given that, all 177 subwebs have those settings and none load up role.aspx anymore.
Back on topic: The IIS logs don't show me that this user hit all 177 subwebs. All I'm able to get is that the user modified /sites/main/web/_layouts/role.aspx. Is it illogical to conclude the following: If /sites/main/web had unique permission levels and all 176 subwebs were inheriting permission levels from /sites/main/web, then the act of setting /sites/main/web to now inherit permission levels from /sites/main would cause all 177 subweb user permissions to get reset to the same user permission list as /sites/main? I always thought inheritance for permissions and permission levels were treated independently, but perhaps I'm wrong...
I also couldn't find anything in the logs that would tell me someone called a web service from rogue code. I was looking at all entries where cs-uri-stem contained ".asmx". Any thoughts on what I should be looking for? Thanks, Ann
February 28th, 2011 4:51pm
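
The log search discussed in this thread, as an added example (not code from any poster): it filters IIS W3C log lines for POSTs made by a short list of suspect accounts to user.aspx, role.aspx or any .asmx endpoint, and groups the hits by web so you can see how many webs each account actually touched. The sample log lines, the CONTOSO account names and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2011-02-18 14:02:11 GET /sites/main/web/_layouts/user.aspx - CONTOSO\\usera 10.0.0.5 200
2011-02-18 14:02:40 GET /sites/main/web/_layouts/role.aspx - CONTOSO\\usera 10.0.0.5 200
2011-02-18 14:03:05 POST /sites/main/web/_layouts/role.aspx - CONTOSO\\usera 10.0.0.5 302
2011-02-18 14:10:00 POST /sites/main/web/userweb1/_vti_bin/Permissions.asmx - CONTOSO\\userb 10.0.0.9 200
2011-02-18 14:11:00 POST /sites/main/web/userweb2/_layouts/upload.aspx - CONTOSO\\userb 10.0.0.9 200
2011-02-18 14:12:00 GET /sites/main/web/default.aspx - CONTOSO\\userc 10.0.0.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the field list can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated or foreign lines
                yield dict(zip(fields, values))

def web_of(stem):
    """Return the web URL a request was scoped to (the part before _layouts/_vti_bin)."""
    lower = stem.lower()
    for marker in ("/_layouts/", "/_vti_bin/"):
        idx = lower.find(marker)
        if idx != -1:
            return stem[:idx] or "/"
    return stem.rsplit("/", 1)[0] or "/"

def permission_posts(text, suspects, pages=("user.aspx", "role.aspx")):
    """Collect POSTs by suspect accounts to permission pages or web services."""
    wanted = {s.lower() for s in suspects}
    hits = defaultdict(list)
    for row in parse_w3c(text):
        user = row.get("cs-username", "-").lower()
        if row.get("cs-method") != "POST" or user not in wanted:
            continue
        stem = row.get("cs-uri-stem", "")
        page = stem.rsplit("/", 1)[-1].lower()
        if page in pages or page.endswith(".asmx"):
            hits[user].append((f"{row['date']} {row['time']}", web_of(stem), page))
    return dict(hits)

def webs_touched(hits):
    """Map each account to the sorted set of webs it posted permission changes to."""
    return {user: sorted({web for _, web, _ in rows}) for user, rows in hits.items()}
```

IIS writes W3C log timestamps in UTC by default, so convert before lining them up with the time users reported the problem.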

You said in your post "Come to find out, the "bunch of webs" was 177 out of 500+ webs and each of those webs were set to inherit permission up to the root web. Originally, they had unique permissions. Users are accusing "the system" of resetting the permission inheritance of these webs, but I disagree as the environment is 99.8% vanilla MOSS 2007. Any non-OOTB MOSS stuff doesn't touch permissions. And, logically, it doesn't seem possible that "the system" would set user permission to inherit from parent for only 177 out of 500+ webs in 1 site collection." Unless you specified at the time of subsite creation that you want to use unique permissions, the default behaviour is always to inherit permissions from the parent. A site administrator can always go and reset this to inherit from parent through the UI; custom code is not required. As far as investigating who is changing permissions, the auditing feature gives you some capabilities around auditing permission changes, but it's probably late at this point as the changes are already made. Microsoft Certified Master | SharePoint 2007 Blog
February 28th, 2011 5:06pm

This topic is archived. No further replies will be accepted.
