List user permissions per site and rebuild security
Hello,
I'm currently working as a consultant and I'm analyzing a MOSS portal with the purpose of restructuring the data and reviewing the security. I'm done with restructuring the data within the portal, so it's now more user-friendly and easier to find what you're looking for.
So the next part is .. security ..
To be honest, this is kind of a real mess. You should know this company has grown historically and has 3 Active Directory domains that are used. So from these AD-domains there are security groups that are used for setting security.
To make it more difficult, security groups are often nested, up to 3 levels down with groups from all over those AD-domains. Besides Active Directory groups, they also use SharePoint groups to configure security.
I need to be able to map the effective user permissions for each site within the portal. Once we have a map of the permissions, we will rebuild security from scratch and remove the old groups afterwards. I can't seem to find a good way to map the permissions as SharePoint contains AD-groups mostly. You can't see the members of those groups from SharePoint, so I'm kind of stuck ...
Is there anybody that has experience with this? Are there any tools that will help me with that? Of course, non-commercial tools are preferred, but I'm guessing this will be difficult?
Any feedback related to this problem is very much appreciated!
Best regards, David
January 22nd, 2011 7:16pm
Hi David,
In my opinion, permissions on sites with security groups is definitely a good practice.
Nested security groups beyond a couple can be problematic especially when a contact or DL is in the mix or when a global group is used improperly. The following list shows problematic groups:
· Distribution Lists with contacts in them
· Security groups with contacts in them
· Global security groups used in a separate "resource" domain (often happens in cross domain/cross forest migrations)
· Security groups which contain contacts
· The deeper the nesting the more likely Windows itself will freak out
For more information about rules of thumb for nested security groups, please refer to the following articles:
http://blogs.techrepublic.com.com/networking/?p=3303&utm_source=twitterfeed&utm_medium=twitter
http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html
https://www.nothingbutsharepoint.com/sites/itpro/Pages/BestPracticesforEnterpriseUserScalabilityinSharePoint.aspx
http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx
If anything is unclear, please let me know.
Rock Wang
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Regards, Rock Wang
Microsoft Online Community Support
January 22nd, 2011 7:16pm
Hi Rock
Your information was very valuable and it took many things into account that were mentioned by you and in those blogs. For example the problems that can occur when using Distribution Lists for assigning security. So many thanks for listing this up for me!
Nevertheless my specific question remains somewhat unanswered. I need to find a way to list the effective user permissions that are assigned on each site. Since security is put in place on AD-groups, I cannot see in an easy way on which users the permissions have impact on. The goal is to create new security groups and put the same permissions in place as now, but with a simplified structure. For that I need a map of which user permissions are currently assigned on those sites.
If you would know a way to create such a map so we can recreate security groups, it would be very lovely.
Best regards, David
January 22nd, 2011 7:27pm
Hi David,
If you want to enumerate a security group’s memberships, you can use VBScript to do that. For more information about how to write the VBScript, please refer to the following articles:
http://support.microsoft.com/kb/301916
http://explodingcoder.com/blog/content/how-query-active-directory-security-group-membership
In this way, you will know which groups have which accounts. Then you can get a map between SharePoint permissions and users.
Hope this helps.
Rock Wang
January 29th, 2011 8:01pm
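An added example, not part of the original replies: once the group memberships have been exported with scripts like those linked above, the join between groups and site permissions can be automated instead of being done by hand. The sketch below resolves SharePoint groups and nested AD groups down to user accounts and builds the per-site map; all domain, group, user and site names are constructed sample data, and `expand` and `effective_permissions` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Accounts are DOMAIN\name.
# AD export: group -> direct members (users, nested groups, or contacts).
AD_MEMBERS = {
    r"CORP\Finance": [r"CORP\alice", r"EMEA\FinanceEU"],
    r"EMEA\FinanceEU": [r"EMEA\bob", r"LEGACY\OldFinance",
                        "contact:vendor@example.com"],
    r"LEGACY\OldFinance": [r"LEGACY\carol", r"CORP\Finance"],  # circular nesting
    r"CORP\Portal Admins": [r"CORP\dave"],
}
# SharePoint groups: group -> members (users or AD groups).
SP_GROUPS = {
    "Finance Members": [r"CORP\Finance"],
    "Owners": [r"CORP\Portal Admins", r"CORP\alice"],
}
# Role assignments: (site URL, principal, permission level).
ASSIGNMENTS = [
    ("/sites/finance", "Finance Members", "Contribute"),
    ("/sites/finance", "Owners", "Full Control"),
    ("/sites/hr", r"EMEA\FinanceEU", "Read"),
]

def expand(principal, seen=None):
    """Return the user accounts behind a principal, following SharePoint
    group and nested AD group membership across domains."""
    seen = set() if seen is None else seen
    if principal in seen:                  # already visited: cuts cycles
        return set()
    seen.add(principal)
    if principal.startswith("contact:"):   # contacts cannot log on
        return set()
    members = SP_GROUPS.get(principal, AD_MEMBERS.get(principal))
    if members is None:
        # Not a known group. Assumption: it is a user account; a group
        # missing from the export would also land here, so review leaves.
        return {principal}
    users = set()
    for member in members:
        users |= expand(member, seen)
    return users

def effective_permissions(assignments):
    """Build site -> user -> sorted list of permission levels."""
    result = defaultdict(lambda: defaultdict(set))
    for site, principal, level in assignments:
        for user in expand(principal):
            result[site][user].add(level)
    return {site: {user: sorted(levels) for user, levels in users.items()}
            for site, users in result.items()}
```

The resulting map lists, per site, every account that gains access through any chain of groups, which is the baseline needed before replacing the old groups with a flatter structure.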
Hi Rock
It still meant a lot of work to complete. And it took a few days to map the security, but we got there using this information and these scripts. I had to map all the users with the SharePoint sites manually in some Excel sheets to get the information though ... But my problem is currently solved!
Many thanks!
Best regards, David
January 29th, 2011 8:03pm
Hi David,
Did you have questions? If anything is unclear, please feel free to ask me.
Rock Wang
January 29th, 2011 8:28pm