List user permissions per site and rebuild security
Hello,

I'm currently working as a consultant and I'm analyzing a MOSS portal with the purpose of restructuring the data and reviewing the security. I'm done with restructuring the data within the portal, so it's now more user-friendly and easier to find what you're looking for. So the next part is .. security ..

To be honest, this is kind of a real mess. You should know this company has grown historically and has 3 Active Directory domains that are used. So from these AD domains there are security groups that are used for setting security. To make it more difficult, security groups are often nested, up to 3 levels down, with groups from all over those AD domains. Besides Active Directory groups, they also use SharePoint groups to configure security.

I need to be able to map the effective user permissions for each site within the portal. Once we have a map of the permissions, we will rebuild security from scratch and remove the old groups afterwards. I can't seem to find a good way to map the permissions, as SharePoint contains AD groups mostly. You can't see the members of those groups from SharePoint, so I'm kind of stuck ...

Is there anybody that has experience with this? Are there any tools that will help me with that? Of course, non-commercial tools are preferred, but I'm guessing this will be difficult? Any feedback related to this problem is very much appreciated!

Best regards, David
January 22nd, 2011 7:16pm

Hi David,

In my opinion, permissions on sites with security groups is definitely a good practice. Nested security groups beyond a couple can be problematic, especially when a contact or DL is in the mix or when a global group is used improperly. The following list shows problematic groups:

· Distribution Lists with contacts in them
· Security groups with contacts in them
· Global security groups used in a separate "resource" domain (often happens in cross domain/cross forest migrations)
· Security groups which contain contacts
· The deeper the nesting the more likely Windows itself will freak out

For more information about rules of thumb for nested security groups, please refer to the following articles:

http://blogs.techrepublic.com.com/networking/?p=3303&utm_source=twitterfeed&utm_medium=twitter
http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html
https://www.nothingbutsharepoint.com/sites/itpro/Pages/BestPracticesforEnterpriseUserScalabilityinSharePoint.aspx
http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx

If anything is unclear, please let me know.

Rock Wang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Regards, Rock Wang, Microsoft Online Community Support
January 22nd, 2011 7:16pm

Hi Rock,

Your information was very valuable and it took many things into account that were mentioned by you and in those blogs. For example, the problems that can occur when using Distribution Lists for assigning security. So many thanks for listing this up for me!

Nevertheless, my specific question remains somewhat unanswered. I need to find a way to list the effective user permissions that are assigned on each site. Since security is put in place on AD groups, I cannot see in an easy way which users the permissions have impact on. The goal is to create new security groups and put the same permissions in place as now, but with a simplified structure. For that I need a map of which user permissions are currently assigned on those sites. If you would know a way to create such a map so we can recreate security groups, it would be very lovely.

Best regards, David
January 22nd, 2011 7:27pm

Hi David,

If you want to enumerate a security group’s memberships, you can use VBScript to do that. For more information about how to write the VBScript, please refer to the following articles:

http://support.microsoft.com/kb/301916
http://explodingcoder.com/blog/content/how-query-active-directory-security-group-membership

In this way, you will know which groups have which accounts. Then you can get a map between SharePoint permissions and users. Hope this helps.

Rock Wang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Regards, Rock Wang, Microsoft Online Community Support
January 29th, 2011 8:01pm
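
The join step described in the answer above (group memberships on one side, SharePoint assignments on the other), as an added example that is not part of any post in this thread. It assumes the memberships and per-site assignments have already been exported; every domain, group, user and site name below is constructed, and the `SP:` prefix for SharePoint groups is a convention of this example only.

```python
from collections import deque

# Constructed sample exports (all names hypothetical).
# group -> direct members; a member is a user or another group, from any domain.
GROUP_MEMBERS = {
    r"DOMA\Finance-All": [r"DOMA\alice", r"DOMB\Finance-EU"],
    r"DOMB\Finance-EU": [r"DOMB\bob", r"DOMC\Finance-Interns"],
    r"DOMC\Finance-Interns": [r"DOMC\carol", r"DOMA\Finance-All"],  # circular nesting
    "SP:Finance Members": [r"DOMA\Finance-All", r"DOMA\dave"],  # SharePoint group
}
# site -> (principal, permission level) pairs as assigned in SharePoint
SITE_ASSIGNMENTS = {
    "/sites/finance": [("SP:Finance Members", "Contribute"), (r"DOMB\bob", "Full Control")],
    "/sites/hr": [(r"DOMC\Finance-Interns", "Read")],
}

def expand(principal, members=GROUP_MEMBERS):
    """Map each user reachable from principal to the group chain that grants it."""
    users, seen = {}, set()
    queue = deque([(principal, ())])
    while queue:
        name, path = queue.popleft()
        if name not in members:
            # Not an exported group: recorded as a user. A group whose membership
            # was never exported also lands here, so review leaf names.
            users.setdefault(name, path)
        elif name not in seen:  # skip groups already expanded (breaks cycles)
            seen.add(name)
            queue.extend((child, path + (name,)) for child in members[name])
    return users

def effective_permissions(assignments=SITE_ASSIGNMENTS, members=GROUP_MEMBERS):
    """Return {site: {user: {permission level: 'direct' or granting group chain}}}."""
    result = {}
    for site, grants in assignments.items():
        per_user = result.setdefault(site, {})
        for principal, level in grants:
            for user, path in expand(principal, members).items():
                per_user.setdefault(user, {}).setdefault(level, " > ".join(path) or "direct")
    return result

if __name__ == "__main__":
    for site, users in effective_permissions().items():
        for user, levels in sorted(users.items()):
            print(site, user, levels)
```

Keeping the granting chain next to each permission level shows which nested group is responsible for an entry, which is what decides whether a replacement group has to reproduce it.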

Hi Rock,

It still meant a lot of work to complete. And it took a few days to map the security, but we got there using this information and these scripts. I had to map all the users with the SharePoint sites manually in some Excel sheets to get the information though ... But my problem is currently solved! Many thanks!

Best regards, David
January 29th, 2011 8:03pm

Hi David,

Did you have questions? If anything is unclear, please feel free to ask me.

Rock Wang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Regards, Rock Wang, Microsoft Online Community Support
January 29th, 2011 8:28pm

This topic is archived. No further replies will be accepted.
