Hello, I'm currently working as a consultant and I'm analyzing a MOSS portal with the purpose of restructuring the data and reviewing the security. I'm done with restructuring the data within the portal, so it's now more userfriendly and easier to find what you're looking for. So the next part is .. security .. To be honest, this is kind of a real mess. You should know this company has grown historically and has 3 Active Directory domains that are used. So from these AD-domains there are security groups that are used for settings security. To make it more difficult security groups are often nested, up to 3 levels down with groups from all over those AD-domains. Beside Active Directory groups, they also use SharePoint groups to configure security. I need to be able to map the effective user permissions for each site within the portal. Once we have a map of the permissions, we will rebuild security from scratch and remove the old groups afterwards. I can't seem to find a good way to map the permissions as SharePoint contains AD-groups mostly. You can't see the members of those groups from SharePoint, so I'm kind of stuck ... Is there anybody that has experience with this? Are there any tools that will help me with that? Of course, non-commercial tools are preffered, but I'm guessing this will be difficult? Any feedback related to this problem is very much appreciated!Best regards, David

Hi David, In my opinion, permissions on sites with security groups is definitely a good practice. Nested security groups beyond a couple can be problematic especially when a contact or DL is in the mix or when a global group is used improperly. The following list shows problematic groups: · Distribution Lists with contacts in them · Security groups with contacts in them · Global security groups used in a separate "resource" domain (often happens in cross domain/cross forest migrations) · Security groups which contain contacts · The deeper the nesting the more likely windows itself will freak out For more information about rule of thumb about nested security group, please refer to the following articles: http://blogs.techrepublic.com.com/networking/?p=3303&utm_source=twitterfeed&utm_medium=twitter http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html https://www.nothingbutsharepoint.com/sites/itpro/Pages/BestPracticesforEnterpriseUserScalabilityinSharePoint.aspx http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx If anything is unclear, please let me know. Rock Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comRegards, Rock Wang Microsoft Online Community Support

Hi Rock You information was very valuable and it took many things into account that were mentionned by you and in those blogs. For example the problems that can occur when using Distribution Lists for assigning security. So many thanks for listing this up for me! Nevertheless my specific question remains somewhat unanswered. I need to find a way to list the effective user permissions that are assigned on each site. Since security is put in place on AD-groups, I cannot see in an easy way on which users the permissions have impact on. The goal is to create new security groups and put the same permissions in place as now, but with a simplified structure. For that I need a map of which user permissions are currently assigned on those sites. If you would know a way to create such a map so we can recreate security groups, it would be very lovely. Best regards, David

Hi David, Did you have any questions? If anything is unclear, please let me know. I am looking forward to hearing from you. Thanks! Rock Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comRegards, Rock Wang Microsoft Online Community Support