List user permissions per site and rebuild security
Hello,
I'm currently working as a consultant and I'm analyzing a MOSS portal with the purpose of restructuring the data and reviewing the security. I'm done with restructuring the data within the portal, so it's now more userfriendly and easier
to find what you're looking for.
So the next part is .. security ..
To be honest, this is kind of a real mess. You should know this company has grown historically and has 3 Active Directory domains that are used. So from these AD-domains there are security groups that are used for settings security.
To make it more difficult security groups are often nested, up to 3 levels down with groups from all over those AD-domains. Beside Active Directory groups, they also use SharePoint groups to configure security.
I need to be able to map the effective user permissions for each site within the portal. Once we have a map of the permissions, we will rebuild security from scratch and remove the old groups afterwards. I can't seem to find a good
way to map the permissions as SharePoint contains AD-groups mostly. You can't see the members of those groups from SharePoint, so I'm kind of stuck ...
Is there anybody that has experience with this? Are there any tools that will help me with that? Of course, non-commercial tools are preffered, but I'm guessing this will be difficult?
Any feedback related to this problem is very much appreciated!Best regards, David
January 22nd, 2011 7:16pm
Hi David,
In my opinion, permissions on sites with security groups is definitely a good practice.
Nested security groups beyond a couple can be problematic especially when a contact or DL is in the mix or when a global group is used improperly. The following list shows problematic groups:
·
Distribution Lists with contacts in them
·
Security groups with contacts in them
·
Global security groups used in a separate "resource" domain (often happens in cross domain/cross forest migrations)
·
Security groups which contain contacts
·
The deeper the nesting the more likely windows itself will freak out
For more information about rule of thumb about nested security group, please refer to the following articles:
http://blogs.techrepublic.com.com/networking/?p=3303&utm_source=twitterfeed&utm_medium=twitter
http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html
https://www.nothingbutsharepoint.com/sites/itpro/Pages/BestPracticesforEnterpriseUserScalabilityinSharePoint.aspx
http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx
If anything is unclear, please let me know.
Rock Wang
TechNet Subscriber
Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.comRegards, Rock Wang Microsoft Online Community Support
Free Windows Admin Tool Kit Click here and download it now
January 22nd, 2011 7:16pm
Hi Rock
You information was very valuable and it took many things into account that were mentionned by you and in those blogs. For example the problems that can occur when using Distribution Lists for assigning security. So many thanks for listing
this up for me!
Nevertheless my specific question remains somewhat unanswered. I need to find a way to list the effective user permissions that are assigned on each site. Since security is put in place on AD-groups, I cannot see in an easy way on which users
the permissions have impact on. The goal is to create new security groups and put the same permissions in place as now, but with a simplified structure. For that I need a map of which user permissions are currently assigned on those sites.
If you would know a way to create such a map so we can recreate security groups, it would be very lovely. Best regards, David
January 22nd, 2011 7:27pm
Hi David,
Did you have any questions? If anything is unclear, please let me know. I am looking forward to hearing from you.
Thanks!
Rock Wang
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.comRegards, Rock Wang Microsoft Online Community Support
Free Windows Admin Tool Kit Click here and download it now
January 22nd, 2011 7:56pm