User has access but is not a member of any group

Posted on 2010-11-20
Last Modified: 2012-05-10
Help!  I have a user that access to all of the content in my site even though he has been restricted for certain lists and for certain items within the list.  

To troubleshoot the issue, I have removed him from all security groups in the site.  He should have no access to anything in the site or any lists.  He can still see the items.  And when I click on a list item and check his permissions, here's what I see.  What do I need to do now?  Where is he getting all these extra permissions?

Permission levels given to Matthew (domain\matt)  

The following factors also affect the level of access for Matthew (domain\matt)  
 Manage Permissions  
 Create and change permission levels on the Web site and assign permissions to users and groups.  
 View Web Analytics Data  
 View reports on Web site usage.  
 Create Subsites  
 Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.  
 Manage Web Site  
 Grants the ability to perform all administration tasks for the Web site as well as manage content.  
 Add and Customize Pages  
 Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Microsoft SharePoint Foundation-compatible editor.  
 Manage Lists  
 Create and delete lists, add or remove columns in a list, and add or remove public views of a list.  
 Apply Themes and Borders  
 Apply a theme or borders to the entire Web site.  
 Apply Style Sheets  
 Apply a style sheet (.CSS file) to the Web site.  
 Override Check Out  
 Discard or check in a document which is checked out to another user.  
 Manage Personal Views  
 Create, change, and delete personal views of lists.  
 Add/Remove Personal Web Parts  
 Add or remove personal Web Parts on a Web Part Page.  
 Update Personal Web Parts  
 Update Web Parts to display personalized information.  
 Add Items  
 Add items to lists and add documents to document libraries.  
 Edit Items  
 Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries.  
 Delete Items  
 Delete items from a list and documents from a document library.  
 Create Groups  
 Create a group of users that can be used anywhere within the site collection.  
 Browse Directories  
 Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.  
 View Items  
 View items in lists and documents in document libraries.  
 Use Self-Service Site Creation  
 Create a Web site using Self-Service Site Creation.  
 View Pages  
 View pages in a Web site.  
 Approve Items  
 Approve a minor version of a list item or document.  
 Enumerate Permissions  
 Enumerate permissions on the Web site, list, folder, document, or list item.  
 Open Items  
 View the source of documents with server-side file handlers.  
 View Versions  
 View past versions of a list item or document.  
 Delete Versions  
 Delete past versions of a list item or document.  
 Browse User Information  
 View information about users of the Web site.  
 Create Alerts  
 Create alerts.  
 Manage Alerts  
 Manage alerts for all users of the Web site.  
 View Application Pages  
 View forms, views, and application pages. Enumerate lists.  
 Use Remote Interfaces  
 Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.  
 Use Client Integration Features  
 Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.  
 Allows users to open a Web site, list, or folder in order to access items inside that container.  
 Edit Personal User Information  
 Allows a user to change his or her own user information, such as adding a picture.  
Question by:adelia_associates
  • 2
LVL 19

Expert Comment

ID: 34180009
What kind of access does he have on his domain account? He probably belongs to a group that has been granted rights trough the SharePoint install. I would look at his AD group membership and go from there. If you can, remove him from all groups in AD and go from there.

Author Comment

ID: 34180019
Do you know where those groups are granted rights through the Sharepoint install?  I'm not the AD administrator so can't check what groups he's in until Monday, but it would help to know where those might have been set so I can confirm that theory.  
LVL 19

Accepted Solution

Montoya earned 500 total points
ID: 34180386
You can look in central admin, to be sure that no global groups are included in admin. An AD group can be included anywhere in your install, so I would start at central admin, then move down through the site collections, etc...
You could theoretically create a site collection to test. If he has rights in that new site collection, then he has some sort of admin rights. If he doesn't, then he probably has rights at a site collection level.


Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note:  There are two main ways to deploy InfoPath forms:  Server-side and directly through the SharePoint site.  Deploying a server-side InfoPath form means the form is approved by the Administrator, thus allowing greater functionality in the form. …
I recently came across an issue with a MOSS 2007 deployment where access into some sub-sites were denied, even for the MOSS farm administrators. A bit of background to the setup of this MOSS farm; this was a three server setup, consisting of a fr…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question