User has access but is not a member of any group

Posted on 2010-11-20
Last Modified: 2012-05-10
Help!  I have a user that access to all of the content in my site even though he has been restricted for certain lists and for certain items within the list.  

To troubleshoot the issue, I have removed him from all security groups in the site.  He should have no access to anything in the site or any lists.  He can still see the items.  And when I click on a list item and check his permissions, here's what I see.  What do I need to do now?  Where is he getting all these extra permissions?

Permission levels given to Matthew (domain\matt)  

The following factors also affect the level of access for Matthew (domain\matt)  
 Manage Permissions  
 Create and change permission levels on the Web site and assign permissions to users and groups.  
 View Web Analytics Data  
 View reports on Web site usage.  
 Create Subsites  
 Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.  
 Manage Web Site  
 Grants the ability to perform all administration tasks for the Web site as well as manage content.  
 Add and Customize Pages  
 Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Microsoft SharePoint Foundation-compatible editor.  
 Manage Lists  
 Create and delete lists, add or remove columns in a list, and add or remove public views of a list.  
 Apply Themes and Borders  
 Apply a theme or borders to the entire Web site.  
 Apply Style Sheets  
 Apply a style sheet (.CSS file) to the Web site.  
 Override Check Out  
 Discard or check in a document which is checked out to another user.  
 Manage Personal Views  
 Create, change, and delete personal views of lists.  
 Add/Remove Personal Web Parts  
 Add or remove personal Web Parts on a Web Part Page.  
 Update Personal Web Parts  
 Update Web Parts to display personalized information.  
 Add Items  
 Add items to lists and add documents to document libraries.  
 Edit Items  
 Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries.  
 Delete Items  
 Delete items from a list and documents from a document library.  
 Create Groups  
 Create a group of users that can be used anywhere within the site collection.  
 Browse Directories  
 Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.  
 View Items  
 View items in lists and documents in document libraries.  
 Use Self-Service Site Creation  
 Create a Web site using Self-Service Site Creation.  
 View Pages  
 View pages in a Web site.  
 Approve Items  
 Approve a minor version of a list item or document.  
 Enumerate Permissions  
 Enumerate permissions on the Web site, list, folder, document, or list item.  
 Open Items  
 View the source of documents with server-side file handlers.  
 View Versions  
 View past versions of a list item or document.  
 Delete Versions  
 Delete past versions of a list item or document.  
 Browse User Information  
 View information about users of the Web site.  
 Create Alerts  
 Create alerts.  
 Manage Alerts  
 Manage alerts for all users of the Web site.  
 View Application Pages  
 View forms, views, and application pages. Enumerate lists.  
 Use Remote Interfaces  
 Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.  
 Use Client Integration Features  
 Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.  
 Allows users to open a Web site, list, or folder in order to access items inside that container.  
 Edit Personal User Information  
 Allows a user to change his or her own user information, such as adding a picture.  
Question by:adelia_associates
  • 2
LVL 19

Expert Comment

ID: 34180009
What kind of access does he have on his domain account? He probably belongs to a group that has been granted rights trough the SharePoint install. I would look at his AD group membership and go from there. If you can, remove him from all groups in AD and go from there.

Author Comment

ID: 34180019
Do you know where those groups are granted rights through the Sharepoint install?  I'm not the AD administrator so can't check what groups he's in until Monday, but it would help to know where those might have been set so I can confirm that theory.  
LVL 19

Accepted Solution

Iammontoya earned 500 total points
ID: 34180386
You can look in central admin, to be sure that no global groups are included in admin. An AD group can be included anywhere in your install, so I would start at central admin, then move down through the site collections, etc...
You could theoretically create a site collection to test. If he has rights in that new site collection, then he has some sort of admin rights. If he doesn't, then he probably has rights at a site collection level.


Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Note:  There are two main ways to deploy InfoPath forms:  Server-side and directly through the SharePoint site.  Deploying a server-side InfoPath form means the form is approved by the Administrator, thus allowing greater functionality in the form. …
SharePoint Designer 2010 has tools and commands to do everything that can be done with web parts in the browser, and then some – except uploading a web part straight into a page that is edited in SPD. So, can it be done? Scenario For a recent pr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now