User has access but is not a member of any group

Posted on 2010-11-20
Last Modified: 2012-05-10
Help!  I have a user that has access to all of the content in my site even though he has been restricted for certain lists and for certain items within the list.  

To troubleshoot the issue, I have removed him from all security groups in the site.  He should have no access to anything in the site or any lists.  He can still see the items.  And when I click on a list item and check his permissions, here's what I see.  What do I need to do now?  Where is he getting all these extra permissions?

Permission levels given to Matthew (domain\matt)  

The following factors also affect the level of access for Matthew (domain\matt)  
 Manage Permissions  
 Create and change permission levels on the Web site and assign permissions to users and groups.  
 View Web Analytics Data  
 View reports on Web site usage.  
 Create Subsites  
 Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.  
 Manage Web Site  
 Grants the ability to perform all administration tasks for the Web site as well as manage content.  
 Add and Customize Pages  
 Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Microsoft SharePoint Foundation-compatible editor.  
 Manage Lists  
 Create and delete lists, add or remove columns in a list, and add or remove public views of a list.  
 Apply Themes and Borders  
 Apply a theme or borders to the entire Web site.  
 Apply Style Sheets  
 Apply a style sheet (.CSS file) to the Web site.  
 Override Check Out  
 Discard or check in a document which is checked out to another user.  
 Manage Personal Views  
 Create, change, and delete personal views of lists.  
 Add/Remove Personal Web Parts  
 Add or remove personal Web Parts on a Web Part Page.  
 Update Personal Web Parts  
 Update Web Parts to display personalized information.  
 Add Items  
 Add items to lists and add documents to document libraries.  
 Edit Items  
 Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries.  
 Delete Items  
 Delete items from a list and documents from a document library.  
 Create Groups  
 Create a group of users that can be used anywhere within the site collection.  
 Browse Directories  
 Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.  
 View Items  
 View items in lists and documents in document libraries.  
 Use Self-Service Site Creation  
 Create a Web site using Self-Service Site Creation.  
 View Pages  
 View pages in a Web site.  
 Approve Items  
 Approve a minor version of a list item or document.  
 Enumerate Permissions  
 Enumerate permissions on the Web site, list, folder, document, or list item.  
 Open Items  
 View the source of documents with server-side file handlers.  
 View Versions  
 View past versions of a list item or document.  
 Delete Versions  
 Delete past versions of a list item or document.  
 Browse User Information  
 View information about users of the Web site.  
 Create Alerts  
 Create alerts.  
 Manage Alerts  
 Manage alerts for all users of the Web site.  
 View Application Pages  
 View forms, views, and application pages. Enumerate lists.  
 Use Remote Interfaces  
 Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.  
 Use Client Integration Features  
 Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.  
 Allows users to open a Web site, list, or folder in order to access items inside that container.  
 Edit Personal User Information  
 Allows a user to change his or her own user information, such as adding a picture.  
Question by:adelia_associates
LVL 19

Expert Comment

ID: 34180009
What kind of access does he have on his domain account? He probably belongs to a group that has been granted rights through the SharePoint install. I would look at his AD group membership and go from there. If you can, remove him from all groups in AD and go from there.

Author Comment

ID: 34180019
Do you know where those groups are granted rights through the SharePoint install?  I'm not the AD administrator so can't check what groups he's in until Monday, but it would help to know where those might have been set so I can confirm that theory.  
LVL 19

Accepted Solution

Montoya earned 500 total points
ID: 34180386
You can look in central admin, to be sure that no global groups are included in admin. An AD group can be included anywhere in your install, so I would start at central admin, then move down through the site collections, etc...
You could theoretically create a site collection to test. If he has rights in that new site collection, then he has some sort of admin rights. If he doesn't, then he probably has rights at a site collection level.
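
One way to walk the places named in the accepted answer (Central Administration first, then the site collection) from the SharePoint 2010 Management Shell. This is an added example, not part of the original thread; it assumes farm administrator rights, `$siteUrl` is a placeholder, and the login is the one shown in the question.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$login   = 'domain\matt'                        # account from the question
$siteUrl = 'http://sharepoint.example/sites/x'  # placeholder: the affected site collection

# 1. Central Administration: members of the owners group of the CA site
#    (the Farm Administrators group on a default install). Look for AD groups here.
$ca    = Get-SPWebApplication -IncludeCentralAdministration |
         Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $ca.Url
$caWeb.AssociatedOwnerGroup.Users | Select-Object LoginName, IsDomainGroup
$caWeb.Dispose()

# 2. Web application user policies. These apply to every site collection in the
#    web application regardless of membership in site-level groups.
Get-SPWebApplication | ForEach-Object {
    $wa = $_
    $wa.Policies | Select-Object @{n='WebApp';e={$wa.Url}}, UserName,
        @{n='Roles';e={($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '}}
}

# 3. Site collection administrators (users or AD groups).
$site = Get-SPSite $siteUrl
$site.RootWeb.SiteAdministrators | Select-Object LoginName, IsDomainGroup

# 4. Role assignments that apply to the user on the root web, including the
#    principal (SharePoint group or AD group) each one is granted through.
$info = $site.RootWeb.GetUserEffectivePermissionInfo($login)
$info.RoleAssignments | ForEach-Object {
    $member = $_.Member
    $_.RoleDefinitionBindings |
        Select-Object @{n='GrantedVia';e={$member.Name}}, Name
}
$site.Dispose()
```

Any AD group listed in steps 1 to 3 has to be compared against the user's AD group membership, which this script does not query.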


Question has a verified solution.
