Eric


Sharepoint 2013 Security not locking down document library

I've created a document library inside a SharePoint Foundation 2013 site. I have broken inheritance to the folder and assigned a single user.  However, everyone in the company can still access, modify, rename, delete, everything in the document library.  Doesn't make any sense.

I've even gone as far as removing everyone from the permissions of the document library, and it still allows everyone into it.

Thoughts ?
McKnife

Look at the members and the nested groups of the local admin group. Anybody unexpected?
Eric

ASKER

Are you talking particularly about the site or the whole SharePoint collection?

ex:

we have the normal http://servername/ as our sharepoint site

i'm testing right now our section for HR ->   http://servername/hr/

i've then created a document library called "Attendance Sheets" -> http://servername/hr/Attendance%20Sheets/Forms/AllItems.aspx

Attendance Sheets -> Settings -> Permissions for Document Library
- no inheritance
- one user -> Design

but everyone can get to it..

I'm not really sure where to look for what you are asking. I took over this security concern when we moved the SharePoint server/site from one domain to another.

I am talking about the local users, not SharePoint users. If you are local admin, you may access SharePoint sites as well.
So open the local user management and do as suggested.
ASKER CERTIFIED SOLUTION
Walter Curtis
Eric

ASKER

nothing for local admin.  all of the users i've been testing with are generic accounts, like ones we use for meeting rooms...  i'll keep hunting and see what i can figure out

What do you mean by generic accounts, ones you use for meeting rooms? Are these standard Active Directory user accounts, or something different?
Eric

ASKER

they are standard AD accounts.   basic security to login, get email, surf web.   they should be able to read the sharepoint site for the most part, but then i can get into areas where the security on sharepoint is supposed to be locked down.
Eric

ASKER

after following your previous post:

Central Admin  -->Application Management  -->Web Applications  -->Manage web applications..

Highlight the web application that you want to check, then in the ribbon click on the icon under the Policy section named "User Policy". A window will open that shows the Policy for Web Application. Here you can make sure that domain users do not have defined access. Access granted here overrides ALL other access.


i think i might have found the issue..

(All Zones)
Display Name = Location-Specific-Domain-User-Group (includes all domain users)
Permissions = Full Read

That is probably the issue. There may be a reason that is there, even if a bad reason. If you remove it then other things might break, so be very careful.

Good luck...
Eric

ASKER

that's what i'm looking into now..   anyone have a screenshot of what the default is?

That is different for every environment and every business. You should have some service accounts for search, maybe the farm account (used for installation), possibly an admin account although that would not be best practice, some super reader service accounts (discussed in technet) and possibly a few other accounts. Although domain users should not be in there in any situation that requires some form of security, I have also inherited farms that not only had all users, "Everyone" was added with full control, and the admin I replaced could never determine why "SharePoint security was broken, doesn't work, piece of crap...." but that's a different story :-)
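
Added example, not part of the original thread: a PowerShell audit of the "User Policy" entries discussed above, listing every web application policy per zone so that a broad group such as the one Eric found stands out. It assumes the SharePoint Management Shell on a farm server with farm administrator rights; the name patterns in `$broadPatterns` are illustrative guesses, not SharePoint defaults.

```powershell
# Added example: list web application user policies on a SharePoint 2013 farm.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: wildcard patterns that hint at a principal covering most users.
# Custom group names and claims-encoded logins need a manual membership review.
$broadPatterns = '*domain*user*', '*everyone*', '*authenticated users*'

function Get-WebAppPolicyReport {
    foreach ($webApp in Get-SPWebApplication) {
        # "(All Zones)" entries live on the web application itself;
        # zone-specific entries are read per zone that is configured.
        $scopes = @{ '(All Zones)' = $webApp.Policies }
        foreach ($zone in $webApp.IisSettings.Keys) {
            $scopes["$zone"] = $webApp.ZonePolicies($zone)
        }
        foreach ($scope in $scopes.GetEnumerator()) {
            foreach ($policy in $scope.Value) {
                $label = "$($policy.DisplayName) $($policy.UserName)"
                $hits  = @($broadPatterns | Where-Object { $label -like $_ })
                [pscustomobject]@{
                    WebApplication = $webApp.Url
                    Zone           = $scope.Key
                    DisplayName    = $policy.DisplayName
                    UserName       = $policy.UserName
                    SystemAccount  = $policy.IsSystemUser
                    Roles          = ($policy.PolicyRoleBindings |
                                        ForEach-Object { $_.Name }) -join ', '
                    LooksBroad     = ($hits.Count -gt 0)
                }
            }
        }
    }
}

# Broad-looking entries first, then grouped by web application and zone.
Get-WebAppPolicyReport |
    Sort-Object @{ Expression = 'LooksBroad'; Descending = $true },
                WebApplication, Zone, UserName |
    Format-Table -AutoSize -Wrap
```

The script only reads the policies; any entry it lists still has to be checked against what the farm's service accounts need before it is changed in Central Administration.
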
Tomorrow I could give you the default of a clean SharePoint 2016 installation (don't think it will be different from 2013's default).

Any luck?

Ah, almost forgot.