Comments on Adventures of a ServerGrrl- the WSS/SPF edition: SharePoint Security? An oxymoron? An after thought?

Callahan, 2008-08-07T12:24:00.000-04:00

::Smacks herself in the forehead, *hard*::

DOH!

hk, I would like to formally apologize for being an idiot. ; )

I knew there was an easier way to keep users from browsing People and Groups, I've simply gotten used to doing things the hard way. : ( I just wasn't thinking:

Disable the "Browse user information" permission for the permission level used by the group the users are in. This will make them unable to both browse people and groups, as well as block them from being able to get into the user information for a particular user by clicking their author link anywhere, then getting back on the breadcrumb to the People and Groups page.

They can still see and access their own from the welcome menu, but not People and Groups.

Further, since the users can still see the People and Groups link in the quick launch, you may want to remove it so they don't click it then get rebuffed with a no access warning.

And, a further DOH!-- You are right, if a user is part of an AD group, then the user themselves are the creator of their own information-- due to the fact that sharepoint doesn't bother (rather insultingly I think) to create their user information for them until they log in personally. The reason I didn't even think of them is they don't show up on the group list they belong to by default, they only show up in All People. So if people were trying to get to members of a group, they'd only see the AD group name. In that case all user information bits are the bailiwick of the account that added them.

Sigh. Thanks for keeping with it hk, and my sincerest apologies if my suggestion about managing the permission is too late (after painstakingly adding all those groups).

Anonymous, 2008-08-07T02:24:00.000-04:00

Hi,

The weird thing about WSS is that if I didn't specifically assign that user to a site/sub-site and simply set access to "Authenticated Users", they are able to log in and then WSS will set the "Created at" attribute to their user account, not Administrator.

But I think I was trying to do things not according to the "Microsoft Way", setting permissions for specific users so that WSS adds them to the various user lists. I've since switched to using just numbered AD groups so if clients browse People & Groups, all they see are the various numbered groups. So I've switched the Item-level Permissions back to "All items" and everything seems fine now.

Thanks.

Callahan, 2008-08-07T01:54:00.000-04:00

I don't believe there is an easy way to have a user's information be created *by* them. I think, by definition, the user information is generated by the account that added the user object to the site collection/subsite.

The only way I can think of (rather than specifically allowing no one from the Members group to see the user list) of making it hard for the users to see People and Groups is to take it out of the Quick Launch bar. Then they'd have to really search for it to get to the Users and Groups information. What do you think?

Anonymous, 2008-08-05T13:56:00.000-04:00

Hi,

Thanks for the prompt response! If I can't change the "Created" attribute, is there a way to completely purge the record from the database so that if I log in again, the correct "Created" attribute can be created? Right now, if I remove it by "Delete User from Site Collection", the record is gone but if I log in using that account again, the old "Created" attribute is still there.

Or alternatively, what's the normal practice for setting up a WSS site so that users can not browse the entire user list via People and Groups->All People?

Thanks.

Callahan, 2008-08-04T14:53:00.000-04:00

Hi HK,

There is as good as anywhere to ask.

The short answer to your question is: No.

The reason is, when an account is created, it's created by someone with administrative rights. Thus the record was created (and therefore owned) by the administrator. There is no out-of-box way of overcoming that, that I know of.

Although, now that you've brought it up, I'll keep pecking at it. ; ) If I find anything, I'll post it here.

Anonymous, 2008-08-04T14:06:00.000-04:00

Hi,

Just purchased your book and have a question about Sharepoint security. Is this where I should ask?

Basically, I've created a basic WSS site and want clients to have access to subsites but I do not want them to be able to browse "All People" in the "People and Groups" list. I set People and Groups->List Settings->Advanced->Item-level Permissions to "Only their own" and that seems to work. But then I ran into this weird issue where if that client didn't log in first and I set access for them, their User Information record is set to "Created at [date/time] by Administrator". If this happens, that login can not access their own information because the system thinks that they don't own the record. Is there a way to change the "Created at" information to their login so the system will allow access?

Thanks.