views:

26

answers:

1

I have a Sharepoint site (MOSS 2007 SP2) that all domain users seem to have read access to even if I remove all user permissions to the site. I have no problem granting users all levels of permissions. For example, I can grant userA full access to my site, but when I remove the user completely from the site they still have read access.

This is actually a subsite that does not inherit permissions from the parent. THis subsite also has subsites that either inherit or dont inherit permissions. Either way, the issue seems to exist on all subsites of the affected site.

What makes this even stranger is that if I run a sql query to show who has access to a site it displays the same users that are listed on the permissions page for the site. For example, I give a user "read" access to the site then run the query, that user will appear in the query results as having "read" access. Then I remove the user from the site permissions page and run the query again, that user is gone from the query results and the permissions page, but they still have "read" access to the site.

All users seem to have "read" access to this site and all its subsites even if they were never granted permissions to the site.Recently, I installed a microsoft security patch that fixes a known issue caused by installing SP2. This is a link to that issue and the patch that fixes it http://support.microsoft.com/kb/971620/ I am not sure if installing that patch was the cause of the issue. But if it is why would it affect just that particular subsite and its decendants? Has anyone encountered anything like this before?

A: 

Check if you do not have Read All policy under central administration

Vladi Gubler
Wouldnt that affect the entire web application? I do not have any policy for that web application giving full read to all users.
Mike B
well, that was a possibility :) Check maybe you have some group under site collection admins
Vladi Gubler
Turns out this was the answer! Initially I checked in Central Administration to see if Enable Anonymous Access was checked. It was not. What I didnt know was that this option shows/hides the "Anonymous Access" option for all sites/lists. Since it was unchecked I could not see this option under the settings int he permissions page for the affected site. The solution was to Enable anonymous access in Central admin (thereby making the Anonymous Access option visible at the site/list level)
Mike B
Then I was able to go back to the permissions page of the affected site and see that anonymous access was set to "read all" I changed it to "None" and unchecked "Enable Anonymous Access" in Central admin. That did it :)
Mike B

related questions