Project Description
The SharePoint User Account Control (SPUAC) feature is a collection of Central Administration pages that provides a single view of everything a user can access in the entire farm and an interface to revoke access. SharePoint and nested domain group membership are considered.

Purpose
The main purpose for this feature is to allow an Administrator to determine exactly what a given user can access and revoke permissions as required. In other words, if you were logged in as that user, exactly what could you access in the farm?

Walkthrough
After deploying the solution, a new section is added to the Operations page in Central Administration.

[Screenshot: spuacOperations.png]

You can view what access a user has by entering their domain account.

[Screenshot: spuacCheckAccess.png]

A list is displayed of all the permissions that user has in the farm.

[Screenshot: spuacCheckAccessResult.png]

Background
The motivation behind this project is to provide administrators with a tool to see what a user can access and to revoke that access as necessary. The SPUAC provides a level of confidence that is not afforded by the out-of-the-box SharePoint administrative interfaces. Do you really know everywhere a user has access? What about implicit access through a domain group that is three, four or five levels deep?

There are actually several ways a user can be given permission to a securable in the farm, and several nuances to be aware of. The following are some of the things to consider:
*Users can be granted access directly, through SharePoint groups (which cannot be nested) and through domain groups (which can be nested)
*Users can be given permissions to many kinds of securables, such as sites, lists, list items and the farm itself
*Some areas are accessible to everyone (NT AUTHORITY\Authenticated Users) by default
*Some areas are accessible to server/domain administrators by default
*Grant a user access to a list or list item in a site collection and they also get Limited Access to the securable's ancestors, such as the site or list
*Grant a user access to a securable anywhere in a site collection and the user will appear in the All People list
*Web Application Policies can be used to grant or deny permissions to users or domain groups for an entire web application, overriding permissions set at the site level
*When a user is made a site owner or secondary site owner, they are also added to the Site Collection Administrators group of that site collection
*When a user is removed as a site owner or secondary owner, they are also removed from the Site Collection Administrators group
*You will get an error if you try to remove a site owner or secondary owner from the Site Collection Administrators group
*Grant a domain group access to a securable in a site collection and the group does not appear in the All People list (but it is present in the object model's web.users collection)
*Delete a user from the All People list and all of their permissions to securables within the site collection are removed
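The following console program is an added example written for this page and is not code from the SPUAC project. It performs the kind of check the points above describe for one domain user: it expands nested domain groups in one step through AD's tokenGroups attribute, then walks a site collection and reports every securable (web, list, list item) where the user holds a role and the principal it comes through (directly, a SharePoint group, or a domain group), plus any matching web application policy and site collection administrator membership. It assumes the WSS 3.0 / MOSS 2007 object model (Microsoft.SharePoint.dll), .NET 3.5 and System.DirectoryServices, and that it runs on a farm server as an account that can open the site collection; the class name SpuacAudit, the site URL and the login are placeholders.

```csharp
// Added example, not code from the SPUAC project: report where one domain user gets access in a site
// collection and through what. Assumes WSS 3.0/MOSS 2007 object model, .NET 3.5; URL/login are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

class SpuacAudit
{
    // Escape caller-supplied text before it is placed inside an LDAP filter.
    static string LdapEscape(string s) { return s.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29"); }

    // Every domain group the account is in, nested to any depth: AD's constructed tokenGroups
    // attribute already holds the transitive group SIDs, so no recursive memberOf walk is needed.
    static HashSet<string> DomainGroupsOf(string domain, string sam)
    {
        HashSet<string> groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domain))
        using (DirectorySearcher finder = new DirectorySearcher(root, "(sAMAccountName=" + LdapEscape(sam) + ")"))
        {
            SearchResult hit = finder.FindOne();
            if (hit == null) return groups;
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }   // "DOMAIN\Group"
                    catch (IdentityNotMappedException) { groups.Add(sid.Value); } // orphaned SID: keep raw
                }
            }
        }
        return groups;
    }

    // Why this principal covers the user, or null; SharePoint groups cannot nest, so one level of SPGroup.Users suffices.
    static string Covers(SPPrincipal member, string login, HashSet<string> groups)
    {
        SPUser u = member as SPUser;
        if (u != null && string.Equals(u.LoginName, login, StringComparison.OrdinalIgnoreCase)) return "directly";
        if (u != null) return u.IsDomainGroup && groups.Contains(u.LoginName) ? "domain group " + u.LoginName : null;
        SPGroup g = member as SPGroup;
        if (g == null) return null;
        foreach (SPUser gu in g.Users)
        {
            string via = Covers(gu, login, groups);
            if (via != null) return "SharePoint group '" + g.Name + "' (" + via + ")";
        }
        return null;
    }

    // Role definitions the user holds on one securable; grants lower down also surface on ancestors as "Limited Access".
    static void Report(ISecurableObject obj, string label, string login, HashSet<string> groups)
    {
        foreach (SPRoleAssignment ra in obj.RoleAssignments)
        {
            string via = Covers(ra.Member, login, groups);
            if (via == null) continue;
            List<string> roles = new List<string>();
            foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings) roles.Add(rd.Name);
            Console.WriteLine("{0}: {1} via {2}", label, string.Join(", ", roles.ToArray()), via);
        }
    }

    static void Main(string[] args)
    {
        string siteUrl = args.Length > 0 ? args[0] : "http://intranet.example.local"; // placeholder
        string login = args.Length > 1 ? args[1] : @"EXAMPLE\jdoe";                     // placeholder
        string[] parts = login.Split('\\');
        HashSet<string> groups = DomainGroupsOf(parts[0], parts[1]);
        groups.Add(@"NT AUTHORITY\Authenticated Users"); // implicit membership of every logged-in user
        using (SPSite site = new SPSite(siteUrl))
        {
            // Web application policies grant or deny across the whole application, overriding site permissions.
            foreach (SPPolicy p in site.WebApplication.Policies)
                if (string.Equals(p.UserName, login, StringComparison.OrdinalIgnoreCase) || groups.Contains(p.UserName))
                    foreach (SPPolicyRole r in p.PolicyRoleBindings)
                        Console.WriteLine("Web application policy '{0}': grant={1} deny={2}", r.Name, r.GrantRightsMask, r.DenyRightsMask);
            // Site collection administrators (the owner and secondary owner are always among them).
            foreach (SPUser admin in site.RootWeb.SiteAdministrators)
                if (string.Equals(admin.LoginName, login, StringComparison.OrdinalIgnoreCase))
                    Console.WriteLine("Site collection administrator of {0}", site.Url);
            foreach (SPWeb web in site.AllWebs)
                using (web)
                {
                    if (web.HasUniqueRoleAssignments) Report(web, "Web " + web.Url, login, groups);
                    foreach (SPList list in web.Lists)
                    {
                        if (list.HasUniqueRoleAssignments) Report(list, "List " + list.DefaultViewUrl, login, groups);
                        foreach (SPListItem item in list.Items) // loads every item; use SPQuery with RowLimit on large lists
                            if (item.HasUniqueRoleAssignments) Report(item, "Item " + item.Url, login, groups);
                    }
                }
        }
    }
}
```

Run it as `SpuacAudit.exe http://intranet.example.local EXAMPLE\jdoe` on a farm server. Ancestors show up with "Limited Access" because SharePoint adds that role itself, matching the bullet above; the domain-group set is resolved once from AD, so a grant to a group five levels above the user is reported the same way as a direct grant. Only securables with unique role assignments are inspected, since inherited ones repeat their parent; the list-item walk reads every item, so on large lists it should be replaced with a paged SPQuery.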

Last edited Feb 21, 2009 at 6:18 PM by johnwpowell, version 8