Becky Bertram's Blog
Perspectives from a SharePoint developer

This blog has moved. You can find the new blog on Savvy Technical Solution's Web site, at You will be redirected to the following page in 10 seconds:

Becky Bertram's Blog > Posts > SharePoint Administration Toolkit 4.0 Permission Tools
September 11
SharePoint Administration Toolkit 4.0 Permission Tools
Being a SharePoint developer and not a SharePoint admin, I must admit, I don't usually take the time to examine each new Adminsitrative Toolkit that gets released, but something in the latest release caught my eye: the "Check Effective Permissions" tool. This is part of the "Permission Reporting" solution package that you can install as part of the Administrative Toolkit. (For instructions on installing PermissionReporting.wsp, see the TechNet article about installing the Admin Toolkit.) Once you install the "Security Report" feature at the Farm level, new options are instantly available to you on the Site Settings page for each of the Site Collections in your farm.
As you probably know, permissions in SharePoint tend to be more "additive" than "subtractive", meaning you rarely deny a user rights to something; instead, a user starts out with essentially zero rights, and you gradually grant the user more and more permissions to carry out various tasks. However, this can get sticky because a user can be a member of an Active Directory group or an FBA role, and that group or role can belong to a SharePoint Group. If a user shows up in more than one group, it can be hard to know what level of permissions a user "effectively" has. Enter the "Check Effective Permissions" tool.
SharePoint Administrative Toolkit 4.0 Check Effective Permissions tool
I like the fact that the tool takes into account FBA users and roles as well as Active Directory users and groups. It would be nice if this view gave more detailed view about item level permissions that a particular user might have other than saying "Given Directly", but I suppose the query would have gotten ridiculously huge for this page if they had included that info here.
Luckily, the folks at Microsoft have given us an alternative tool that helps us view Item Level Permissions and broken inheritance. If you click on the "Compare Permissions" link in the Site Settings, you'll be taken to a tree view for your site collection, which indicates which assets have unique permissions by showing you a "star" icon.
SharePoint Toolkit 4.0 Compare Permissions tool
However, this tool doesn't show you item level permissions, either. It just shows you the permissions that have been assigned to that list or site. If you want a report, you can go to the "Broken Inheritance" report page. This page allows you to generate an XML report of all the items that have broken inheritance, and which rights have been assigned to those items. The nice thing about this report is that it runs as a background process in a SharePoint timer job, so you don't have to worry about totally bogging down your server processing or having an IIS timeout.
SharePoint Administrative Toolkit 4.0 Broken Inheritance Report
Here are the official help files for all three tools:
Note: I ran into some significant issues when installing the Toolkit because you need to install the April 2009 Cumulative Update in addition to SP2. Although I thought I had installed it, apparently it didn't install correctly, and it didn't increment the version number of Microsoft.SharePoint.dll. You can't activate the Permissions feature (called "Security Report") at the farm level if that version number isn't higher than the April CU number. Take a look at the notes at the bottom of the TechNet article I mentioned in the first paragraph to see the version number you need to have to activate the Security Report feature.


Xavor SharePoint Admin tool

There is an excellent SharePoint admin tool from Xavor on the block. It’s free and can really ease the pain for regular day to day SharePoint troubleshooting tasks. There is no need to open SharePoint farm and use stsadm for administrative activities. Some mostly used functions of stsadm are easily available right within SharePoint main website through very nice Action Menu based user interface.  Only administrators can access these functions. Some of the functions you can perform using SharePoint power tools are;  1. Check User Security 2. Check Group Security 3. Get List Information like its ID, template, size etc 4. Web Information 5. Bulk Add Web Part 6. Bulk Delete Web Part   You can get these goodies free of cost right from Xavor website -> here  
 on 10/20/2009 4:33 PM

File Share

I am looking for a tool that I can scan my file server directory and see what permissions are applied to my shares. I have recently come accross a share that should have limited access and it was open to everyone. Do you have any segestion on any tools that I can get to do a directory scan?
 on 11/1/2009 2:08 PM

Permission Reporting

Hi, Can you HELP me! I have installed all the the necessary pre-requistes required for the Persmission Reporting tool from the admin tool kit. but when activating the feature using STSADM i get the April CU needs to be installed first. I have checked and downloaded the hotfixes for OCtober and April and recently the Feb 2011 Cu also but the error still happens. My version of sharepoint server stays at   please please help me!
 on 3/24/2011 3:33 PM

The following factors also affect

The middle section of the Effective Permissions report may be a result of settings in Central Administration / Application Management / Policy for Web Application.
 on 4/11/2012 8:43 PM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Comment Title *

Body *

Your Name

Your E-mail Address

Your Website

Type the Web address: (Click here to test)  

Type the description: 

Are you spamming my blog? *

This field is here in an attempt to stop spammers from entering comments. Enter a number, any number