Sharepoint 2010 users strangely removed from Sharepoint Group (Expert Advise required)

sharepoint.stackexchange https://sharepoint.stackexchange.com//questions/36911

Question

Since 3 months client portal was working fine suddenly due to some network problem we restarted SharePoint server, after that some Active directory users complained system was inaccessible, where after checking we found previously existing users where strangely not present in share point group, sadly audit log report was not enabled so we could not figure out what happened.

My question is:

1- Is it SharePoint 2010 bug ?

2- Is problem could be from Active directory ?

3- Any user have manually performed this action, though usually they don't access server ?

Now client is asking report why this happened and we are clueless ..any help will be highly appreciated...

Was it helpful?

Solution

Salman,

Under the circumstances below are the following things I can suggest you.

  1. Role of Active Directory- Well under any circumstances , users being removed from a SharePoint group has nothing to do with Active Directory. The reason being SharePoint internally maintains user details inside user information list for every site collection. Their properties are managed through User Profile Service application and it is updated through synchronization with the AD. So even if a user is removed from the AD , he/she may fail to login but their details still reside inside sharepoint user information list and their membership remains in tact for any SharePoint groups they have been added.

  2. Compliance - Only users can be removed from the SharePoint if "manage permissions" access rights are given to certain individual users. A site collection administrator , a user or group with full control on the site can also remove specific users from any sharepoint group. This is done explicitly and nothing "automated" should trigger this.

  3. Tools - I would suggest use LogBinder and install its agent in one of the WFEs for your farm. Run the tool against the site collection where this incident has occured. This tool essentially builds up information level logs and dumps in the event viewer and tells about everything that has been done in the site so far from permissions changes , page/list/library updation,etc. It will read past ULS logs(provided you have them saved in the 14 hive) and report accordingly. Sort the log based on time and match it to the time of incident. You should get a better picture from there on.

  4. Communication - Present a case for the client why logging and reporting is important. Audits needs to be done on production farm which is an essential business rule no matter how big or small the firm is. Suggest compliance and governance strategies for SharePoint and try evaluating tools like DocAve Auditor or RSA envision with logbinder for SharePoint,etc.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange
scroll top