Analyzing Site Properties
The Site Properties analysis provides information about one or more sites in your farm, including:
·the account that created the site as well as the date and time when the site was created and last updated
·the size of the site
·whether the site has unique permissions
·users with Full Control permissions for the site.
·audit settings that are/are not enabled for the site (with the option of including only sites for which auditing has been enabled at the site collection level)
·a list of site features (with the option of including activated features only and/or hidden features)
This feature is not available at the farm (tenant) scope.
To generate a Site Properties analysis:
1Select the object(s) you want to include in your analysis.
2Choose Configuration > Site Properties.
3Specify the following parameters for your analysis:
a)If you want to Show activated features only, check this box.
NOTE: If you leave this box unchecked, all installed features will be listed beneath each site, and those that are currently activated will be flagged. If you check this box, all installed features will be listed once, at the top of the result set, and only activated features will be listed beneath each site.
b)If you want to limit results to sites for which one or more features are activated/deactivated:
§Select the appropriate option from the Limit Report to Sites with the following features: drop-down.
§From the Selected Feature(s): list, select the feature(s) you want to include/exclude (you can select multiple features using the [CTRL] or [SHIFT] key in the conventional manner).
NOTE: If you select multiple features, results will include sites for which any one or more of those features has been activated/deactivated.
c)If you want to Include hidden features, check this box.
NOTE: Hidden features are those that are not visible in the SharePoint Site Features list. (Hidden features are activated from a command line, using custom code, or through the dependency of another feature.)
d)If you want to Include only sites with auditing enabled at the site collection level, check this box.
NOTE: If you check this box, results will include sites that inherit audit settings from the parent site collection. See also Managing Audit Settings.
e)If you want to Include only sites with auditing enabled at the site level, check this box.
NOTE: The only audit setting that can be enabled directly for a site is Opening or downloading documents, viewing items in lists, or viewing item properties via the ControlPoint action Manage Audit Settings.
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·schedule the operation to run at a later time or on a recurring basis.
OR
·save the operation as XML Instructions that can be run at a later time.
Site Properties analysis results list each site within the scope of your analysis.
REMINDER: If you chose to show activated features only, an expandable list of all Installed Site Features displays at the top of the result set, with only activated features displaying beneath each site. (Otherwise, the full set of installed site features will display beneath each site.)
When expanded, the following information displays for each site:
·the account that the site was Created By
·the site's Size (in KB)
·the date and time when the site was Created and Last Updated
·whether the site has Unique Permissions
·whether the site has been configured to Allow RSS Feeds
·the Language used by the site
·a list of users with Full Control permissions (that is, users considered to be site Owners).
·All of the available Audit Settings, with settings that are currently enabled for the site identified with a plus sign (+). Audit settings that are inherited from the parent site collection are also flagged with >.
·Site collection Features. Hidden features (if included) and Activated features are flagged.
Analyzing List Properties
The List Properties analysis provides information about one or more lists in your farm, including:
·the properties of the list, including versioning and advanced settings
·audit settings that are/are not enabled for the list.
This feature is not available at the farm (tenant) scope.
To generate a List Properties analysis:
1Select the object(s) you want to include in your analysis.
2Choose Configuration > List Properties.
3If you want results to include only lists that meet one or more specific criteria, specify one or more of the parameters described in the following table.
|
If you want results to include only lists... |
Then ... |
|---|---|
|
whose name contains a specific text string |
enter the text string in the List Name contains field. |
|
that have a particular version setting |
select from the Versions Setting drop-down. |
|
of one or more specific types |
select from the List Types drop-down. |
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·schedule the operation to run at a later time or on a recurring basis.
OR
·save the operation as XML Instructions that can be run at a later time.
The top level of the analysis lists each Web application, site collection, site, and list within the scope of your analysis, along with the list's Base Type.
When expanded, the following information is displayed for each list:
·list Properties, including versioning and advanced settings detail
·all of the available Audit Settings, with settings that are currently enabled for the list identified by a plus sign (+).
NOTE: Audit settings that are inherited from the site collection are flagged with >.
·list Columns settings
Analyzing Users and Permissions
ControlPoint provides the following tools that allow you to examine permissions of SharePoint users throughout your farm:
·Site Permissions shows the permissions of users for selected sites
·Site List Permissions shows user permissions for individual lists and list items within a site.
An additional analysis, Comprehensive Permissions, show permissions for all sites, lists, and optionally list items within a single result set.
NOTE: In addition to showing user permissions at the individual site level, all Site Permissions analyses include any Web application policy permissions users may have.
Finding Orphaned Domain Users
If you are using Active Directory as the authentication method for your SharePoint Online environment, the Orphaned Domain Users analysis lists users who currently have permissions in SharePoint but are no longer valid in the Active Directory.
NOTE: Currently, ControlPoint cannot expand the membership of Office 365 groups. Therefore, these users cannot be evaluated.
Users Evaluated as Potential Orphans
ControlPoint evaluates users as potential orphans if they are disabled in and/or deleted from Active Directory but are found in:
·a SharePoint permission entry at any level (site, subsite, list, library, folder, or item)
·a site collection's All People list, and/or
·a Site Collection Administrator's list.
ControlPoint does not evaluate names in Web application policies, the Farm Administrator list, or any custom SharePoint list that may contain user names.
Users That Are Not Reported as Orphans
ControlPoint does not report a user as being orphaned if it is considered valid by SharePoint (that is, if a user who is not in the All People list can still be validated by the SharePoint People Picker). Active Directory entries that are considered valid by SharePoint (and therefore are not reported as orphaned by ControlPoint) include:
·expired accounts, and
·locked accounts (i.e., accounts for which the allowable threshold for failed login attempts has been exceeded).
To generate an Orphaned Domain Users analysis:
1Select the object(s) you want to include in your analysis.
2Choose Users and Security > Orphaned Domain Users.
3Specify the parameters for your analysis.
Note that you have the option of limiting your results only to users who are either disabled in or have been deleted from Active Directory. If you accept the default option, Show all orphans, both types of users will be included.
4If you want ControlPoint to automatically delete all users returned by the analysis on the home farm, check the Automatically delete users after analysis has run (in home farm only). Note that, in a multi-farm environment, this action cannot be carried out on a remote farm.
CAUTION: If you check this box, ControlPoint will automatically submit one or more Delete User jobs to the ControlPoint scheduler. The number of jobs submitted depends on the number of users to be deleted, and the number of users processed in a job is determined by the ControlPoint Setting OrphanDeleteBatchSize. The first job will be scheduled to run 30 minutes after the analysis has finished processing. Because this action cannot be undone, you may want to back up user permissions before running the operation. (You also have the option of deleting jobs before they have run via the Schedule Monitor.)
Now you can:
·run the operation immediately (by clicking the [Run Now] button)
OR
·schedule the operation to run at a later time or on a recurring basis.
OR
·save the operation as XML Instructions that can be run at a later time.
When expanded, a list of rights for each orphaned user displays the same information as the User Rights section of the Site Permissions analysis.
Disabled Accounts as Orphans
Users whose accounts have been disabled (or disabled and renamed) in the Active Directory are normally considered orphans by both SharePoint and ControlPoint and are annotated as such in analysis results. This annotation is intended to help you in evaluating whether or not such users really should be considered orphans in accordance with you organization's policies.
If an account has been both disabled and renamed, the annotation will include the original name, followed by the string DISABLED, RENAMED; and the new name. (ControlPoint will not consider a renamed account orphaned if it is also active, expired, or locked.)
NOTE: Although it is not a common practice, it is possible for restricted reads and other permissions to be placed on entries in the Active Directory. This can affect ControlPoint's ability to detect disabled accounts. Specifically, if an account has been disabled AND cannot be read by the ControlPoint Service Account, then both SharePoint and ControlPoint will treat that account as valid (not an orphan).
To delete orphaned user permissions from analysis results:
Use the information in the following table to determine the appropriate action to take.
CAUTION: If you have any doubt as whether a user is truly orphaned, it is recommended that before you delete permissions, you verify his/her existence and status in the Active Directory.
|
If you want to delete permissions for ... |
Then ... |
|---|---|
|
a specific orphaned user |
click a User hyperlink to initiate a ControlPoint Delete User Permissions action. The Delete User Permissions page opens in a separate browser window, with the Delete Users field pre-filled with the selected user(s). Note that you need to run the action without validating the user, as the account now longer exists in Active Directory. |
|
all orphaned users as an interactive tasks |
click the Delete All hyperlink at the top of the analysis results section. |
