Chat now with support
Chat with Support

Metalogix ControlPoint 8.1 - for Office 365 Administration Guide

Getting Started with ControlPoint Searching for SharePoint Sites Managing SharePoint Objects Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity About Us

Finding Orphaned Domain Users

If you are using Active Directory as the authentication method for your SharePoint Online environment, the Orphaned Domain Users analysis lists users who currently have permissions in SharePoint but are no longer valid in the Active Directory.  

Users Evaluated as Potential Orphans

ControlPoint evaluates users as potential orphans if they are disabled in and/or deleted from Active Directory but are found in:

·a SharePoint permission entry at any level (site, subsite, list, library, folder, or item)

·a site collection's All People list, and/or

·a Site Collection Administrator's list.

ControlPoint does not evaluate names in Web application policies, the Farm Administrator list, or any custom SharePoint list that may contain user names.

Users That Are Not Reported as Orphans

ControlPoint does not report a user as being orphaned if it is considered valid by SharePoint (that is, if a user who is not in the All People list can still be validated by the SharePoint People Picker).  Active Directory entries that are considered valid by SharePoint (and therefore are not reported as orphaned by ControlPoint) include:

·expired accounts, and

·locked accounts (i.e., accounts for which the allowable threshold for failed login attempts has been exceeded).

To generate an Orphaned Domain Users analysis:

1Select the object(s) you want to include in your analysis.

2Choose Users and Security > Orphaned Domain Users.

3Specify the parameters for your analysis.

Note that you have the option of limiting your results only to users who are either disabled in or have been deleted from Active Directory.  If you accept the default option, Show all orphans, both types of users will be included.

Orphaned Users DROPDOWN

4If you want ControlPoint to automatically delete all users returned by the analysis on the home farm, check the Automatically delete users after analysis has run (in home farm only).  Note that, in a multi-farm environment, this action cannot be carried out on a remote farm.

Orphaned USER AUTO DELETE

CAUTION: If you check this box, ControlPoint will automatically submit one or more Delete User jobs to the ControlPoint scheduler. The number of jobs submitted depends on the number of users to be deleted, and the number of users processed in a job is determined by the ControlPoint Setting OrphanDeleteBatchSize. The first job will be scheduled to run 30 minutes after the analysis has finished processing. Because this action cannot be undone, you may want to back up user permissions before executing the operation. (You also have the option of deleting jobs before they have run via the Schedule Monitor.)

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be executed at a later time.

When expanded, a list of rights for each orphaned user displays the same information as the User Rights section of the Site Permissions analysis.

Disabled Accounts as Orphans

Users whose accounts have been disabled (or disabled and renamed) in the Active Directory are normally considered orphans by both SharePoint and ControlPoint and are annotated as such in analysis results.  This annotation is intended to help you in evaluating whether or not such users really should be considered orphans in accordance with you organization's policies.

If an account has been both disabled and renamed, the annotation will include the original name, followed by the string DISABLED, RENAMED; and the new name.  (ControlPoint will not consider a renamed account orphaned if it is also active, expired, or locked.)

NOTE:  Although it is not a common practice, it is possible for restricted reads and other permissions to be placed on entries in the Active Directory.  This can affect ControlPoint's ability to detect disabled accounts.  Specifically, if an account has been disabled AND cannot be read by the ControlPoint Service Account, then both SharePoint and ControlPoint will treat that account as valid (not an orphan).

To delete orphaned user permissions from analysis results:

Use the information in the following table to determine the appropriate action to take.

CAUTION:  If you have any doubt as whether a user is truly orphaned, it is recommended that before you delete permissions, you verify his/her existence and status in the Active Directory.

If you want to delete permissions for ...

Then ...

a specific orphaned user

click a User hyperlink to initiate a ControlPoint Delete User Permissions action.

Orphaned User LINK TO DELETE

The Delete User Permissions page opens in a separate browser window, with the Delete Users field pre-filled with the selected user(s).  Note that you need to run the action without validating the user, as the account now longer exists in Active Directory.

all orphaned users as an interactive tasks

click the Delete All hyperlink at the top of the analysis results section.

 

Analyzing Site Permissions

The Site Permissions analysis lets you examine the permissions that one or more users have for selected sites, including external users.

To generate a Site Permissions analysis:

1Select the object(s) you want to include in your analysis.

2Choose Users and Security > Site Permissions.

3Specify the parameters for your analysis.

Note that, In addition to the "standard" parameters, you have the option to Group by Sites (the default) or Users.

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be executed at a later time.

The top level of the User Rights section lists the Web application(s) within the scope of your analysis.  

When expanded, a list of users with permissions for the site collection or site displays, along with the following information:

·the login name of the SharePoint User

·the user's permission level(s), as indicated by a plus sign (+) in the applicable column(s), which may include:

§the site collection's Admin group

§the five default SharePoint permission levels:

§Full Control

§Design

§Contribute

§Read

§Limited.

NOTE:  If a user has a template-specific or custom permission level, it is recorded in the Other column.  

Site Permissions CP Online RESULTS EXPANDED

By default, the report lists:

·users with direct permissions, and

·users with membership through SharePoint groups.

The Display Name/Group column shows the display name of each user whose permissions are direct or through membership in a SharePoint group.  If a display name does not exist for the user, the user's login name will display in brackets < >.

Note that in the following example, the external user is identified by his external email address.

Site Permissions EXTERNAL USER

 

Analyzing Site Lists Permissions

The Site Lists Permissions analysis lets you examine the permissions of users for individual lists within a selected site, including external users.

NOTE:  List permissions are also included as part of the Comprehensive Permissions analysis.  You can also view permissions for items within a selected list by running a Permissions by List Item analysis.

To generate a Site Lists Permissions analysis:

1Select the site whose list permissions you want to analyze.

NOTE:  You can only analyze list permissions for one site at a time.  If you multi-select, only the site on which you right-clicked will apply.

2Choose Users and Security > Site Lists Permissions.  Use the information in the following table to determine the appropriate action to take.

3Specify the parameters for your analysis.

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be executed at a later time.

The top level of the Site Lists Permissions analysis shows all of the lists used on the site, along with the following information:

·the Security type (Inherited or Unique)

·the number of Items in the list

·the number of Items with Unique Permissions.

NOTE:  If you chose to Show unique permissions only, results will include any list that contains items with unique permissions (even if the list itself has inherited permissions).

List Permissions by Site RESULTS

When expanded, the following information displays for each list:

·each User with permissions to the List item(s)

·if applicable, the SharePoint Group via which the user has permissions (users who have direct access are appropriately identified)

·the number of Accessible Items for that user, and

·the user's permission level(s).  A plus sign (+) displays in the applicable column(s), which may include any of the five default SharePoint permission levels:

§Full Control

§Design

§Contribute

§Read

§Limited.

NOTE:  If a user has a template-specific or custom permission level, it is recorded in the Other column.

List Permissions by Site EXPANDED

Note that in the following example, the external user is identified by his external email address.

Site Permissions EXTERNAL USER

 

 

Analyzing Permissions by List Item

The Permissions by List Item analysis lets you examine user permissions for folders and items within selected lists.

NOTE:  List item permissions are also included as part of Comprehensive Permissions analysis.  

To generate a Permissions by List Item analysis:

1Select the list(s) whose item permissions you want to analyze.

2Choose Users and Security > Permissions by List Item.

3If you want to analyze only specific items within the selected scope, select the items you want to analyze.

4Specify the parameters for your analysis.

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be executed at a later time.

The first row of the result set includes the following information about the list itself:

·an icon that identifies the list type (document library, calendar, task list, etc.).

·the name of the list

·the List Security type (Inherited or Unique)

·the number of Items in the list

·the number of Items with Unique Permissions.

When the first row is expanded, each user with permissions for the list is displayed, along with the following information:

·the name of the SharePoint User

·the number of Accessible Items (that is, the number of items within the list for which the user has permissions)

·the user's permission level(s) for the list itself, as indicated by a plus sign (+) in the applicable column(s), which may include:

§the site collection's Admin group

§the five default SharePoint permission levels:

§Full Control

§Design

§Contribute

§Read

§Limited.

NOTE:  If a user has a template-specific or custom permission level, it is recorded in the Other column.

Permissions by List Item LIST EXPANDED

The remaining rows contain detailed permissions information for each folder and item within the list.

Click a list, folder, or item name to open the SharePoint Permissions page.

Note that in the following example, the external user is identified by his external email address.

Site Permissions EXTERNAL USER

 

Related Documents