SharePoint 2007 to SharePoint 2010 Farm Migration. Phase 2 – Security Analysis

Introduction

In this series I describe how to analyse a SharePoint farm and prepare it for the SharePoint 2010 migration. The series has three parts:

  1. Farm Architecture and Configuration Analysis
  2. User and Group Analysis (current)
  3. Farm Migration

This part covers the user and permission analysis. But first of all, why analyse users and permissions at all when we are only migrating data? Can't the users be migrated automatically?

The answer is yes and no. Users are migrated automatically, but nobody migrates for the sake of migrating: usually you are building a new application and trying to fix existing problems on the way. Users, groups and permissions need to be reorganised and fixed before the content is moved to the new environment.

The areas we need to look at are the following:

  • number of users and groups
  • how users are organized in groups
  • permissions – users, groups, broken inheritance
  • dead users

SharePoint out-of-the-box (OOTB) functionality doesn't cover all of these needs, so we will use several third-party tools to gather the information.

Tools

There are two approaches to collecting the required information: the commercial "ARK for SharePoint 2007" reporting tool, which covers almost all of our needs, or several free tools that together give the same information. Additionally, the STSADM command line gives almost the same data via its enumusers, enumgroups and enumroles operations, but the output is per site collection and you have to count the items yourself.

The limitation of most free tools is that they don't provide web-application level information across all site collections. The advantage of "ARK for SharePoint" is that it generates reports for all web applications in the farm.

In this post I describe how to get all of this information without commercial tools.
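As an added example (this script is not part of the original post), the following PowerShell script automates the manual counting step: it runs the STSADM enumsites, enumusers and enumgroups operations for every site collection in one web application, parses the XML they print, and writes a per-site-collection CSV plus a distinct login count for the whole web application, which is exactly the web-application scope the free GUI tools lack. Assumptions: the web application URL and output path are placeholders, and the XML attribute names (Site/Url, User/LoginName, IsSiteAdmin, IsDomainGroup, Group) are those of the WSS 3.0 STSADM output as assumed here; verify them against one stsadm -o enumusers run on your own farm before trusting the counts. It needs PowerShell 2.0 and must run on a farm server as a farm administrator.

```powershell
# Added example, not from the original post: count users, AD groups, site
# administrators and SharePoint groups for every site collection in one web
# application with STSADM (enumsites / enumusers / enumgroups).
# Assumed: the URL and output path below, and the XML attribute names used in
# the XPath expressions (check them against your own stsadm output first).
param(
    [string]$WebApplicationUrl = "http://intranet",   # assumed URL of the web application
    [string]$OutFile = ".\users-and-groups.csv"       # assumed output path
)

# stsadm.exe lives in the 12 hive BIN folder on every WSS 3.0 / MOSS 2007 server.
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# Run one stsadm enum operation and return the XML it prints as an XmlDocument.
function Invoke-StsadmXml([string]$Operation, [string]$Url) {
    $lines = & $stsadm -o $Operation -url $Url 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("stsadm -o {0} -url {1} failed: {2}" -f $Operation, $Url, ($lines -join " "))
    }
    # stsadm may print blank or status lines around the XML; keep only XML lines.
    $xmlText = ($lines | ForEach-Object { "$_" } | Where-Object { $_.Trim().StartsWith("<") }) -join "`n"
    return [xml]$xmlText
}

$rows = @()
$allLogins = @{}     # distinct LoginName values across the whole web application

$sites = Invoke-StsadmXml "enumsites" $WebApplicationUrl
foreach ($site in $sites.SelectNodes("/Sites/Site")) {
    $users  = Invoke-StsadmXml "enumusers"  $site.Url
    $groups = Invoke-StsadmXml "enumgroups" $site.Url

    foreach ($u in $users.SelectNodes("/Users/User")) { $allLogins[$u.LoginName] = $true }

    # SelectNodes(...).Count is 0 when nothing matches, so empty site collections count correctly.
    $rows += New-Object PSObject -Property @{
        SiteCollection   = $site.Url
        Users            = $users.SelectNodes("/Users/User[@IsDomainGroup='False']").Count
        ADGroupsAsUsers  = $users.SelectNodes("/Users/User[@IsDomainGroup='True']").Count
        SiteAdmins       = $users.SelectNodes("/Users/User[@IsSiteAdmin='True']").Count
        SharePointGroups = $groups.SelectNodes("/Groups/Group").Count
    }
}

$rows | Select-Object SiteCollection, Users, ADGroupsAsUsers, SiteAdmins, SharePointGroups |
    Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table SiteCollection, Users, ADGroupsAsUsers, SiteAdmins, SharePointGroups -AutoSize
"{0} distinct logins across {1} site collections" -f $allLogins.Count, $rows.Count
```

AD groups added directly as site users are counted separately from individual users because they behave differently during migration (one entry can stand for hundreds of people). enumroles can be added the same way to count custom permission levels per site collection; it is left out here because its output structure is not shown on this page.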

Number of Users & Groups

  1. Users & groups count – "Bamboo SharePoint Analyzer" -> Farm -> Servers -> Web Applications -> Site Collections -> Web sites; the counts are shown in parentheses next to "Users", "Groups" and "Administrators"
  2. Site administrators – "Bamboo SharePoint Analyzer" or Central Administration
  3. Groups across site collections – "Xavor SharePoint Admin Tool" -> Show Group Security

Users & Groups Association

  1. Farm administrators – Central Administration -> Operations -> Update Farm Administrators Group, or "Bamboo SharePoint Analyzer"
  2. Users by group – ARK for SharePoint provides the full picture across all web applications. The free alternative is the "Permission Report" tool (Site Settings -> "Broken Inheritance Reports Jobs"), which generates an Excel spreadsheet for the site listing its users and their groups.

Permissions

  1. Broken inheritance can be found with the "Access Checker" tool, which lists the SharePoint items where inheritance is broken, but it doesn't show what exactly was changed. Reports are supported.
  2. Broken inheritance diff can be viewed with the "SharePoint Administration Toolkit" and its "Compare Permissions Sets" report, which shows the permission differences between the current item and the root item, with the details of each change. Reports are supported.
  3. User rights – the "Check User Access" report of "Access Checker" shows a user's rights across SharePoint elements, including the items the user has no access to
  4. Group rights – "Check Effective Permissions" of the "SharePoint Administration Toolkit" shows the items accessible to a group

Unfortunately, none of the tools above provide web-application scope or item-level reports: you can't iterate through all site collections and find the list items or specific pages a user has no access to. For that, use the "Xavor SharePoint Admin Tool", which provides reports across a web application (but no functionality to save them).

[image: red – user has no permissions]
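The web-application-wide, item-level broken inheritance report that the tools above don't produce can be generated from PowerShell with the WSS 3.0 / MOSS 2007 object model. The script below is an added example, not code from the post or from any of the tools it names; the web application URL, output path and per-list item cap are assumptions. It lists every subweb, list and list item with unique role assignments, together with the principals and permission levels granted there, which is the raw data behind the "Compare Permissions Sets" and "Check Effective Permissions" reports.

```powershell
# Added example, not from the original post: report every securable object
# (subweb, list, list item) in one web application that breaks permission
# inheritance, with the principals and permission levels granted on it.
# Assumed: the URL, output path and item cap below. Must run on a farm server
# under an account that can open every site collection.
param(
    [string]$WebApplicationUrl = "http://intranet",    # assumed web application URL
    [string]$OutFile = ".\broken-inheritance.csv",     # assumed output path
    [int]$MaxItemsPerList = 5000                       # assumed cap: skip item-level scan of huge lists
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Render the role assignments of a securable object as "principal:level1|level2; ..."
function Format-RoleAssignments($obj) {
    $parts = @()
    foreach ($ra in $obj.RoleAssignments) {
        $levels = @()
        foreach ($def in $ra.RoleDefinitionBindings) { $levels += $def.Name }
        $parts += ("{0}:{1}" -f $ra.Member.Name, ($levels -join "|"))
    }
    return ($parts -join "; ")
}

function New-Row($site, $scope, $url, $obj) {
    New-Object PSObject -Property @{
        SiteCollection = $site.Url
        Scope          = $scope
        Url            = $url
        Permissions    = Format-RoleAssignments $obj
    }
}

$rows = @()
$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebApplicationUrl)
foreach ($site in $webApp.Sites) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always has its own permissions; only subwebs can inherit.
                if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                    $rows += New-Row $site "Web" $web.Url $web
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        $rows += New-Row $site "List" ($web.Url + "/" + $list.RootFolder.Url) $list
                    }
                    # Item-level enumeration is the expensive part; cap it for very large lists.
                    if ($list.ItemCount -gt $MaxItemsPerList) { continue }
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            $rows += New-Row $site "Item" ($web.Url + "/" + $item.Url) $item
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } catch [System.UnauthorizedAccessException] {
        Write-Warning ("No access to " + $site.Url + "; run as a site collection administrator of it")
    } finally { $site.Dispose() }
}

$rows | Select-Object SiteCollection, Scope, Url, Permissions |
    Export-Csv -Path $OutFile -NoTypeInformation
"{0} securable objects with broken inheritance written to {1}" -f $rows.Count, $OutFile
```

A farm administrator is not automatically a site collection administrator, so site collections the account cannot open are logged as warnings instead of aborting the run; add the account as a secondary site collection administrator for those and rerun. The Permissions column is what you diff against the root web when deciding whether a break is deliberate or a leftover to clean up before migration.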

Dead Users

When you install and configure a new farm you probably create several test users and groups that should be deleted at the end. Sometimes administrators create such accounts and then forget to delete them, so "dead" accounts are quite common. When you start a migration you don't want such users and groups in the new farm, so you need to find them all and delete them.

I don't know of any free tool that provides this functionality, and only a couple of commercial tools do: DeliverPoint and ControlPoint.

Creating the report

The logical outcome of the security analysis is a Word document that highlights the security issues, but unfortunately this is not always feasible. Consider a medium farm with 5000 users, 300 groups and 400 sites, 30% of them with broken inheritance. You can physically create the Word document, but how are you going to analyse a 200-page document?

The real analysis is usually a "multithreaded" task: you check users' rights, discuss the grouping with the domain (AD) administrators, fix the broken permissions, and so on, all in parallel.

Depending on the content size, documenting the following quantitative information is recommended:

  • Farm administrators
  • Number of users
  • Number of groups per web application and per site collection
  • Broken inheritance report per site collection and per item (depending on how many broken items you have)
  • Users and AD groups per SharePoint group (definitely for the AD groups; for individual users it depends on their number)

Unfortunately, it is hard to define a template for this step, because the security analysis is very specific to each farm, and usually you end up with several files: documents with the quantitative information, Excel spreadsheets with users, groups and permissions, and HTML files describing the broken permission inheritance.

Summary

Security analysis can be a daunting task, depending on how much the permissions have been customised and how users are assigned to groups. The recommendation is to perform a draft analysis on a backup instance, where you can experiment with different tools and find all the security issues, and then fix the issues on production.

7 Comments

  1. Andy Said,

    November 3, 2009 @ 10:45 pm

    Great tips on doing a SharePoint farm migration. The imminent arrival is exciting, but there are logistical issues when upgrading; you addressed some of these here. Have you thought about joining the SharePoint conversation on Facebook? Check it out at http://www.facebook.com/office

    Keep up the great posts!

    Cheers,
    Andy
    MSFT Office Outreach Team

  2. laflour Said,

    November 3, 2009 @ 11:07 pm

    I will join. But I wonder what logical issues I missed.

  3. Andy Said,

    November 9, 2009 @ 10:14 pm

    I didn't express myself as well as I could have; I didn't mean to imply that you missed anything. Sorry about that! Thanks again for the great (and thorough) post and for joining on Facebook.

    Best,
    Andy
    MSFT Office Outreach

  4. Mark Said,

    December 1, 2009 @ 3:23 am

    I'd like to ask what the advantages of SharePoint 2010 are over SharePoint 2007 and SharePoint 2003? Thanks

  5. laflour Said,

    December 1, 2009 @ 6:38 am

    The changes are quite significant. You can find some info about SP2010 and SP2007 on my site wwww.sharepoint-sandbox.com

  6. Saif Khan Said,

    February 17, 2010 @ 8:55 am

    Dear Michael,

    Thank you for pointing out the issue of not being able to save in Xavor SharePoint Admin Tool. We have recently added an Export to Excel feature in the tool in order to help users save those reports. You can now save reports as well.

    Thanks.

  7. Sandro Said,

    July 5, 2010 @ 2:15 pm

    Hi Michael,

    Thank you for your guidance! However, the link to part 3 is not there; have you not published it yet?

    Best regards

