need to retire an account – not sure what permissions people have?

With the best will in the world, you may have planned and structured your SharePoint permissions very well. However, ultimately it will end up with unique permissions assigned to individuals everywhere.  This leads to a lack of understanding of which users have permissions to what objects in SharePoint.

You may have carefully considered the implications of using SharePoint Groups vs Active Directory groups to organise your users.  Most organisations tend to favour Active Directory groups, and either assign the AD groups permissions directly, or they assign the AD groups permissions via a SharePoint Group. To begin with, this works well! It is then true that removing a user from the AD group will affectively remove their permission from SharePoint.  However, as time goes on, you will find users have been granted unique permissions to Sites, Lists, Folders and List Items or Documents.  Why?  Because at the time, it is quicker and easier to grant  a user permissions to an object that they require permissions to in order for them to carry out their work.

Let’s assume that you have thirty site collections, and each site collection has one hundred sites.  Each site has on average one thousand list items or documents.  This is considered a small SharePoint environment.  There is now the potential to have three million items.  When a user leaves the organisation, can you be sure that their permissions have been removed from all three million items?  SharePoint doesn’t offer a quick way to check each of these items or for that matter each site.

DeliverPoint on the other hand does.  DeliverPoint provides a Unique Permissions report that can be run on each Web Application, Site Collection, or Site. The report will use the selected object as the scope and then provide you with a unique permissions report right down to the list item.

Below you can see a screenshot of a Unique Permissions report for the user “Brett”.


This report is ran against a user account or domain group and will provide everything that the selected user has access to and tells you how they were granted access in the first place.  You can see from the top of the report that the user account Brett has permissions assigned to it as an individual as well as being a member of Domain Groups and SharePoint Groups. if you have therefore forgotten to remove the user from a domain group, DeliverPoint will make it obvious.


The unique Site Permissions, List Permissions and List Item Permissions sections explain to me where I still have access:


SharePoint 2010 provides you with a Check Permission option which can be used on an object at a time.  However, it would take a long time to go through 3 million items! 🙂

DeliverPoint 2007 or DeliverPoint 2010 is available to trial for 30 days from:

If you would like a demonstration of the product, please don’t hesitate to contact us on


Leave a comment