Jun 15, 2008

security in central admin site

The previous section described how the user web site works. But how do you modify the inner guts of WSS? You may remember that I said that the account used during the installation will initially also be the only account that can access the Central Administration web site. But this is not completely true!

Assume that Anna is the only user who can access the Administration web site. In other words, she is the SharePoint Goddess. By mistake, you happen to delete her user account. Quickly you try to repair the damage before anyone notices, so you create a new user account with the exact same name and password. Will Anna still be able to use the Administration web site? No! When you created the new account, it got a new Security ID (SID), even though it has the same name. SharePoint granted administrative access to Anna's old SID, so she cannot get in.

How do you solve this? Well, you can't, unless you restore the user account, that is, restore the complete Active Directory database, and that is not an easy task. Is there an easier way? Yes! Your escape route out of this misery is the fact that every user who is a member of the local Administrators group on the WSS server automatically has full and unlimited access to the Central Administration tool! The solution is to add Anna's new account to this group.

The important thing for you to understand is that everyone - every user and every member of any domain group - who is a member of the local Administrators group is a SharePoint God or Goddess. And by default, the domain group Domain Admins is always a member of the local Administrators group on every computer in the domain. This results in the fact that every member of Domain Admins has full access to the Central Administration tool. But not to any of the user sites in WSS! This is different from WSS 2.0, where members of the local Administrators group had full access to every site, both administrative and user sites! So, the security is better in WSS 3.0. However, any user who can access the Central Administration tool can also add themselves as Owners to any user site, so note that only trusted people should be members of the local Administrators group!
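The two points above, that Central Administration access follows local Administrators membership and that a grant is tied to a SID rather than a name, can be checked with a short script. This is an added example, not code from the original post; it assumes it runs on the WSS server, that the local group is named "Administrators", and uses a constructed account name and a placeholder SID.

```powershell
# Added example (not from the original post). Audits who reaches Central Administration
# through the local Administrators group, and compares account SIDs against recorded
# ones so a deleted-and-recreated account (the "Anna" case) can be spotted.

function Get-AccountSid {
    param([string]$Account)   # e.g. "CONTOSO\Anna" (constructed sample name)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    try {
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null          # account no longer exists or cannot be resolved
    }
}

function Get-LocalAdministrators {
    # WinNT provider, local machine ("."), group "Administrators" (assumed name)
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in $group.psbase.Invoke("Members")) {
        $name  = $m.GetType().InvokeMember("Name",    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class",   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $m, $null)
        # AdsPath looks like WinNT://CONTOSO/Domain Admins; rebuild it as DOMAIN\Name
        $domain = ($path -replace '^WinNT://', '') -split '/' | Select-Object -First 1
        New-Object PSObject -Property @{
            Account = "$domain\$name"
            Class   = $class        # "User", or "Group" (Domain Admins shows up here)
            Sid     = Get-AccountSid "$domain\$name"
        }
    }
}

# 1. Everyone listed here has full access to Central Administration, groups included.
Get-LocalAdministrators | Format-Table Account, Class, Sid -AutoSize

# 2. Record SIDs before a risky change and compare afterwards. A different SID for the
#    same name means the account was recreated and SharePoint's grant points at the
#    old identity, exactly the situation described for Anna.
$recorded = @{ 'CONTOSO\Anna' = 'S-1-5-21-PLACEHOLDER-1105' }   # constructed placeholder
foreach ($acct in $recorded.Keys) {
    $now = Get-AccountSid $acct
    if ($now -ne $recorded[$acct]) {
        Write-Warning "$acct now resolves to SID '$now', not the recorded '$($recorded[$acct])': recreated or missing account?"
    }
}
```

Membership of domain groups such as Domain Admins is not expanded here; resolving those members requires querying Active Directory separately.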