Access Denied on WSS 3 upgraded sites

  Asked By: Damaris    Date: Sep 10    Category: MOSS    Views: 2684

This seems too easy. I'm almost embarrassed to ask because I know I'm
missing something really simple.

We are testing an upgrade of our WSS 2 system to WSS 3. I'm
intentionally leaving most of the implementation details out because
I'm figuring within 30 seconds of posting this, someone will point
out to me what I'm overlooking.

We're doing a gradual upgrade and every site that we upgrade from WSS
2 to WSS 3 locks us (the administrators) out. In WSS 2, by virtue of
being part of a domain group which is configured in the central
admin "Set SharePoint Administrator Group Account", everyone on our
team had access to all these sites. But as soon as a site collection
is upgraded to WSS 3, we are not able to get into the site after the
upgrade. We get the "Access Denied. Currently logged in as:...."
error message.

We have ensured that the same domain group is in the WSS 3 "Farm
Administrators" group and we have even gone so far as to add each
team member individually to the "Farm Administrators" group, but to
no avail. After the upgrade, to get access to the site, we can go in
and take ownership of the site, add ourselves as administrators and
set the ownership back to its pre-upgrade values, but is that really
the way it is intended? We are all local admins on the web server,
we're in the Farm Administrators group.

I'm sure I am missing something very simple. Can someone point me in
the right direction? If this is not the expected behavior let me know
and I'll share some of the implementation details, etc.


 

6 Answers Found

 
Answer #1    Answered By: Timothy Hall     Answered On: Sep 10

In the old version of SharePoint everyone who was a local admin on
the box had god access to all SharePoint sites. This was bad
because domain admins could do whatever they wanted in SharePoint.
What I had to do was go through each site logged in as whoever the
site collection owner was and add the admin AD group into the site
owners group for the site. If you are needing to do this for a lot
of sites I suggest testing this on one site to see if it works. And
if so, create a program that does this for all sites by looping
through all the site collections and adding your AD group to the
owners group. Should only take a couple of hours to write it. Then
log on to the server that has SharePoint on it as the site
collection owner and execute (assuming you named all site collection
owners as the same account. I use a service account for all my site
collection owners).

 
Answer #2    Answered By: Ian Powell     Answered On: Sep 10

I am familiar with this security blunder which was fixed by Microsoft in:
http://support.microsoft.com/kb/892295/

This patch implemented a change which was then enforced with a new
property "denymachineadminaccess". Apparently, this setting was a
temporary fix only intended for WSS 2 and was not carried forward
because using a "get" to retrieve this property on WSS 3 tells me
that the property doesn't even exist in WSS 3.

However, I would have thought that the "Farm Administrators" group
would have access to WSS 3 sites. Is this not the case?

 
Answer #3    Answered By: Osvaldo Winters     Answered On: Sep 10

I am going to go ahead and withdraw my earlier suggestion and concur
with what Lolouise said: go to this page in central admin
http://ServerName:#####/_admin/policy.aspx

 
Answer #4    Answered By: Kylie Gill     Answered On: Sep 10

That's exactly what I was looking for and my
problem is resolved.

 
Answer #5    Answered By: Irving Hurley     Answered On: Sep 10

We had the same problem and posted it to MS. Here is their answer to us:

The security system has changed by migrating from SPS 2003 to MOSS 2007. Farm
Administrators will no longer have Access/Admin-Rights on Site Collections.
There are several ways of granting access to your Farm Administrators.

· Add the particular Farm Administrator to the Site Collection he needs
to access

· Add the Farm Administrators to an AD-Group and grant access via
Policies for Web Application
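
The web application policy route described in the answers above, as an added example that is not part of any poster's reply or of Microsoft's response: a PowerShell script that uses the SharePoint server object model to list the current policy entries and, only when run with `-Apply`, grant an AD group Full Control. The URL and group name are placeholders, and the parameter names are this example's own.

```powershell
# Added example (not from the thread). Run on a farm server as a farm administrator.
param(
    [string]$WebAppUrl  = 'http://ServerName',        # placeholder URL
    [string]$AdminGroup = 'DOMAIN\SharePointAdmins',  # placeholder AD group
    [switch]$Apply                                    # without -Apply: report only
)

# WSS 3 ships no SharePoint cmdlets; load the server object model directly.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebAppUrl)
if ($null -eq $webApp) { throw "No web application found at $WebAppUrl" }

# 1. Audit: who already holds a web application policy, and with which role?
$existing = $null
foreach ($policy in $webApp.Policies) {
    $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
    Write-Output ("{0,-40} {1}" -f $policy.UserName, $roles)
    if ($policy.UserName -eq $AdminGroup) { $existing = $policy }
}

# 2. Grant: bind the AD group to Full Control unless it already is.
$fc = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
$fullControl = $webApp.PolicyRoles.GetSpecialRole($fc)

if ($existing -and ($existing.PolicyRoleBindings | Where-Object { $_.Type -eq $fc })) {
    Write-Output "$AdminGroup already has Full Control on $WebAppUrl; nothing to do."
}
elseif (-not $Apply) {
    Write-Output "Would grant Full Control to $AdminGroup on $WebAppUrl (re-run with -Apply)."
}
else {
    if (-not $existing) { $existing = $webApp.Policies.Add($AdminGroup, $AdminGroup) }
    $existing.PolicyRoleBindings.Add($fullControl)
    $webApp.Update()   # persist the policy change to the configuration database
    Write-Output "Granted Full Control to $AdminGroup on $WebAppUrl."
}
```

A web application policy applies to every site collection in that web application and takes precedence over site-level permissions, so review the audit output and the group's membership before running with `-Apply`.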

 
Answer #6    Answered By: Allyson Burgess     Answered On: Sep 10

What you are experiencing is the intended behavior. Site Collection
owners, by default, have limited access rights to sites. It's part of
the new security model in SharePoint.

 