2/08/2010

SharePoint: Prevent users from adding “NT AUTHORITY\authenticated users” and other selected accounts to sites and groups.

 

Both 2007 and 2010 examples are here. The 2010 version is halfway down the page.

 

Who is "NT AUTHORITY\Authenticated Users"?

The account "NT AUTHORITY\Authenticated Users" represents every account that can log on to your network. In a typical environment that includes employees, contractors, vendors with a "special account", and anyone else with Windows-authenticated access to the network.

 

SharePoint makes it too easy to add “NT AUTHORITY\authenticated users” to a site: the Add Users page offers an “Add all authenticated users” link that grants access to everyone with a single click.

 

 

How to block accounts (SharePoint 2007 WSS and MOSS)

The following requires an edit to a LAYOUTS Application page. Best Practice or your governance policies may not permit this.

That said…

  1. Navigate to the 12 hive folder ..\12\TEMPLATES\LAYOUTS
  2. Right-click copy / right-click paste the file (to back it up, just in case)
  3. Open aclinv.aspx with Notepad or your favorite editor (one that will not mangle the HTML in the page)
     
  4. Search for “LinkAddAuthUsers” and comment out the asp:LinkButton so that it reads:

     <!--
     <asp:LinkButton id="LinkAddAuthUsers"
       Text="<%$Resources:wss,permsetup_addauthtitle%>" runat="server"
       CausesValidation="false" OnClick="LinkAddAuthUsers_Click" />
     -->

  5. Now, to make sure they cannot still type it in (or any other account you want to block), add a JavaScript function that checks for forbidden accounts and cancels the postback. Edit the IF statement to add any other accounts you want to block. This example blocks “NT AUTHORITY\authenticated users” and “Domain\domain users”.

     Add the following JavaScript at the end of the page, just before the last line (</asp:Content>):

     <script type="text/javascript">
     // techtrainingnotes.blogspot.com/2010/02/sharepoint-prevent-users-from-adding-nt.html

     var clkfun;   // the OK button's original onclick handler, saved by HookUpCheckUsers

     // SharePoint runs every function named in this array once the page body has loaded
     _spBodyOnLoadFunctionNames.push('HookUpCheckUsers');

     function HookUpCheckUsers()
     {
       var buttonname = 'ctl00$PlaceHolderMain$ctl02$RptControls$btnOK';
       // Internet Explorer's getElementById also matches the name attribute (which uses $);
       // other browsers only find the client ID, which uses underscores instead
       var button = document.getElementById(buttonname)
                 || document.getElementById(buttonname.replace(/\$/g, '_'));
       if (!button) { return; }   // button not found: leave the page as it was
       // save the current onclick function
       clkfun = button.onclick;
       // and replace it with our function
       button.onclick = CheckUsers;
     }

     function CheckUsers()
     {
       var divname = 'ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_upLevelDiv';
       var picked = document.getElementById(divname).innerHTML.toLowerCase();
       if ( picked.indexOf('nt authority\\authenticated users') > -1
         || picked.indexOf('domain\\domain users') > -1 )
       {
         alert("'NT AUTHORITY\\authenticated users' and 'Domain\\domain users' are not permitted");
         return false;  // cancel the postback
       }
       // otherwise run the button's original onclick (if it had one) so the postback continues
       if (clkfun) { return clkfun.call(this); }
       return true;
     }
     </script>


Save your changes, go and try to add these accounts to a site.

 

Copy the edited file to each web front-end server.
 

Test...
 

Add to your disaster recovery plan documentation!

 

 

How to block accounts (SharePoint 2010 November Beta 2)

The following requires an edit to a LAYOUTS Application page. Best Practice or your governance policies may not permit this.

That said…

  1. Navigate to the 14 hive folder ..\14\TEMPLATES\LAYOUTS
  2. Right-click copy / right-click paste the file (to back it up, just in case)
  3. Open aclinv.aspx with Notepad or your favorite editor (one that will not mangle the HTML in the page)
     
  4. Add a JavaScript function that checks for forbidden accounts and cancels the postback. Edit the IF statement to add any other accounts you want to block. This example blocks “NT AUTHORITY\authenticated users” and “Domain\domain users”.

     Add the following JavaScript at the end of the “PlaceHolderMain” content block, just before the </asp:Content> tag.
     (This is line 254 in my copy and the only </asp:Content> with a </table> just above it.)

     This code is identical to the 2007 version except for the ID of the button.

     <script type="text/javascript">
     // techtrainingnotes.blogspot.com/2010/02/sharepoint-prevent-users-from-adding-nt.html

     var clkfun;   // the OK button's original onclick handler, saved by HookUpCheckUsers

     // SharePoint runs every function named in this array once the page body has loaded
     _spBodyOnLoadFunctionNames.push('HookUpCheckUsers');

     function HookUpCheckUsers()
     {
       var buttonname = 'ctl00_PlaceHolderMain_ctl01_RptControls_btnOK';
       var button = document.getElementById(buttonname);
       if (!button) { return; }   // button not found: leave the page as it was
       // save the current onclick function
       clkfun = button.onclick;
       // and replace it with our function
       button.onclick = CheckUsers;
     }

     function CheckUsers()
     {
       var divname = 'ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_upLevelDiv';
       var picked = document.getElementById(divname).innerHTML.toLowerCase();
       if ( picked.indexOf('nt authority\\authenticated users') > -1
         || picked.indexOf('domain\\domain users') > -1 )
       {
         alert("'NT AUTHORITY\\authenticated users' and 'Domain\\domain users' are not permitted");
         return false;  // cancel the postback
       }
       // otherwise run the button's original onclick (if it had one) so the postback continues
       if (clkfun) { return clkfun.call(this); }
       return true;
     }
     </script>

 

Save your changes, go and try to add these accounts to a site.

 

Copy the edited file to each web front-end server.
 

Test...
 

Add to your disaster recovery plan documentation!
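A reusable form of the CheckUsers test that both the 2007 and 2010 scripts above hard-code, added here as an example (it is not code from the original post): it parses the picker's upLevelDiv markup into individual entries and matches each one whole against a deny list, so adding an account no longer means editing the IF statement. The span-per-entry markup with ';' separators used in the constructed sample is an assumption; confirm the real div's innerHTML in your version first.

```javascript
// Added example, not the original post's code. The picker markup shape assumed here
// (one span per resolved entry, separated by ';') should be verified on the real page.

// Accounts that must never be granted access through this page (edit to suit).
var FORBIDDEN_ACCOUNTS = [
  'NT AUTHORITY\\authenticated users',
  'Domain\\domain users'
];

// Canonical form for comparison: lower-case, single-spaced, trimmed.
function normalizeAccount(name) {
  return name.replace(/\s+/g, ' ').replace(/^\s+|\s+$/g, '').toLowerCase();
}

// Extract the resolved account names from the picker div's innerHTML: strip the tags,
// decode the entities that can appear in account names, then split on the ';' separator.
function pickerEntries(innerHTML) {
  var text = innerHTML
    .replace(/<[^>]*>/g, '')
    .replace(/&nbsp;/g, ' ')
    .replace(/&amp;/g, '&');
  var entries = [];
  var parts = text.split(';');
  for (var i = 0; i < parts.length; i++) {
    var n = normalizeAccount(parts[i]);
    if (n) { entries.push(n); }
  }
  return entries;
}

// Return the forbidden entries present in the picker (empty array: the add may proceed).
// Each entry is matched whole, so 'Domain\domain users2' is not blocked by accident the
// way the substring test in the page's scripts would block it.
function findForbiddenAccounts(innerHTML, forbidden) {
  var deny = [];
  for (var i = 0; i < forbidden.length; i++) { deny.push(normalizeAccount(forbidden[i])); }
  var found = [];
  var entries = pickerEntries(innerHTML);
  for (var j = 0; j < entries.length; j++) {
    if (deny.indexOf(entries[j]) > -1) { found.push(entries[j]); }
  }
  return found;
}

// Drop-in body for the page's CheckUsers: false cancels the postback.
function allowAdd(pickerDivInnerHTML) {
  return findForbiddenAccounts(pickerDivInnerHTML, FORBIDDEN_ACCOUNTS).length === 0;
}
```

Like the page's scripts, this runs only in the browser: it stops accidental additions of the listed accounts but does not replace server-side permission control.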

 


9 comments:

Anonymous said...

I would like to add another group, e.g. Finance, as a link and remove "Add All authenticated users". I managed to remove the authenticated users per your blog, but cannot add Finance. Do you have any insights on how to do this?

Thanks for your response.

Mike Smith said...

Sorry I don't. That's not just a regular textbox or textarea. There's some JavaScript there that intercepts each keystroke.

Kishore said...

Nice article.

In my situation, my customer doesn't want me to touch OOB pages. So can you please suggest another good way to accomplish the same?

Mike Smith said...

The only other option is to edit the application master page and add a little JavaScript routine or CSS near the end of the file (just before </BODY>) to hide the link.

File:
/_layouts/application.master

<script>
var addauth = document.getElementById("ctl00_PlaceHolderMain_ctl00_LinkAddAuthUsers")
if (addauth)
{
addauth.style.display="none";
}
</script>

or

<style>
#ctl00_PlaceHolderMain_ctl00_LinkAddAuthUsers
{
display:none;
}
</style>

The above was typed from memory...

Mike

chowyo123 said...

Is there a way to limit which users can add users with a specific permission level? For example, only allow those in the Owners group to add users with Full Control. Perhaps gray out or hide the Full Control option unless a user belongs to the Owners group?

Mike Smith said...

chowyo123,

Security in SharePoint is pretty much an all or nothing situation, and by default only Site Owners (or users given Full Control) can manage security. That said, I can think of a few things to try using the SharePoint Security Trimmed Control.

Mike

Sharika said...

Hi Mike,
Thanks for the nice post. In my application, new users can be added only through a provisioning process (i.e. we have a custom workflow for adding new users, and only once it's approved by the owner is the user available in the people picker), so I want to block "all auth users" first, but if it is approved through the provisioning process then I want to allow the same. Please advise.

Anonymous said...

Mike,
Can we lock this down so only site collection admins can add NT AUTHORITY\authenticated users to the sites, but not end users?

Thoughts?

Mike Smith said...

Anonymous,

Not from JavaScript. I don't know of a way to ID a Site Collection Admin from JS. In theory you could add some C# code in <% %> blocks to that page that would only add the JS above to the page if the user's SPUser.IsSiteAdmin property equals "True".

Mike
