Both 2007 and 2010 examples are here. The 2010 version is halfway down the page.
Who is "NT AUTHORITY\Authenticated Users"?
The user "NT AUTHORITY\Authenticated Users" represents every account that can log on to your network. In the typical environment that would include employees, contractors, vendors with a "special account", and anyone else with Windows Authenticated access to the network.
SharePoint makes it too easy to add “NT AUTHORITY\authenticated users” to a site.
How to block accounts (SharePoint 2007 WSS and MOSS)
The following requires an edit to a LAYOUTS Application page. Best Practice or your governance policies may not permit this.
That said…
- Navigate to the 12 hive to ..\12\TEMPLATES\LAYOUTS
- Right-click copy / right-click paste aclinv.aspx (to back it up, just in case)
- Open aclinv.aspx with Notepad or your favorite editor (one that will not mess up the HTML in the page)
- Search and find “LinkAddAuthUsers” and comment out the ASP:LinkButton
- Now to make sure they cannot still type it in (or any other account you want to block) add a JavaScript function to check for forbidden accounts and cancel the postback. Edit the IF statement to add any other accounts you want to block. This example blocks “NT AUTHORITY\authenticated users” and “Domain\domain users”.
The LinkButton, commented out, looks like this:
<!--
<asp:LinkButton id="LinkAddAuthUsers"
Text="<%$Resources:wss,permsetup_addauthtitle%>" runat="server"
CausesValidation="false" OnClick="LinkAddAuthUsers_Click" />
-->
Add the following JavaScript at the end of the page just before the last line (</asp:Content>).
<script>
// techtrainingnotes.blogspot.com/2010/02/sharepoint-prevent-users-from-adding-nt.html
var clkfun;
_spBodyOnLoadFunctionNames.push('HookUpCheckUsers');

function HookUpCheckUsers()
{
  var buttonname = 'ctl00$PlaceHolderMain$ctl02$RptControls$btnOK';
  var button = document.getElementById(buttonname);
  // get the current onclick function
  clkfun = button.onclick;
  // and replace it with our function
  button.onclick = CheckUsers;
}

function CheckUsers()
{
  var divname = 'ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_upLevelDiv';
  // everything currently in the people picker, lower-cased for comparison
  var picked = document.getElementById(divname).innerHTML.toLowerCase();
  if ( picked.indexOf('nt authority\\authenticated users') > -1
    || picked.indexOf('domain\\domain users') > -1 )
  {
    alert("'NT AUTHORITY\\authenticated users' and 'Domain\\domain users' are not permitted");
    return false; // cancel the postback
  }
  // call their function and pass its result back, so that a cancel
  // from the original handler is still honored
  return clkfun ? clkfun.apply(this, arguments) : true;
}
</script>
Save your changes, go and try to add these accounts to a site.
Copy this file to each web front end server.
Test...
Add to your disaster recovery plan documentation!
How to block accounts (SharePoint 2010 November Beta 2)
The following requires an edit to a LAYOUTS Application page. Best Practice or your governance policies may not permit this.
That said…
- Navigate to the 14 hive to ..\14\TEMPLATES\LAYOUTS
- Right-click copy / right-click paste aclinv.aspx (to back it up, just in case)
- Open aclinv.aspx with Notepad or your favorite editor (one that will not mess up the HTML in the page)
- Add a JavaScript function to check for forbidden accounts and cancel the postback. Edit the IF statement to add any other accounts you want to block. This example blocks “NT AUTHORITY\authenticated users” and “Domain\domain users”.
Add the following JavaScript at the end of the “PlaceHolderMain” content block, just before the </asp:Content> tag.
(This is line 254 in my copy and the only </asp:Content> with a </table> just above it.)
This code is identical to the 2007 version except for the ID of the button.
<script>
// techtrainingnotes.blogspot.com/2010/02/sharepoint-prevent-users-from-adding-nt.html
var clkfun;
_spBodyOnLoadFunctionNames.push('HookUpCheckUsers');

function HookUpCheckUsers()
{
  var buttonname = 'ctl00_PlaceHolderMain_ctl01_RptControls_btnOK';
  var button = document.getElementById(buttonname);
  // get the current onclick function
  clkfun = button.onclick;
  // and replace it with our function
  button.onclick = CheckUsers;
}

function CheckUsers()
{
  var divname = 'ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_upLevelDiv';
  // everything currently in the people picker, lower-cased for comparison
  var picked = document.getElementById(divname).innerHTML.toLowerCase();
  if ( picked.indexOf('nt authority\\authenticated users') > -1
    || picked.indexOf('domain\\domain users') > -1 )
  {
    alert("'NT AUTHORITY\\authenticated users' and 'Domain\\domain users' are not permitted");
    return false; // cancel the postback
  }
  // call their function and pass its result back, so that a cancel
  // from the original handler is still honored
  return clkfun ? clkfun.apply(this, arguments) : true;
}
</script>
Save your changes, go and try to add these accounts to a site.
Copy this file to each web front end server.
Test...
Add to your disaster recovery plan documentation!
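The check used in both the 2007 and 2010 scripts above, generalized as an added example (not code from the original post): it takes a list of blocked accounts, normalizes whitespace and a few HTML entities before matching, and passes the original handler's return value through. The function names, the CONTOSO\jsmith account and the sample markup are assumptions constructed for illustration.

```javascript
// Added example, not the blog's code. The two blocked names come from the
// post; everything else here is constructed for illustration.
var BLOCKED_ACCOUNTS = [
  'NT AUTHORITY\\authenticated users',
  'Domain\\domain users'
];

// Normalize picker markup so cosmetic differences do not hide a match:
// decode the few entities that can occur in an account name (&amp; last,
// to avoid double decoding), collapse whitespace runs, lower-case.
function normalizePickerHtml(html) {
  return String(html)
    .replace(/&nbsp;|&#160;/gi, ' ')
    .replace(/&#92;|&#x5c;/gi, '\\')
    .replace(/&amp;/gi, '&')
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

// Return the blocked accounts found anywhere in the picker markup
// (visible text or attributes), the same substring approach as the post.
function findBlockedAccounts(html, blocked) {
  var haystack = normalizePickerHtml(html), hits = [];
  for (var i = 0; i < blocked.length; i++) {
    if (haystack.indexOf(blocked[i].toLowerCase()) > -1) hits.push(blocked[i]);
  }
  return hits;
}

// Wrap the button's original onclick: cancel when a blocked account is
// present, otherwise run the original handler and return its result.
function guardClick(original, getHtml, blocked, notify) {
  return function () {
    var hits = findBlockedAccounts(getHtml(), blocked);
    if (hits.length > 0) {
      notify(hits.join(', ') + ' not permitted');
      return false; // cancel the postback
    }
    return typeof original === 'function' ? original.apply(this, arguments) : true;
  };
}

// Constructed sample: doubled space, mixed case, encoded backslash and nbsp.
var SAMPLE_PICKER_HTML =
  '<span title="NT  AUTHORITY&#92;Authenticated&nbsp;Users">x</span>; ' +
  '<span title="CONTOSO\\jsmith">John Smith</span>';

// In aclinv.aspx (browser only) the wiring would look like:
//   btn.onclick = guardClick(btn.onclick, function () { return div.innerHTML; },
//                            BLOCKED_ACCOUNTS, function (m) { alert(m); });
```

Like the scripts above, this runs only in the browser on aclinv.aspx, so it stops accidental use of these accounts on that page rather than enforcing the rule on the server.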