Vanishing SharePoint Permissions

Question

SharePoint groups started to disappear- totally randomly, within a single site collection. I am pretty sure they are not deleted because we have few site collection admins with knowledge.

happens like this: Site A has members, owners and visitors group. we realized that owners and visitors have been removed. The groups are vanished from People and Groups as well! On the other instance, Site B,all groups have been removed / vanished and an individual person name was added to permissions.

I enabled the auditing and all I have from the report is 12 groups deleted on a saturday night in easter holiday at 11Pm by 3 different users in same minute. there is no way that users connected the same minute and deleted this groups. Does anyone has an idea what might be happening, I have never seen such a thing.

There are no custom timer jobs, content deployments etc. to cause this behaviour. Every week users are coming to tell me their groups are vanishing. And I am far away from finding a root cause.  I did a massive investigation, went through ULS logs searched every keyword I can think of, no trace and now I am out of ideas. help!

---

ceren

Answer 1

Hello Cerenn,

Just to get some extra information. Do the sites in your example (Site A & B) have unique permissions or do they inherit their permissions from the root? 

In other words, what kind of hierarchy of permissions and inherited permissions do you have within the single site collection?

Answer 2

All sites that has disappearing permissions have UNIQUE permissions. none of them inherits. 

There are some sites which are inheriting and some are not inheriting.. It depends on the site usage really. And this does not happen on all non-inheriting sites, totally random. At first I thought someone was accidentally deleting them but on a saturday nigth at 11 pm by 3 different users, in same minute- impossible.

I am going through the ULS logs to see what happened in that minute but lots of entries- Excel Services and Profile Syncronization things mostly, couldn't relate it to that :(

---

ceren

Answer 3

Sounds like some kind of timer job or maybe something with the Profile synchronization. Strange but interesting issue.

Did it only happen during easter. Or did it happen on more occasions?

Btw, which build of SharePoint do you have (which SP or CU?)

Answer 4

If it is a timer job- why the groups seem to be deleted by the user accounts? I expect they will be deleted by a service account.

The users are complaining about this issue more than a month, the first time we thought it was a user mistake, unintentional or accidental delete.. but it is obviously not.

Here is the build version, Get-spfarm.buildversion result:

Major  Minor  Build  Revision
-----  -----  -----  --------
14     0      6029   1000

---

ceren

Answer 5

Just a clue: expiration policy jobs are scheduled to run at 11pm on Saturdays by default.

 

---

-- Ilya

Answer 6

Hi can you please tell me what these jobs do?

---

ceren

Answer 7

Today the Master Page Gallery permissions have vanished into thin air. Users started to get 'access denied' when they tried to edit pages and after a quick investigation I found out that Master Page Library on site collection level had no permissions at all. nothing..

I have fixed this now but what deletes this really? Why does this permissions vanish? the only thing in audit log is:

And it is from yesterday morning. I do not understand what this means and not sure if this caused the master page gallery permissions to vanish.

2012-04-19T09:59:03

Security Role Bind Update

<roleid>-1</roleid><principalid>12</principalid><scope>80D22BD8-9F7B-4CBA-ACD1-22C998E739E4</scope><operation>ensure removed</operation>

---

ceren

Answer 8

Hi,

I am not sure whether it is related. You may have a look at this article:

http://trayontheweb.com/2009/12/10/fix-security-groups-and-distribution-lists-are-missing-users-from-child-domains-within-sharepoint/

Hope it helps.

Best Regards,

Sally Tang

Answer 9

Hi,

I'm seeing a similar issue with one of my environments. SP Groups are randomly dissapearing at 00:00 Sundays (that's 23:00 GMT). It appears as it would have been deleted by a regular user, however we excluded that the user would have deleted these groups.

There are a lot of timer jobs running at 00:00, but the best candidates would be the Health Jobs (which are scheduled by default every Sunday on 00:00). However, we couldn't exactly pinpoint the responsible timer job until now.

We're on build 14.0.6109.5002.

How is your investigation going?

Andrei

Answer 10

No news.. We are still investigating but kind of stuck here. The groups disappeared 23:04 PM two weeks ago. Then last week an active directory user group sitting inside a sharepoint site visitors group disappeared. No trace in logs.. Desperate for a solution!

---

ceren

Answer 11

It seems that this happened again, 21 april on 23 PM - this time there is my user and 2 other users, deleted a total of 14 groups at 23:02PM. This is definitely a timer job gone wrong!

I have checked the timer job schedules and this 2 jobs are running weekly on Saturday 11 PM:

Expiration policy: This job processes items that are due for a retention action, such as deleting items passed their expiration date.

 

Change log: The Change Log records many different types of changes made to SharePoint sites. This timer job is used to periodically delete old entries from the log.

So which one is deleting this sharePoint groups and why deleting it with different account names? As far as I know SP groups does not expire!

Andrei, are any of this 2 timer jobs scheduled on the time you have lost your groups?

---

ceren

Answer 12

We are experiencing similar issue, were you able to resolve this issue. This issue has been driving us crazy. Appreciate it if you can share how you resolved this issue.

Answer 13

Hi,

I am experiencing also similar behavior - I have a multi-tenant SP2010 environment, and it happens that sharepoint groups (usually "default" visitors, members and admins groups, never the custom groups) get deleted randomly on one of (random) tenant sites. I have audit logs enabled, and can track that system account deleted the groups at exactly same moment (all three groups). This has happened several times... FEB 2012 CU installed. 

Answer 14

Hi guys,

This problem (at least in my case) looks like a Sharepoint bug, but I was able to solve my case using a workaround.

The case in which members, owners and visitors group was removed was caused by following process:

1. I have a root site collection under which I also had a sub site. Both root web site and the sub site had same Sharepoint groups (I'll call them "Readers", "Contributors" and "Admins" just to demonstrate the issue) - and for the sub site I was using these groups for site's default groups:  members (--> "Contributors"), owners (--> "Admins") and visitors (--> "Readers") group (as configured e.g. through /_layouts/permsetup.aspx).

2. I removed the sub site (and since SP2010 sp1 the sub site was send to the recycle bin)

3. I have 30 days retention period (default) in recycle bin after which the timer job (I had it running on Sunday morning right after midnight) cleans +30 days content from recycle bin.

4. Thus after 30days+n days till next Sunday, when the timer job was run, my "Readers", "Contributors" and "Admins" Sharepoint Groups were also removed from the root web site (when the sub site was removed from the recycle bin).

I repeated this process manually, by creating root web site, sub site and similar group setting. Then I deleted the subsite, after which I also removed it from recycle bin (just like the recycle bin timer job was doing): the result was that the Sharepoint groups were removed from the root web site as well.

Therefore, I developed a workaround for this purpose:

1. Before removing the sub web site, I set up unique members, owners and visitors groups for the sub web site (and make sure that sub web site does not have any privileges for the groups that I am using on root site level).

2. I delete the sub web site, after which I remove the site from the recycle bin as well.

As a result of this no groups are removed from the root web site.

I hope this helps someone of you!

Answer 15

Yes, Microsoft returned the exact the same answer to us, Ahis.

We are now waiting for them to tell us if this is a bug or 'by design' :)

---

ceren

Answer 16

I was able to reproduce this from the restore of a content db where this happened, but I'm unable to reproduce this in my test enviroment.  Do you know if this is for a particular site template?  I'd like to be able to document this as much as possible.

Answer 17

Hi all,

we've identified the cause and a workaround. To sum it up:

The problem: Some SharePoint groups and their associated permissions are removed, when a subsite with custom permissions (created through code in our case) is deleted from the recycle bin (manually or through the Recycle bin timer job).

The cause: While assigning permissions to the problematic subsite, SharePoint automagically assings some SharePoint site groups as "CreatedAssociateGroups" to it. When the subsite is sent to the recycle bin, these groups are also marked for deletion. When the subsite is deleted, the groups are deleted with it. You can identify the groups which will be deleted via PowerShell:

The Workaround: Set the vti_createdassociatedgroups property for the subsite to empty and the groups won't get deleted when the subsite does

$web.AllProperties["vti_createdassociategroups"]=""
$web.Update()

Andrei