Search Results and Authenticated Users

  • Question

  • We ran into a problem wherein only certain users were seeing search results.  It wasn't domain admin vs. domain user or contributor vs. limited access.  We were stumped.  A user could create a new post on a site, turn around and search on that same site and not find anything.

    So in comparing users, I found that some users had a certain security setting.  In the Security tab, if you selected Authenticated Users, the users who were not seeing search results did not have Read Permissions.  Selecting Read of course selects a lot of lesser permissions (read web, read exchange, etc).

    Search results are returned.

    Now, two things.  1) Why? and 2) Is this the way it SHOULD be set up?  I know new users don't have this permission in AD 2008 (they may have had it previously, which may explain why some of my users have it already) and 3) (and this may be relegated to a Windows networking forum) how can I allow all users Read permissions to the Authenticated Users group?  It's not a real group per se that can be set with inheritable settings.

    Thursday, July 12, 2012 7:08 PM

Answers

  • There are many things you could consider, I would only suggest:

    1. Do rely on SharePoint groups to handle permissions to content in SharePoint, this being the actual reason for their existence - to enable greater flexibility for non-administrators, that is, business users, to handle content security & permissions. You could use not only AD Users but also AD Groups inside SharePoint groups. Finally, it is all about the permissions & security planning. If you haven't done so already, please go to http://technet.microsoft.com/en-us/library/cc262451.aspx#section1 and attempt analysis of content usage, appropriate access permissions, etc.

    2. Security inheritance in SharePoint is all about how sub-sites receive access permissions from the Parent site (Top-Level site on the Site Collection), which by default is inherited downwards (unless the option "Unique Security" is used while a sub-site is created), which would create SharePoint Groups with appropriate permission levels per sub-site. This would not really be affected by your settings in AD, but rather by the membership of various AD Users in SharePoint groups.

    Friday, July 13, 2012 9:04 AM

All replies

  • There are multiple aspects to be considered here:

    1. Of course, not seeing results immediately after posting is obviously because crawling (full or incremental) has not been performed yet.

    2. Permissions - whenever security inheritance is broken then search is affected.

    3. Check at the level of the web application User Policy if by any chance "Authenticated Users" is not given Read Permissions, which would basically ignore everything else, e.g. permissions at the site collection or sub-site level, making results appear irrespective of other permissions (of course, when accessing the item you might get various exceptions).

    4. Make sure Lists/Libraries have been included in search (via List/Library settings), check Search Scopes and Content Sources (web applications URL) - optional (even though it seems more of a problem related to security than content).


    • Edited by C. MariusMVP Thursday, July 12, 2012 7:32 PM added point 4
    Thursday, July 12, 2012 7:30 PM
  • I should have said that a client posted to that site would only indicate that they have at least permissions to access that site and thus it wasn't necessarily a site permission that was causing the problems.  I realize uploading a document or creating a new post and then searching against that won't work until after a crawl.  Sorry for the confusion.

    As far as inheritance, and I'm talking about Active Directory, not SharePoint, this isn't inherited from anything.  And honestly I don't know if it could/should be.  That's part of my issue too.  We only have one domain so it's not as though we're building a lot of trusts.  If this can be set at an OU level and then everyone has it, great.  As far as I can tell, there's no negative impact.

    As of now, the policy of Web Application is NT Authority/Local Service, Search Crawling Account - Service Apps and Search Crawling Account - Content each having Full Read.

    Thursday, July 12, 2012 7:40 PM
  • We were able to solve it by putting the search service account into the Windows Authorization Access Group.
    Friday, July 20, 2012 1:24 PM
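
The fix from the last reply, together with the Security-tab check from the original question, as an added PowerShell example that is not from any poster in the thread. It assumes the ActiveDirectory module is available; `svc-spsearch`, `user1` and `user2` are placeholder names.

```powershell
# Added example; account and user names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$SearchAccount = 'svc-spsearch'     # placeholder: search service account
$UsersToCheck  = 'user1', 'user2'   # placeholder: one affected user, one unaffected user

# Well-known SIDs, the same in every domain.
$WaagSid      = 'S-1-5-32-560'      # BUILTIN\Windows Authorization Access Group
$AuthUsersSid = 'S-1-5-11'          # NT AUTHORITY\Authenticated Users
$SidType      = [System.Security.Principal.SecurityIdentifier]
$GenericRead  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# True when the account is a direct member of the Windows Authorization Access Group.
# Members of that group may read the computed tokenGroupsGlobalAndUniversal attribute
# on user objects, without every user object needing a wider Read ACE.
function Test-WaagMember([string]$SamAccountName) {
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $members = (Get-ADGroup -Identity $WaagSid -Properties Members).Members
    return $members -contains $dn
}

# True when the user object's ACL allows Authenticated Users Read on the whole
# object (the "Read" box in the Security tab), not only on single property sets.
function Test-AuthUsersRead([string]$SamAccountName) {
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $hit = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $AuthUsersSid -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead
    }
    return [bool]$hit
}

# Report which user objects carry the broad Read ACE described in the question.
foreach ($u in $UsersToCheck) {
    '{0}: Authenticated Users has Read = {1}' -f $u, (Test-AuthUsersRead $u)
}

if (-not (Test-WaagMember $SearchAccount)) {
    # -WhatIf only reports the change; remove it to apply the fix from the thread.
    Add-ADGroupMember -Identity $WaagSid -Members $SearchAccount -WhatIf
}
```

A new group membership is only reflected in the account's token at its next logon, so restart the services running under the search account after the change.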