    September 25

    Operation: My Site Lock Down

    As many people know, the SharePoint My Site is open by default. When a user's My Site is provisioned, SharePoint conveniently creates a Personal Documents library (accessible only to that user) together with Shared Documents and Shared Pictures libraries (readable by anyone in the organization).

    Here lies the problem: when a user creates a new library or list to store content, it inherits the permissions of its parent, the My Site itself, and the My Site is public by default because the Default Reader Site Group grants Read to all Authenticated Users. The user has to remember to break that inheritance and restrict access before storing personal or confidential content in the new list; if they forget, everyone in the organization can read it.

    Many people shy away from My Sites for this very reason. The following post explains how to flip the default so the My Site is locked down from the start and users have to open it up explicitly when they want someone to come visit.

    Step 1: Configuring My Site Settings in Central Administration

    • Start SharePoint 3.0 Central Administration on one of your web front-end ("WFE") servers
    • Navigate to your Shared Service Provider ("SSP")

    • Click on My Site settings, scroll to the bottom, remove Authenticated Users from the Default Reader Site Group, and click OK. This only changes how My Sites are provisioned from now on; My Sites that already exist keep the permissions they were created with.

    Step 2: Provisioning the My Site

    When a new My Site is provisioned after the change to My Site Settings, its owner will need to open some of the libraries back up for certain functionality to work correctly (for example, the profile picture).

    • Navigate to your My Site URL, which will start the process of creating your My Site
    • Once your My Site has been created, navigate to the Shared Documents library

    • Click on the Settings button and then Document Library Settings
    • Click on Permissions for this document library under the Permissions and Management section
    • Click on Actions and then Edit Permissions. You will get a dialog box warning you that you are about to break the permission inheritance; click OK

    • Click on the New button from the toolbar
    • Click on the Add all authenticated users link, which adds the Authenticated Users group to the empty text box on the right

    • Select the Read - can view only option under the Give Permission section
    • Scroll to the bottom, uncheck the Send welcome e-mail to the new users checkbox, and click OK

    At this point you have given all authenticated users in the company Read access to your Shared Documents library, and nothing more: the library now has its own permissions, so it no longer follows whatever the site grants.

    IMPORTANT: Now repeat this process for the Shared Pictures library. If you skip this step, then the profile picture feature of the My Site will not work.

    Once you have made the adjustments above, any new list or library in the My Site inherits a site that grants nothing to Authenticated Users, so it is locked down by default. The owner has to break inheritance and grant access deliberately to open one up, which is the reverse of the out-of-the-box behaviour.
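    The following script is an added example of how to verify the result of the two steps above; it is not code from the original post. It uses the WSS 3.0 / MOSS 2007 object model from PowerShell on a web front-end, run as a farm administrator, and reports whether the My Site itself still grants anything to Authenticated Users and what each visible list grants them, distinguishing lists that inherit from the site from lists that carry their own permissions (as Shared Documents and Shared Pictures do after Step 2). The My Site URL is a placeholder, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original post: audit one My Site for what
# NT AUTHORITY\Authenticated Users can do at the site and list level.
# Assumptions: WSS 3.0 / MOSS 2007 object model, PowerShell 2.0+, run on a
# WFE as a farm administrator; $mySiteUrl is a placeholder.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$mySiteUrl = "http://mysites.contoso.local/personal/jdoe"   # placeholder URL
$authUsers = "NT AUTHORITY\Authenticated Users"             # LoginName used by WSS

# Returns the permission levels a securable object (SPWeb or SPList) grants to
# Authenticated Users as a comma-separated string, or "no access".
function Get-AuthUsersGrant($securable) {
    $roles = @()
    foreach ($ra in $securable.RoleAssignments) {
        if ($ra.Member.LoginName -ieq $authUsers) {
            foreach ($rd in $ra.RoleDefinitionBindings) { $roles += $rd.Name }
        }
    }
    if ($roles.Count -eq 0) { return "no access" }
    return ($roles -join ", ")
}

$site = New-Object Microsoft.SharePoint.SPSite($mySiteUrl)
$web  = $site.OpenWeb()
try {
    # After Step 1, a newly provisioned My Site should report "no access" here.
    # An existing My Site (provisioned before the change) will still show Read.
    Write-Output ("Site {0}: Authenticated Users have {1}" -f $web.Url, (Get-AuthUsersGrant $web))

    foreach ($list in $web.Lists) {
        if ($list.Hidden) { continue }
        # An inheriting list gets exactly what the site grants; a list with
        # unique permissions (Step 2's Shared Documents / Shared Pictures) is
        # reported with whatever was granted on the list itself.
        $source = if ($list.HasUniqueRoleAssignments) { "unique   " } else { "inherited" }
        $grant  = Get-AuthUsersGrant $list
        Write-Output ("  {0,-30} {1}  Authenticated Users: {2}" -f $list.Title, $source, $grant)
    }
}
finally {
    # SPWeb/SPSite hold unmanaged resources; always dispose them.
    $web.Dispose()
    $site.Dispose()
}
```

    On a correctly locked-down My Site the site line reads "no access", every library created by the user reads "inherited ... no access", and only Shared Documents and Shared Pictures read "unique ... Read". A library that reads "inherited ... Read" means the My Site was provisioned before Step 1 and has to be fixed by hand.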

    I hope you find this post useful.

    Paul Liebrand

    MOSS 2007 and User Memberships

    A new and often misunderstood feature of Microsoft Office SharePoint Server ("MOSS") 2007 is the concept of user memberships. The user membership information is rendered through a few different surfaces within the SharePoint environment.

    The following is a list of places the membership information is used and surfaced:

    1. The user's My Site

    2. The top navigation bar, via My Links / My SharePoint Sites

    3. Office 2007 client applications, via the Open / Save dialog box

    The membership feature was added to MOSS to make it easier for users to find the sites they work on often. Once it is implemented and setup correctly, this feature works extremely well.

    Membership Functionality Requirements

    In order for the MOSS membership functionality to be active and working, you need to ensure you have the following things in place:

    1. An established Shared Service Provider ("SSP") with all your web applications associated to it.
    2. My Sites must be enabled, and each user needs to set theirs as the default by clicking "Set as default My Site" in the top right corner of the My Site screen.
    3. A scheduled full Office SharePoint Server Search crawl (the crawl is the process that actually updates the membership information, so a new membership does not appear until the next crawl has completed).
    4. The users must be added to the group bound to the Members of this Site setting. To see which group that is, navigate to the site and click Site Actions / Site Settings / People and Groups / Settings / Set Up Groups.

    Please note that simply adding someone to the site (a direct permission grant, or membership in some other SharePoint group) is not enough for the membership functionality; they need to be explicitly added to the group associated with the Members of this Site setting.
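    The following script is an added example, not code from the original post, that makes the distinction in the note above concrete using the WSS 3.0 / MOSS 2007 object model from PowerShell on a web front-end (run as a farm administrator). It checks two separate things for a given login: whether the user can read the site at all, and whether the user is a direct member of the group bound to Members of this Site (SPWeb.AssociatedMemberGroup), which is what the membership feature looks at. The site URL and login are placeholders; setting $addIfMissing to $true adds the user to that group.

```powershell
# Added example, not from the original post: tell "has access to the site"
# apart from "is a member of the site" for the MOSS membership feature.
# Assumptions: WSS 3.0 / MOSS 2007 object model, PowerShell 2.0+, run on a
# WFE as a farm administrator; $siteUrl and $login are placeholders.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$siteUrl      = "http://portal.contoso.local/sites/projectx"   # placeholder
$login        = "CONTOSO\jdoe"                                  # placeholder
$addIfMissing = $false   # $true = add the user to the Members group if absent

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    # Permissions alone (direct grant, Visitors, some other group) let the user
    # read the site but do not surface it as a membership on their My Site.
    $hasAccess = $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewPages)

    # The group bound to "Members of this Site" (People and Groups / Settings /
    # Set Up Groups). It can be unset on sites whose groups were never set up.
    $members = $web.AssociatedMemberGroup
    if ($members -eq $null) {
        Write-Output "No group is bound to 'Members of this Site'; run Set Up Groups on this site first."
        return
    }

    # Direct membership only: a user who is in the group through an AD group
    # that was added to the SharePoint group will not be matched here.
    $isMember = $false
    foreach ($u in $members.Users) {
        if ($u.LoginName -ieq $login) { $isMember = $true }
    }

    Write-Output ("{0}: can read site = {1}; direct member of '{2}' = {3}" -f $login, $hasAccess, $members.Name, $isMember)

    if ((-not $isMember) -and $addIfMissing) {
        # SPGroup.AddUser(loginName, email, name, notes). The new membership
        # shows up on the user's My Site only after the next search crawl.
        $members.AddUser($login, "", "", "")
        Write-Output ("Added {0} to '{1}'" -f $login, $members.Name)
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

    A user who reports "can read site = True" but "direct member = False" is exactly the case the note describes: they have access, but the site will not appear under their memberships until they are put into the Members group and the next crawl runs.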

    During my adventures trying to understand this membership feature, I discovered a SQL query that you can run which outputs all the site membership information for a specified user.

    Connect to your SQL server, select the database associated with your SSP (not a content database), and execute the query below. Note that reading SharePoint databases directly is not supported by Microsoft, so use a read-only login and treat the output as a diagnostic rather than something to build on.


    -- Runs against the SSP database. Read-only: it only looks up the profile
    -- record and calls the stored procedure that returns its membership items.
    declare @RecordId int

    -- Look up the profile by display name. If several profiles share the same
    -- PreferredName this assignment picks an arbitrary one, so check the
    -- result first (or narrow the WHERE clause) before trusting the output.
    select @RecordId = RecordId
      from dbo.UserProfile_Full
     where PreferredName = '<<insert preferred name here>>'

    if @RecordId is null
        raiserror('No profile found for that preferred name', 16, 1)
    else
        exec dbo.QuickLinksRetrieveAllItems @RecordId,
             @ViewerItemSecurity = 31, @RequestedItemSecurity = 16

    I hope this helps.