Adding Users to WSS 3.0 Site in HMC 4.0 Exposes Users in All Organizations

If you followed our deployment guide to the letter, then chances are your WSS 3.0 setup isn’t 100% correct. There’s a big problem with the deployment guide for WSS that can break “multi-tenancy.” Here’s how you can check whether you are affected and how you can fix the problem.

The Test

  1. Log into an MPS-provisioned WSS site as the organization admin.

  2. Click the Site Actions drop-down and choose Site Settings.

  3. Click People and Groups.

  4. Click New.

  5. Underneath the text box labeled “Users/Groups,” click the little book icon (the Browse button).

  6. Type something generic like ‘a’ and hit Enter.

If you see users from other organizations, you’ve got a problem. What you should see is only users in the organization that owns the WSS site, as well as some of the built-in accounts and groups (unfortunately WSS is limited so we can’t filter out those built-in accounts).

The Fix

This problem is created by the unneeded and incorrect Step 8 in procedure DWSH.1 in the HMC 4.0 deployment guide. That procedure instructs you to add the SharePoint_AppID, SharePointSrchSvc, and SharePointSrchCrl accounts to the Windows-based Hosting Service Accounts group. So to fix the problem you will need to remove these accounts from the Windows-based Hosting Service Accounts group and then restart IIS on your WSS front ends.
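
The following script is an added example, not part of the HMC 4.0 deployment guide: it checks whether the three SharePoint accounts are direct members of the group, removes them, and restarts IIS. It assumes a management host with the ActiveDirectory PowerShell module, that the group and account names match the sAMAccountNames in your domain, and a hypothetical `-FrontEnds` parameter listing your WSS front-end servers.

```powershell
# Added example: audit and fix the group membership described above.
# Assumptions: ActiveDirectory module (RSAT) is available, and the names below
# are the sAMAccountNames used in your domain. Adjust them if yours differ.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $GroupName = 'Windows-based Hosting Service Accounts',
    [string[]] $Accounts  = @('SharePoint_AppID', 'SharePointSrchSvc', 'SharePointSrchCrl'),
    [string[]] $FrontEnds = @()   # hypothetical: your WSS front-end server names
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the group once so a typo in the name fails early.
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Direct members only; Step 8 of DWSH.1 adds the accounts directly to the group.
$offenders = @(Get-ADGroupMember -Identity $group |
    Where-Object { $Accounts -contains $_.SamAccountName })

if ($offenders.Count -eq 0) {
    Write-Output "None of the SharePoint accounts are members of '$GroupName'."
    return
}

foreach ($member in $offenders) {
    Write-Warning "$($member.SamAccountName) is a member of '$GroupName'."
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from '$GroupName'")) {
        Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false
    }
}

# The membership change only takes effect after IIS restarts on each front end.
foreach ($server in $FrontEnds) {
    if ($PSCmdlet.ShouldProcess($server, 'Restart IIS')) {
        iisreset $server /restart
    }
}
```

Run it with `-WhatIf` first to list the accounts it would remove and the servers it would restart without changing anything, then repeat The Test afterwards to confirm the picker only shows the owning organization.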

Comments (2)

  1. paul says:

    We have received another solution that others may be interested in:

    On WSS run this command:

    stsadm -o setproperty -url [website of new sharepoint site] -pn peoplepicker-onlysearchwithinsitecollection -pv yes

    You may have to navigate to find the stsadm command if you didn’t add WSS commands into your path…