…And prevent SID Mismatches along the way by disabling the user
Let me start by explaining the wrong way, and why it is wrong. Simply removing a user from a group, or deleting the account from Active Directory (AD) or your management tool of choice, is not sufficient.
It is true that once you delete the user from AD they can no longer log in to the site. But suppose you need to recreate that user later. Maybe they took a leave of absence, or quit and came back. Whatever the case, what you have created is a SID mismatch, because the user still exists in SharePoint. The SID (Security Identifier) is stored in the objectSID attribute of a user or group object in AD.
This matters because SharePoint records that same SID when it grants the user permission: it is kept in the site collection's User Information List (and in the User Profile, if one is provisioned). A recreated AD object gets a new SID, so the SID SharePoint holds no longer matches the one in the user's logon token. To you, the admin, the user appears to be added and to have permission on the site or resource; to the user, the site returns Access Denied as though they had no permission at all. Once this has happened, re-adding the user does not help. The SharePoint account has to be migrated to the new SID (Move-SPUser with -IgnoreSID in SharePoint 2010, stsadm -o migrateuser in 2007).
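As an added example (not from the original post), the following PowerShell script detects a SID mismatch for one account by comparing the objectSID AD currently holds against the SID SharePoint cached in its User Information List, and repairs it with Move-SPUser. It assumes SharePoint 2010 with classic Windows authentication, a server with the SharePoint snap-in and the ActiveDirectory (RSAT) module, and a farm administrator running it; the login name and site URL are placeholders.

```powershell
# Added example: compare the SID Active Directory holds for an account with the
# SID SharePoint 2010 cached when the user was first added, then repair a mismatch.
# Placeholders: $login (DOMAIN\sAMAccountName) and $siteUrl are assumed values.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$login   = 'CONTOSO\bobby'                  # assumed login, DOMAIN\sAMAccountName
$siteUrl = 'http://intranet.contoso.local'  # assumed site collection URL

# SID on the AD object today: this is what a fresh logon token carries.
$sam   = $login.Split('\')[1]
$adSid = (Get-ADUser -Identity $sam).SID    # System.Security.Principal.SecurityIdentifier

# SID SharePoint stored in the User Information List (SPUser.SystemId is a byte[]).
$spUser = Get-SPUser -Identity $login -Web $siteUrl -ErrorAction SilentlyContinue
if (-not $spUser) {
    Write-Host "$login is not in the User Information List of $siteUrl; nothing to compare."
}
else {
    $spSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $spUser.SystemId, 0

    Write-Host "AD objectSID : $($adSid.Value)"
    Write-Host "SharePoint   : $($spSid.Value)"

    if ($adSid.Value -eq $spSid.Value) {
        Write-Host 'SIDs match; an access problem here is not a SID mismatch.'
    }
    else {
        Write-Warning "SID mismatch: SharePoint still maps $login to the old SID."
        # Repair: re-map the existing SharePoint identity to the new AD SID while
        # keeping its group memberships and permission assignments. -IgnoreSID is
        # required because the login name is unchanged; only the SID moves.
        Move-SPUser -Identity $spUser -NewAlias $login -IgnoreSID -Confirm:$false
    }
}
```

The comparison is on the string form of both SIDs, so the output makes the mismatch visible before anything is changed; remove the Move-SPUser line if you only want a report. Deleting and re-adding the user through the UI would lose the old permission assignments, which is why the migration, not a re-add, is the fix.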
It is never necessary to delete an AD user for this. Right-click the object and choose Disable; the SID stays with the disabled account, so re-enabling it later restores access with no mismatch.
If instead you only remove the user from a single group, or remove one permission assignment, you may still be allowing that user access to your site: permission can be present elsewhere in the site collection (another group, a direct assignment on a sub-site, list or item) that you did not remove.
Remove a SharePoint user to prevent access to any company resources:
- Locate the user in Active Directory, right-click the user object and choose Disable. This step alone blocks logon, but let's be thorough. You are likely paying for a user CAL for every account that remains on your site anyway.
- Load your SharePoint site and, on the top-level site of the site collection, go to Site Actions – Site Settings – People and Groups.
- When you locate the user, check their line item, go to 'Actions' in the top ribbon and choose 'Delete from Site Collection'.
- Pro Tip: manipulate the URL. After 'MembershipGroupId=' there is a number that identifies which group you are viewing. There is no 'All Items' link, but you can force one by changing this value to 0 (zero): the page then lists every user in the site collection's User Information List, regardless of which group they belong to.
- To test that the user no longer has access, go to Site Actions – Site Permissions.
- See the next screenshot for reference. In the ribbon, click Check Permissions.
- Type the username and click the Check Now button.
- If the user has no permissions, you will see the error shown in the screenshot, or "No exact match was found for 'user'" in SharePoint 2010.
- If the name resolves (a black underline appears under it), click Check Now and the page tells you where and what permissions they hold. This check is useful any time, not just during this process.
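The whole procedure above as a script, added here as an example (not from the original post): it disables the AD account, removes the user from every site collection in the web application rather than from one group, and then reports anywhere the user still resolves, as a scripted stand-in for Check Permissions. It assumes SharePoint 2010 with classic Windows authentication, a farm administrator running it on a server with the SharePoint snap-in and the ActiveDirectory module; the login name and web application URL are placeholders.

```powershell
# Added example: offboard a user from a SharePoint 2010 web application.
# Placeholders: $login (DOMAIN\sAMAccountName) and $webApp are assumed values.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$login  = 'CONTOSO\bobby'                  # assumed DOMAIN\sAMAccountName
$webApp = 'http://intranet.contoso.local'  # assumed web application URL

# Step 1: disable, never delete. The SID stays with the object, so a later
# re-enable keeps every existing SharePoint mapping valid.
Disable-ADAccount -Identity $login.Split('\')[1]

# Step 2: remove the user from each site collection. Remove-SPUser is the
# scripted 'Delete from Site Collection': it deletes the User Information List
# entry, which drops the user from every SharePoint group and direct permission
# assignment in that site collection at once.
foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
    $spUser = Get-SPUser -Identity $login -Web $site.Url -ErrorAction SilentlyContinue
    if ($spUser) {
        Remove-SPUser -Identity $spUser -Web $site.Url -Confirm:$false
        Write-Host "Removed $login from $($site.Url)"
    }
    $site.Dispose()
}

# Step 3: verify. Print every site collection where the user still resolves,
# the groups they remain in, and any web whose role assignments name them.
foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
    $spUser = Get-SPUser -Identity $login -Web $site.Url -ErrorAction SilentlyContinue
    if ($spUser) {
        Write-Warning "$login still exists in $($site.Url)"
        foreach ($g in $spUser.Groups) { Write-Warning "  member of group: $($g.Name)" }
        foreach ($web in $site.AllWebs) {
            $direct = $web.RoleAssignments | Where-Object { $_.Member.LoginName -eq $login }
            if ($direct) { Write-Warning "  direct permission on $($web.Url)" }
            $web.Dispose()
        }
    }
    $site.Dispose()
}
Write-Host 'Done. No warnings above means the user holds nothing in this web application.'
```

The verification pass only inspects web-level role assignments; the Check Permissions button in the UI also reports list- and item-level assignments, so use it for the final confirmation on a site collection with broken inheritance. Repeat the script for each web application in the farm, since site collections are enumerated per web application.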
So now, when Bobby gets rehired (the job market is rough right now), you re-enable the account and can easily add him back to the site, with no SID mismatch because the account kept its SID. Of course, you did let him go for a reason…