‘Limited access’ and default permission levels vs. lockdown mode (SharePoint 2010)

From a recent case, we were facing the following scenario:

Prerequisites:

SPS 2010 Server with SP1 and August 11 CU, OS: Server 2008 R2, all English and of course 64-bit.

 

REPRO STEPS:

———————

1). Create a new site and a document library with the “publishing site template”

2). Upload a new Word 2010 document to the library.

3). Assign a user which has no permissions to the farm or content and grant it ‘Contribute’ rights to the document only (means: break permission inheritance on the Site, document library and the document).

4). Notice how the user gains ‘limited access‘ on the parent document library and web site.

5). Attempt to open the document as the restricted user via the direct URL (e.g.: http://myserver/sites/Shared Documents/testdoc1.docx)

6). Notice how multiple authentication prompts are opened, yet the document can be opened after clicking ‘Cancel’ (the web application in my case is set up with Windows classic authentication, and Kerberos is enabled in the authentication provider).

7). Notice how the document cannot be edited unless the user has ‘View Application Pages‘ on the root web site.

The error message ‘A problem occurred while connecting to the server. If the problem continues, contact your administrator‘ is displayed when clicking the ‘Edit Document’ button in the yellow Word bar.
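The permission setup from steps 3 and 4 can be reproduced and inspected from the SharePoint 2010 Management Shell instead of the UI. The script below is an added example and not part of the original post; it assumes a site at http://myserver/sites/pub, a library named "Shared Documents", a document "testdoc1.docx" and a test account CONTOSO\testuser (all placeholders). It breaks inheritance on the web, the library and the item, grants Contribute on the item only, and then reports which role the account received at each level together with whether its effective rights there include ‘View Application Pages’ (the ViewFormPages base permission) and ‘View Items’.

```powershell
# Added example, not from the original post. Placeholders: adjust URL, library, file and account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl      = "http://myserver/sites/pub"   # placeholder site URL
$libraryName = "Shared Documents"            # placeholder library
$fileName    = "testdoc1.docx"               # placeholder document
$login       = "CONTOSO\testuser"            # placeholder restricted account

$web  = Get-SPWeb $webUrl
$file = $web.GetFile("$libraryName/$fileName")
if (-not $file.Exists) { throw "Document '$fileName' not found in '$libraryName'." }
$item = $file.Item
$list = $item.ParentList

# Step 3: break permission inheritance on site, library and document (copying existing assignments)
foreach ($obj in @($web, $list, $item)) {
    if (-not $obj.HasUniqueRoleAssignments) { $obj.BreakRoleInheritance($true) }
}

# Grant Contribute on the document only; SharePoint adds Limited Access on the parents itself
$user = $web.EnsureUser($login)
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
$item.RoleAssignments.Add($assignment)

# Step 4 / step 7 check: what did the account end up with at each level?
$viewFormPages = [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
$viewListItems = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

$levels = @(
    @{ Name = "Web";  Obj = $web  },
    @{ Name = "List"; Obj = $list },
    @{ Name = "Item"; Obj = $item }
)
foreach ($level in $levels) {
    $obj = $level.Obj

    # Roles explicitly assigned to the account at this level (expect "Limited Access" on Web and List)
    $roles = @()
    foreach ($ra in $obj.RoleAssignments) {
        if ($ra.Member.ID -eq $user.ID) {
            $roles += ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        }
    }
    $roleText = if ($roles.Count -gt 0) { $roles -join ", " } else { "(none)" }

    # Effective rights after explicit and inherited assignments are combined
    $effective = $obj.GetUserEffectivePermissions($login)

    New-Object PSObject -Property @{
        Level         = $level.Name
        AssignedRoles = $roleText
        ViewListItems = (($effective -band $viewListItems) -ne 0)
        ViewAppPages  = (($effective -band $viewFormPages) -ne 0)
    } | Select-Object Level, AssignedRoles, ViewListItems, ViewAppPages
}

$web.Dispose()
```

On a site collection created from the Publishing Portal template the Web and List rows show "Limited Access" as the assigned role with ViewAppPages false, which is the condition behind the error in step 7; on a Team Site the same rows show ViewAppPages true. Running the script against both templates before changing anything is a quick way to confirm which case you are in.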

 

Now, the TechNet article at http://technet.microsoft.com/en-us/library/cc288074.aspx states that the ‘Limited Access’ permission level contains the ‘View Application Pages‘ permission.

When we use the same repro steps as above but with the “Team Site template” instead, everything works as expected: we can even browse into the document library and get the intended view that shows only the documents we’re permitted to see (security trimming applies).

 

Initial Observations:

At first glance the behavior seemed inconsistent and dependent on the site template used:

Team site:
Limited Access has “View application pages”, even for subsites based on the publishing site template.

Publishing site:
Limited Access does not have “View application pages”, even for subsites based on the team site template.

 

CAUSE:

So what’s the reason/cause of this? Well, after some research we found that this is not an inconsistent behavior between the two site templates in question but rather an intended, and therefore “by design”, behavior.

The reason is:

For publishing sites, lockdown mode is enabled when the ViewFormPagesLockDown feature is activated, and activating the feature removes the ‘View Application Pages‘ permission from the Limited Access permission level.

 

Analysis of the issue

For publishing sites, lockdown mode is enabled by default. The ViewFormPagesLockDown feature is therefore responsible for the behavior reported above: activating the feature removes the permissions from Limited Access, and deactivating it adds them back.

 

Use lockdown mode  (Source: http://technet.microsoft.com/en-us/library/cc263468(office.12).aspx#section6)

Lockdown mode is a feature that you can use to secure published sites. When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced. The following table details the default permissions of the limited access permission level and the reduced permissions when lockdown mode is turned on.

Permission                                         Limited access (default)   Limited access (lockdown mode)
List permissions: View Application Pages           Yes                        No
Site permissions: Browse User Information          Yes                        Yes
Site permissions: Use Remote Interfaces            Yes                        No
Site permissions: Use Client Integration Features  Yes                        Yes
Site permissions: Open                             Yes                        Yes

Lockdown mode is applied to sites under the following circumstances:

  • The Stsadm.exe command-line tool is used to turn lockdown mode on.
  • The Publishing Portal site template is applied to the site collection. By default, lockdown mode is turned on when this template is applied.

Consider using lockdown mode on published sites if greater security on these sites is a requirement. Additionally, if you applied the Publishing Portal site template, determine if lockdown mode is the desired configuration for these sites. If not, use the Stsadm.exe command-line tool to turn off lockdown mode.

The following table lists the Stsadm commands related to using lockdown mode.

Action                                        Command
Turn on lockdown mode for a site collection   stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml
Turn off lockdown mode for a site collection  stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

 

Resolution:

You can get the behavior you want by turning off lockdown mode with stsadm.
If you prefer PowerShell, example scripts are available here: http://blogs.msdn.com/b/russmax/archive/2010/01/22/lockdown-mode-in-sharepoint-2010.aspx
e.g.: Get-SPFeature -Site http://sitecollectionURL    # if ViewFormPagesLockDown is listed, lockdown mode is enabled

To toggle lockdown mode to off:

$lockdown = Get-SPFeature ViewFormPagesLockDown
Disable-SPFeature $lockdown -Url http://sitecollectionURL
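Before toggling the feature farm-wide it helps to know where lockdown mode is actually active and what the Limited Access role definition currently carries. The script below is an added example; it is not part of the original post or of the linked MSDN scripts. It runs in the SharePoint 2010 Management Shell, walks every site collection, and reports whether ViewFormPagesLockDown is active and whether the built-in Limited Access role (role type Guest) still includes ‘View Application Pages’ and ‘Use Remote Interfaces’, the two rights the TechNet table says lockdown removes. Setting $disableLockdown to $true (an assumed switch variable, default off) deactivates the feature where it is active and re-reads the role definition to confirm the permission came back.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$disableLockdown = $false                         # report only by default; set $true to deactivate
$lockdownFeature = Get-SPFeature -Identity "ViewFormPagesLockDown"
$viewFormPages   = [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
$useRemoteAPIs   = [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs

function Get-LimitedAccessState($siteUrl) {
    # Limited Access is the built-in "Guest" role type; read its base permission mask
    $site = Get-SPSite $siteUrl
    try {
        $limited = $site.RootWeb.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
        # Feature is active on the site collection if it appears in the site-scoped feature list
        $active  = (Get-SPFeature -Site $site.Url | Where-Object { $_.Id -eq $lockdownFeature.Id }) -ne $null
        New-Object PSObject -Property @{
            Url            = $site.Url
            LockdownActive = $active
            ViewAppPages   = (($limited.BasePermissions -band $viewFormPages) -ne 0)
            UseRemoteAPIs  = (($limited.BasePermissions -band $useRemoteAPIs) -ne 0)
        } | Select-Object Url, LockdownActive, ViewAppPages, UseRemoteAPIs
    } finally {
        $site.Dispose()
    }
}

foreach ($site in Get-SPSite -Limit All) {
    $url = $site.Url
    $site.Dispose()

    $before = Get-LimitedAccessState $url
    $before

    if ($disableLockdown -and $before.LockdownActive) {
        # Same effect as: stsadm -o deactivatefeature -url <url> -filename ViewFormPagesLockDown\feature.xml
        Disable-SPFeature -Identity $lockdownFeature.Id -Url $url -Confirm:$false

        # Re-read the role definition: deactivation should restore View Application Pages
        $after = Get-LimitedAccessState $url
        if ($after.ViewAppPages) {
            Write-Host "Lockdown deactivated on $url; Limited Access now includes View Application Pages"
        } else {
            Write-Warning "Lockdown deactivated on $url but Limited Access still lacks View Application Pages"
        }
    }
}
```

The report pairs the feature state with the actual permission mask because the two can drift apart (a custom site definition copied from the Publishing Portal, as one of the comments below describes, or a role definition edited by hand). Deactivation restores the right for every Limited Access principal in the whole site collection, which on a published site can include anonymous users, so keep $disableLockdown off and change only the site collections where the business need from the repro above applies.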

Related Information: 

http://technet.microsoft.com/en-us/library/cc288074.aspx
http://technet.microsoft.com/en-us/library/cc263468(office.12).aspx#section6
http://blogs.msdn.com/b/russmax/archive/2010/01/22/lockdown-mode-in-sharepoint-2010.aspx
http://support.microsoft.com/kb/927082/en-us
http://blogs.msdn.com/b/ecm/archive/2007/05/12/anonymous-users-forms-pages-and-the-lockdown-feature.aspx

3 thoughts on “‘Limited access’ and default permission levels vs. lockdown mode (SharePoint 2010)

  1. Great article! Thanks, it solved one of my problems. However, this solution seems unable to solve the issue if a user with unique permissions needs to approve workflows. The user will still get some error messages. Any advice will be welcome.


  2. Thanks a lot for that post!!

    It helped us understand why users had access to documents in a document set but not to the document set landing page… our custom site def had been copied from the publishing portal site def!

    Lloyd

