List members of SharePoint Groups

Every SharePoint group has a setting that prevents users who are not members of the group from seeing who is a member. This setting works great when you use a browser to access the group. It can be configured on the property page of every SharePoint group.

[Screenshot: 2010-07-29 14h36_21]

As you can see, you’ll get a message telling you that you may not see the members of that particular group.

[Screenshot: 2010-07-29 14h39_52]

Now comes the interesting part.

If you use the SharePoint built-in web service to access this information, you’ll get it even if you are not a member of that particular group! The web service you’ll have to use is UserGroup (http://msdn.microsoft.com/en-us/library/ms772647%28office.12%29.aspx).

On the left side, you can see the request for a user with the login name DOMAIN\user. The response we get from a web service request to http://sharepointurl/_vti_bin/usergroup.asmx is on the right side. It responds with the user as a member of the group, even though the group settings should prevent this. We should not see any members.

[Screenshot: 2010-07-29 14h53_17]

This was tested on a Microsoft Office SharePoint Server 2007 with SP2 and a CU from this year (can’t remember which one). And if you would like to know which tool I used for the web service test, it is “soapUI” from http://sourceforge.net/projects/soapui/files.

Conclusion:

Even if you prevent users from seeing group members in SharePoint, you can’t be sure they can’t access this information in another way. I’ve not tested accessing this information with the object model, because if it works with a simple web service query, that’s enough for me to see the group memberships are not safe.
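
Since the group setting does not cover the web service, the IIS logs are one place to see who is calling it. The following is an added example, not part of the original post: it scans a W3C-format IIS log for successful POSTs to `usergroup.asmx` and counts them per account. The log lines and the selection of logged fields are constructed for illustration.

```python
from collections import Counter

ENDPOINT = "/_vti_bin/usergroup.asmx"  # web service path named in the article

# Constructed sample log (not real data) in IIS W3C extended format.
# Assumption: these fields are enabled in the site's logging settings.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-07-29 14:50:01 GET /sites/hr/default.aspx DOMAIN\\alice 10.0.0.5 200
2010-07-29 14:53:17 POST /_vti_bin/UserGroup.asmx DOMAIN\\user 10.0.0.9 200
2010-07-29 14:53:20 POST /sites/hr/_vti_bin/usergroup.asmx DOMAIN\\user 10.0.0.9 200
2010-07-29 14:54:02 POST /_vti_bin/usergroup.asmx - 10.0.0.7 401
2010-07-29 14:55:10 POST /_vti_bin/lists.asmx DOMAIN\\bob 10.0.0.6 200
"""


def usergroup_calls(log_text):
    """Return successful POSTs to usergroup.asmx as dicts keyed by W3C field name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        # _vti_bin is reachable below each site URL, so match on the suffix.
        # 401 rows with user "-" are authentication handshakes, not data access.
        if (row.get("cs-method") == "POST"
                and stem.endswith(ENDPOINT)
                and row.get("sc-status", "").startswith("2")):
            hits.append(row)
    return hits


def calls_per_user(log_text):
    """Count successful usergroup.asmx calls per authenticated account."""
    return Counter(row["cs-username"] for row in usergroup_calls(log_text))


if __name__ == "__main__":
    for user, count in calls_per_user(SAMPLE_LOG).most_common():
        print(f"{user}\t{count}")
```

The default W3C fields do not record which SOAP operation was called, so this shows who used the service, not which group or user they asked about.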