My SharePoint Sites displays a link that you no longer have access to

Under My Links, My SharePoint Sites, you see a link to a site, but when you click the link, you are directed to the Access Denied page.  You may be running into this scenario:

  1. Sub site is set up to inherit permissions from the parent
  2. Users were in the Members group of the parent site. 
  3. The Profile Synchronization job ran and added the link to the subsite in My SharePoint Sites.
  4. Break permissions inheritance on the sub site.  This copies all the permissions into the sub site
  5. Remove all the parent groups from the permissions on the sub site

Let's look at a quick example.  You have a site collection at http://server/sites/teamsite.  You then have a sub web at /sites/teamsite/project1 that inherits permissions from TeamSite.  The Profile Synchronization timer job runs at the top of the hour and the users in the TeamSite Members group now have a link under My SharePoint Sites for TeamSite and Project1.  Under Project1, you do the following:

  1. Click Site Actions | Site Settings
  2. Click People and Groups
  3. Click Site Permissions
  4. Click the Actions menu, then Edit Permissions
  5. Click OK on the dialog.  At this point, Project1 has a copy of the permissions from TeamSite.
  6. On the Permissions page, select all the groups, click the Actions menu, select Remove User Permissions.  This removes all the TeamSite groups and users from the permissions of the site.

At this point, Project1 no longer has the TeamSite SharePoint groups; however, Project1's Viewers, Members, and Owners groups still reference them.  When the Profile Synchronization timer job runs, it's unable to determine which users are Members of the sub web and doesn't make any changes.  This results in the Project1 link showing up in your My SharePoint Sites menu even though you don't actually have access to the site.  Another symptom of this problem is that when you display the Open or Save As dialog in an Office application, you get prompted for authentication daily.  This is a result of the Office client synchronizing the My SharePoint Sites information.  See this post for more info on how that works.  There is also a fix in the Office 2007 Client Hotfix Update from June that prevents the Office clients from prompting for authentication: KB Article 970950.

To fix this issue, you have to assign a SharePoint Group as the Members group on the sub web and all nested subwebs.  This allows the Profile Synchronization job to determine which users are Members and clean up the links on the server-side.  Once the link is cleaned up on the server-side, the Office client will sync up the next day and remove the link as well.  In my testing, if you do not have the above Office hotfix, you will get one last prompt on the client before the link is cleaned up.

  1. Browse to the subsite
  2. Click Site Actions | Site Settings
  3. Click People and Groups
  4. Settings menu | Set Up Groups
  5. Create 3 new groups for this subsite associated with Viewers, Members, and Owners
  6. Repeat for the other sub webs under this particular sub web.
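To find which sub webs need this fix before walking through the UI, the following script lists every web with broken inheritance whose associated Members group is missing or has no permissions on that web, which is the state described above. It is an added example, not part of the original post; it assumes PowerShell 2.0 or later run on a SharePoint server under an account with access to the site collection, and uses the article's example URL.

```powershell
# Added example: report sub webs whose associated Members group no longer
# has a role assignment on the web (the condition that leaves stale
# My SharePoint Sites links behind).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl = "http://server/sites/teamsite"   # example URL from the article

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Webs that still inherit use the parent's groups; nothing to fix.
            if (-not $web.HasUniqueRoleAssignments) { continue }

            # IDs of every user or group that holds permissions on this web.
            $assignedIds = @($web.RoleAssignments | ForEach-Object { $_.Member.ID })

            $members = $web.AssociatedMemberGroup
            $status  = $null
            if ($members -eq $null) {
                $status = "No Members group is set"
            }
            elseif ($assignedIds -notcontains $members.ID) {
                $status = "Members group '$($members.Name)' has no permissions here"
            }

            if ($status) {
                New-Object PSObject -Property @{
                    Url    = $web.Url
                    Status = $status
                }
            }
        }
        finally {
            # SPWeb objects returned by AllWebs must be disposed explicitly.
            $web.Dispose()
        }
    }
}
finally {
    $site.Dispose()
}
```

Each web in the output is a candidate for the Set Up Groups steps above; an empty result means every web with unique permissions has a Members group that the web actually grants access to.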