What is limited-access user permission lockdown mode?

In SharePoint, users are assigned the “Limited Access” permission level automatically when the account is granted exclusive access (unique permissions) only to resources such as a list, library, or document within the site, but not directly to the site itself. E.g., when you grant a user access to a list in SharePoint, they’ll be granted “Limited Access” permission at the site level.

When publishing a SharePoint site to the Internet, we need a mechanism for effectively locking down the SharePoint site. In this case, locking down SharePoint just means that users in a “limited access” role will be unable to access application pages, thus minimizing the attack surface on a SharePoint site. When this feature is enabled, users assigned to the Limited Access permission level will not have the ability to access pages within the environment. E.g., the http://Intranet.SharePoint/_layouts/viewlsts.aspx page shows all content of the site, and lockdown mode can turn it off!

The Limited Access User Permission Lockdown Mode feature is available in both SharePoint 2016 and SharePoint Online. By using this feature, you can allow your authenticated users to log on to a SharePoint site while still securing application pages in your environment.

Lockdown Application Pages in SharePoint:

SharePoint 2013 brought this feature into the user interface as the “Limited-access user permission lockdown mode” feature.

  • Go to Site Settings >> Site collection features >> Activate/deactivate the “Limited-access user permission lockdown mode” feature to restrict/allow anonymous users to access application pages.

How to disable limited-access user permission lockdown mode using PowerShell?

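You can also enable or disable the Limited Access User Permission Lockdown Mode feature with PowerShell. This script disables it on all site collections of a web application:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Web application URL variable (placeholder: set this to your own web application)
$WebAppURL = "http://Intranet.SharePoint"

#Get all site collections on the web app and disable the feature
Get-SPWebApplication $WebAppURL | Get-SPSite -Limit All | ForEach-Object {
  $Site = $_
  #Get-SPFeature -Site returns only the features that are active on the site collection
  Get-SPFeature -Site $Site | Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" } | ForEach-Object {
    Disable-SPFeature -Identity $_ -Url $Site.Url -Confirm:$false
    Write-Host -f Green "Disabled the Feature on $($Site.Url)"
  }
}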
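Because turning lockdown mode off widens what Limited Access and anonymous users can reach, it helps to know where the feature currently stands before and after running the script. The following is an added audit example, not part of the original post: it reports, for each site collection, whether the feature is active and whether the root web allows anonymous access. The web application URL and the CSV file name are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed web application URL (the host name used earlier on this page); change it for your farm
$WebAppURL = "http://Intranet.SharePoint"

$Report = foreach ($Site in (Get-SPWebApplication $WebAppURL | Get-SPSite -Limit All)) {
  try {
    # Get-SPFeature -Site lists only the features that are active on the site collection
    $Active = Get-SPFeature -Site $Site -Limit All |
      Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" }

    # AnonymousState on the root web: Disabled, Enabled (lists/libraries only) or On (entire site)
    $Anonymous = $Site.RootWeb.AnonymousState

    [PSCustomObject]@{
      Url             = $Site.Url
      LockdownEnabled = [bool]$Active
      AnonymousAccess = $Anonymous
      # Flag sites that allow anonymous access while lockdown mode is off
      NeedsReview     = (-not $Active) -and ($Anonymous -ne "Disabled")
    }
  }
  finally {
    # Release the SPSite object once its values have been captured
    $Site.Dispose()
  }
}

# Show every site collection, flagged ones first
$Report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize

# Keep a record of the flagged sites (file name is an assumption)
$Report | Where-Object NeedsReview | Export-Csv -Path ".\LockdownReview.csv" -NoTypeInformation
```

The script only reads feature and permission state; it makes no changes to any site collection.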

