While SharePoint Online and OneDrive share a lot of commonalities, they begin to diverge when it comes to permissions and administration. An administrator in SharePoint online can access everything by default. Sites and document libraries can be adjusted to restrict even admin access–especially if users are allowed to make their own sites, but this can be circumvented easily in the SharePoint admin page. Add yourself as a site owner, and you’re good to go.
OneDrive does not make it easy. Users, by default, are the only ones with full control of their personal OneDrive. Administrators have to create a link in the admin center to access user files.
Once you follow the admin portal link, it will take you to the users file area. That link added you as a Site Collection Administrator on the user’s OneDrive. Slightly more confusing is depending on where you click, it can switch between your profile, the users profile, new OneDrive view and old OneDrive view. The user also has access to their Second Stage Recycle Bin. This is an administrator only area in SharePoint online–and for good reason. If users want to permanently delete files, they can in OneDrive. There is a restore option for OneDrive under the gear icon, but it’s not bullet proof.
Originally, I tried to find a way to restrict access to Second Stage Recycle Bin in users’ OneDrives. There is no over-arching administrative way to do this. But, I did find a cheeky way to accomplish the goal.
In the search/URL bar switch the onedrive.aspx segment of the URL to settings.aspx. If we’re using the PuppyStampede company example it will look like:
This looks identical to the “advanced” area in SharePoint.
Under Site Permissions and Site Collection Administrators, remove the user and add yourself. Make sure under Site Permissions to give yourself full control and not the default Contribute permission. Now, change the settings.aspx to viewlsts.aspx. This is the site contents view of the users OneDrive. This will be pretty important in the next article when we write a company wide DLP policy in the compliance center. For now, click the three dots next to documents and select settings.
Select permissions for this document library.
There shouldn’t be any users or permissions in here. We need to add the user back to their document library. Grant permissions to the user–full control is fine at this point. This will be the only area they are allowed in anymore. Now, when that user goes to their OneDrive, the only accessible area will be the main Document Library folder. No more recycle bin, no site settings, no Second Stage Recycle bin.
Now, I realize this would be arduous at scale, and, if users delete something, they won’t have access to first stage recycle bin–which could create quite a few HelpDesk tickets. Could this process be scripted out? Possibly. But, I am not a huge fan of the SharePoint module. This scenario could work with C-Suite employees who handle lots of sensitive data.
In Part 2 of the article, I’m going to go over the Compliance Center method of adding Data Rention to users’ OneDrives. It’s fairly straightforward and applies to all users in the organization. If you’re asking, then why even both with the first method? First, it’s fun. Second, the Data Retention policy creates a copy of each document that is deleted, and depending on the environment and your storage capacity, this could create issues in the long term. More on that in the next article, though.