Project Description
Block SharePoint Designer access for an entire web application except for a designated Active Directory group. You can restrict SPD users of any permission level, including site collection owners and even the SharePoint service account! Two .wsp files add & deploy an HttpModule.

Included are two .wsp files, plus source code (C#, Visual Studio .NET 2005).


1. Add and Deploy BlockSPDHttpModule.wsp to the solution store in SharePoint Central Administration > Operations > Solution Management. This activates a hidden Farm-level Feature copying BlockSPDHttpModule.dll to the GAC on every SharePoint server in the farm.

2. Then Add and Deploy DeployBlockSPD.wsp. This installs a WebApplication-level Feature. Do not activate it yet.

3. Create an Active Directory group and populate it with your permitted SharePoint Designer users. Get the SID of that AD group. (Tip: Add yourself to the group, then logoff your workstation/logon, launch a command prompt and type whoami /groups)

4. On each SharePoint server in the farm, create a registry key at HKEY-LOCAL-MACHINE/SOFTWARE/BlockSPD. Modify the value of (Default) and enter the SID of your AD group.

5. Right-click your BlockSPD key, go to Permissions and add your AD group, granting it Full Control of the key. Then click the Advanced button. Check Replace permission entries on all child objects with entries shown here that apply to child objects. Then click OK twice to close both dialogs.

6. In SharePoint Central Administration, go to Application Management > Manage Web Application Features. Activate Deploy Block SPD on the web application of your choice.

7. If you are using SharePoint Designer, close it. Re-launch it, go to File > Open Site and attempt to open your site. Members of the AD group should be granted the same access as before. If you are not in the group you may see a dialog entitled Remote Web Site Editing Options. No matter which option you choose you should be denied access to the site, regardless of your web or site-collection permissions.

Note: Only one AD group can be defined. i.e. You cannot choose different AD groups for different web applications.

This code was tested on Microsoft Office SharePoint Server 2007 using SharePoint Designer 2007. It will likely work with Windows SharePoint Services 3.0. It will likely block FrontPage 2003, as well.

About Me: My name is Michelle Dexheimer, and I am a Technical Manager and SharePoint developer at Tribridge, Inc., a Microsoft Gold Partner in SharePoint and Dynamics products.
  • THIS CODE IS PROVIDED "AS IS". NEITHER TRIBRIDGE, INC. NOR I WARRANT THIS CODE IN ANY WAY. Although I have taken care to test and troubleshoot this code and adhere to known best practices wherever possible, this product is unsupported. Please use and deploy at your own risk. You may freely use and adapt this code for your own use as long as proper credit is given.

Last edited Apr 10, 2009 at 10:21 PM by MichelleDexheimer, version 10