7/15/2014

Speaking at the Buckeye SPUG this Thursday

 

Buckeye SharePoint Users Group http://www.buckeyespug.com/SitePages/Home.aspx

July 17th - 5:30 pm @ the Microsoft Polaris Office

The Mystical SharePoint Super User and Auditor

A look into SharePoint User Policies, the creation of “super users” and how to take away powers from everyone else!

In this session we will explore SharePoint Permission Policies and User Policies to grant application wide permissions to selected users to create the often mentioned but rarely documented “Auditor” and “Super User” roles. We will also see how to use SharePoint’s only option to deny permissions to restrict even Full Control users from things like creating subsites.

See you there!


7/08/2014

SharePoint PowerShell – Find all Broken Inheritance

The following applies to both SharePoint 2010 and SharePoint 2013 on premises, but not to Office 365.

A common SharePoint task when you need to do a security audit, document security, or clean up a farm before an upgrade is figuring out where the Site Owners have broken inheritance and created unique permissions. You could visit every site, list, library, folder, list item and document, or you could let PowerShell do the work for you.

The following is one of the many scripts found in SharePoint® 2010 Security for the Site Owner and my PowerShell class "MS-55095 SharePoint 2010 and 2013 Auditing and Site Content Administration using PowerShell". (Sign up for the July class and get a free copy of the book!)
 

First find all of the Webs with broken inheritance:

Get-SPSite http://yourSiteUrl  | 
Get-SPWeb -Limit All | 
Where { $_.HasUniquePerm -AND $_.ParentWeb -NE $Null } | 
Select ServerRelativeUrl, {$_.ParentWeb.ServerRelativeUrl}

 

Then find all of the Lists and Libraries with broken inheritance:

Get-SPSite http://yourSiteUrl  | 
Get-SPWeb -Limit All | 
Select -ExpandProperty Lists |
Where { $_.HasUniqueRoleAssignments -AND -NOT $_.Hidden } | 
Select Title, ParentWebUrl

 

Then find all of the folders with broken inheritance:

Get-SPSite http://yourSiteUrl  | 
Get-SPWeb -Limit All | 
Select -ExpandProperty Lists | 
Select -ExpandProperty Folders | 
Where { $_.HasUniqueRoleAssignments } | 
Select Title, {$_.ParentList.ParentWebUrl + "/" +$_.ParentList.Title}

 

Then find all of the items with broken inheritance:

Get-SPSite http://yourSiteUrl  | 
Get-SPWeb -Limit All | 
Select -ExpandProperty Lists | 
Select -ExpandProperty Items | 
Where { $_.HasUniqueRoleAssignments } | 
Select Name, {$_.ParentList.ParentWebUrl + "/" +$_.ParentList.Title}

 

What if we wanted a nice single list as the output?

Each of the scripts above returns different kinds of columns. As PowerShell is a bit picky about what it will merge into a single column, we will have a little more work to do to merge everything into a single list. One solution is to build an array or collection in memory, but this could get quite large. Another solution is to dump everything into a CSV file and then open the result in Excel.

Note: The following script uses Export-CSV with the -Append parameter, which is not available in PowerShell 2.0.

Changes to the script:

  • Add something to the Selects to identify the source.
      Select "List Item", Url, {$_.Web.Url}
  • Create custom columns so all of the results have the same column names.
  • Output the results to a CSV file.
      | Export-CSV "c:\test\BrokenInheritanceReport.csv" -Append
  • Read them back and apply any needed sorting.

The following is all one script!


$siteUrl = "http://urlToYourSite"
$savePath = "c:\test\BrokenInheritanceReport.csv"

Get-SPSite $siteUrl  | 
  Get-SPWeb -Limit All | 
  Where { $_.HasUniquePerm -AND $_.ParentWeb -NE $Null } | 
  Select @{Label="Securable"; Expression={"Web"}}, 
         @{Label="Item"; Expression={$_.ServerRelativeUrl}}, 
         @{Label="Parent"; Expression={$_.ParentWeb.ServerRelativeUrl}} |
  Export-CSV $savePath

Get-SPSite $siteUrl  | 
  Get-SPWeb -Limit All | 
  Select -ExpandProperty Lists | 
  Where { $_.HasUniqueRoleAssignments -AND -NOT $_.Hidden } | 
  Select @{Label="Securable"; Expression={"List"}}, 
         @{Label="Item"; Expression={$_.Title}}, 
         @{Label="Parent"; Expression={$_.ParentWebUrl}} |
  Export-CSV $savePath -Append

Get-SPSite $siteUrl  | 
  Get-SPWeb -Limit All | 
  Select -ExpandProperty Lists | 
  Where { -NOT $_.Hidden -AND $_.EntityTypeName -NE "PublishedFeedList" } | 
  Select -ExpandProperty Folders | 
  Where { $_.HasUniqueRoleAssignments } | 
  Select @{Label="Securable"; Expression={"Folder"}}, 
         @{Label="Item"; Expression={$_.Title}}, 
         @{Label="Parent"; Expression={$_.ParentList.ParentWebUrl + "/" +$_.ParentList.Title}} | 
  Export-CSV $savePath -Append

Get-SPSite $siteUrl  | 
  Get-SPWeb -Limit All | 
  Select -ExpandProperty Lists | 
  Where { -NOT $_.Hidden -AND $_.EntityTypeName -NE "PublishedFeedList" } | 
  Select -ExpandProperty Items | 
  Where { $_.HasUniqueRoleAssignments } | 
  Select @{Label="Securable"; Expression={"Item"}}, 
         @{Label="Item"; Expression={$_.Name}}, 
         @{Label="Parent"; Expression={$_.ParentList.ParentWebUrl + "/" +$_.ParentList.Title}} | 
  Export-CSV $savePath -Append


Import-CSV  $savePath | Sort Parent | Select *
# or open the CSV file in Excel and sort there.
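
For an audit, the next question after "where is inheritance broken?" is "who holds which permission level there?". The following added example (not from the original post or the book) goes one step beyond the report above and flattens the role assignments of each securable with unique permissions into rows. The function name Get-UniquePermissionRow, its parameters, the New-Stub helper and the sample list are hypothetical; RoleAssignments, Member and RoleDefinitionBindings are the standard members of SharePoint securable objects and their role assignments.

```powershell
# Added example: one report row per principal and permission level for every
# securable that has unique permissions. Works on SPWeb, SPList and SPListItem
# (all expose HasUniqueRoleAssignments and RoleAssignments).
function Get-UniquePermissionRow {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Securable,
        [Parameter(Mandatory=$true)] [string] $Kind,   # value for the Securable column
        [scriptblock] $Label = { $_.Title },           # how to name the object
        [switch] $SkipLimitedAccess                    # assumption: English level name
    )
    process {
        if (-not $Securable.HasUniqueRoleAssignments) { return }
        $name = $Securable | ForEach-Object $Label
        foreach ($ra in $Securable.RoleAssignments) {
            foreach ($role in $ra.RoleDefinitionBindings) {
                if ($SkipLimitedAccess -and $role.Name -eq "Limited Access") { continue }
                New-Object PSObject -Property @{
                    Securable = $Kind; Item = $name; Role = $role.Name
                    Principal = $ra.Member.Name; Login = $ra.Member.LoginName
                } | Select Securable, Item, Principal, Login, Role
            }
        }
    }
}

# Constructed stand-in for an SPList, so the function can be tried without a farm.
function New-Stub($props) { New-Object PSObject -Property $props }
$sampleList = New-Stub @{
    Title = "Contracts"; HasUniqueRoleAssignments = $true
    RoleAssignments = @(
        (New-Stub @{
            Member = (New-Stub @{ Name = "Legal Members"; LoginName = "Legal Members" })
            RoleDefinitionBindings = @((New-Stub @{ Name = "Contribute" }))
        }),
        (New-Stub @{
            Member = (New-Stub @{ Name = "Sam Visitor"; LoginName = "CONTOSO\svisitor" })
            RoleDefinitionBindings = @((New-Stub @{ Name = "Limited Access" }),
                                       (New-Stub @{ Name = "Read" }))
        })
    )
}
$sampleList | Get-UniquePermissionRow -Kind "List" -SkipLimitedAccess | Format-Table -AutoSize

# On a farm (SharePoint snap-in loaded), feed it the same pipeline as the list query:
# Get-SPSite $siteUrl | Get-SPWeb -Limit All | Select -ExpandProperty Lists |
#   Where { -NOT $_.Hidden } | Get-UniquePermissionRow -Kind "List" -SkipLimitedAccess
```

For items, pass -Label { $_.Name } so the rows carry the same name the item report above uses.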

7/04/2014

New Book and New Class!

New book: SharePoint® 2010 Security for the Site Owner

I was always looking for a SharePoint security resource to point people to. I found content for server administrators and for developers, but nothing for site owners. Finally I decided I could quickly put together a little book on the topic. Little did I know just how much I would end up writing, testing and rewriting to get this thing done!

It only took 2½ years to complete! Work on this book started with the creation of my blog site in 2007. Or maybe it started in 2006 with the students in my SharePoint classes when they asked questions about the obvious and not so obvious SharePoint security features. The actual writing started 2½ years ago.

Why a 2010 book in 2014? It took that long to write it. (I'm both slow and busy!) But… give me a few weeks and then you can get the 2013 version of the book.

You can order it now from Amazon.

 

New Class: MS-55095 SharePoint 2010 and 2013 Auditing and Site Content Administration using PowerShell

Starting with the PowerShell chapter from the security book, and adding another 100 or so scripts, I now have a class for on premises SharePoint 2010 and 2013 administrators, auditors and governance teams who need to query just about anything in SharePoint. The class handout is effectively a cheat sheet with over 175 PowerShell scripts plus the general patterns to create your own scripts.

For all of the details of the class see here: http://techtrainingnotes.blogspot.com/2014/06/new-sharepoint-powershell-course.html

For class schedules see here: http://www.maxtrain.com/Classes/ClassInfo.aspx?Id=119394 or call MAX Technical Training at 513-322-8888. This class is available both in Cincinnati, and remotely from anywhere. This class will soon be available to all Microsoft training centers as course 55095AC.

You will need core PowerShell skills for this class, so I'd recommend having attended either of these two classes: MS-10961 Automating Administration with Windows PowerShell or MS-50414 Powershell v2 for Administrators, or equivalent.

Bonus! When you register for the class, tell them that you heard about it from Mike, and we will get you a free copy of the security book!

 


6/26/2014

Cincinnati SPUG – 6/26 – MVP Paul Stork Speaking about Yammer

 

MVP Paul Stork will be speaking at tonight's SharePoint user group. We will have pizza and door prizes at the meeting, and for those who cannot make it out, we will have remote access available for the first 20 people connecting.

 
