I am writing a script to check if each site/subsite has unique or inherited permissions. I am having an issue where HasUniqueRole is not doing what it is supposed to do, it just returns true or false but when I write it to host, nothing is printed. Any ideas why this isn't functioning properly or does it need to be loaded in first? If I put it into an if else statement, it prints that any website has inherited permissions.
$site = Read-Host -Prompt "Enter website URL"
Connect-PnPOnline -Url $site -UseWebLogin
$currentSubwebs = Get-PnPSubwebs -Recurse
foreach ($currentSubweb in $currentSubWebs) {
$subWebTitle = $currentSubWeb.Title
Write-Host $subWebTitle -ForegroundColor Red
$subSiteURL = $currentSubweb.Url
Write-Host $subSiteURL -ForegroundColor Green
Write-Host $currentSubweb.HasUniqueRoleAssignments
}
Change
$currentSubwebs = Get-PnPSubwebs -Recurse
to
$currentSubwebs = Get-PnpSubwebs -Recurse -Includes HasUniqueRoleAssignments
Related
Hey Everyone so I am able to set the sharepoint sites sensitivity labels in my tenant by doing them individually using the following commands:
# Get the label (required ExchangeOnlineManagement module)
Connect-IPPSSession -userprincipalname wise#redacted
$c = Get-Credential wise#redacted
Connect-SPOService -Url https://redacted-admin.sharepoint.com -Credential $c -ModernAuth:$true -AuthenticationUrl https://login.microsoftonline.com/organizations
Set-SPOSite -identity {site_url} -SensitivityLabel:'{GUID of sens label here}'
And now I am trying to set a default label for all sites that have not been manually set by users with the following code, but its throwing the "Site already has a sensitivity label" message, meaning the if statement isnt triggering when ran from a site in a variable???
# Get the label (required ExchangeOnlineManagement module)
Connect-IPPSSession -userprincipalname wise#redacted
$c = Get-Credential wise#redacted
Connect-SPOService -Url https://redacted-admin.sharepoint.com -Credential $c -ModernAuth:$true -AuthenticationUrl https://login.microsoftonline.com/organizations
#Create a progress counter and fail counter
$count = 0
$fail = 0
#get all sites
write-host "Collecting site data" -ForegroundColor Yellow
$SiteCollections = Get-SPOSite -Limit All
write-host "Collecting site data - COMPLETED" -ForegroundColor Green
#get a count of total sites
$total = $SiteCollections.count
write-host "There are $total total sites." -ForegroundColor Green
foreach ($site in $SiteCollections){
$count++
try{
if ( $site.SensitivityLabel -eq '' ){
Set-SPOSite $site -SensitivityLabel:'{GUID}'
} else {
$label = $site.SensitivityLabel
Write-host "Site already has a sensitivity label: $label"
$site.Url | Out-File '.\Sites_already_labeled.txt' -Append
}
} catch {
$sitename = $site.Name
"Bad site: $sitename" | Out-File '.\Failed_change_sites.txt' -Append
$fail++
Write-Host "Failed site count = $fail" -ForegroundColor Blue
Write-Host "Failed site = $sitename" -ForegroundColor Blue
}
Write-Host "Processing Site $count of $total" -ForegroundColor Red
}
I have tested the if sens label = '' on singular sites and it does infact fufill the if statement so im completely lost.
Thanks ChatGPT!
It's likely that the issue is with the following line of code: if ( $site.SensitivityLabel -eq '' ). The SensitivityLabel property of a SharePoint Online site may not be an empty string when it has no label applied to it. Instead, it may be $null, so the if statement should be updated to if ( $site.SensitivityLabel -eq $null ).
(FIRST POST - I will do my best to summerize, forgive me ahead of time)
I have a SharePoint site with a list of sites to be deleted, problem is, some of the sites to be deleted have subsites that need to be deleted before the deletion can occure. I have a basic Powershell script that will delete the site as long as there are no subsites.
I am trying to come up with either a method to delete the subsites if the listed site to be deleted has subs or a way to catch the ones that have an error to enter data into a column on the same list or output a file AND to continue deleting the sites without subs.
Here is what I have so far:
#========================================================================#
# Delete confirmed sites #
#========================================================================#
function deleteSites_old ($url, $listName) {
$web = get-SPWeb $url
$list = $web.Lists[$listname]
$items = $list.items | Where-Object {($_['Status'] -eq 'Delete')}
Write-host "List $($list.title) has $($items.count) entries to be deleted"
foreach ($item in $items) {
$siteURL = $item["URL"]
$siteOwner = $itme["SiteOwner"]
write-host $siteURL $siteOwner
try {
write-host "Site deletion"
#Remove-SPWeb -Identity $siteURL -Recycle
}
catch [Microsoft.SharePoint.Powershell.SPCmdRemoveWeb] {
"There was a problem deleting web site $($siteURL)"
}
#Remove-SPWeb -Identity $siteURL -Recycle
#$ListItem["Status"] = "DELETED"
#$ListItem.update()
}
#DELETES THE INSTANCE
$web.Dispose()
}
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Site = '[URL]'
$list = "[List Name]"
deleteSites_old $Site $List
I am still testing so I have commented out as I continue. Thanks ahead of time, I did search the forum first but only found questions related to SPOnline or SP13 (with $ChildSites but couldn't get it to work for my environment)
I am using PowerShell PNP to try and read the permissions of a folder but the command Get-PnPFolder does not appear to include the permissions.
I tried the code listed here but the permissions collection are empty. https://sharepoint.stackexchange.com/questions/221118/retrieve-permissions-at-folder-and-file-level-in-powershell/221513 . This small sample below is what I used for testing.
$spserver = 'https://myportal.sharepoint.com/sites/mysite/'
Connect-PnPOnline –Url $spserver –UseWebLogin
$foldername = 'myFormLibraryName'
$folderObj = Get-PnPFolder -Url $foldername -Includes ListItemAllFields.RoleAssignments, ListItemAllFields.HasUniqueRoleAssignments
$folderObj.ListItemAllFields.HasUniqueRoleAssignments
$folderObj.ListItemAllFields.RoleAssignments
The results of the code will return "collection has not been initialized". How do I get a list of the permissions for a SharePoint folder?
I was not able to get the code to work with Get-PnPFolder and used the code below as an alternative.
$spserver = 'https://myportal.sharepoint.com/sites/mysite/'
Connect-PnPOnline –Url $spserver –UseWebLogin
$ctx=Get-PnPContext
$foldername = 'Documents'
$web = $ctx.Web
$list = $ctx.Site.RootWeb.Lists.GetByTitle($foldername)
$ctx.Load($list)
$ctx.ExecuteQuery()
Write-Host 'count is ' $list.ItemCount
$roleass = $list.RoleAssignments
$ctx.Load($roleass)
$ctx.ExecuteQuery()
Write-Host 'loaded'
foreach($rol in $roleass) {
$ctx.Load($rol.Member)
$ctx.ExecuteQuery()
Write-Host $rol.Member.Title
}
I have an issue with setting an ACL to a folder using PowerShell. It seems I was able to get through my code without any errors, but the folder still does not appear in the Security properties of the folder. The other articles I looked at seemed to have answers, but then comments, if any, that it didn't work, and after trying what the answers suggested, it did not result in the group appearing in the System properties of the folder.
My script so far is as follows:
$domain="DOMAIN"
$tldn="net"
$pathArr=#()
$pathArr+=$path1=Read-Host -Prompt "Enter first path"
$pathArr+=$path2=Read-Host -Prompt "Enter second path"
[int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
[string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
$projectNumberString=[string]$projectNumber
$projectName=Read-Host -Prompt "Please give the project name"
$fullProjectName="${projectNumberString}_${projectName}"
$pathArr+=$path3="$path1\$mainFolder"
$pathArr+=$path4="$path2\$mainFolder"
$pathArr+=$path5="$path3\$fullProjectName"
$pathArr+=$path6="$path4\$fullProjectName"
# Region: Create organizational units in Active Directory
# Names
$ouN1="XYZOU"
$ouN2="ABCOU"
# Paths
$ouP0="DC=$domain,DC=$tldn"
$ouP1="OU=$ouN1,$ouP0"
$ouP2="OU=$ouN2,$ouP1"
Write-Host "Checking for required origanization units..."
try
{
New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2
}
catch
{
Out-Null
}
EDIT
As per Mickey's comment, I added this code to test the path of $path6'
if ( Test-Path -Path "$path6" )
{
Write-Host "$path6"
Write-Host "Path exists."
}
else
{
Write-Host "Path does not exist."
}
The result was that the path wrote to the host and said Path exists..
Write-Host "Creating AD Group..."
[string]$group="BEST_${projectNumberString}"
$groupdomain="$domain\$group"
$ADGroupParams= #{
'Name' = "$group"
'SamAccountName' = "$group"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$group"
'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
'Description' = "Test share"
}
$secgroup=New-ADGroup #ADGroupParams
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
$AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path6
I tried Set-Acl -ACLObject:$acl -Path:$path6 and that didn't work either.
Again, I am not getting any errors at all.
I am running PowerShell 4.0 in PowerShell ISE on Windows Server 2012 R2. I am logged in as Administrator.
If you have any ideas, I am open to them. To be clear, my goal is to add the $groupdomain to a folder called path6, and have the ACLs outlined here applied to that group.
Thank you for your help in advance.
I'm deploying apps using Import-SPAppPackage and Install-SPApp. I'd like to be able to use Set-AppPrincipalPermission to set permissions but I can't get it working.
I'm uploading a SharePoint-hosted app to SharePoint using the PowerShell cmdlets Import-SPAppPackage and Install-SPApp. This is working fine for SharePoint-hosted apps that do not require additional permissions.
However, one app needs read access to the site, so this is declared in the manifest. And it works fine when run through Visual Studio - on first launch, it correctly asks to trust the app for read access to the site.
When I add this app via PowerShell, it has no opportunity to ask. The install continues without problems, but then the app doesn't work. (It fails with a permissions problem, which is absolutely the correct behavour since the permissions haven't yet been granted.)
I can fix the permissions by going to the Site Contents, clicking on the '...' for the problem app, choosing 'Permissions' and then clicking the link that says 'If there's something wrong with the app's permissions, click here to trust it again'.
But I really want to just be able to do the whole deployment via PowerShell.
The Set-AppPrincipalPermission cmdlet should allow me to set the permissions, but I can't get it to work. Specifically, I can't get a handle on the app principal that was automatically created when the app was deployed, so I can't pass this app principal to Set-AppPrincipalPermission.
The app principal has a name of the form 'i:0i.t|ms.sp.int|#' and it is listed on /_layouts/15/appprincipals.aspx. When I use Get-SPAppPrincipal with it, all I get is:
Get-SPAppPrincipal : The app principal could not be found.
I haven't seen any examples of using Get-SPAppPrincipal for any SharePoint-hosted apps - they all seem to be for provider-hosted apps. They also all seem to just use an app principal ID built from the client ID and the realm ID, but my SharePoint-hosted app doesn't have a client ID.
Is it possible to get the app principal of a SharePoint-hosted app and use it to set the permissions via PowerShell? Am I doing something wrong, or is there another approach?
I struggled the same problem like you and finally found an answer in these two blogs:
Blog with a nice Install, Update and Delete Script
Here is a nice post about "pressing" the "Trust It" Button via PowerShell Link
And because I know how lazy programmers like me are, feel free to use this merged script to Install Apps:
param
(
[string]$Web = $(throw '- Need a SharePoint web site URL (e.g. "http://portal.contoso.com/")'),
[string]$Source = "ObjectModel"
)
Write-Host -ForegroundColor White "-------------------"
Write-Host -ForegroundColor White "| App Installer |"
Write-Host -ForegroundColor White "-------------------"
Write-Host -ForegroundColor White "- "
#Global vars
$AppPackageName = "App.app";
#Loads powershell settings
Write-Host -ForegroundColor White "- Load Powershell context.."
$0 = $myInvocation.MyCommand.Definition
$dp0 = [System.IO.Path]::GetDirectoryName($0)
#Loads the SharePoint snapin
Write-Host -ForegroundColor White "- Load SharePoint context.."
$ver = $host | select version
if ($ver.Version.Major -gt 1) {$host.Runspace.ThreadOptions = "ReuseThread"}
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
Add-PSSnapin "Microsoft.SharePoint.PowerShell";
}
[void][System.Reflection.Assembly]::Load("Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
#Imports the App package
Write-Host -ForegroundColor White "- Import app package '$AppPackageName'..."
$appPath = "C:\Projects\App\App\bin\Debug\app.publish\1.0.0.0" + "\" + $AppPackageName;
if ($Source.Equals("ObjectModel", [System.StringComparison]::InvariantCultureIgnoreCase)) {
$sourceApp = ([microsoft.sharepoint.administration.spappsource]::ObjectModel);
}
elseif ($Source.Equals("Marketplace", [System.StringComparison]::InvariantCultureIgnoreCase)) {
$sourceApp = ([microsoft.sharepoint.administration.spappsource]::Marketplace);
}
elseif ($Source.Equals("CorporateCatalog", [System.StringComparison]::InvariantCultureIgnoreCase)) {
$sourceApp = ([microsoft.sharepoint.administration.spappsource]::CorporateCatalog);
}
elseif ($Source.Equals("DeveloperSite", [System.StringComparison]::InvariantCultureIgnoreCase)) {
$sourceApp = ([microsoft.sharepoint.administration.spappsource]::DeveloperSite);
}
elseif ($Source.Equals("RemoteObjectModel", [System.StringComparison]::InvariantCultureIgnoreCase)) {
$sourceApp = ([microsoft.sharepoint.administration.spappsource]::RemoteObjectModel);
}
$spapp = Import-SPAppPackage -Path "$appPath" -Site $Web -Source $sourceApp -Confirm:$false -ErrorAction SilentlyContinue -ErrorVariable err;
if ($err -or ($spapp -eq $null))
{
Write-Host -ForegroundColor Yellow "- An error occured during app import !"
throw $err;
}
Write-Host -ForegroundColor White "- Package imported with success."
#Installs the App
Write-Host -ForegroundColor White "- Install the APP in web site..."
$app = Install-SPApp -Web $Web -Identity $spapp -Confirm:$false -ErrorAction SilentlyContinue -ErrorVariable err;
if ($err -or ($app -eq $null)) {
Write-Host -ForegroundColor Yellow "- An error occured during app installation !"
throw $err;
}
$AppName = $app.Title;
Write-Host -ForegroundColor White "- App '$AppName' registered, please wait during installation..."
$appInstance = Get-SPAppInstance -Web $Web | where-object {$_.Title -eq $AppName};
$counter = 1;
$maximum = 150;
$sleeptime = 2;
Write-Host -ForegroundColor White "- Please wait..." -NoNewline;
$url = "$($Web)_layouts/15/appinv.aspx?AppInstanceId={$($appInstance.Id)}"
$ie = New-Object -com internetexplorer.application
try
{
$ie.visible=$true
$ie.navigate2($url)
while ($ie.busy)
{
sleep -milliseconds 60
}
$trustButton = $ie.Document.getElementById("ctl00_PlaceHolderMain_BtnAllow")
$trustButton.click()
sleep -Seconds 1
Write-Host "App was trusted successfully!"
}
catch
{
throw ("Error Trusting App");
}
while (($appInstance.Status -eq ([Microsoft.SharePoint.Administration.SPAppInstanceStatus]::Installing)) -and ($counter -lt $maximum))
{
Write-Host -ForegroundColor White "." -NoNewline;
sleep $sleeptime;
$counter++;
$appInstance = Get-SPAppInstance -Web $Web | where-object {$_.Title -eq $AppName}
}
Write-Host -ForegroundColor White ".";
if ($appInstance.Status -eq [Microsoft.SharePoint.Administration.SPAppInstanceStatus]::Installed) {
Write-Host -ForegroundColor White "- The App was successfully installed.";
$appUrl = $appInstance.AppWebFullUrl;
Write-Host -ForegroundColor White "- The App is now available at '$appUrl'.";
Write-Host -ForegroundColor White "- (Don't forget to add app host name in your host file if necessary...).";
Write-Host -ForegroundColor White "- "
}
else {
Write-Host -ForegroundColor Yellow "- An unknown error has occured during app installation. Read SharePoint log for more information.";
}
Figured out a way other than using IE.
Basically just using powershell to call SPAppPrincipalPermissionsManager.AddAppPrincipalToWeb
$rootUrl = "https://ur-sp.com"
$urlSiteName = "ur-site"
$web = Get-SPWeb "$rootUrl/$urlSiteName"
$appPrincipalManager = [Microsoft.SharePoint.SPAppPrincipalManager]::GetManager($web)
$applicationEndPointAuthorities = new-object System.Collections.Generic.List[string]
$applicationEndPointAuthorities.Add("$rootUrl/$urlSiteName");
$symmetricKey = New-Object System.Security.SecureString;
$datetimeNow = [System.DateTime]::Now
$credential = [Microsoft.SharePoint.SPAppPrincipalCredential]::CreateFromSymmetricKey($symmetricKey,$datetimeNow,$datetimeNow)
$creationParameters =New-Object Microsoft.SharePoint.SPExternalAppPrincipalCreationParameters($appid,$appFriendlyName,$applicationEndPointAuthorities,$credential)
$appPrincipal = $appPrincipalManager.CreateAppPrincipal($creationParameters)
$appPrincipalPermissionsManager = New-Object -TypeName
Microsoft.SharePoint.SPAppPrincipalPermissionsManager -ArgumentList $web
$r = $appPrincipalPermissionsManager.AddAppPrincipalToWeb($appPrincipal, 3)
3 is of SPAppPrincipalPermissionKind enum, and I don't think its value really matters.
This will do the full trust part via powershell:
$targetWeb = Get-SPSite "http://dev.my.com"
$clientID = "82ea34fc-31ba-4e93-b89a-aa41b023fa7e"
$authRealm = Get-SPAuthenticationRealm -ServiceContext $targetWeb
$AppIdentifier = $clientID + "#" + $authRealm
$appPrincipal = Get-SPAppPrincipal -Site $targetWeb.RootWeb -NameIdentifier $AppIdentifier
Set-SPAppPrincipalPermission -Site $targetWeb.RootWeb -AppPrincipal $appPrincipal -Scope SiteCollection -Right FullControl
More info here:
http://lixuan0125.wordpress.com/2013/11/18/register-and-install-app-through-powershell/