Sunday, January 25, 2015

Delete Button Missing in SharePoint Column? Here is How to Delete them.

How to delete a Column when Delete Button is missing:
Unable to delete list column in SharePoint since there is no delete button in field properties? In some cases, columns added through "Add existing columns" doesn't provide the option to delete! To make them deletable, just revert these two properties: AllowDeletion & Sealed
sharepoint column no delete button - sharepoint list sealed and non-deletable columns
Here is how to delete SharePoint list column programmatically with PowerShell: 
#Get the Web
$web = Get-SPWeb "http://sharepoint.crescent.com/sites/pmo"

#Get the List
$list = $web.Lists["Design Documents"]

#Get the column
$column = $list.Fields["Category"]

#Disable Delete
$column.AllowDeletion = $true
$column.Sealed = $false
$column.Update()

#To delete a SharePoint list column in PowerShell, use: $column.Delete() 

$web.Dispose() 
sharepoint column delete button missing
We can also make fields to Sealed, So that nobody can change the field settings.

SharePoint Manager tool  can be used to set these properties. Just navigate to the site, list or library and set the "AllowDeletion" property to false, save the changes. This hides delete option in SharePoint list. sharepoint list column enable disable delete option

Here is my another post to make a column non-deletable: How to Prevent SharePoint List or Columns from Deletion

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Tuesday, January 20, 2015

Copy Permissions from One User to Another in SharePoint using PowerShell

Permission management in SharePoint is always a complex task especially on large environments. Granting permissions in SharePoint becomes cumbersome when you are in a situation to clone an existing user's access rights. Consider this scenario: You have an existing user in a department granted access to various SharePoint web applications, sites, lists, files, etc. and when a new user joins to this department, You-SharePoint Administrator get the requirement of adding new user to all of the places with same access rights as the existing team member!

How will you compare access rights of an existing team member and grant access in bulk? He may be granted permission on various levels with different access rights. It would become very time-consuming to find and grant same level of permissions to multiple users on multiple SharePoint objects. Existing user may be grated access as part of:
  • Farm Administrator group and/or as part of web application policies
  • Member of Site collection administrator group
  • Permissions granted at site level either as part of SharePoint group or with direct permissions
  • Permissions granted to list or libraries by breaking inheritance 
  • Access rights may be via List item or folder level permissions.
In short, permissions can be granted at the following levels in SharePoint:
sharepoint copy permissions from one user to another
Well, To copy permissions from one user to another user on above levels, I've written this PowerShell script - It just scans all possible levels for given source user's access rights and grants permission to the target user.

PowerShell script to clone SharePoint User Permissions:
Important: You must run this script as Farm Administrator! Otherwise, you'll get "Access Denied" error!!
This script iterates through each levels as in the above image and copies permissions between given users at List Item/Folder, Lists, site, Site Collection, Web Application and Farm levels. Just change the parameters for variables $SourceUserl, $TargetUser and $WebAppURL accordinly and run the script. You'll find the script outputs logs on the screen, on wherever it copies permissions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to copy user permissions 
Function Copy-UserPermissions($SourceUserID, $TargetUserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
 #Determine the given Object type and Get URL of it
    Switch($Object.GetType().FullName)
 {
  "Microsoft.SharePoint.SPWeb"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL; $web = $Object }
  "Microsoft.SharePoint.SPListItem" 
  { 
   if($Object.Folder -ne $null)
   {
     $ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)"; $web = $Object.Web
   }
   else
   {
    $ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" ; $web = $Object.Web
   }
  }
  #Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, Microsoft.SharePoint.SPPictureLibrary,etc
  default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)"; $web = $Object.ParentWeb }
 }

 #Get Source and Target Users
 $SourceUser = $Web.EnsureUser($SourceUserID)
 $TargetUser = $Web.EnsureUser($TargetUserID)

 #Get Permissions of the Source user on given object - Such as: Web, List, Folder, ListItem
 $SourcePermissions = $Object.GetUserEffectivePermissionInfo($SourceUser)

 #Iterate through each permission and get the details
 foreach($SourceRoleAssignment in $SourcePermissions.RoleAssignments)
 {
  #Get all permission levels assigned to User account directly or via SharePOint Group
  $SourceUserPermissions=@()
        foreach ($SourceRoleDefinition in $SourceRoleAssignment.RoleDefinitionBindings)
        {
   #Exclude "Limited Accesses"
   if($SourceRoleDefinition.Name -ne "Limited Access")
   {
          $SourceUserPermissions += $SourceRoleDefinition.Name
   }
        }
 
  #Check Source Permissions granted directly or through SharePoint Group
  if($SourceUserPermissions)
  {
   if($SourceRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])   
   {
    $SourcePermissionType = "'Member of SharePoint Group - " + $SourceRoleAssignment.Member.Name +"'"
    
    #Add Target User to the Source User's Group
    #Get the Group
    $Group = [Microsoft.SharePoint.SPGroup]$SourceRoleAssignment.Member
     
    #Check if user is already member of the group - If not, Add to group
    if( ($Group.Users | where {$_.UserLogin -eq $TargetUserID}) -eq $null )
    {
      #Add User to Group
      $Group.AddUser($TargetUser)
      #Write-Host Added to Group: $Group.Name
    }     
   }
   else
   {
    $SourcePermissionType = "Direct Permission"
    
    #Add Each Direct permission (such as "Full Control", "Contribute") to Target User
    foreach($NewRoleDefinition in $SourceUserPermissions)
    {    
      #Role assignment is a linkage between User object and Role Definition
      $NewRoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($TargetUser)
      $NewRoleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$NewRoleDefinition])
         
      $object.RoleAssignments.Add($NewRoleAssignment)
      $object.Update()     
    }      
   }
   $SourceUserPermissions = $SourceUserPermissions -join ";"  
   Write-Host "***$($ObjectType) Permissions Copied: $($SourceUserPermissions) at $($ObjectURL) via $($SourcePermissionType)***"
  }   
 } 
}

Function Clone-SPUser($SourceUserID, $TargetUserID, $WebAppURL)
{
 ###Check Whether the Source Users is a Farm Administrator ###
 Write-host "Scanning Farm Administrators Group..." 
   #Get the SharePoint Central Administration site
   $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
    $AdminSite = Get-SPWeb $AdminWebApp.Url
    $AdminGroupName = $AdminSite.AssociatedOwnerGroup
    $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
 
 #enumerate in farm adminidtrators groups
    foreach ($user in $FarmAdminGroup.users)
    {
     if($User.LoginName.Endswith($SourceUserID,1)) #1 to Ignore Case
     {
       #Add the target user to Farm Administrator Group
    $FarmAdminGroup.AddUser($TargetUserID,"",$TargetUserID , "")
    Write-Host "***Added to Farm Administrators Group!***"
     }     
    }

 ### Check Web Application User Policies ###
 Write-host "Scanning Web Application Policies..." 
  $WebApp = Get-SPWebApplication $WebAppURL   
 
  foreach ($Policy in $WebApp.Policies)
  {
      #Check if the search users is member of the group
     if($Policy.UserName.EndsWith($SourceUserID,1))
       {
       #Write-Host $Policy.UserName
    $PolicyRoles=@()
       foreach($Role in $Policy.PolicyRoleBindings)
       {
        $PolicyRoles+= $Role
       }
   }
  }
  #Add Each Policy found
  if($PolicyRoles)
  {
   $WebAppPolicy = $WebApp.Policies.Add($TargetUserID, $TargetUserID)
   foreach($Policy in $PolicyRoles)
   {
    $WebAppPolicy.PolicyRoleBindings.Add($Policy)
   }
   $WebApp.Update()
   Write-host "***Added to Web application Policies!***"
  }
  
 ### Drill down to Site Collections, Webs, Lists & Libraries, Folders and List items ###
 #Get all Site collections of given web app
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

 #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
    if( (Get-SPWebApplication $WebAppURL).UseClaimsAuthentication)
    {
        $SourceUserID = (New-SPClaimsPrincipal -identity $SourceUserID -identitytype 1).ToEncodedString()
  $TargetUserID = (New-SPClaimsPrincipal -identity $TargetUserID -identitytype 1).ToEncodedString()
    }
 
 #Loop through all site collections 
    foreach($Site in $SiteCollections)
    {
  #Prepare the Target user 
  $TargetUser = $Site.RootWeb.EnsureUser($TargetUserID)
 
     Write-host "Scanning Site Collection Administrators Group for:" $site.Url
  ###Check Whether the User is a Site Collection Administrator
     foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
        {
      if($SiteCollAdmin.LoginName.EndsWith($SourceUserID,1))
      {
          #Make the user as Site collection Admin
           $TargetUser.IsSiteAdmin = $true
           $TargetUser.Update()
       Write-host "***Added to Site Collection Admin Group***"
      }     
    }
  
  #Get all webs
  $WebsCollection = $Site.AllWebs
  #Loop throuh each Site (web)
  foreach($Web in $WebsCollection)
  {
       if($Web.HasUniqueRoleAssignments -eq $True)
             {
     Write-host "Scanning Site:" $Web.Url
    
     #Call the function to Copy Permissions to TargetUser
     Copy-UserPermissions $SourceUserID $TargetUserID $Web    
    } 
    
    #Check Lists with Unique Permissions
    Write-host "Scanning Lists on $($web.url)..."
    foreach($List in $web.Lists)
    {
              if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                 {
      #Call the function to Copy Permissions to TargetUser
      Copy-UserPermissions $SourceUserID $TargetUserID $List 
     }
    
     #Check Folders with Unique Permissions
     $UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True }                    
                    #Get Folder permissions
                    foreach($folder in $UniqueFolders)
        {
      #Call the function to Copy Permissions to TargetUser
                                                Copy-UserPermissions $SourceUserID $TargetUserID $folder      
                    }
    
     #Check List Items with Unique Permissions
     $UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True }
                    #Get Item level permissions
                    foreach($item in $UniqueItems)
        {
      #Call the function to Copy Permissions to TargetUser
      Copy-UserPermissions $SourceUserID $TargetUserID $Item  
                    }
    }
  }
 }
 Write-Host "Permission are copied successfully!"
 
}
#Define variables for processing
$WebAppURL = "http://sharepoint.crescent.com"

#Provide input for source and Target user Ids
$SourceUser ="Crescent\TonyW"
$TargetUser ="Crescent\Salaudeen"

#Call the function to clone user access rights
Clone-SPUser $SourceUser $TargetUser $WebAppURL
 

Copy User Permissions at list level:
This script is broken into two functions: Copy-UserPermissions and Clone-SPSuer for convenience. Lets say, you want to copy permissions at list level, then you can utilize the Copy-UserPermission function as:
 
$WebURL = "http://sharepoint.crescent.com/sites/sales"

$web = Get-SPWeb $WebURL

$SourceUser ="i:0#.w|Crescent\TonyW"
$TargetUser ="i:0#.w|Crescent\Salaudeen"

$list = $Web.Lists["Invoice"]

#$folder = $list.Folders[0]
#$ListItem = $list.Items[0]

#Call the function to copy user permissions programmatically at LIST level
Copy-UserPermissions $SourceUser $TargetUser $list

This script just clone's user permissions at list level (copies at only list level, no drill-down to Folders and Items!).

Please note, This script doesn't clone permissions which are granted via Active Directory Security groups!


You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Saturday, January 10, 2015

SharePoint 2013 Patch (Service Pack-CU-Hotfix) Installation Guide - Step by Step

So you want to maintain your SharePoint environment healthy, secure, stable and up to date by installing latest patches? Well, this article walks through the various steps involved in installing patches for your SharePoint 2013 environment.

SharePoint 2013 patching best practices
Before proceeding , Lets consider some of the best practices for SharePoint 2013 patching. I would strongly recommend patching your development/test SharePoint farms first before proceeding with the production environment. Make sure Dev/Test environments are thoroughly tested, all custom/third-party components are fully functional. Watch those environments, Identify and address common issues and then schedule the maintenance window for your SharePoint 2013 production farm.

Always, Its a good idea to stay one CU behind the current release (or 3 to 6 Moths behind latest patch) for production environments to avoid any potential issues that may be introduced by a new CU. Simply installing the latest updates is not a best practice and may put your environment at risk. Take snapshot backups of your SharePoint servers before applying updates. (That's why I'm a big fan of SharePoint server visualization!). This will help when things don’t go right.

Downtime Mitigation: If you have a TEST environment (or call it QA/Pre-Production) closer to production, you can backup-restore SharePoint content databases, make them read-only, change the publishing servers to point TEST farm as Production farm during this maintenance window. Keep your user community aware of this maintenance window. Plan and send out a proper e-mail communication about the scheduled maintenance. SharePoint 2013 provides an excellent way SharePoint 2013 Maintenance Window Notifications

It is no longer required to install the SharePoint Foundation patches before proceeding with SharePoint Server patches.

SharePoint 2013 patch procedure
At high level, SharePoint 2013 patching process is done as follows:
  1. Get your current farm patch level
  2. Download SharePoint 2013 service pack/CU/Hot-fix
  3. Install binaries on SharePoint Servers
  4. Run the SharePoint Products Configuration Wizard
  5. Verify the updated build number of your SharePoint farm.

Step 1: Get SharePoint 2013 Patch Level

There are many ways to find SharePoint build numbers including PowerShell (more info:  How to find SharePoint Farm Build Version Number/Patch Level ). Here is the easiest way to find SharePoint patch level:
  • Go to your SharePoint 20103 Central Administration site. 
  • From the Central Administration, navigate to System Settings >> Manage Servers in this Farm
  • From the Servers in this Farm page, under the Farm information section, you will see the SharePoint Farm Build Version.
sharepoint 2013 check sharepoint patch level
To match the build number with SharePoint 2013 patch, use Todd Klindt's blog: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346

Step 2: SharePoint 2013 patch download
To start with SharePoint 2013 patching, We must download the relevant patches first!. The major difference in downloading patches for SharePoint 2013 and its previous versions is: You don't have to download and install patches for both SharePoint Foundation and SharePoint Server, if you are running with SharePoint 2013 server. You can just download and install SharePoint Server patch alone!!

To download SharePoint 2013 service packs, hot-fixes and cumulative updates(CU), head on to Microsoft SharePoint updates site: http://technet.microsoft.com/library/dn789211(v=office.14)
You have to download the relevant patch depending on your SharePoint environment version/edition and patch level.
Download all patches to a network location so that you do not have to download for every server in the farm!

Step 3: Install SharePoint patch Binaries
The next step is to install service pack/patches to all SharePoint servers (except the database server). You can start with SharePoint App Server(s) that host Central Administration first.
  • Browse to the location where you downloaded patches. 
  • Start the patching process by double clicking the installers (you may have to extract the downloaded binaries!). Accept the license agreement and click on "Continue".
sharepoint 2013 service pack installation
  •  You should see the installation progress window. You may asked to reboot the server to complete patch installation.
  •  Wait for the installation is complete message.

Install Patches on All other servers in the Farm:
You must install any patch on every server in your SharePoint farm including WFE and App servers. SharePoint 2013 Products Configuration Wizard is good enough to detect and prevent you from proceeding, If you try to run SharePoint 2013 Products Configuration Wizard without installing binaries on all servers.
sharepoint 2013 patch management
Install all other required binaries before proceeding with the next step.

Step 4: Run SharePoint 2013 Products Configuration Wizard
Once binaries are installed on all SharePoint servers, The next step is run SharePoint 2010 Products Configuration Wizard.
  • Go to start >> Search "SharePoint products configuration wizard" and run PSConfig wizard as administrator. Click on Next to continue.
sharepoint 2013 foundation patch
  • You will get a warning message saying few services will be restarted during this upgrade process. Click Yes and then Click Next
  •  SharePoint products configuration wizard will run through the upgrade process. Wait for the wizard to complete.
  •  When the wizard is completed, click Finish.
sharepoint 2013 patching best practices
Repeat this patch procedures in rest your SharePoint Servers in the farm.

Run SharePoint 2013 Products Configuration Wizard ONE Server at a time:
We have to run SharePoint 2013 products configuration wizard in all other servers. Although SharePoint patch installation can happen simultaneously, I would suggest you run SharePoint Products Configuration Wizard only on ONE sever at a time! Start from App Server which hosts central admin, Once its completed move on to other app servers and then SharePoint web front ends. SharePoint 2013 patching process may take about 30 minutes on each server.

If you try to run the wizard simultaneously, You'll get to see SharePoint 2013 places a lock until the configuration gets completed on the other server already running the wizard.

Step 5: Verify Installation for SharePoint 2013 Service Pack:
We have successfully installed patches in our SharePoint 2013 environment. To verify patching and make sure installation is successful lets check the farm's build number. There are many ways to find SharePoint build number (more info:  How to find SharePoint Farm Build Version Number/Patch Level ). Here is the easiest one:
  • Go to your SharePoint 20103 Central Administration site. 
  • From the Central Administration, navigate to System Settings >> Manage Servers in this Farm
  • From the Servers in this Farm page, under the Farm information section, you will see the Configuration Database Version.
sharepoint 2013 service pack version number
Make sure your new build number is matching with the patch your have just installed. Also, check "Manage Servers in this Farm" page in Central administration. This page will also tell you if you need to run the SharePoint Products Configuration Wizard on a server to complete the update process. Make sure every server in your SharePoint farm is upgraded and displays status as "No Action Required".
SharePoint 2013 patch status page:
You can check the patch status on each and every individual server with "Manage patch status page" (Central Administration >> Upgrade and Migration >> Check product and patch installation status.
sharepoint 2013 patch status page
"Check upgrade status" page gives insights on detailed upgrade status information.
sharepoint 2013 patch status page
Don't just stop by SharePoint 2013 service pack installation. But apply Windows Server OS patches and SQL Server patches on regular maintenance windows.

SharePoint 2013 Service installation failed?
In case of failure, review the error log presented to determine the source . Simply re-running the products configuration wizard worked for me any times! or you may have to run psconfig command instead of running the wizard.
psconfig -cmd upgrade -inplace b2b -wait
 
What is the difference between service pack, Cumulative updates and hot fixes (or patches)?
  • Hotfix/patch is a update addressing a specific problem/bug/security issue. On Demand - normally not for everyone, you should only apply the patch if you're having the specific problem it addresses. Microsoft publishes a corresponding KB article for every hotfix that is released for every Microsoft product. 
  • Cumulative Updates  - As their name suggest, they are cumulative in content so they include a collection previously released hotfixes to date. Hotfixes and CUs are not always publicly released.  You'll get a link to download these hotfixes and CUs on requesting via Microsoft site. 
  • Service pack is a collection of CUs (and patches). It rolls together all patches that have come along over a given period of time. - Usually contains new features and available to public.
Every Hotfix, CU, Service pack you install, will increment the version/build number of your SharePoint Farm.

Last but not least: Its a good idea to have a maintenance page during scheduled down times in SharePoint: Maintenance Page for SharePoint - Quick way to Implement  

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Monday, January 5, 2015

SharePoint 2013 User Permission Analysis & Reporting using PowerShell

Analysing SharePoint permissions for a particular user is often a common task in SharePoint administration. Generally, How do we check what permissions a user has on SharePoint content? By getting into site or list settings page and check permissions for the particular user, isn't it? Well, You may want to analyze the particular user's permissions for your entire SharePoint environment.  How about that? Each and every SharePoint site, list, library, folder and list items may have unique permissions. It can even go more challenging when you have multiple SharePoint farms.

Well, PowerShell is the life saver! Here is my permission reporting solution to scan and provide a report to view a user's permission on the SharePoint web application. With this script, you can analyze and track the security effectively! Check what permissions on an account has been granted in all places in SharePoint. This PowerShell script scans below areas to retrieve a specific user's access rights:
  • Farm administrator's group
  • Central administration web application policies
  • Site collection administrators 
  • Scans all site collections and sub-sites with unique permissions in which user has access.
  • Scans all lists and libraries with unique permissions in which user has access.
  • Scans all folders and list Items which has permissions in the site in which user has access.
Just change the Input variables section and provide parameters for User Id, Web Application and Report path variables and run the script in PowerShell.

After generating a SharePoint permissions report, this script generates a CSV file, which can be export as excel file to allows the further research and analyze outside of a SharePoint environment. It gets data such as:  Object, Title, URL, Permission Type, Permissions as in the below screenshot.
PowerShell Script to Generate User Permission Report in SharePoint 2010/2013

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to retrieve Permission data
Function Get-PermissionInfo([String]$UserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
 #Object Array to hold Permission data
    $PermissionDataCollection = @()

 #Determine the given Object type and Get URL of it
    switch($Object.GetType().FullName)
 {
  "Microsoft.SharePoint.SPWeb"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
  "Microsoft.SharePoint.SPListItem" 
  { 
   if($Object.Folder -ne $null)
   {
     $ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" 
   }
   else
   {
    $ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" 
   }
  }
  #Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, "Microsoft.SharePoint.SPPictureLibrary",etc
  default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)" }
 }
 
 #Get Permissions of the user on given object - Such as: Web, List, Folder, ListItem
 $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo($UserID)
 #Iterate through each permission and get the details
 foreach($UserRoleAssignment in $UserPermissionInfo.RoleAssignments)
 {
  #Get all permission levels assigned to User account directly or via SharePOint Group
  $UserPermissions=@()
        foreach ($UserRoleDefinition in $UserRoleAssignment.RoleDefinitionBindings)
        {
   #Exclude "Limited Accesses"
   if($UserRoleDefinition.Name -ne "Limited Access")
   {
          $UserPermissions += $UserRoleDefinition.Name
   }
        }
 
  #Determine Permissions granted directly or through SharePoint Group
  if($UserPermissions)
  {
   if($UserRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])   
   {
     $PermissionType = "Member of SharePoint Group: " + $UserRoleAssignment.Member.Name     
   }
   else
   {
    $PermissionType = "Direct Permission"
   }
   $UserPermissions = $UserPermissions -join ";"  
 
   #Create an object to hold storage data
         $PermissionData = New-Object PSObject
         $PermissionData | Add-Member -type NoteProperty -name "Object" -value $ObjectType
   $PermissionData | Add-Member -type NoteProperty -name "Title" -value $Object.Title
         $PermissionData | Add-Member -type NoteProperty -name "URL" -value $ObjectURL  
   $PermissionData | Add-Member -type NoteProperty -name "Permission Type" -value $PermissionType
   $PermissionData | Add-Member -type NoteProperty -name "Permissions" -value $UserPermissions
   $PermissionDataCollection += $PermissionData
  }   
 } 
 Return $PermissionDataCollection
}

#Function to Generate Permission Report
Function Generate-PermissionReport($UserID, $WebAppURL, $ReportPath)
{
    #Output Report location, delete the file, If already exist!
    if (Test-Path $ReportPath)
     {
        Remove-Item $ReportPath
     }
  
   #Write Output Report CSV File Headers
  "Object, Title, URL, Permission Type, Permissions" | out-file $ReportPath

 ###Check Whether the Search Users is a Farm Administrator ###
 Write-host "Scanning Farm Administrators..." 
   #Get the SharePoint Central Administration site
   $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
    $AdminSite = Get-SPWeb $AdminWebApp.Url
    $AdminGroupName = $AdminSite.AssociatedOwnerGroup
    $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
 
 #enumerate in farm adminidtrators groups
    foreach ($user in $FarmAdminGroup.users)
    {
     if($user.LoginName.Endswith($UserID,1)) #1 to Ignore Case
     {
       "Farm, $($AdminSite.Title), $($AdminWebApp.URL), Farm Administrators Group, Farm Administrator" | Out-File $ReportPath -Append
     }     
    }
 
 ### Check Web Application User Policies ###
 Write-host "Scanning Web Application Policies..." 
  $WebApp = Get-SPWebApplication $WebAppURL
 
  foreach ($Policy in $WebApp.Policies)
  {
      #Check if the search users is member of the group
     if($Policy.UserName.EndsWith($UserID,1))
       {
       #Write-Host $Policy.UserName
        $PolicyRoles=@()
       foreach($Role in $Policy.PolicyRoleBindings)
       {
        $PolicyRoles+= $Role.Name +";"
       }
   #Send Data to CSV File
      "Web Application, $($WebApp.Name), $($WebApp.URL), Web Application Policy, $($PolicyRoles)" | Out-File $ReportPath -Append
   }
  }

 #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
    if($WebApp.UseClaimsAuthentication)
    {
        $ClaimsUserID = (New-SPClaimsPrincipal -identity $UserID -identitytype 1).ToEncodedString()
    }
 
 #Get all Site collections of given web app
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

 #Loop through all site collections 
    foreach($Site in $SiteCollections)
    {
     Write-host "Scanning Site Collection:" $site.Url
  ###Check Whether the User is a Site Collection Administrator
     foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
        {
      if($SiteCollAdmin.LoginName.EndsWith($ClaimsUserID,1))
      {
       "Site Collection, $($Site.RootWeb.Title), $($Site.RootWeb.Url), Site Collection Administrators Group, Site Collection Administrator" | Out-File $ReportPath -Append
      }     
    }
  
  #Get all webs
  $WebsCollection = $Site.AllWebs
  #Loop throuh each Site (web)
  foreach($Web in $WebsCollection)
  {
       if($Web.HasUniqueRoleAssignments -eq $True)
             {
     Write-host "Scanning Site:" $Web.Url
    
     #Get Permissions of the user on Web
     $WebPermissions = Get-PermissionInfo $ClaimsUserID $Web
     
     #Export Web permission data to CSV file - Append
     $WebPermissions |  Export-csv $ReportPath  -notypeinformation -Append 
    } 
    
    #Check Lists with Unique Permissions
    Write-host "Scanning Lists on $($web.url)..."
    foreach($List in $web.Lists)
    {
              if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                 {
      #Get Permissions of the user on list
                        $ListPermissions = Get-PermissionInfo $ClaimsUserID $List
      
      #Export Web permission data to CSV file - Append
      $ListPermissions |  Export-csv $ReportPath -notypeinformation -Append       
     }
    
     #Check Folders with Unique Permissions
     $UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True }                    
                    #Get Folder permissions
                    foreach($folder in $UniqueFolders)
        {
                        $FolderPermissions = Get-PermissionInfo $ClaimsUserID $folder
    
      #Export Folder permission data to CSV file - Append
      $FolderPermissions |  Export-csv $ReportPath -notypeinformation -Append    
                    }
    
     #Check List Items with Unique Permissions
     $UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True }
                    #Get Item level permissions
                    foreach($item in $UniqueItems)
        {
                        $ItemPermissions = Get-PermissionInfo $ClaimsUserID $Item
      
      #Export List Items permission data to CSV file - Append
      $ItemPermissions |  Export-csv $ReportPath -notypeinformation -Append    
                    }
    }
  }
 }
 Write-Host Permission Report Generated successfully!
}

#Input Variables
$WebAppURL = "http://intranet.crescent.com"
$Userid ="Crescent\Salaudeen" 
$ReportPath = "D:\Reports\PermissionRpt.csv"

#Call the function to generate user access report
Generate-PermissionReport $Userid $WebAppURL $ReportPath
You can also download the script from Technet gallery: SharePoint Permission Report: Check Access Rights for a Specific User

This script is broken into two functions. So that you can use the first function: Get-PermissionInfo to get permissions data scoped to a site collection permission report/site. Above script scoped at a particular web application. You can call the same function on all your web application to get the entire SharePoint permissions reports.

PowerShell Scripts to generate SharePoint Permission Reports:
Here is my list of PowerShell scripts to create various reports for SharePoint permission auditing.

3rd Party Tools:
There are many tools in the market to analyze, audit SharePoint user permissions (and more features naturally!). Here are some:


You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Tuesday, December 30, 2014

SharePoint 2013 Composed Looks Feature

Themes are the quick and easiest way to apply branding to SharePoint sites. Themes got changed over time in SharePoint's history. Now in SharePoint 2013, Themes are redesigned as "Composed Look" feature. As it sounds "Composed" look, it simply defines theming by combining design elements: Master page - AKA site layout, Color theme, Font schemes and background images.

No more thmx - PowerPoint themes which was introduced in SharePoint 2010, these themes can't be used in SharePoint 2013.

How to Apply composed look in SharePoint 2013? :
You can get the option to change SharePoint 2013 themes via "Change the Look" link from the Site Settings menu. Same is available under Look and Feel group of Site settings page.
 Change the look wizard and shows a thumbnail view of available designs. These designs are defined in a special list: "Composed Looks".
 

SharePoint 2013 Apply composed look:
To apply a composed look, Click on:
  • Site Settings >> Change the Look 
  • Select the new look to apply
  • Click on "Try it out" link >> SharePoint will give you the preview of your SharePoint site with the new theme 
  • Once you confirm by "Yes, Keep it", the new look and feel is applied to your SharePoint 2013 site.

Create composed look in SharePoint 2013:

In Short: To Create and Apply your custom theme in SharePoint 2013, There are three steps: 
Step 1: Create and upload theme elements: Master Pages, spcolor, spfonts, etc. to SharePoint.

Step 2: Register your Theme: Create a list item in "Composed Looks" list populating your theme artifacts. This will make your theme available in the design gallery at http://your-site-url/_layouts/15/designgallery.aspx

Step 3: Apply theme: You can apply theme from Site settings - Change the Look. You can also apply theme programmatically.
As illustrated above image, To create a custom composed look in SharePoint 2013, We need these artifacts ready. BTW, These design elements are reusable - Meaning can be used in any number of custom theme (or call it "Composed Look")!
  • Master Page - AKA - Site Layout
  • Color palette - AKA - Theme
  • Font scheme  - Optional
  • Background image  - Optional
Master Page URL - A reference to either a default or custom master page which is already uploaded to the master page gallery. This master page must accompanying a .preview file with the exact name - (with the .preview extension instead of .master). Otherwise, you won't get composed look preview.

Color Palette:
Color palette is nothing more than an normal XML file with a .spcolor extension. By default, color palette contains 89 Color slots of Key-Value pair.
E.g.
<s:color name="FooterBackground" value="7F333333" />
Where the first two digits: 7F represents the Transparency (optional) and rest for HEX value of the color.
  
SharePoint 2013 Color Palette Tool:
While editing the .spcolor file can be done with SharePoint Designer or notepad, Microsoft offers a nifty tool to make it simple. You can download color palette tool for SharePoint 2013 from Microsoft: http://www.microsoft.com/en-us/download/details.aspx?id=38182
This tool also lets you open a OOTB color palette and modify the colors. Once you built your customized color palette, You can upload it to the Theme Gallery (Site settings >> Themes >> 15 (Shortcut:  /_catalogs/theme/15/ ) and use it in a composed look. This gallery generally resides on the root web level and has theme files, Color palette and font schema inside 15 folder.

Font scheme:  (Optional)
SPFont File - This file contains all the font definitions for the Composed Look. The font scheme is also an XML file with a .spfont extension. There are 7 font slots with names such as title, navigation, and small-
heading. Font schemes can be easily edited with any Text editor or SharePoint designer.(Download any existing font scheme and do your changes)

Upload your .spfont file under: Site Settings > Themes > 15 > add new document then use that link to
the .spfont file in your Composed Look item.
Please note: The .spfont and .spcolor files must be in the /_catalogs/theme/15 folder, NOT in a sub-folder!
Color Pallette and Font Scheme reference: http://msdn.microsoft.com/en-us/library/office/jj945889.aspx

Background Image (Optional) - The image that will cover the entire background of your SharePoint pages.

Once you have all these artifacts ready, The next step is: Making an entry in Composed Looks list to pack it as a theme!

The "Composed Looks" List:

As the name suggests, This library contains all composed looks. This list actually contains master page URL, image URL, theme(color palette) URL, Font Scheme URL and Display Order. So, all of them together is a theme.

You can launch this list by: Site settings >> under "Web Designer Galleries" Group >> Composed looks:
Once you have the above artifacts ready and uploaded to respective folders, To make your own Composed Look, go to:
  • Site Settings > Composed looks under the Web Designer Galleries heading 
  • Click on add new item.  
  • From there you simply fill out the form giving the title, name and URLs to your custom Master Page (which may have custom CSS files linked inside) and other artifacts.
Once you have the entry for your theme in this list you can see your composed look/theme available on "Change Look" page.

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


You might also like:

Related Posts Plugin for WordPress, Blogger...