pixel0815
02.08.2016
view1508
view4
0
Goto Top

Sharepoint 2013 PermissionCheck - SID auflösen zu Ad-Gruppe

gelöstFrageEntwicklungBatch, Shell
Hallo zusammen, folgendes Skript erstellt eine CSV Datei.
Beim SP2013 nutzen wir Claims Authentifzierung und leider stehen die Gruppen nicht mehr im Klartext da.

In der Spalte LoginName erscheint dann

c:0+.w|s-1-5-21-123456789-12345678-5555555

Ich würde gerne die SID wieder zurück auflösen zu einer Gruppe, am besten in einer zusätzlichen Spalte.

#Script written and modified by Adnan Amin
#Blog: http:{{comment_single_line_double_slash:0}}
#twitter: @adnan_amin
#facebook: https:{{comment_single_line_double_slash:1}}
#facebook: https:{{comment_single_line_double_slash:2}}
#The initial idea was taken from another technet gallery script by Salaudeen Rajack at https:{{comment_single_line_double_slash:3}}
#Script written by Salaudeen only genrate report for a single person, where as below script generates acceess permissions details for all users.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sp2013" "C\pfadzurdateie\SP2013_PermisionReport-$datum.csv"
ShareTeilen
Auf Facebook teilen Auf Twitter teilen Auf Reddit teilen Auf Linkedin teilen

Content-ID: 311482

Url: https://administrator.de/contentid/311482

Ausgedruckt am: 24.11.2024 um 12:11 Uhr

4 Kommentare
Neuester Kommentar
Goto Top
129813
129813 02.08.2016 um 11:32:01 Uhr
Goto Top
To resolve a SID to it's account name use
(New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').Translate([System.Security.Principal.NTAccount])
Regards
pixel0815
pixel0815 02.08.2016 um 11:43:55 Uhr
Goto Top
Hi Highload,

i want to try it with the Values

for Example

$SiteCollAdmin.Username -> $SiteCollAdmin.Displayname or $SiteCollAdmin.Name

It works with the SITE Admins.... but not with Lists.
129813
129813 02.08.2016 aktualisiert um 11:47:37 Uhr
Goto Top
???
it should be clear that if your string looks like this:
c:0+.w|s-1-5-21-123456789-12345678-5555555
you first have to split the string with '|' to extract the SID for using it with the above method !!
pixel0815
pixel0815 02.08.2016 um 13:41:21 Uhr
Goto Top
i change the script to

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.Displayname)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.Displayname)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.Displayname)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sharepointserver" "pathandfilename-$datum.csv"
gelöstFrageEntwicklungBatch, Shell
Mehr von pixel0815pixel0815Update NTFS ACL eines Verzeichnissespixel0815 - 1 Kommentarpixel0815Umbau Skript für NTFS ACLs nach CSV Vorgabepixel0815 - 2 Kommentarepixel0815Citrix Workspace - Nachträglich StoreFront hinzufügenpixel0815 - 6 Kommentarepixel0815Powershell Suche einen Stringpixel0815 - 4 Kommentare
Heiß diskutiert
superfun2k24Sophos SFOS 20 DNAT funktioniert nichtsuperfun2k24 - 26 Kommentareuser217Kaufberatung Hardware - Hyper-V Cluster 3 Nodesuser217 - 25 KommentarePharaunIntel-E810 QSFP28 to Mikrotik QSPF+ mit 40Gbit VerbindungPharaun - 24 Kommentareprplemk2Testumgebung bauen (Grundlegend)prplemk2 - 19 KommentaremaisenkaiserSwitch ohne STP ins Netzwerkmaisenkaiser - 15 KommentareTJ.Hooker74Dom.Admin-Passwort ändern - Auswirkungen auf EX, HCW, AADCTJ.Hooker74 - 15 KommentareJudgelgZertifikate in die Exchange Online GAL hochladenJudgelg - 13 KommentareUnluckyProccess1999Creo 4.0 Lizenz Server (LMTOOLS)UnluckyProccess1999 - 13 KommentareleberkaeseFB7590 ISDN Fax-Funktionleberkaese - 13 KommentaremaxMicrosoft plant für 2025 mehrere Preiserhöhungenmax - 11 KommentareDarkened1645Bildqualität der Windows Remotedesktop-Sitzung verbessernDarkened1645 - 11 KommentareZZaaiiggaaDigitales Archiv - wie?ZZaaiiggaa - 11 Kommentare