Sharepoint 2013 PermissionCheck - SID auflösen zu Ad-Gruppe

Hallo zusammen, folgendes Skript erstellt eine CSV Datei.
Beim SP2013 nutzen wir Claims Authentifzierung und leider stehen die Gruppen nicht mehr im Klartext da.

In der Spalte LoginName erscheint dann

c:0+.w|s-1-5-21-123456789-12345678-5555555

Ich würde gerne die SID wieder zurück auflösen zu einer Gruppe, am besten in einer zusätzlichen Spalte.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
#Script written and modified by Adnan Amin
#Blog: http:{{comment_single_line_double_slash:0}}
#twitter: @adnan_amin
#facebook: https:{{comment_single_line_double_slash:1}}
#facebook: https:{{comment_single_line_double_slash:2}}
#The initial idea was taken from another technet gallery script by Salaudeen Rajack at https:{{comment_single_line_double_slash:3}}
#Script written by Salaudeen only genrate report for a single person, where as below script generates acceess permissions details for all users.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sp2013" "C\pfadzurdateie\SP2013_PermisionReport-$datum.csv"  

Bitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben

Content-ID: 311482

Url: https://administrator.de/forum/sharepoint-2013-permissioncheck-sid-aufloesen-zu-ad-gruppe-311482.html

Ausgedruckt am: 14.04.2025 um 17:04 Uhr

4 Kommentare

Neuester Kommentar

To resolve a SID to it's account name use

1
(New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').Translate([System.Security.Principal.NTAccount])  

Regards

Hi Highload,

i want to try it with the Values

for Example

$SiteCollAdmin.Username -> $SiteCollAdmin.Displayname or $SiteCollAdmin.Name

It works with the SITE Admins.... but not with Lists.

???
it should be clear that if your string looks like this:

1
c:0+.w|s-1-5-21-123456789-12345678-5555555

you first have to split the string with '|' to extract the SID for using it with the above method !!

i change the script to

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.Displayname)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.Displayname)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.Displayname)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sharepointserver" "pathandfilename-$datum.csv"  