Archive for the ‘SharePoint Advancements’ Category

SharePoint 2010: Adding SAML Claim permission for All Authenticated Users using PowerShell.

February 1, 2017

I recently had to convert one of my SharePoint 2010 Web Applications from Windows Claims/NTLM to SAML Claims, removing the need for NTLM authentication by using a Claims Provider (ADFS) for authentication. When I did so, permissions on the SAML Claims Web Application broke because they were still based on the Windows Claims permissions. Since the NTLM permission was removed at the Web Application level, and Anonymous Access was also removed to meet the DISA STIG requirement, this in turn locked out users who used to have “read” rights to the Portal. To fix this problem I had to grant “read” permissions to the SAML Claims ‘All Authenticated Users’ principal on all Site Collections / Sites so these users could once again gain access. Below is how I accomplished this using PowerShell.

————————————————————————–

$webApp = Get-SPWebApplication "[WEB APPLICATION URL]"
$sts = Get-SPTrustedIdentityTokenIssuer "[CLAIMS PROVIDER TOKEN ISSUER NAME]"

# Map permission masks to permission level names so each web's permissions can be resolved to a level
$PermLevels = @{}

# Tab-separated log of every SAML claim granted (written as .csv)
"URL `t" + "userName `t" + "userLogin `t" + "userEmail `t" + "permissionLevel `t" + "SAMLClaim" >> User_Permissions_AllAuthenticatedUsers.csv

foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{
	foreach ($role in $web.Roles)
	{
		$permmask = $role.PermissionMask
		$permname = $role.Name
		# The same mask shows up in every web; only record it once
		if (-not $PermLevels.ContainsKey("$permmask"))
		{
			$PermLevels.Add("$permmask", "$permname")
		}
	}
	foreach ($perm in $web.Permissions)
	{
		$permmaskcurrent = $perm.PermissionMask
		$level = $PermLevels.Get_Item("$permmaskcurrent")

		if ($perm.Member.Name -like "*All Authenticated Users*")
		{
			if (-not $level)
			{
				Write-Warning "No permission level found for mask $permmaskcurrent on $($web.Url); skipping"
				continue
			}

			# Claim principal for the SAML role claim, issued by the trusted identity token issuer
			$claimPrincipal = New-SPClaimsPrincipal -ClaimValue $perm.Member.Name -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -TrustedIdentityTokenIssuer $sts

			$newUser = New-SPUser -UserAlias $claimPrincipal.ToEncodedString() -Web $web
			$account = $web.EnsureUser($newUser.LoginName)

			# Windows claim holders that only had Limited Access are granted Read instead
			if ($level -eq "Limited Access")
			{
				$level = "Read"
			}
			$role = $web.RoleDefinitions[$level]
			$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
			$assignment.RoleDefinitionBindings.Add($role)
			$web.RoleAssignments.Add($assignment)

			$web.Url + "`t" + $perm.Member.Name + "`t" + $perm.Member.LoginName + "`t" + $perm.Member.Email + "`t" + $level + "`t" + $account >> User_Permissions_AllAuthenticatedUsers.csv
		}
	}
	$web.Dispose()
}

————————————————————————–

The above script loops through all the Site Collections and Sites looking for the Windows Claim for ‘All Authenticated Users’. Once it finds an instance where the ‘All Authenticated Users’ permission is used, it adds the SAML Claim for ‘All Authenticated Users’.

This script does not clean up/remove the old Windows Claims permission for ‘All Authenticated Users’. I left it in place just in case the Web Application needs to be extended to once again support Windows Claims/NTLM authentication.

I will later blog about how to add the ‘All Authenticated Users’ SAML Claim to Groups, and also how to add individual SAML Claim permissions to users by granting their SAML Token for email.

Hopefully this is helpful for those that are struggling to reprovision their Windows Claims permissions to SAML Claims.
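As an added verification pass (not part of the original post), the following script reports, without changing anything, every web where an ‘All Authenticated Users’ principal holds a role assignment, whether that grant is already the SAML claim the script above creates, and which webs only had Limited Access (which the script above raises to Read). The web application URL and issuer name are placeholders as above; the report file name and the check that the issuer maps the role claim type are my additions.

```powershell
# Added audit script, not from the original post. Read-only: it writes a report and changes no permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "[WEB APPLICATION URL]"
$sts = Get-SPTrustedIdentityTokenIssuer "[CLAIMS PROVIDER TOKEN ISSUER NAME]"
$roleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# New-SPClaimsPrincipal -ClaimType only accepts claim types the issuer maps, so check that first
$mapped = $sts.ClaimTypeInformation | Where-Object { $_.MappedClaimType -eq $roleClaimType }
if ($mapped -eq $null)
{
	Write-Warning "Issuer '$($sts.Name)' has no mapping for $roleClaimType; add one (Add-SPClaimTypeMapping) before running the grant script."
}

# Encoded login the grant script creates, so webs that already have it are reported as such
$samlClaim = New-SPClaimsPrincipal -ClaimValue "All Authenticated Users" -ClaimType $roleClaimType -TrustedIdentityTokenIssuer $sts
$samlLogin = $samlClaim.ToEncodedString()

$report = @()
foreach ($site in $webApp | Get-SPSite -Limit All)
{
	foreach ($web in $site | Get-SPWeb -Limit All)
	{
		foreach ($ra in $web.RoleAssignments)
		{
			if ($ra.Member.Name -notlike "*All Authenticated Users*") { continue }
			$levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
			$report += New-Object PSObject -Property @{
				Url         = $web.Url
				Inherits    = -not $web.HasUniqueRoleAssignments
				Login       = $ra.Member.LoginName
				IsSamlClaim = ($ra.Member.LoginName -eq $samlLogin)
				Levels      = $levels
				# The grant script raises these to Read, which is more than the Windows claim had
				OnlyLimited = ($levels -eq "Limited Access")
			}
		}
		$web.Dispose()
	}
	$site.Dispose()
}

# Full report for review, plus the webs whose grant would be widened on screen
$report | Export-Csv -NoTypeInformation -Path .\AllAuthenticatedUsers_Audit.csv
$report | Where-Object { $_.OnlyLimited -and -not $_.Inherits } | Format-Table Url, Login, Levels -AutoSize
```

Run it before the grant script to size the change, and again afterwards: every row with IsSamlClaim false should then have a matching row with IsSamlClaim true.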

Get SharePoint 2010 Site Collections Last Modified Date using PowerShell

April 9, 2014

I was recently asked if I could provide a script that lists all site collections within a web application that had not been accessed within a given number of days, so that the Site Administrators can decommission them due to non-use. Since there is no easy way to determine who has actually “visited” these sites without digging through audit logs or IIS logs, or possibly writing some custom code, the next best thing is to check when the site was last modified. The assumption here is that if a site was created on a specific date but nothing has changed on the site (added documents, document/library creations, etc.) for a given amount of time, the site is probably “stale” and no longer in use.

The PS script below loops through all Site Collections / Sub-Sites of a Web Application, compares each one's last modified date against a cutoff date, and writes out a report.

——————————————————————————————————————————————

$webApp = Get-SPWebApplication "URL OF WEB APPLICATION"
$daysInActive = Read-Host "Enter in number of days to check since last modified"
# Cutoff as a DateTime at midnight, so the comparison below is date-to-date rather than string-to-date
$date = (Get-Date).AddDays(-[int]$daysInActive).Date

foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{
	if ($web.LastItemModifiedDate -le $date)
	{
		Write-Host $web.Url
		Write-Host $web.LastItemModifiedDate

		$web.Url + " | " + "Last Modified Date: " + $web.LastItemModifiedDate >> LastModified.txt
	}
	$web.Dispose()
}

——————————————————————————————————————————————

UPDATE:

The following updated script generates a csv file and emails the specific individuals who need to be notified of “inactive” Site Collections/Sites.

——————————————————————————————————————————————

#Get Web Application
$webApp = Get-SPWebApplication "URL OF WEB APPLICATION"

#Get Today's Date
$today = Get-Date

#Set EmailSentDate
$EmailSentDate = $today.ToString("MM-dd-yyyy")

#Create csv Log Name and Location
$csvLog = "c:\temp\lastModified_" + $EmailSentDate + ".csv"

#CREATE .CSV COLUMN HEADERS (tab-separated)
"siteTitle `t" + "siteURL `t" + "siteOwners `t" + "lastModifiedDate" >> $csvLog

#GET NUMBER OF DAYS OF INACTIVITY FROM USER
$daysInActive = Read-Host "Enter in number of days to check since last modified"
# Cutoff as a DateTime at midnight rather than a string, so the comparison is date-to-date
$date = (Get-Date).AddDays(-[int]$daysInActive).Date

#LOOP THROUGH ALL SITE COLLECTIONS AND SUB-SITES IN A WEB APPLICATION
foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{
	if ($web.LastItemModifiedDate -le $date)
	{
		#SET $siteOwner VARIABLE TO EMPTY
		$siteOwner = ""
		#SET COUNT TO 0
		$count = 0

		#LOOP THROUGH SITE OWNERS
		foreach ($siteAdmin in $web.SiteAdministrators)
		{
			$count = $count + 1

			#IF MORE THAN 1 SITE OWNER, PUT OWNERS ON ONE LINE SEPARATED WITH A COMMA
			if ($count -gt 1)
			{
				$siteOwner = $siteAdmin.LoginName + ", " + $siteOwner
			}
			#IF ONLY ONE SITE OWNER
			else
			{
				$siteOwner = $siteAdmin.LoginName
			}
		}
		#WRITE TO .CSV FILE
		$web.Title + "`t" + $web.Url + "`t" + $siteOwner + "`t" + $web.LastItemModifiedDate >> $csvLog
	}
	$web.Dispose()
}

#SEND EMAIL NOTIFICATION
$att1 = New-Object Net.Mail.Attachment($csvLog)
$email = New-Object System.Net.Mail.MailMessage
$email.From = "FROM EMAIL ADDRESS"
$email.To.Add("TO EMAIL ADDRESS")
$email.Subject = "SharePoint Sites With Inactivity - " + $daysInActive
$email.Body = "The Following SharePoint sites have not been visited in the past, $daysInActive days.  Please notify the Site Owners of these sites to decommission"
$email.Attachments.Add($att1)
$smtpServer = "SMTP SERVER NAME or IP ADDRESS"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($email)
#Release the attachment's handle on the csv file
$att1.Dispose()

—————————————————————————————————————————————————————————

Hide Left Side Navigation, Search Bar, and Search Icon using Content Editor WebPart In SharePoint 2010

October 3, 2013

If you ever wanted to format your SharePoint 2010 Site to feel more like a public-facing site (landing page), and you want to hide the left side navigation, search bar, and search icon from your site, then below is a very simple way to accomplish this using only a Content Editor Webpart on your site rather than modifying the master page.


1.  Add a Content Editor WebPart to your SharePoint 2010 Site in any zone.
2.  Edit the HTML Source of Content Editor WebPart
3.  Type the following

<!-- Hide Left Navigation -->

<style>
body #s4-leftpanel
{
    display: none;
}
.s4-ca
{
    margin-left: 0px;
}
</style>

<!-- Hide Search Bar -->

<style>
#SRSB
{
    display: none;
}
</style>

<!-- Hide Search Icon -->

<style>
.s4-help
{
    visibility: hidden;
}
</style>

4.  Apply the changes to the Content Editor Webpart
5.  Hide the Content Editor Webpart from the site
6.  Stop editing the page.

Remove Orphaned Content Types in SharePoint 2010 That Are Associated With a Feature.

March 21, 2013

This post relates to an earlier post of mine, http://jshidell.com/2012/06/07/removing-a-corrupted-site-column-in-sharepoint-2010/, where orphaned content types found in content databases needed to be removed because they prevented me from activating Site Collection features.

In this post I will discuss how you can remove Orphaned Content Types found in your Site Collection's Site Content Type list that you cannot delete through the SharePoint GUI because they are associated with a feature that is no longer deployed or available in your SharePoint 2010 farm, and that you no longer need.

In my case I had 8 different Orphaned Content Types left behind after a solution was retracted from my SharePoint 2010 farm. Depending on how a solution was developed, in most cases retracting it should also take its content types along with it. However, this was not the case for me.

The solution I was dealing with here was Visual Fusion; this 3rd-party solution was no longer needed in our environment and I needed to get rid of all its references.

Since Visual Fusion does not automatically remove its content types after retracting, these content types still lived in our content databases.

When I tried to delete these content types from the Site Content Type list I got an error stating that the content type is part of a feature, and it would not let me delete it.

What happens here is that there is a column (field) called IsFromFeature in the ContentTypes table of each Content Database. This column specifies whether each content type is associated with a feature or not: if the flag is 1 it is associated with a feature, if the flag is 0 it is not.

The only way to fix this problem is a direct DB modification.

As I stressed in the post linked above, doing any type of DB modification/fix is not supported by Microsoft unless you get direct approval from them that it is ok. For all my cases like this I open a case with them to protect myself, just in case I need Premier Microsoft support later.

So if you ever run into this issue, make sure you get Microsoft’s approval before proceeding, unless you don’t care about receiving Premier support.

Below are the steps to fix this issue. Proceed with caution: I’m not responsible for your farm.

===========================================================================================================

1.  Determine which Content Database(s) have these orphan content types. If you have multiple content databases, you can determine which site collection lives in which Content Database by going to Central Administration > Application Management > View all site collections.

2.  After you determine which Content Database(s) need these orphaned content types removed, head over to your Database Server (I’m assuming SQL).

3.  Once on your database server, open SSMS and a new query window.

4.  Type the following inside the query window, and execute the query:

SELECT * FROM [NAME OF CONTENT DATABASE].[dbo].[ContentTypes] WHERE Definition LIKE '%NAME OF Content Type%'

5.  If you look at the results you should see the IsFromFeature flag set to 1 for these content types.

6.  We now want to update this flag from 1 to 0.

7.  Inside that same query window, type:

UPDATE [NAME OF CONTENT DATABASE].[dbo].[ContentTypes] SET IsFromFeature = 0 WHERE Definition LIKE '%NAME OF Content Type%'

8.  This will update the IsFromFeature flag from 1 to 0.

9.  Run the query from step 4 again to verify that the flag did change.

10.  If successful, go back to your Site Collection Site Content Types, and you should now be able to open up each Content Type and delete it.

============================================================================================================

Hopefully this is helpful for others who have encountered this same problem.
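As an added example (not from the original post) of doing steps 4 to 9 in one guarded pass, the PowerShell script below uses .NET SqlClient to pass the content type name as a query parameter instead of splicing it into the SQL text, runs the UPDATE inside a transaction, and only commits when the row counts before and after match what step 5 showed you. Server, database, content type name and expected row count are placeholders.

```powershell
# Added example, not from the original post. Same flag flip as steps 4-9, with the name passed as a
# parameter, a transaction, and a row-count guard so a LIKE pattern that matches too much is rolled back.
$sqlServer    = "[SQL SERVER\INSTANCE]"
$contentDb    = "[NAME OF CONTENT DATABASE]"
$ctName       = "[NAME OF Content Type]"
$expectedRows = 1   # set to the number of rows step 5 showed for this name

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlServer;Database=$contentDb;Integrated Security=SSPI")
$conn.Open()
$tran = $conn.BeginTransaction()
try
{
	# Parameterised LIKE: the name goes in as a value, never as part of the SQL text
	$select = $conn.CreateCommand()
	$select.Transaction = $tran
	$select.CommandText = "SELECT COUNT(*) FROM [dbo].[ContentTypes] WHERE Definition LIKE '%' + @name + '%' AND IsFromFeature = 1"
	[void]$select.Parameters.AddWithValue("@name", $ctName)
	$before = [int]$select.ExecuteScalar()
	Write-Host "Rows with IsFromFeature = 1 matching '$ctName': $before"

	if ($before -ne $expectedRows)
	{
		throw "Expected $expectedRows row(s) but found $before; refusing to update. Check the name pattern from step 4."
	}

	$update = $conn.CreateCommand()
	$update.Transaction = $tran
	$update.CommandText = "UPDATE [dbo].[ContentTypes] SET IsFromFeature = 0 WHERE Definition LIKE '%' + @name + '%' AND IsFromFeature = 1"
	[void]$update.Parameters.AddWithValue("@name", $ctName)
	$changed = $update.ExecuteNonQuery()

	if ($changed -ne $before) { throw "UPDATE touched $changed row(s), expected $before" }

	# Step 9's re-check, done inside the transaction before anything is committed
	$after = [int]$select.ExecuteScalar()
	if ($after -ne 0) { throw "$after row(s) still flagged after the update" }

	$tran.Commit()
	Write-Host "Committed: $changed content type row(s) detached from their feature."
}
catch
{
	$tran.Rollback()
	Write-Error "Rolled back, nothing changed: $_"
}
finally
{
	$conn.Close()
}
```

Take a backup of the content database before running it; a rolled-back transaction protects against a bad pattern, not against a wrong decision.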

Taking Ownership and Checking In Documents With No Checked In Versions in SharePoint 2007 Using PowerShell.

September 24, 2012

I recently blogged about how to Get a listing of All Checked-Out Documents with No Checked-In Versions in SharePoint 2007 Using PowerShell. That post can be found here: http://jshidell.com/2012/06/21/getting-a-list-of-all-checked-out-files-with-no-checked-in-versions-in-sharepoint-2007-using-powershell/

Now I’m going to add a little more to that post: the ability to Take Ownership of the documents and Check them in at the same time. This can come in handy if you have a lot of documents that are checked out and don’t belong to you, and you need them checked in, possibly for migration purposes.

Below is the modified script on how to accomplish this.

——————————————————————————————————————————————————————————–
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function CheckedOutItems()
{
	$url = Read-Host "Please Enter In Site Url"
	# Tab-separated report of every file taken over (written as .csv)
	"SiteURL `t" + "FileName `t" + "CheckedOutTo `t" + "ModifiedDate `t" + "Version" >> c:\temp\checkedoutfiles.csv
	$site = New-Object Microsoft.SharePoint.SPSite($url)
	$webs = $site.AllWebs

	foreach ($web in $webs)
	{
		$listCollections = $web.Lists
		foreach ($list in $listCollections)
		{
			if ($list.BaseType.ToString() -eq "DocumentLibrary")
			{
				$dList = [Microsoft.SharePoint.SPDocumentLibrary]$list
				# Files that are checked out and have never been checked in (only visible to their owner until taken over)
				$files = $dList.CheckedOutFiles
				foreach ($file in $files)
				{
					$wuse = $file.DirName.Substring($web.ServerRelativeUrl.Length)
					$web.Url + "`t" + $wuse + "/" + $file.LeafName + "`t" + $file.CheckedOutBy.Name + "`t" + $file.TimeLastModified.ToString() + "`t" + "No Checked In Version" >> c:\temp\checkedoutfiles.csv
					$file.TakeOverCheckOut() #Take ownership of checked out document
				}
				# Now that the files belong to us they show up as list items and can be checked in
				foreach ($item in $list.Items)
				{
					# Skip folders and files that are not checked out; CheckIn would throw on those
					if (($item.File -ne $null) -and ($item.File.CheckOutStatus -ne "None"))
					{
						$item.File.CheckIn("Checked in by Systems Administrator") #Check document in
					}
				}
			}
		}
		$web.Dispose()
	}
	$site.Dispose()
}

CheckedOutItems

PowerShell Script: (Creating a Site Collection in a Managed Path In Its Own Content Database)

April 10, 2012

Did I mention I love PowerShell? Well, I’ll mention it again: I love PowerShell. It makes performing things within SharePoint 2010 so much easier through automation.

Below is a basic script that will create a new Site Collection in a Managed Path and in its own Content Database. Just copy the script below into Notepad and save it as a .ps1 file.

The script checks whether a Managed Path already exists in the Web Application and creates it if not. It then creates the new Content Database, creates the new Site Collection in the new Managed Path, assigns the Primary/Secondary Site Owners, and sets the Site Collection to Anonymous Access.

—————————————————————————————————————————————————

Write-Host "*******************************************************"
Write-Host "*     Checking to see if Managed Path already Exists  *"
Write-Host "*******************************************************"

$WebApplicationURL = Read-Host "Enter in Web Application URL"
$ManagedPathName = Read-Host "Enter in Managed Path"

$ManagedPath = Get-SPManagedPath -WebApplication $WebApplicationURL -Identity $ManagedPathName -ErrorAction SilentlyContinue
if ($ManagedPath -ne $null)
{
	Write-Host "Managed Path $ManagedPathName already Exists."
}
else
{
	Write-Host "Managed Path Does Not Exist, Creating Managed Path $ManagedPathName ...."
	New-SPManagedPath -RelativeURL $ManagedPathName -WebApplication $WebApplicationURL -Explicit
}

Write-Host "*******************************************************"
Write-Host "*     Creating New Content Database                   *"
Write-Host "*******************************************************"

$NewContentDB = Read-Host "Enter In Name of New Content Database"
New-SPContentDatabase -Name $NewContentDB -WebApplication $WebApplicationURL
Write-Host "Content Database Created"

Write-Host "*******************************************************"
Write-Host "*     Creating New Site Collection                    *"
Write-Host "*******************************************************"

$Template = "STS#0"   # Team Site template
$Domain = Read-Host "Enter In Domain"
$NewSiteCollectionURL = $WebApplicationURL + "/" + $ManagedPathName
$PrimaryOwnerAlias = Read-Host "Enter In Primary Site Collection Owner"
$SecondaryOwnerAlias = Read-Host "Enter In Secondary Site Collection Owner"
$OwnerAlias = $Domain + "\" + $PrimaryOwnerAlias
$SecondaryAlias = $Domain + "\" + $SecondaryOwnerAlias

New-SPSite -Url $NewSiteCollectionURL -ContentDatabase $NewContentDB -OwnerAlias $OwnerAlias -SecondaryOwnerAlias $SecondaryAlias -Template $Template

# 2 = AnonymousState "On"; the change is only persisted by Update(), and only takes effect
# if anonymous access is allowed on the Web Application's zone
$Web = Get-SPWeb $NewSiteCollectionURL
$Web.AnonymousState = 2
$Web.Update()
$Web.Dispose()

Write-Host "Site Collection Created Successfully..."
Write-Host "Site Collection Owners Added"
Write-Host "Anonymous Access Enabled"

—————————————————————————————————————————————————-

That’s it, pretty simple.  I will be modifying this script a little to display all the different SharePoint Templates you can choose from when creating your Site Collection.  Currently this script is using the Team Site template.

Getting A List of SharePoint 2007 Email Enabled Document Libraries using PowerShell

January 19, 2012

In the process of migrating between MOSS 2007 and SharePoint 2010 I needed to get a listing of all Email Enabled Document Libraries/Lists in my MOSS 2007 environment prior to migration.  This could be accomplished with a little bit of coding with the SharePoint API, but why do that when you can do it with PowerShell.

First and foremost, if you haven’t already installed PowerShell 2.0 on your MOSS 2007 server, go to http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=20430 and download the latest version. Since PowerShell does not come native with MOSS 2007, it needs to be installed separately before we can begin.

After installing PowerShell 2.0 we are going to be creating a .ps1 file.

Open up any text editor (my choice is notepad).

The first thing we want to do is load the SharePoint assemblies so that PowerShell can use the MOSS 2007 object model. (Assemblies do not have to be loaded manually in SharePoint 2010.)

#Load SharePoint Assemblies
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[System.Reflection.Assembly]::Load("Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Portal, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")

Next, instantiate an SPWebApplication object:

#Instantiate an SPWebApplication object
$SPWebApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup("http://portal")

Next, let's create a CSV file:

#Create a CSV file EMail-Enabled.txt
"E-Mail,List,Site" > "EMail-Enabled.txt" #Write the headers to a text file

Now create a foreach loop that walks the Web Application's Site Collections, Sub-sites, and Lists, gathers every Email Enabled Document Library/List, and appends it to the EMail-Enabled.txt file we created.

foreach ($SPSite in $SPWebApp.Sites)  # Get the collection of Site Collections
{
	foreach ($SPWeb in $SPSite.AllWebs)  # Get the collection of Sub Sites
	{
		foreach ($SPList in $SPWeb.Lists)  # Get the collection of Lists
		{
			if ( ($SPList.CanReceiveEmail) -and ($SPList.EmailAlias) )
			{
				# Write-Host "E-Mail -" $SPList.EmailAlias "is configured for the list" $SPList.Title "in" $SPWeb.Url
				$SPList.EmailAlias + "," + $SPList.Title + "," + $SPWeb.Url >> EMail-Enabled.txt  #append the data
			}
		}
	}
}

So your final script should look like this:

#Load SharePoint Assemblies
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[System.Reflection.Assembly]::Load("Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
[System.Reflection.Assembly]::Load("Microsoft.SharePoint.Portal, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")

$SPWebApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup("http://portal")

#Create a CSV file
"E-Mail,List,Site" > "EMail-Enabled.txt" #Write the headers to a text file

#Create foreach loop to enumerate through SharePoint Web Application, Sites, Subsites, and Lists.
foreach ($SPSite in $SPWebApp.Sites)  # get the collection of site collections
{
	foreach ($SPWeb in $SPSite.AllWebs)  # get the collection of sub sites
	{
		foreach ($SPList in $SPWeb.Lists)
		{
			if ( ($SPList.CanReceiveEmail) -and ($SPList.EmailAlias) )
			{
				# Write-Host "E-Mail -" $SPList.EmailAlias "is configured for the list" $SPList.Title "in" $SPWeb.Url
				$SPList.EmailAlias + "," + $SPList.Title + "," + $SPWeb.Url >> EMail-Enabled.txt  #append the data
			}
		}
		$SPWeb.Dispose()  # release each web as we go; large web applications hold a lot of them
	}
	$SPSite.Dispose()
}

Save the file as emailenabled.ps1 or which ever name you choose.

Open up PowerShell on your MOSS 2007 Server, and change directories to where the emailenabled.ps1 script was saved.

Execute the script.  Depending on how large your web application is this might take a little bit of time.

After the script completes inside the location where your script sits you will now see a .TXT file named “Email-Enabled.txt”. Inside that text file you will have a listing of all the Email Enabled Document Libraries/Lists within your SharePoint 2007 Web Application.