pixel0815
Goto Top

Sharepoint 2013 PermissionCheck - SID auflösen zu Ad-Gruppe

Hallo zusammen, folgendes Skript erstellt eine CSV Datei.
Beim SP2013 nutzen wir Claims Authentifzierung und leider stehen die Gruppen nicht mehr im Klartext da.

In der Spalte LoginName erscheint dann

c:0+.w|s-1-5-21-123456789-12345678-5555555

Ich würde gerne die SID wieder zurück auflösen zu einer Gruppe, am besten in einer zusätzlichen Spalte.

#Script written and modified by Adnan Amin
#Blog: http:{{comment_single_line_double_slash:0}}
#twitter: @adnan_amin
#facebook: https:{{comment_single_line_double_slash:1}}
#facebook: https:{{comment_single_line_double_slash:2}}
#The initial idea was taken from another technet gallery script by Salaudeen Rajack at https:{{comment_single_line_double_slash:3}}
#Script written by Salaudeen only genrate report for a single person, where as below script generates acceess permissions details for all users.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sp2013" "C\pfadzurdateie\SP2013_PermisionReport-$datum.csv"  

Content-Key: 311482

Url: https://administrator.de/contentid/311482

Ausgedruckt am: 19.03.2024 um 09:03 Uhr

Mitglied: 129813
129813 02.08.2016 um 11:32:01 Uhr
Goto Top
To resolve a SID to it's account name use
(New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').Translate([System.Security.Principal.NTAccount])  
Regards
Mitglied: pixel0815
pixel0815 02.08.2016 um 11:43:55 Uhr
Goto Top
Hi Highload,

i want to try it with the Values

for Example

$SiteCollAdmin.Username -> $SiteCollAdmin.Displayname or $SiteCollAdmin.Name

It works with the SITE Admins.... but not with Lists.
Mitglied: 129813
129813 02.08.2016 aktualisiert um 11:47:37 Uhr
Goto Top
???
it should be clear that if your string looks like this:
c:0+.w|s-1-5-21-123456789-12345678-5555555
you first have to split the string with '|' to extract the SID for using it with the above method !!
Mitglied: pixel0815
pixel0815 02.08.2016 um 13:41:21 Uhr
Goto Top
i change the script to

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName" | out-file $FileUrl  


	#Check Web Application Policies
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies) 
  	{
	 	#Check if the search users is member of the group
		#if($Policy.UserName -eq $SearchUser)
		  #	{
				#Write-Host $Policy.UserName
	 			$PolicyRoles=@()
		 		foreach($Role in $Policy.PolicyRoleBindings)
				{
					$PolicyRoles+= $Role.Name +";"  
				}
				#Write-Host "Permissions: " $PolicyRoles 
				
				"$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append  
			#}
 	 }
  
  #Loop through all site collections
   foreach($Site in $SiteCollections) 
    {
	  #Check Whether the Search User is a Site Collection Administrator
	  foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
      	{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.Displayname)" | Out-File $FileUrl -Append  
		
		}
  
	   #Loop throuh all Sub Sites
       foreach($Web in $Site.AllWebs) 
       {	
			if($Web.HasUniqueRoleAssignments -eq $True)
            	{
		        #Get all the users granted permissions to the list
	            foreach($WebRoleAssignment in $Web.RoleAssignments ) 
	                { 
	                  #Is it a User Account?
						if($WebRoleAssignment.Member.userlogin)    
							{
							  			#Get the Permissions assigned to user
									 	$WebUserPermissions=@()
									    foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
									   	{
				                    	    $WebUserPermissions += $RoleDefinition.Name +";"  
				                       	}
										#write-host "with these permissions: " $WebUserPermissions 
										#Send the Data to Log file
										"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
							}
					#Its a SharePoint Group, So search inside the group and check if the user is member of that group
					else  
						{
                        foreach($user in $WebRoleAssignment.member.users)
                            {
								    #Get the Group's Permissions on site 
									$WebGroupPermissions=@()
							    	foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							   		{
		                    	  		$WebGroupPermissions += $RoleDefinition.Name +";"  
		                       		}
									#write-host "Group has these permissions: " $WebGroupPermissions 
									
									#Send the Data to Log file
									"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.Displayname)" | Out-File $FileUrl -Append  
							}
						}
               	    }
				}
				
				#********  Check Lists with Unique Permissions ********/
		            foreach($List in $Web.lists)
		            {
		                if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
		                {
		                   #Get all the users granted permissions to the list
				            foreach($ListRoleAssignment in $List.RoleAssignments ) 
				                { 
				                  #Is it a User Account?
									if($ListRoleAssignment.Member.userlogin)    
										{
										   
													#Get the Permissions assigned to user
												 	$ListUserPermissions=@()
												    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   	{
							                    	    $ListUserPermissions += $RoleDefinition.Name +";"  
							                       	}
													#write-host "with these permissions: " $ListUserPermissions 
													
													#Send the Data to Log file
													"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member.Displayname)" | Out-File $FileUrl -Append  
										}
										#Its a SharePoint Group, So search inside the group and check if the user is member of that group
									else  
										{
					                        foreach($user in $ListRoleAssignment.member.users)
					                            {
													    #Get the Group's Permissions on site 
														$ListGroupPermissions=@()
												    	foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
												   		{
							                    	  		$ListGroupPermissions += $RoleDefinition.Name +";"  
							                       		}
														#write-host "Group has these permissions: " $ListGroupPermissions 
														
														#Send the Data to Log file
														"$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.Displayname)" | Out-File $FileUrl -Append  

												}
									}	
			               	    }
				            }
		            }
				}	
			}
					
		}

#Call the function to Check User Access

$datum=([datetime]::now).tostring("dd-MM-yyyy_HH-mm-ss")  
GetUserAccessReport "http://sharepointserver" "pathandfilename-$datum.csv"