SharePoint Security and Microsoft PowerShell

SharePoint Security and Microsoft PowerShell

by

Combining a powerful tool by the name of PowerShell with an equally powerful platform such as SharePoint, the results can be extremely beneficial. However, many users struggle to wrap their head around this duo, and are left feeling unsure where exactly to start.

In this post, we’ll explore the capabilities of Microsoft’s PowerShell, both individually and when combined with SharePoint.

In layman’s terms, PowerShell is a modern day command prompt, gifting more power and control over the Windows operating system (OS). Built upon the .NET framework, Windows PowerShell is Microsoft’s own framework, created for task automation and configuration management with its own scripting language. It also consists of Windows PowerShell ISE, its very own powerful graphical user interface (UI) to create PowerShell scripts.

PowerShell 5.0 is the latest version of the framework, with additional new features such as backward compatibility and an improved PowerShell ISE. An improved desired state configuration allows for greater control over the configuration management, at 5.0 sees a new set of cmdlets – lightweight commands used to perform actions within the PowerShell environment.

How Powerful Is It?

PowerShell is without a doubt an excellent (and critical) tool for IT administrators and developers. With PowerShell single line commands, you can connect to remote computers, explore the active directory and export your data into .csv or .xml document formats. With the pipelining feature, you can connect the output of one cmdlet as an input to another cmdlet.

PowerShell is not just a scripting language, but it’s a complete framework for perfect automated solutions.

Even here at Sharegate we've developed our own set of PowerShell commands, enabling certain actions within the application, like scheduling and automating a migration or managing SharePoint content.

Bonus: Download the Top 10 PowerShell Commands Every SharePoint Administrator Using Sharegate Should Know.

 

Within SharePoint, let’s say, for example, you want to update the title field of a particular user in Active Directory. This may seem like a relatively simple task; easily achieved by opening the GUI of the active directory.

But what if it has to be done for 100 users at a time? Suddenly, we’re left wishing there was a better way to update the title of those 100 users, decreasing the amount of effort required and saving on time. Fortunately for us, this is where PowerShell comes to the rescue.

With at most 3 cmdlets, we can get all the users from the .csv file and update the titles of those users in Microsoft Active Directory (AD). These scripts are short and sweet, and take no more than 5 seconds to update all 100 users:

SharePoint and PowerShell Together...

PowerShell is a common feature in other Microsoft platforms such as Windows, Active Directory, Exchange, SQL Server, and SharePoint. Earlier versions of SharePoint had its own command line application called STSADM to perform various operations within SharePoint, but its pales in comparison to PowerShell.

PowerShell is a common feature in other Microsoft platforms such as Windows, Active Directory, Exchange, SQL Server, and SharePoint.

The tool is able to administer to windows, and so made sense for Microsoft to provide PowerShell support for SharePoint as well. Support is provided by DLL plugin, allowing users access to SharePoint objects using over 540 out-of-the-box cmdlets specifically for SharePoint.

You can load the SharePoint DLL plugin into PowerShell with the below cmdlet:

Microsoft has provided online utility to generate commands based on the verbs and nouns of the action you want to perform.

Accessing SharePoint Users and Groups

As a SharePoint administrator, it’s a very tedious task to manage the users and their inherent permissions on SharePoint sites. Each day, there are numerous tickets to assign the specific roles or permissions to users or groups of users on SharePoint sites. It’s a very time consuming process, not to mention the redundant efforts that get wasted doing same thing again and again.

PowerShell for SharePoint offers a variety of cmdlets to deal with SharePoint Users and Groups, Document or item permissions, Role Definitions and Site Administrators to save everyone time and hassle.

SharePoint Security Using PowerShell

To Get the SharePoint User, we can use the Get-SPUser cmdlet which will return the SPUser object and its properties.

Get User

 

Administrators can manage the security of SharePoint sites by finding out which files users have access to. You can get the site collection administrator for each site collection or who are the site owners of the sites.

Get All the Site Owners

 

Get the Primary and Secondary Site Collection Administrator

 

User Access on Files

A site collection administrator can easily verify and check user permissions from within site settings, but what if it you’re required to list access permission details for all the users in a SharePoint site? This is not possible out-of-the-box. By using the RoleAssignments property, however, you can achieve user access on the particular file as shown below:

Finding Unique Permissions

SharePoint allows administrators to break permission inheritance from the site level to item level. So, if you want a particular item to have a specific set of permission, but not the same as at the site level, you can break the inheritance and assign your new permissions.

It’s recommended not to overuse this privilege, however, as it can quickly become overwhelming and unmanageable to check the permissions for each item.

However, there is a way for SharePoint administrators to manage the unique permissions on the item using the HasUniquePerm property for sites and the HasUniqueRoleAssignments property for all the other types of securable objects.

You can find all the sites with the unique permissions from the site collection using the below command:

Security Information of Site

Now that we’ve discussed most of the objects which expose the security levels of SharePoint using PowerShell, we can now easily get all the security or permission level details of the SharePoint Using PowerShell. Below are some of the commands you can use to get that level of detail:

Get the site administrators
$site.RootWeb.SiteAdministrators
Get the site groups
$site.RootWeb.SiteGroups
Get the role definitions
$site.RootWeb.RoleDefinitions
Get the users of the associated owner group
$web.AssociatedOwnerGroup.Users

The Clue’s in the Name

Windows PowerShell is, as the name suggests, an incredibly powerful tool. It brings many benefits to power-users and IT professionals by making their lives that much easier.

Guillaume Leverdier
Guillaume Leverdier @sharegatetools

Guillaume is a tech savvy content strategist with a huge interest for all things Cloud and collaboration related. He focuses on delivering easy to read and comprehend articles for everyone to understand and use a first step toward more technical digging.