Tag Archives: Security

PowerShell script to update all Site Collection Owners

Requirement

Update the site collection owners for all sites in your SharePoint farm. You normally wouldn’t do this too often, but this is helpful when you are doing things like migrations from old SharePoint installations.

Having a valid account with a working e-mail address is especially important when you use site collection quotas and warning e-mails. When a site reaches its warning limit, it sends an e-mail notification to the site collection owner and secondary owner. If your accounts do not have a valid e-mail address, you will not receive any notification.

Solution

I have written a simple PowerShell script to change the site collection owner and secondary owner for all sites in your farm. As always, use it in your test environment first and feel free to modify as you see fit.

 

# This PowerShell script sets the site collection owner and secondary owner on all site collections in the farm to the accounts you specify.

Add-PSSnapin Microsoft.SharePoint.PowerShell

$owner = Read-Host "Enter site collection owner username"
$second = Read-Host "Enter site collection secondary owner username"

$sites = Get-SPSite -Limit all

foreach ($site in $sites)
{
	Write-Host "Setting $($site.Url) owner to $owner and secondary owner to $second"
	stsadm -o siteowner -url $site.Url -ownerlogin $owner -secondarylogin $second

	# Release each SPSite as soon as it has been processed, not just the last one
	$site.Dispose()
}

Write-Host "Done"

SharePoint Keeps Prompting for Credentials

Problem

SharePoint keeps prompting you for credentials in the following scenarios:

  1. You get prompted for credentials when you access the site in the browser.
  2. You get prompted for credentials when you open a document from SharePoint.
  3. You get prompted for credentials after you open a document from SharePoint and try to “Save As”.

Cause

The most likely cause of your problem is that you are using an FQDN for SharePoint (for example, sharepoint.company.com) and your client machine runs Windows 7. By default, Internet Explorer and WebDAV assume that this address is on the Internet and, as a security measure, do not automatically pass in your credentials.

Solution

If your scenario is the same as above, then you will need to do two things.

  1. Add your SharePoint server’s FQDN to your Trusted Sites or Intranet Sites zone.
  2. Modify your registry settings for the WebClient service.

Add your SharePoint server’s FQDN to your Trusted Sites or Intranet Sites zone.

If using Trusted sites, ensure that you do not select “Require server verification (https:) for all sites in this zone”.

  1. Internet Explorer -> Internet Options -> Security -> Trusted Sites -> Sites
  2. Add the URL(s) of your SharePoint server(s).
  3. Click OK
  4. Click Custom Level -> Scroll to the bottom -> User Authentication
  5. Ensure that it is set to Automatic logon with current user name and password

If you are using the Intranet Sites zone, note that you need to manually add the SharePoint server URL under Advanced settings.

  1. Internet Explorer -> Internet Options -> Security -> Local Intranet -> Sites -> Advanced
  2. Add the URL(s) of your SharePoint server(s).
  3. Click OK
  4. Click Custom Level -> Scroll to the bottom -> User Authentication
  5. Ensure that it is set to Automatic logon with current user name and password

Modify your registry settings for the WebClient service.

  1. Open Regedit, Start -> Run -> regedit
  2. Browse to the location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters
  3. Create a new Multi-String Value and call it AuthForwardServerList
  4. Under Value data: Type in the URL of the SharePoint sites, one on each line. You may use wildcards.
  5. Click OK.
  6. Open Services console, Start -> Run -> services.msc
  7. Look for the WebClient service, and click on Restart.
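
The registry steps above can also be scripted. This is an added example, not part of the original post: the function name Set-WebClientAuthForwardList and its validation pattern are assumptions of the example, and sharepoint.company.com is the post's sample FQDN. Every host that matches an entry receives your credentials automatically, so the example rejects bare or top-level wildcards and keeps existing entries intact.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Set-WebClientAuthForwardList is a hypothetical helper name.
function Set-WebClientAuthForwardList {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Url,
        [switch] $Apply   # without -Apply, only report what would be written
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
    $name = 'AuthForwardServerList'

    # This example's own policy: scheme plus host only. A wildcard is accepted
    # only as the left-most label and must be followed by at least two labels
    # (https://*.company.com is accepted; https://* and https://*.com are not).
    $pattern = '^https?://(\*\.[A-Za-z0-9-]+\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$'
    foreach ($u in $Url) {
        if ($u -notmatch $pattern) {
            throw "Rejected '$u': expected http(s)://host or http(s)://*.domain.tld"
        }
    }

    # Merge with whatever is already configured so existing entries survive.
    $existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $merged   = @(@($existing) + $Url | Where-Object { $_ } | Sort-Object -Unique)

    if (-not $Apply) {
        Write-Host "Dry run. $name would contain:"
        return $merged
    }

    # REG_MULTI_SZ with one URL per string, as in step 4 of the manual procedure.
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $merged -Force | Out-Null

    # Restart the WebClient service so the change takes effect (steps 6 and 7).
    Restart-Service -Name WebClient
    return $merged
}

# Dry run with the post's sample FQDN; add -Apply to write the value.
Set-WebClientAuthForwardList -Url 'https://sharepoint.company.com'
```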

 References

http://support.microsoft.com/kb/943280/en-us


The security validation for this page is invalid

Problem:

After applying SharePoint 2010 Service Pack 1 and June 2011 Update, you start getting an exception “The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.” in your InfoPath forms when you try to do certain actions like adding an attachment to the form.

Checking the ULS logs, you see the following error:

Message : Failed to get SPGroupName from GroupID. Error Message: Group cannot be found.  Callstack:    at Microsoft.SharePoint.SPGroupCollection.GetByID(Int32 id)     at Microsoft.SharePoint.WebControls.PeopleEditor.set_SharePointGroupID(Int32 value).

Cause

This is a known bug in the June 2011 update and there was no known fix from Microsoft at the time this post was written.

Solution

The work-around is to disable Web Page Security Validation in the Web Application settings.

  1. Open Central Administration -> Manage Web Applications -> General Settings
  2. Web Page Security Validation -> Off.
  3. OK

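Note: This work-around causes issues with InfoPath form postbacks and creating document libraries / subsites. Web Page Security Validation is also the form digest check that SharePoint uses to reject forged cross-site requests, so turning it off removes that protection for the entire web application. Use the following guide instead to fix this issue: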

http://www.mysharepointadventures.com/2011/08/june-2011-cu-woes-workaround-for-infopath-forms-error/

 


PowerShell script to display unique permissions for all subsites and lists

Requirement

Display security permissions for site collection, subsites, and lists/libraries in each site.

Solution

This can be achieved with a simple PowerShell script. To use it, you must modify the $site variable to point to your site collection.

Syntax: <script name>.ps1 | out-file c:\permissions.txt

#Add SharePoint PowerShell SnapIn if not already added
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

#Define variables
$site = Get-SPSite "http://<site collection>"

#Get all subsites for site collection
$webs = $site.AllWebs

#Loop through each subsite and write permissions

foreach ($web in $webs)
{
    if (($web.Permissions -ne $null) -and $web.HasUniqueRoleAssignments)
    {
        Write-Output "****************************************"
        Write-Output "Displaying site permissions for: $web"
        $web.Permissions | Format-List Member, BasePermissions
    }
    elseif (-not $web.HasUniqueRoleAssignments)
    {
        Write-Output "****************************************"
        Write-Output "Displaying site permissions for: $web"
        Write-Output "$web inherits permissions from $site"
    }

    #Loop through each list in each subsite and get permissions

    foreach ($list in $web.Lists)
    {
        $unique = $list.HasUniqueRoleAssignments
        if (($list.Permissions -ne $null) -and $unique)
        {
            Write-Output "****************************************"
            Write-Output "Displaying Lists permissions for: $web \ $list"
            $list.Permissions | Format-List Member, BasePermissions
        }
        elseif (-not $unique) {
            Write-Output "$web \ $list inherits permissions from $web"
        }
    }

    #Release each subsite once it has been processed
    $web.Dispose()
}
Write-Host "Finished."

#$unique is a Boolean and has no Dispose method; only the SPWeb and SPSite objects are released
$site.Dispose()


The output you get will look something like this:


****************************************
Displaying site permissions for: Intranet

Member : domain\administrator
BasePermissions : ViewFormPages, Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs
Intranet \ Brands inherits permissions from Intranet
Intranet \ Content and Structure Reports inherits permissions from Intranet
****************************************
Displaying Lists permissions for: Intranet \ News

Member : domain\domain users
BasePermissions : ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts
Intranet \ Pages inherits permissions from Intranet
Intranet \ PDFs inherits permissions from Intranet
****************************************
Displaying site permissions for: About Company
About Company inherits permissions from SPSite Url=http://my.company/intranet
About Company \ Documents inherits permissions from About Company
Displaying Lists permissions for: About Company\ Images

Member : domain\administrator
BasePermissions : ViewFormPages, Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs


As you can see, the script only displays the permissions of subsites and lists that are unique.
