AD security group permissions
Hi Everyone,
does anyone know/encountered the following issue?
While using 'Create Group' activity from AD integration Pack, and creating LST group. By that I get as an outcome - group with default permissions(for LST<<List Access>> - to this folder and subfolders). Does anyone know how can I change this
permissions to - This folder only - upon creation of the group, or right ater it? Is it possible by 'Get Group' or 'Update Group' activities, somehow?
Any suggestions on that, highly appreciated.
Thx.
It's not wrong, it is expected behavior and working as designed. Until a user logs into the SharePoint site that is granted access via AD group, the user is not going to show under 'check permissions' as having access. SharePoint must have a record of the
user in the UIL in order to validate their access.
You're free to file an RFC with Microsoft, but the monetary impact to you must be extremely high in order for this behavior to be changed.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Similar Messages
-
Global security group permissions not propogating
I have a single flat domain that has migrated from NT to 2003 to 2008. A number of the global groups go back to the mid ninties.
I recently purchased a EMC VNXe 3300 for addition storage, joined it to the domain, migrated a bunch of folders with permissions using robocopy no problem.
Now I have one shared folder and the global security permission applied to the top level folder but did not decend the tree. I tried applying it from the advanced security tab and choose apply to this folder and all child objects and folder or some such
verbiage. I could not get that permission on anything below the top level unless I went to the object explictly and applied it.
I created a new global security group and applied it to the folder and it descended the tree with no problems.
I have hundreds of folders and hundreds of groups I need to move to this new storage, I have no idea what is wrong here?Hi,
Please help collect the current permission setting of the parent folder and a subfolder (which the original global security group cannot be applied with "inheriting").
Meanwhile have a try with icacls instead of GUI to see if it will work. For example:
icacls x:\folder /grant <group>:(OI)(CI)F
If you have any feedback on our support, please send to [email protected] -
Hi, can anyone tell me (under collaboration) what's the difference between user1 and user2 under this circumstances:
1. Projects being the security group that comes as default in the system.
user1 - Projects(RWD)
user2 - Projects(RWDA)
where local access (ACL) and account (Prj) permissions are the same?
2. Prj being the Account that comes as default in the system.
user1 - Prj(RWD)
user2 - Prj(RWDA)
where local access (ACL) and Projects (Security Group) permissions are the same?
Thanks!any help? plz
-
SharePoint group containing AD security group - Check Permissions does not show correct information
I'm seeing a problem with SharePoint 2013 groups that contain Active Directory security groups. When using the Check Permissions feature to see what permissions a specific user has, it does not reflect the correct permissions for a user inside of the AD
security group. This occurs when checking permissions on a site, library, list or folder. When a user is added as a direct member of the SharePoint group it lists their proper permissions. I should note that the users ability to access the site or list works
properly and coincides with the SP/AD group the user belongs to. It's only the Check Permissions that doesn't work. This does not happen with SharePoint 2010 and the Check Permissions tool is very useful. Any ideas?It's not wrong, it is expected behavior and working as designed. Until a user logs into the SharePoint site that is granted access via AD group, the user is not going to show under 'check permissions' as having access. SharePoint must have a record of the
user in the UIL in order to validate their access.
You're free to file an RFC with Microsoft, but the monetary impact to you must be extremely high in order for this behavior to be changed.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
will still appear in Outlook, but the user isn't able to see new emails.
Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?I never got a proper fix.
I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
2. New members of groups are added to FULL Access Permissions
3. Members removed from the groups are removed from FULL access permissions
4. Automapping works :)
5. Maintains a log of access added / removed / time taken etc.
Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
# Mailbox Permissions Setter for Exchange #
# v1.1 #
# This script will loop through all mailboxes in Exchange and find any where #
# the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
# and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
# This script will add any members of these ACLs directly to the Full Access Permissions #
# of the mailbox and also remove them if they no longer need the access. #
# Script created by Jon Read, Technical Administration
# Recent Changes
# 15/11/2012
# 1.1 Added exclusions for ACLs that we don't want automapping to happen for
# 12/11/2012
# 1.0 Initial script
#Do not change these values
Add-PSSnapin *Ex*
$starttime = Get-Date
$logfile = "C:\accesslog.txt"
$logfile2 = "C:\accesslog2.txt"
$totaladditionstomailboxes = 0
$totalremovalsfrommailboxes = 0
$totalmailboxesprocessed = 0
$totalmailboxesskipped = 0
# Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
# we don't want FULL access mapping to happen. Seperate array values with commas
$ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
Write-Output "# v1.1 #" >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-output "Start time $starttime ">> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
# Set preferred DCs and GCs
$preferredDC = "preferredDC.domain"
$preferredGC = "preferredGC.domain"
Write-Output " PreferredDC = $preferredDC ">> $logfile
Write-Output " PreferredGC = $preferredGC " >> $logfile
Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
# The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
# Check for all mailboxes where the type is SHARED. These are the only ones we would
# want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
$totalmailboxesprocessed = $totalmailboxesprocessed + 1
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
# For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
# We then need it to be turned into a string to use later.
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$skipACL = 0
#Get the distribution group and put the name in a useable format
$distributiongroup=$distributiongroup.user.tostring()
Write-Output "Found ACL $distributiongroup" >> $logfile
# Check if this distribution group needs to be excluded and if it shouldn't be processed
# then move onto the next ACL. This will stop FULL access being granted if the mailbox is
# used for a non-standard purpose. See the start of this script
# for where these are excluded (ExcludedACLArray)
foreach ($ACL in $ExcludedACLArray )
if ($distributiongroup -eq $ACL)
$skipACL = 1
Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
$totalmailboxesskipped = $totalmailboxesskipped + 1
if ($skipACL -eq 0)
# Get each user in this group and for each of them, add try to add them to full access permissions.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$user="DOMAIN\" + $user.alias.ToString()
# Check to see if the user we have chosen from the ACL group already exists in the full access
# permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
# Set $userexists to 0 as the default
$userexists = 0
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
# See if the user exists in the mailbox access list.
# Change $fullaccessuser to a useable string (matching $user)
$fullaccessuser=$fullaccessuser.user.tostring()
if ($fullaccessuser -eq $user)
$userexists=1
# Break out of foreach if the user exists so we don't unnecessarily loop
break
# Now we know if the user needs to be added or not, so run code (if needed) to add
# the user to full access permissions
if ($userexists -eq 0)
Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
Write-Output "Added $user " >> $logfile
$changes = 1
$totaladditionstomailboxes = $totaladditionstomailboxes + 1
#Now repeat for other users in the ACL
#if changes were 0, then log that no changes were made
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
# The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
## Check for all mailboxes where the type is SHARED. These are the only ones we would
## want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
# For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
# check if they exist in the ACL
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
# Get the security identifier (SSID) of the FULLACCESS user to store for later.
$fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
$fullaccessuser=$fullaccessuser.User.ToString()
#If user needs to be excluded then skip this bit
#Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
#This stops it trying to remove NT AUTHORITY\SELF and other System entries
if ($fullaccessuser -like "DOMAIN\07*")
# Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
$userexists=0
# Check if this user exists in the ACL, if not, remove.
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$distributiongroup=$distributiongroup.user.tostring()
#Write-Output "Found associated distribution group $distributiongroup" >> $logfile
# Get each user in this group and for each of them, See if it matches the user in the mailbox.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$userguid = $user.Guid.ToString()
$user="DOMAIN\" + $user.alias.ToString()
if ($fullaccessuser -eq $user)
$userexists=1
#we have found the user exists so no need to continue
break
# If userexists = 0, then they are NOT in the ACL, and should be removed from
# the full access permissions. Run the code to remove them from full access.
#CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
if ($userexists -eq 0)
Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
Write-Output "Removed $fullaccessuser " >> $logfile
$changes = 1
$totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
# if changes = 0, no changes were made to this mailbox, so log this fact.
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
#Put the time in a displayable format
$endtime = Get-Date
$runtime = $endtime - $starttime
$runtime = $runtime.ToString()
$runtime1 = $runtime.split(".")
$totaltime = $runtime1[0]
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
Write-output "| Start time : $starttime ">> $logfile
Write-output "| End time : $endtime ">> $logfile
Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile -
Security Groups when in 'Project Server Permissions Mode' - Project Online
Hi All,
We have Project Online up and running, by default the PWA instance we added to O365 was in "SharePoint Permissions" Mode, we changed to "Project Server Permissions" Mode because of some complex security we need to configure. For some
reason (different from Project Server 2013) Project Online creates a number of Security Groups by default that seem to be duplicates. For example for Administrators there are:
- Administrators
- Administrators for Project Web App
- Web Administrators (Project Web App Synchronized)
For Project Managers:
- Project Managers
- Project Managers (Project Web App Synchronized)
- Project Managers for Project Web App
And there is something similar for all the groups (compared to Project Server 2013):
I have looked online, with no luck, for some guidance on what all these groups are and if I can delete some of them without causing PWA to crash.
If anyone out there can point me in the right direction / send me some documentation or links it will be greatly appreciated!
Thanks!
JorgeHi Jorge, I had the same thing on two different tenants within the last week - one today. I will just clean up the SharePoint groups manually. The ones with the descriptions are the correct Project Server permission mode groups... Hopefully Microsoft will
fix this soon, you could raise a support ticket on your office 365 tenant - support is pretty quick! Paul
Paul Mather | Twitter |
http://pwmather.wordpress.com | CPS -
Using security groups to grant Full Mailbox Permissions
Hi, I've of course found several articles discussing granting full mailbox permissions to universal security groups in Exchange 2010, however, most of them are outdated and provide contradicting information.
So I figured I'd ask here to generate a more 'current' discussion of this and get the real answers.
If I do the following:
1. Create a shared mailbox
2. Create a Universal Security group (USG)
3. Add User X to the USG
4. Grant the USG Full Access Permissions to the shared mailbox
Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24 hours
before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately.
So what is the real truth here when using USGs to grant Full Access?
https://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy
Thanks,Hi squishmike,
Thank you for your question.
Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
A: By my testing, we still go through the ‘open addition mailbox’ setting in outlook when we open outlook with new profile.
Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24
hours before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately.
So what is the real truth here when using USGs to grant Full Access?
A: Question 1 has been answered it. It will show share mailbox by ‘open additional mailbox’, we will add shared mailbox manually.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim -
Effictive Permissions not showing up for security groups after interforest migrations using ADMT
Hi there,
I"m trying to fix an issue with the effective permission, below is the description
Two separate forests exist with respective domains DomainA and DomainB.
A two-way trust has been established between these two domains.
I migrate a user (using ADMT) from DomainA to DomainB.
After migration the user account in DomainB has access to the same shares and folders on file servers in DomainA as it did with the user's account in DomainA.
when i checked the effective permission of the migrated security group it does not show up any tick mark on the permissions. but still end users are able to access the resource on file server
Thanks in advance for any advice you may have to offer.
-VijayHi,
After the user migration, did you finish the Security Translation?
http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx#Group_Account_Migration
Regards.
Vivian Wang -
Use AD Security Groups for SharePoint database permissions
In our SharePoint environment we have around 30 content databases. Each of these content databases need a few application pool accounts added to there permissions for various service applications etc. Currently all the accounts are added individually,
but this can be a little error prone. Is there a reason why we could just pop all the required accounts in an AD security group and add that database permissions in SQL?You could do that, but your service accounts shouldn't be accessing the databases directly, instead routing through the SharePoint API, which then permissions would be taken care of by SharePoint accounts (or if you have custom Service Applications, the
service app pool account).
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Adding Editor Permissions to a AD Security Group
Hi,
Requirement: Add an AD Security Group with "Editor" rights on all MeetingRoom objects in the Exchange 2010 organization using Powershell.
MailEnabledDistribution Group alias = abcd1
The PS command I am running is :-
$all=Get-Mailbox -RecipientTypeDetails RoomMailbox
ForEach-Object {_.item in $all} {Add-MailboxFolderPermission -Identity ($item.alias+:\Calendar") -User abcd1 -AccessRights "Editor"}
Is this the right PS command or a better one exists to accomplish the goal.
Cheers
H
HAHi,
We can try the following commands to achieve it:
$all=Get-Mailbox -RecipientTypeDetails RoomMailbox
$all | ForEach {Add-MailboxFolderPermission -Identity “$($_.alias):\Calendar” -User abcd1 -AccessRights "Editor"}
Thanks,
Winnie Liang
TechNet Community Support -
Allocating and delegating permissions in Exchange Server 2010 between two AD security group.
People,
Can anyone please assist me in where and how to assign the following two AD security group in Exchange Server 2010?
IT Admin group (Full access and permission for all AD and Exchange related).
IT Helpdesk group (can only create mailbox and modify the mailbox properties including AD distribution group and contacts).
Because in Exchange Server 2007, everything can be managed easily through the AD security group that is created during the installation such as
Exchange Organization Administrators group for full access for IT Admin team and Exchange Recipient Administrators group for managing the mailbox user for Help Desk team.
/* Server Support Specialist */Hi,
Based on my knowledge, Exchange 2010 has an Organization Management group instead of the Exchange Organization Administrators group. Use the Recipient Management group instead of the Exchange Recipient Administrators group. In your case, you can add the
IT Admin group to the Organization Management group, add the IT Helpdesk group to the Recipient Management group.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support
Thanks, Amy,
But for some reason I cannot see those built in AD security group in my ADUC?
So should I recreate it manually by right clicking on the AD user and Console ?
/* Server Support Specialist */ -
Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project
I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
groups on the project site upon publishing/syncing:
<Project Name> Members
<Project Name> Owners
<Project Name> Visitors
<Project Name> Project Managers (Project Web App Synchronized)
<Project Name> Team Members (Project Web App Synchronized)
Web Administrators (Project Web App Synchronized)
Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
and add a whole list of users in the Site Permissions list without groups.
Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
or publishing.
How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
Thanks in advance.Paul,
Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies. -
Unable to change members of AD security groups who have access to shared mailboxes
I have an exchange 2013 running for over a year now and never had any problems with it. Until recently.
A request came in to make a new shared mailbox. So I did just that and gave rights to a security (not mail enabled) AD group. Just like I Always do. Everything worked fine. A few hours later I did exactly the same for another request and then the people
could not access the shared mailbox. So I added my regular user to the AD group and I also couldn't (I tested it with OWA and Outlook). I tried to remove myself of one of my own shared mailboxes and the permissions wouldn't stick. When I removed the entire
group then the permissions were gone(and I could not access the shared mailbox). When I added it back I had my permissions back but still wasn't in the group. Then I tried adding a distribution group with the same result.
It seems when I add normal users directly to the permissions everything works.
When I had to restart the server a few days later. All changes were applied but I could not change it again.
i'm a bit stumped on this one. i'm out of options.Hi Jelle,
"I did exactly the same for another request and then the people could not access the shared mailbox.", I would like to verify if you give the same Security Group rights to multiple shared mailboxes.
If the security group members can't have access to all the shared mailboxes they have rights, you can recreate a security group and grant permissions to shared mailboxes one by one to check the result.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support -
How to create a site and add security groups through code: scripts, csom, ... ?
Hi,
I'm new to CSOM and are looking for a way to create sites in SharePoint Office365 and especially add user to it with a specific role eg. 'visitor' or 'owner'.
I use this code to add sites from a csv file, so far so good.
But now I want to add security groups based on the csv file and assign a role. The security groups allready exists.
and also how to add a user with a 'owner' role for some sites.
That would make my life easier :-)
so thank you in advance!
# load assemblies
#[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
#[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
# site collection
$siteUrl = “https://mysharepoint.com”
# admin
$username = "[email protected]"
$password = Read-Host -Prompt "Enter password" -AsSecureString
# get clientcontext as object
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
# assign credentials to clientcontext object
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
$ctx.Credentials = $credentials
# create site from template 'teamsite' => STS#0
$data = Import-Csv "c:\tools\CSOM\vakwerking_test.csv"
foreach ($row in $data) {
$webCreationInformation = New-Object Microsoft.SharePoint.Client.WebCreationInformation
$webCreationInformation.Url = $row.vakwerkingurl
$webCreationInformation.Title = $row.vakwerkingnaam
$webCreationInformation.WebTemplate = "STS#0"
$webCreationInformation.UseSamePermissionsAsParentSite = $false
$newWeb = $ctx.Web.Webs.Add($webCreationInformation)
Write-Host "Title" $newWeb.Title
#send to sharepoint
$ctx.Load($newWeb)
$ctx.ExecuteQuery()Hi,
The command above about creating a group only works for the root site of the site collection, because the scope of the user group is site collection level, these groups
can be used in all the sites in this site collection.
With the existing groups in the root site, we can add users into them and grant specific permissions of a specific sub site to these groups.
Here is a demo about how to assign permission to a group using Client Object Model(though in C#) for your reference:
http://www.c-sharpcorner.com/UploadFile/54db21/set-permission-to-group-in-sharepoint-2010-programmatically/
Best regards,
Patrick
Patrick Liang
TechNet Community Support -
AD security group issues in SharePoint 2013 Integrated Mode
Hello,
Sorry if this is the wrong forum, I'm not sure if this is a SharePoint issue or a Reporting Services configuration issue (or if it should be in a SharePoint forum regardless).
I have SSRS2012 on SharePoint 2013 in integrated mode. We are doing item level permissions, which means we have an AD security group Reports-All with
Read to the Reports document library, then each actual report has unique permissions. We have a report with the ProjectManagers AD
security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with
just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All,
with Read.
At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses
to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly as far as I can tell.
The issue is when a user in ProjectManagers or ProjectUsers clicks
on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups.
Has anyone seen this behavior with AD security groups? Any ideas on why my environment does not want to work properly with those even though AD security groups are working fine for other non-Reporting Services files?
Thanks,
AaronHi aaronzott,
According to your description, you configured SSRS 2012 of SharePoint integrated mode. You added read permission to reports and data source to AD security group Reports-All, then added just read permission to ProjectManagers and ProjectUsers groups. When
users in ProjectManagers or ProjectUsers groups click report, the error message occurred. After you added Read permissions to the report and the data source to the groups, they can preview the report without errors.
Report definition permissions are defined through List permissions on the library that contains the report, but we can set permissions on individual reports if we want to restrict access. Set properties on a report including data source connection information,
processing options, and parameter properties. Edit Items on the library that contains the report or on the individual report. We also need to have view permissions on a shared data source (.rsds) to select it for use with the report.
For more information about Set Permissions for Report Server Operations in a SharePoint Web Application, please refer to the following document:
http://msdn.microsoft.com/en-us/library/bb326286(v=sql.110).aspx
If you have any more questions, please feel free to ask.
Thanks,
Wendy Fu
If you have any feedback on our support, please click
here.
Maybe you are looking for
-
Retail - article follow up / material determination
Hello, I would to know the possiblity of material determination / article follow up in Retail scenario. The material should be substituted with material already maintained for replacement/follow up for the 'sales orders'. Help on this is really appre
-
Printing to Canon Pixma MP170 on Airport Express from Windows XP
I got a Canon MP170 basically for free with the rebates. Connected to my Airport Express, installed the drivers on my PowerMac and I can print just fine (I am aware that the scanner will only work when connected directly - which also works fine). Now
-
Displying wrong data after entering estimated cost while creating travel request.
Hi Team, We are facing an issue while creating travel request from portal. When we are entering estimated cost and after clicking on save and send button we are getting data is saved as correct.But after clicking on display form button the data is sh
-
Async - Sync in BPM - Multiple Retries
I have an asyncronous interface from CRM which goes into BPM and makes a synchronous call into the destination application and expects a response. However if there is a connection failure from the HTTP adapter to the destination application, I want t
-
I have a 2yr old iPad from work. And a iPhone 5 and I have a new iPad of my own now. (Not the air). My work iPad picks up wifi were ever I go. My iPhone and new iPad have trouble. I can't even get them to do it in my own house. Shouldn't they just c