SharePoint How-To Series: User Administration

Adding users, removing users, modifying permissions and even deleting users is a core step of administration. Understanding the logical order of permissions and how to set them is imperative for all SharePoint solutions.

Liam Cleary

October 27, 2015

4 Min Read
SharePoint How-To Series: User Administration

In our last three posts, we have walked through the use of PowerShell and commands for administration, as well as working with the Workflow Services.

In this the final post of our administration series, we will look at one of the most important areas of SharePoint administration: security and permissions. Adding users, removing users, modifying permissions and even deleting users is a core step of administration. Understanding the logical order of permissions and how to set them is imperative for all SharePoint solutions.

SharePoint as a product utilizes out-of-the-box Active Directory for its authentication and authorization stack. Users and Groups within Active Directory are often used as the permission boundary, which makes it easy to control access. However, over time, users are often left in groups they should not be in, or they have lost permissions they needand often just stop using it completely.

Adding New Users

So, where to begin? Let’s look at adding new users. The user interface is simple and fairly intuitive within SharePoint 2013. To add a new user, we would simply use the picker.

Typing the name causes SharePoint to perform an LDAP lookup to validate the user. However, in different locations within SharePoint the user experience is different.

Web Application User Policy

Site Collection Administrators

Site Collection People and Groups

Site Collection Permissions

List and Library Permissions

Item Level Permissions

As you can see, the interface does change slightly when you are looking to add users to SharePoint. The core function behind it, though, is that you are performing a name resolution using LDAP for the on-premises deployment. Of course, this does change if you are using other authentication options, but that's a post for another day.

If we wanted to perform the same process of adding users, using PowerShell then we would need to use some simple commands.

Add a Farm Administrator

$FarmAdminAccount = “DOMAINUser”

$CentralAdministrationWebApplication = Get-SPWebApplciation –IncludeCentralAdministration | Where-Object {$_.Displayname –eq “SharePoint Central Administration v4”}

$CentralAdministrationSite = $CentralAdministrationWebApplication.Sites[0]

$CentralAdministrationWeb = $CentralAdministrationSite.RootWeb

 

$FarmAdministratorGroup = $ CentralAdministrationWeb.SIteGroups[“Farm Administrators”]

$ FarmAdministratorGroup.AddUser($FarmAdminAccount, “”, $FarmAdminAccount,”Added By PowerShell”)

 

Add a Shell Administrator

Add-SPShellAdmin DOMAINUser

 

Add a Site Collection Administrator

 

$Username = “{DOMAINUser}”

$WebApplicationUrl = “{SharePoint URL}”

$WebApplication = Get-SPWebApplication $WebApplicationUrl;

$SiteCollection  = $WebApplication.Sites[0];

$SiteCollectionAdmin = $SiteCollection.RootWeb.EnsureUser($Username);

$SiteCollectionAdmin.IsSiteAdmin = $true;

$SiteCollectionAdmin.Update();

Managing security can be done very easily using either the user interface or PowerShell. Permission control is one thing, but being able to get information back out of user’s permissions is just as important. Third-party tools could be used, but PowerShell can often do just as good a job. Retrieving a list of permissions for a SharePoint site is as simple as the following PowerShell.

function Get-PermissionsReport($SharePointSite, $IterateThrough)

{

  $SharePointSite | Get-SPUser | % { New-Object PSObject -Property @{

UserLogin = $_.UserLogin

            ‘Role Permission: ‘ = $_.Roles

            ‘Security Group: ‘ = $_.Groups | %{$_.Roles}

            Groups = $_.Groups

            Url = $SharePointSite.Url

    }

  }

 

if($IterateThrough) { $SharePointSite.Webs | % { Get-PermissionsReport $_ $IterateThrough } }

}

 

$SharePointSite = Get-SPWeb “{SharePoint URL}”

Get-SPPermissionsReport $SharePointSite $true | Sort-Object UserLogin | Out-GridView

Thanks to: Konstantin Vlasenko

Once run it will render in a Grid View window like so:

What’s great about PowerShell is that you can actually take code like this and shorten it to make it easier to use.

$SharePointSite = "{SharePoint URL}"

Get-SPUser -Web $SharePointSite | select UserLogin, @{name=”Explicit Permissions”;expression={$_.Roles}}, @{name=”Permissions given via Groups”;expression={$_.Groups | %{$_.Roles}}},Groups | format-Table –auto

Once run, the results are output directly within the PowerShell window.

There are other great scripts that can be used for getting reports out available on Codeplex, as well as on Microsoft TechNet Gallery site: https://gallery.technet.microsoft.com

Hopefully, over these past few posts you have seen that PowerShell is a core tool in any SharePoint Administrator' toolkit, and that it can be used for all things in SharePoint.

Don’t forget the upcoming webinar on SharePoint Administration, where we will cover even more. You can register here.

http://sharepointpromag.com/sharepoint-admin-101?promo=UM_WPBLK

 

 

About the Author

Liam Cleary

https://www.helloitsliam.com/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like