Find dead SharePoint ActiveDirectory Groups

September 25, 2013

There are three ways to handle access rights in SharePoint.

  • Using ActiveDirectory Groups
  • Using SharePoint Groups
  • Using both of them

I personally recommend using the first option. Managing the access rights in one system is much easier to administer: no switching or logging off for administration work.

In our SharePoint installation, I create an ActiveDirectory group for each securable resource and rights type and assign organization groups to them.

A huge disadvantage of this strategy is that after a period of adding ActiveDirectory groups it’s hard to know which of those groups are really required.

I could handle this issue with a simple script which compares all SharePoint ActiveDirectory groups against all ActiveDirectory groups from a specific OU.

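Import-Module ActiveDirectory

# Get-SPWebs and Get-SPLists are not cmdlets of the standard SharePoint snap-in;
# they must already be available in the session.

$Domain = (Get-ADDomain).Name

# -replace takes a regular expression, so the "DOMAIN\" prefix has to be escaped
# (an unescaped trailing backslash is an invalid pattern).
$DomainPrefix = [regex]::Escape($Domain + "\")

# All ActiveDirectory groups in the OU that holds the SharePoint groups
$ADGroups = Get-ADGroup -Filter "*" -SearchBase "OU=SharePoint,OU=Services,OU=vblusers2,DC=vbl,DC=ch"

# Domain groups assigned on websites and lists that have unique permissions.
# @() keeps both sides arrays so that "+" concatenates even for 0 or 1 results.
$SPGroups = @(
    Get-SPWebs | ForEach-Object {
        if ($_.HasUniqueRoleAssignments) {
            $Url = $_.Url
            $_.RoleAssignments | Where-Object { $_.Member.IsDomainGroup } |
                Select-Object @{Name = "Member"; Expression = { $_.Member -replace $DomainPrefix, "" }},
                              @{Name = "Url"; Expression = { $Url }},
                              @{Name = "Type"; Expression = { "Website" }}
        }
    }
) + @(
    Get-SPLists | ForEach-Object {
        if ($_.HasUniqueRoleAssignments) {
            # Scheme, host and port of the parent web plus the list's default view
            $Url = ([uri]$_.ParentWeb.Url).GetLeftPart([System.UriPartial]::Authority) + $_.DefaultViewUrl
            $_.RoleAssignments | Where-Object { $_.Member.IsDomainGroup } |
                Select-Object @{Name = "Member"; Expression = { $_.Member -replace $DomainPrefix, "" }},
                              @{Name = "Url"; Expression = { $Url }},
                              @{Name = "Type"; Expression = { "List" }}
        }
    }
)

# Compare by exact (case-insensitive) name. A -match test is a regex substring
# match and would treat a group as used when its name is part of another name.
$UsedGroups = @($SPGroups | Select-Object -ExpandProperty Member)

# ActiveDirectory groups in the OU that are not assigned anywhere in SharePoint
$ADGroups | Where-Object { $UsedGroups -notcontains $_.Name } | Select-Object Name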

https://gist.github.com/6699783
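The comparison step in isolation, as an added example that is not part of the original post or gist: it runs on constructed data without ActiveDirectory or SharePoint and contrasts an exact name comparison with a `-match` regex test, which hides dead groups. The domain `CONTOSO`, the group names and both function names are assumptions made for this illustration.

```powershell
# Constructed sample data (hypothetical names, not taken from a real directory)
$Domain       = "CONTOSO"
$ADGroupNames = @("SP_Intranet_Read", "SP_Intranet", "SP_HR.Docs_Edit", "SP_Archive_Read")
# Role-assignment members as DOMAIN\group strings, in mixed case
$SPMembers    = @("CONTOSO\SP_Intranet_Read", "contoso\SP_HRXDocs_Edit")

function Get-DeadGroupName {
    # Exact comparison: strip the escaped "DOMAIN\" prefix, then compare whole names.
    param([string[]]$ADGroupName, [string[]]$SPMember, [string]$Domain)

    $prefix = "^" + [regex]::Escape($Domain + "\")
    $used   = @($SPMember | ForEach-Object { $_ -replace $prefix, "" })

    # -notcontains compares complete strings, case-insensitively
    $ADGroupName | Where-Object { $used -notcontains $_ }
}

function Get-DeadGroupNameByMatch {
    # Regex comparison: the AD name is used as a pattern, so it matches
    # substrings, and "." in a group name matches any character.
    param([string[]]$ADGroupName, [string[]]$SPMember)

    $ADGroupName | Where-Object { -not ($SPMember -match $_) }
}

$exact = Get-DeadGroupName -ADGroupName $ADGroupNames -SPMember $SPMembers -Domain $Domain
$regex = Get-DeadGroupNameByMatch -ADGroupName $ADGroupNames -SPMember $SPMembers

"Exact comparison reports : " + ($exact -join ", ")
"Regex -match reports     : " + ($regex -join ", ")

# Groups that the regex comparison wrongly treats as still in use:
# SP_Intranet is a substring of SP_Intranet_Read, and
# SP_HR.Docs_Edit matches SP_HRXDocs_Edit because "." is a wildcard.
"Hidden by -match         : " + (($exact | Where-Object { $regex -notcontains $_ }) -join ", ")
```

Groups reported as dead are candidates for review; checking their membership and last change in ActiveDirectory before removing them avoids deleting a group that is used outside SharePoint.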

Requirements
