2 min read
Find dead SharePoint ActiveDirectory Groups
The are three ways to handle access rights in SharePoint.
- Using ActiveDirectory Groups
- Using SharePoint Groups
- Using both of them
I personally recommend to use the first suggestion. Managing the access rights in one system is much easier to administrate, no switching or log off for administration work.
In our SharePoint installation I create for each securable resource and rights type a ActiveDirectory group and assign them organization groups.
A huge disadvantage of this strategy is that after a period of adding ActiveDirectory groups it’s hard to know which of those groups are really required.
I could handle this issue with a simple script which compares all SharePoint ActiveDirectory groups and the All ActiveDirectory groups from a specific OU against.
Import-Module ActiveDirectory
$Domain = "$((Get-ADDomain).Name)"
$ADGroups = Get-ADGroup -Filter "*" -SearchBase "OU=SharePoint,OU=Services,OU=vblusers2,DC=vbl,DC=ch"
$SPGroups = (
Get-SPWebs | %{
if($_.HasUniqueRoleAssignments){
$Url = $_.Url
$_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = "Member"; Expression = {$_.member -replace ($Domain + "\"),""}}, @{Name = "Url"; Expression = {$Url}},@{Name = "Type"; Expression = {"Website"}}}
}
}
)+(
Get-SPLists | %{
if($_.HasUniqueRoleAssignments){
$Url = ([uri]$_.Parentweb.Url).Scheme + "://" + ([uri]$_.Parentweb.Url).host + $_.DefaultViewUrl
$_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = "Member"; Expression = {$_.member -replace ($Domain + "\"),""}}, @{Name = "Url"; Expression = {$Url}},@{Name = "Type"; Expression = {"List"}}}
}
}
)
$ADGroups | where{ -not (($SPGroups | select Member) -match $_.Name)} | select namehttps://gist.github.com/6699783
Requirements
Categories: scripting , SharePointTags: activedirectory , managment , sharepoint
Improve this page
Show statistic for this page