Find dead SharePoint ActiveDirectory Groups

There are three ways to handle access rights in SharePoint:

  • Using ActiveDirectory Groups
  • Using SharePoint Groups
  • Using both of them

I personally recommend using the first option. Managing the access rights in one system is much easier to administer: no switching between systems or logging off for administration work.

In our SharePoint installation I create an Active Directory group for each securable resource and rights type, and assign the organizational groups to it.

A huge disadvantage of this strategy is that after a period of adding Active Directory groups it's hard to know which of those groups are still really required.

I handle this issue with a simple script that collects all Active Directory groups assigned anywhere in SharePoint (webs and lists with unique permissions) and compares them against all Active Directory groups from a specific OU. Groups from the OU that are not assigned anywhere are the candidates for removal.

<pre>Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# NetBIOS name of the domain, i.e. the "DOMAIN" part of "DOMAIN\group"
$Domain = (Get-ADDomain).NetBIOSName

# All AD groups that were created for SharePoint (adjust the OU to your environment)
$ADGroups = Get-ADGroup -Filter "*" -SearchBase "OU=SharePoint,OU=Services,OU=vblusers2,DC=vbl,DC=ch"

# Strips the "DOMAIN\" prefix from a role assignment member.
# -replace uses regular expressions, so the prefix (with its backslash) has to be escaped.
$StripDomain = { $_.Member.Name -replace ("^" + [regex]::Escape($Domain + "\")), "" }

# Every web in the farm; the lists are taken from these webs further down
$Webs = Get-SPSite -Limit All | Get-SPWeb -Limit All

$SPGroups = (
    $Webs | %{
        if($_.HasUniqueRoleAssignments){
            $Url = $_.Url
            $_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = "Member"; Expression = $StripDomain}, @{Name = "Url"; Expression = {$Url}}, @{Name = "Type"; Expression = {"Website"}}}
        }
    }
)+(
    $Webs | %{ $_.Lists } | %{
        if($_.HasUniqueRoleAssignments){
            $Url = ([uri]$_.ParentWeb.Url).Scheme + "://" + ([uri]$_.ParentWeb.Url).Host + $_.DefaultViewUrl
            $_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = "Member"; Expression = $StripDomain}, @{Name = "Url"; Expression = {$Url}}, @{Name = "Type"; Expression = {"List"}}}
        }
    }
)

# AD groups from the OU that are not assigned anywhere in SharePoint.
# The comparison is by exact group name, so "SP_Read" is not mistaken for a match of "SP_ReadWrite".
$UsedGroups = $SPGroups | Select-Object -ExpandProperty Member | Sort-Object -Unique
$ADGroups | Where{ $UsedGroups -notcontains $_.Name } | Select-Object Name</pre>

https://gist.github.com/6699783
