Fix access denied errors for Claims-based authentication sites for users with permissions


Wow this was a fun issue. A web application using Claims-based authentication started giving access denied errors to ALL users after setting the values of the PortalSuperUserAccount and PortalSuperReaderAccount properties of the web application.

I won’t write much because it’s all explained in this excellent blog post by Andras Gaal.

Essentially, if you set up the accounts and give them permission via Web App Policy – you have to assign the account values using the Claims ID (i:0#.w|domain\user), NOT the (domain\user) NTLM ID.

To set the properties, use PowerShell!

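# Get the web application whose object cache accounts need to be set
$webapp = Get-SPWebApplication http://webappurl
# Both values must be the encoded claims ID (i:0#.w|domain\user) on a claims web application
$webapp.Properties["portalsuperuseraccount"] = "<claimsId>"
$webapp.Properties["portalsuperreaderaccount"] = "<claimsId>"
# Persist the property changes
$webapp.Update()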
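
To confirm the fix described above, the following added example (not code from the original post) reports whether each object cache property is in claims format and whether a Web App Policy entry exists under exactly the same identity string. The function name Test-SPObjectCacheAccount is hypothetical, and the Full Control / Full Read role mapping is the standard object cache configuration rather than something stated in the post.

```powershell
# Added example: audit the object cache accounts of a web application.
# Test-SPObjectCacheAccount is a hypothetical helper; http://webappurl is the post's placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPObjectCacheAccount {
    param([Parameter(Mandatory = $true)][string]$Url)

    $webapp = Get-SPWebApplication $Url
    # Property name -> web application policy role the account is expected to hold (assumption)
    $expected = @{
        "portalsuperuseraccount"   = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
        "portalsuperreaderaccount" = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
    }

    foreach ($key in $expected.Keys) {
        $value = [string]$webapp.Properties[$key]

        # On a claims web application the value must be the encoded claim (i:0#.w|domain\user)
        $formatOk = (-not $webapp.UseClaimsAuthentication) -or ($value -like "i:0#.w|*")

        # The policy entry must be stored under exactly the same identity string
        $policy = $webapp.Policies | Where-Object { $_.UserName -eq $value }
        $hasRole = $false
        if ($policy) {
            $hasRole = @($policy.PolicyRoleBindings |
                Where-Object { $_.Type -eq $expected[$key] }).Count -gt 0
        }

        New-Object PSObject -Property @{
            Property    = $key
            Value       = $value
            FormatOk    = $formatOk
            PolicyFound = [bool]$policy
            HasRole     = $hasRole
        }
    }
}

Test-SPObjectCacheAccount -Url "http://webappurl" | Format-Table -AutoSize
```

A row with FormatOk or PolicyFound set to False points at the mismatch between the property value and the policy entry that produces the access denied errors.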

Access Denied while creating Publishing Pages


I ran into one of those weird errors that just kind of gets under your skin because you think you’ve checked everything.

You’ve all seen Access Denied errors in SharePoint, but have you run into the one where users WITH proper permissions get it when trying to create a list item – in this case Publishing Pages? Very bizarre.

I checked all of the usual suspects, permission inheritance, draft items in Style Library, Master Page Gallery, etc. Nothing. But then when I reached out to the search engines just for giggles, I found this post by Gunnar Peipman which gave me exactly what I needed.

The permissions on the Master Page Gallery are unique, and users need at least “Restricted Read” to create pages. What’s frustrating is if you go into Site Permissions and view the Uniquely Secured Content, Master Page Gallery DOES NOT show up in that list. You’d think it would show you all uniquely secured content, but that’s not the case.

Thanks Gunnar for the short post with the fix!

1. Go to Site Actions -> Site Settings -> Modify all site settings
2. Go to Galleries -> Master pages and page layouts
3. From the list toolbar, select Settings -> Document library settings
4. Select permissions for this document library
5. Add ‘Restricted Read’ access to the required groups.
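
Because the Uniquely Secured Content view does not list the Master Page Gallery, the same check can be done from PowerShell. This is an added example, not code from the original post or from Gunnar's; the function name Get-MasterPageGalleryAccess, the URL and the group names are assumptions.

```powershell
# Added example: show what each group is granted on the Master Page Gallery.
# Get-MasterPageGalleryAccess, the URL and the group names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MasterPageGalleryAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string[]]$GroupName
    )

    $web = Get-SPWeb $Url
    try {
        # The Master Page Gallery is the site's master page catalog
        $gallery = $web.GetCatalog([Microsoft.SharePoint.SPListTemplateType]::MasterPageCatalog)

        foreach ($name in $GroupName) {
            # Role assignment held directly by this group on the gallery, if any
            $assignment = $gallery.RoleAssignments | Where-Object { $_.Member.Name -eq $name }
            $roles = @()
            if ($assignment) {
                $roles = @($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name })
            }

            New-Object PSObject -Property @{
                Group              = $name
                GalleryIsUnique    = $gallery.HasUniqueRoleAssignments
                Roles              = ($roles -join ", ")
                MissingFromGallery = ($roles.Count -eq 0)
            }
        }
    }
    finally {
        # Always release the SPWeb, even if the lookup fails
        $web.Dispose()
    }
}

Get-MasterPageGalleryAccess -Url "http://intranet" -GroupName "Intranet Members", "Page Authors" |
    Format-Table -AutoSize
```

Groups reported with MissingFromGallery set to True, or with roles below Restricted Read, are the ones to fix in step 5.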

Remove SharePoint Groups using PowerShell


Disclaimer: This post and function is 100% taken from the book by Gary Lapointe and Shannon Bray entitled “Automating Microsoft SharePoint 2010 Administration with Windows PowerShell 2.0.”

This post goes hand in hand with my two recent posts entitled “Retrieve SharePoint Groups using PowerShell” and “Create SharePoint Groups using PowerShell.”  In those posts, we used PowerShell Functions to retrieve SP Groups and to create SP Groups.  The third piece of the puzzle is Remove-SPGroup.

Again, I have taken the code from Gary and Shannon’s book – however, this function adds comment-based help as well as a confirm prompt.  I thought it would be nice to add the ability to cancel out of the operation, plus it just looks fancy – and I like fancy.

Here’s the Remove-SPGroup function:

function Remove-SPGroup {
<#
.Synopsis
	Use Remove-SPGroup to delete a SharePoint Group.
.Description
	This function uses the Remove() method of the SiteGroups collection of an SPWeb to delete a SharePoint Group.
.Example
	C:\PS>Remove-SPGroup -Web http://intranet -Group "Test Group"
	This example removes a group called "Test Group" in the http://intranet site.
.Example
	C:\PS>$web = Get-SPWeb http://intranet
	C:\PS>$group = Get-SPGroup -Web $web -Group "Test Group"
	C:\PS>Remove-SPGroup $web $group
	This example also removes a group called "Test Group" from the http://intranet site, but this example uses $web and $group variables.
.Notes
	Name: Remove-SPGroup
	Author: Ryan Dennis
	Last Edit: July 18th 2011
	Keywords: Remove-SPGroup
.Link
	http://www.sharepointryan.com
 	http://twitter.com/SharePointRyan
.Inputs
	None
.Outputs
	None
#Requires -Version 2.0
#>
[CmdletBinding()]
	Param(
	[Microsoft.SharePoint.PowerShell.SPWebPipeBind]$Web,
	[string]$Group
	)
$SPWeb = $Web.Read()
# Prompting code
$title = "Delete SharePoint Group"
$message = "Do you want to delete the SharePoint Group?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Deletes the SharePoint Group."
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Cancels and keeps the SharePoint Group."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $Host.UI.PromptForChoice($title,$message,$options,0)
switch ($result)
{
	0 {"Deleting $($Group) Group."}
	1 {"Operation cancelled..."}
}
# End Prompting code
if ($result -eq 0){
$SPWeb.SiteGroups.Remove($Group)
}
# Dispose the SPWeb whether or not the group was deleted
$SPWeb.Dispose()
}

Create SharePoint Groups using PowerShell


Disclaimer: This post and function is 100% taken from the book by Gary Lapointe and Shannon Bray entitled “Automating Microsoft SharePoint 2010 Administration with Windows PowerShell 2.0.”

This post goes hand in hand with my recent post called “Retrieve SharePoint Groups using PowerShell.”  In that post, we used a simple PowerShell Function to retrieve an SP Group and return the object in our command window.  In this function, we’re going to take the work a step further – we will use our function to create a new SharePoint Group.

Again, I have taken the code from Gary and Shannon’s book – the only addition I have made is comment-based help.  Since I intend to use these functions, I like to have help so I can go back and see examples and things like that.

The function provided in the book is very nice: it consists of 5 parameters and has some built-in error handling. For example, if the group already exists, it will tell you so…

I have tested this a few times, and the function works great!

Without further ado, here’s the function:

function New-SPGroup {
<#
.Synopsis
	Use New-SPGroup to create a SharePoint Group.
.Description
	This function uses the Add() method of the SiteGroups collection of an SPWeb to create a SharePoint Group, then adds the group to the RoleAssignments of the SPWeb.
.Example
	C:\PS>New-SPGroup -Web http://intranet -GroupName "Test Group" -OwnerName DOMAIN\User -MemberName DOMAIN\User2 -Description "My Group"
	This example creates a group called "Test Group" in the http://intranet site, with a description of "My Group".  The owner is DOMAIN\User and the first member of the group is DOMAIN\User2.
.Notes
	Name: New-SPGroup
	Author: Ryan Dennis
	Last Edit: July 18th 2011
	Keywords: New-SPGroup
.Link
	http://www.sharepointryan.com
 	http://twitter.com/SharePointRyan
.Inputs
	None
.Outputs
	None
#Requires -Version 2.0
#>
	[CmdletBinding()]
	Param(
	[Microsoft.SharePoint.PowerShell.SPWebPipeBind]$Web,
	[string]$GroupName,
	[string]$OwnerName,
	[string]$MemberName,
	[string]$Description
	)
	$SPWeb = $Web.Read()
	if ($SPWeb.SiteGroups[$GroupName] -ne $null){
		# Release the SPWeb before bailing out
		$SPWeb.Dispose()
		throw "Group $GroupName already exists!"
	}
	if ($SPWeb.Site.WebApplication.UseClaimsAuthentication){
		$op = New-SPClaimsPrincipal $OwnerName -IdentityType WindowsSamAccountName
		$mp = New-SPClaimsPrincipal $MemberName -IdentityType WindowsSamAccountName
		$owner = $SPWeb | Get-SPUser $op
		$member = $SPWeb | Get-SPUser $mp
	}
	else {
	$owner = $SPWeb | Get-SPUser $OwnerName
	$member = $SPWeb | Get-SPUser $MemberName
	}
$SPWeb.SiteGroups.Add($GroupName, $owner, $member, $Description)
$SPGroup = $SPWeb.SiteGroups[$GroupName]
$SPWeb.RoleAssignments.Add($SPGroup)
$SPWeb.Dispose()
return $SPGroup
}

Retrieve SharePoint Groups using PowerShell


Disclaimer: This post and function is 100% taken from the book by Gary Lapointe and Shannon Bray entitled “Automating Microsoft SharePoint 2010 Administration with Windows PowerShell 2.0.”

As I frequently do when I’m looking for a topic to blog about, I reach for my favorite tool – PowerShell. Over the weekend I was reading some of the aforementioned book and I came across a set of tasks which do not have corresponding cmdlets out-of-the-box.

There are a set of functions described in Chapter 8 – Managing Site Collections and Sites which can be created and used to manage SharePoint Groups. There are 3 functions: Get-SPGroup, New-SPGroup and Remove-SPGroup. This post will only focus on the first and easiest, Get-SPGroup.

The Get-SPGroup function is pretty simple, and other than my obligatory comment-based help (which accounts for 23 of the 33 lines 🙂 ) – this function is very short.

Essentially all it’s doing is obtaining the SiteGroups collection property from an SPWeb object and returning the information on the property.

Here’s the function:

function Get-SPGroup {
<#
.Synopsis
	Use Get-SPGroup to retrieve a SharePoint Group.
.Description
	This function uses the SiteGroups collection property of an SPWeb object to return a specific group and its properties.
.Example
	C:\PS>Get-SPGroup -Web http://intranet -Group "Members"
	This example retrieves the properties of the "Members" group in the http://intranet site.
.Notes
	Name: Get-SPGroup
	Author: Ryan Dennis
	Last Edit: July 18th 2011
	Keywords: Get-SPGroup
.Link
	http://www.sharepointryan.com
 	http://twitter.com/SharePointRyan
.Inputs
	None
.Outputs
	None
#Requires -Version 2.0
#>
	[CmdletBinding()]
	Param(
	[Microsoft.SharePoint.PowerShell.SPWebPipeBind]$Web,
	[string]$Group
	)
$SPWeb = $Web.Read()
$SPGroup = $SPWeb.SiteGroups[$Group]
$SPWeb.Dispose()
return $SPGroup
}

I’ll soon be posting the other two functions…

RD