
PowerShell

SharePoint Powershell Commands


This blog is based on SharePoint 2013 PowerShell Commands. Please visit my other blog which contains SharePoint Documentation.

WSS_WPG File Permissions

Windows Server Posted on Tue, June 28, 2016 05:28:00

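<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the WSS_WPG file permissions.

For every folder listed below, one explicit Allow rule for WSS_WPG is
written to the folder's access control list. Inheritance settings and the
entries of other accounts are left untouched.

Each entry's comment gives the path, the permission and a Yes/No flag
(presumably the "inherited" column of the reference table - confirm).

====================================================================#>

Write-Host ""
Write-Host "=============================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the WSS_WPG group…"
Write-Host "=============================================================================="
Write-Host ""

$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

<#
.SYNOPSIS
    Writes one explicit Allow rule for an identity on a file or folder.
.PARAMETER Path
    File or folder whose access control list is updated.
.PARAMETER Identity
    Account or group name the rule is granted to.
.PARAMETER Rights
    FileSystemRights value(s), for example 'Read' or 'ReadAndExecute, Read'.
.PARAMETER Inheritance
    InheritanceFlags value(s) for the rule.
.PARAMETER Propagation
    PropagationFlags value for the rule.
#>
function Set-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Rights,
        [string]$Inheritance = 'ContainerInherit,ObjectInherit',
        [string]$Propagation = 'None'
    )

    # A missing folder is reported and skipped instead of producing a chain of errors.
    if (-not (Test-Path $Path)) {
        Write-Warning "Skipping '$Path': path not found."
        return
    }

    # Load only the access-rule (DACL) section of the security descriptor.
    # No SetAccessRuleProtection call is made: inherited entries stay in place.
    # Switching inheritance off without preserving the inherited entries would
    # drop every inherited rule, including those of administrators.
    $acl = (Get-Item $Path).GetAccessControl('Access')

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inheritance, $Propagation, 'Allow')

    # SetAccessRule replaces any existing explicit Allow rules of this identity.
    $acl.SetAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

# NOTE(review): 'InheritOnly' makes a rule apply to child items only, not to
# the folder itself. It is used below wherever the flag is "Yes"; confirm that
# this is the intended reading of the flag.

# %AllUsersProfile%\Microsoft\SharePoint
# Permission: Read; flag: No
# This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
Set-FolderAccessRule -Path (Join-Path $AllUsersProfile 'Microsoft\SharePoint') -Identity 'WSS_WPG' -Rights 'Read'

# C:\Inetpub\wwwroot\wss
# Permission: Read, execute; flag: No
# This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
Set-FolderAccessRule -Path 'C:\Inetpub\wwwroot\wss' -Identity 'WSS_WPG' -Rights 'ReadAndExecute, Read'

# %ProgramFiles%\Microsoft Office Servers\15.0
# Permission: Read, execute; flag: No
# This directory is the installation location for the SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load SharePoint 2013 binaries.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0') -Identity 'WSS_WPG' -Rights 'ReadAndExecute, Read'

# %ProgramFiles%\Microsoft Office Servers\15.0\WebServices
# Permission: Read; flag: No
# This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\WebServices') -Identity 'WSS_WPG' -Rights 'Read'

# %ProgramFiles%\Microsoft Office Servers\15.0\Logs
# Permission: Read, write; flag: Yes
# This directory is the location where the runtime diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Logs') -Identity 'WSS_WPG' -Rights 'Read, Write' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
# Permission: Read; flag: Yes
# This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\ADMISAPI') -Identity 'WSS_WPG' -Rights 'Read' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
# Permission: Read; flag: Yes
# This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\CONFIG') -Identity 'WSS_WPG' -Rights 'Read' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Permission: Modify; flag: No
# This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'microsoft shared\Web Server Extensions\15\LOGS') -Identity 'WSS_WPG' -Rights 'Modify'

# %windir%\temp
# Permission: Read; flag: Yes
# This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations may fail.
Set-FolderAccessRule -Path (Join-Path $Windir 'Temp') -Identity 'WSS_WPG' -Rights 'Read' -Propagation 'InheritOnly'

# %windir%\System32\logfiles\SharePoint
# Permission: Read; flag: No
# This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
# The registry key applies only to SharePoint Server.
$UsageLogPath = Join-Path $Windir 'System32\logfiles\SharePoint'
# Create the folder first so the rule can be applied on a fresh server.
mkdir $UsageLogPath -Force
Set-FolderAccessRule -Path $UsageLogPath -Identity 'WSS_WPG' -Rights 'Read'

# %systemdrive%\program files\Microsoft Office Servers\15.0
# Permission: Read, execute; flag: Not Applicable
# The permission is granted for %systemdrive\program files\Microsoft Office Servers\15 folder on Index servers.
# On a default install this is the same folder as the %ProgramFiles% entry
# above. Because the new rule replaces the earlier one, it must also carry
# execute; a plain 'Read' here would take execute away from WSS_WPG again.
Set-FolderAccessRule -Path (Join-Path $Systemdrive 'Program Files\Microsoft Office Servers\15.0') -Identity 'WSS_WPG' -Rights 'ReadAndExecute, Read'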



WSS_ADMIN_WPG File Permissions

Windows Server Posted on Tue, June 28, 2016 05:26:42

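<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the WSS_ADMIN_WPG file permissions.

For every path listed below, one explicit Allow rule for WSS_ADMIN_WPG is
written to the path's access control list. Inheritance settings and the
entries of other accounts are left untouched.

Each entry's comment gives the path, the permission and a Yes/No flag
(presumably the "inherited" column of the reference table - confirm).

====================================================================#>

Write-Host ""
Write-Host "=========================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the WSS_ADMIN_WPG group…"
Write-Host "=========================================================================="
Write-Host ""

$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

<#
.SYNOPSIS
    Writes one explicit Allow rule for an identity on a file or folder.
.PARAMETER Path
    File or folder whose access control list is updated.
.PARAMETER Identity
    Account or group name the rule is granted to.
.PARAMETER Rights
    FileSystemRights value(s), for example 'FullControl' or 'Read, Write'.
.PARAMETER Inheritance
    InheritanceFlags value(s) for the rule; 'None' for a single file.
.PARAMETER Propagation
    PropagationFlags value for the rule.
#>
function Set-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Rights,
        [string]$Inheritance = 'ContainerInherit,ObjectInherit',
        [string]$Propagation = 'None'
    )

    # A missing path is reported and skipped instead of producing a chain of errors.
    if (-not (Test-Path $Path)) {
        Write-Warning "Skipping '$Path': path not found."
        return
    }

    # Load only the access-rule (DACL) section of the security descriptor.
    # No SetAccessRuleProtection call is made: inherited entries stay in place.
    # Switching inheritance off without preserving the inherited entries would
    # drop every inherited rule, including those of administrators.
    $acl = (Get-Item $Path).GetAccessControl('Access')

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inheritance, $Propagation, 'Allow')

    # SetAccessRule replaces any existing explicit Allow rules of this identity.
    $acl.SetAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

# NOTE(review): 'InheritOnly' makes a rule apply to child items only, not to
# the folder itself. It is used below wherever the flag is "Yes"; confirm that
# this is the intended reading of the flag.

# %AllUsersProfile%\Microsoft\SharePoint
# Permission: Full control; flag: No
# This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
Set-FolderAccessRule -Path (Join-Path $AllUsersProfile 'Microsoft\SharePoint') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# C:\Inetpub\wwwroot\wss
# Permission: Full control; flag: No
# This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
Set-FolderAccessRule -Path 'C:\Inetpub\wwwroot\wss' -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %ProgramFiles%\Microsoft Office Servers\15.0
# Permission: Full control; flag: No
# This directory is the installation location for SharePoint 2013 binaries and data. The directory can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation. Membership in the WSS_ADMIN_WPG Windows security group is required for some SharePoint 2013 services to be able to store data on disk.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %ProgramFiles%\Microsoft Office Servers\15.0\WebServices
# Permission: Read, write; flag: No
# This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\WebServices') -Identity 'WSS_ADMIN_WPG' -Rights 'Read, Write'

# %ProgramFiles%\Microsoft Office Servers\15.0\Data
# Permission: Full control; flag: No
# This directory is the root location where local data is stored, including search indexes. Search functionality will fail if this directory is removed or altered. WSS_ADMIN_WPG Windows security group permissions are required to enable search to save and secure data in this folder.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Data') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %ProgramFiles%\Microsoft Office Servers\15.0\Logs
# Permission: Full control; flag: Yes
# This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Logs') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl' -Propagation 'InheritOnly'

# %ProgramFiles%\Microsoft Office Servers\15.0\Data\Office Server
# Permission: Full control; flag: Yes
# Same as the parent folder.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Data\Office Server') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl' -Propagation 'InheritOnly'

# %windir%\System32\drivers\etc\HOSTS
# Permission: Read, write; flag: Not Applicable
# HOSTS is a single file, so the rule carries no inheritance flags.
# Write access here lets group members change local name resolution; keep
# WSS_ADMIN_WPG membership small and audited.
Set-FolderAccessRule -Path (Join-Path $Windir 'System32\drivers\etc\hosts') -Identity 'WSS_ADMIN_WPG' -Rights 'Read, Write' -Inheritance 'None'

# %windir%\Tasks
# Permission: Full control; flag: Not Applicable
# Full control here lets group members create and change task files; the
# same membership caution applies.
Set-FolderAccessRule -Path (Join-Path $Windir 'Tasks') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15
# Permission: Modify; flag: Yes
# This directory is the installation directory for core SharePoint 2013 files. If the access control list (ACL) is modified, feature activation, solution deployment, and other features will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15') -Identity 'WSS_ADMIN_WPG' -Rights 'Modify' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
# Permission: Full control; flag: Yes
# This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\ADMISAPI') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
# Permission: Full control; flag: Yes
# This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\CONFIG') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Permission: Full control; flag: No
# This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\LOGS') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %windir%\temp
# Permission: Full control; flag: Yes
# This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering and other deserialization operations might fail.
Set-FolderAccessRule -Path (Join-Path $Windir 'temp') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl' -Propagation 'InheritOnly'

# %windir%\System32\logfiles\SharePoint
# Permission: Full control; flag: No
# This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
# This registry key applies only to SharePoint Server.
$UsageLogPath = Join-Path $Windir 'System32\logfiles\SharePoint'
# Create the folder first so the rule can be applied on a fresh server.
mkdir $UsageLogPath -Force
Set-FolderAccessRule -Path $UsageLogPath -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'

# %systemdrive%\program files\Microsoft Office Servers\15.0
# Permission: Full control; flag: Not Applicable
# This permission is granted for a %systemdrive\program files\Microsoft Office Servers\15 folder on Index servers.
# On a default install this is the same folder as the %ProgramFiles% entry above.
Set-FolderAccessRule -Path (Join-Path $Systemdrive 'program files\Microsoft Office Servers\15.0') -Identity 'WSS_ADMIN_WPG' -Rights 'FullControl'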



Users Group File Permissions

Windows Server Posted on Tue, June 28, 2016 05:13:05

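<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the Users Group file permissions.

For every folder listed below, one explicit Allow rule for BUILTIN\Users
is written to the folder's access control list. Inheritance settings and
the entries of other accounts are left untouched.

All four folders are processed; the script does not stop after the first.

Each entry's comment gives the path, the permission and a Yes/No flag
(presumably the "inherited" column of the reference table - confirm).

====================================================================#>

Write-Host ""
Write-Host "=================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the Users Group…"
Write-Host "=================================================================="
Write-Host ""

$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}
$Computername = ${env:computername}

# The built-in local Users group; every rule below is granted to it.
$localUsers = "BUILTIN\Users"

<#
.SYNOPSIS
    Writes one explicit Allow rule for an identity on a file or folder.
.PARAMETER Path
    File or folder whose access control list is updated.
.PARAMETER Identity
    Account or group name the rule is granted to.
.PARAMETER Rights
    FileSystemRights value(s), for example 'ReadAndExecute' or 'Read, Write'.
.PARAMETER Inheritance
    InheritanceFlags value(s) for the rule.
.PARAMETER Propagation
    PropagationFlags value for the rule.
#>
function Set-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Rights,
        [string]$Inheritance = 'ContainerInherit,ObjectInherit',
        [string]$Propagation = 'None'
    )

    # A missing folder is reported and skipped instead of producing a chain of errors.
    if (-not (Test-Path $Path)) {
        Write-Warning "Skipping '$Path': path not found."
        return
    }

    # Load only the access-rule (DACL) section of the security descriptor.
    # No SetAccessRuleProtection call is made: inherited entries stay in place.
    # Switching inheritance off without preserving the inherited entries would
    # drop every inherited rule, including those of administrators.
    $acl = (Get-Item $Path).GetAccessControl('Access')

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inheritance, $Propagation, 'Allow')

    # SetAccessRule replaces any existing explicit Allow rules of this identity.
    $acl.SetAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

# %ProgramFiles%\Microsoft Office Servers\15.0
# Permission: Read, execute; flag: No
# This directory is the installation location for SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0') -Identity $localUsers -Rights 'ReadAndExecute'

# %ProgramFiles%\Microsoft Office Servers\15.0\WebServices\Root
# Permission: Read, execute; flag: No
# This directory is the root directory where back-end root Web services are hosted. The only service initially installed on this directory is a search global administration service. Some search administration functionality that uses the server-specific Central Administration Settings page will not work if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\WebServices\Root') -Identity $localUsers -Rights 'ReadAndExecute'

# %ProgramFiles%\Microsoft Office Servers\15.0\Logs
# Permission: Read, write; flag: Yes
# This directory is the location where the run-time diagnostic logging is generated. Logging will not function properly if this directory is removed or altered.
# NOTE(review): this gives every local user write access to the log folder
# and its children; confirm the farm needs it before running on production.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Logs') -Identity $localUsers -Rights 'Read, Write'

# %ProgramFiles%\Microsoft Office Servers\15.0\Bin
# Permission: Read, execute; flag: No
# This directory is the installed location of SharePoint 2013 binaries. All of the SharePoint 2013 functionality will fail if this directory is removed or altered.
Set-FolderAccessRule -Path (Join-Path $ProgramFiles 'Microsoft Office Servers\15.0\Bin') -Identity $localUsers -Rights 'ReadAndExecute'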



Local System File Permissions

Windows Server Posted on Tue, June 28, 2016 05:11:35

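<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the local system file permissions.

For every folder listed below, one explicit Allow rule for the System
account is written to the folder's access control list. Inheritance
settings and the entries of other accounts are left untouched.

Each entry's comment gives the path, the permission and a Yes/No flag
(presumably the "inherited" column of the reference table - confirm).

====================================================================#>

Write-Host ""
Write-Host "==================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the local system…"
Write-Host "==================================================================="
Write-Host ""

$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

<#
.SYNOPSIS
    Writes one explicit Allow rule for an identity on a file or folder.
.PARAMETER Path
    File or folder whose access control list is updated.
.PARAMETER Identity
    Account or group name the rule is granted to.
.PARAMETER Rights
    FileSystemRights value(s), for example 'FullControl'.
.PARAMETER Inheritance
    InheritanceFlags value(s) for the rule.
.PARAMETER Propagation
    PropagationFlags value for the rule.
#>
function Set-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Rights,
        [string]$Inheritance = 'ContainerInherit,ObjectInherit',
        [string]$Propagation = 'None'
    )

    # A missing folder is reported and skipped instead of producing a chain of errors.
    if (-not (Test-Path $Path)) {
        Write-Warning "Skipping '$Path': path not found."
        return
    }

    # Always read the descriptor of the folder being changed, so a rule can
    # never be built on a descriptor left over from the previous folder.
    # Only the access-rule (DACL) section is loaded, and no
    # SetAccessRuleProtection call is made: inherited entries stay in place.
    $acl = (Get-Item $Path).GetAccessControl('Access')

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inheritance, $Propagation, 'Allow')

    # SetAccessRule replaces any existing explicit Allow rules of this identity.
    $acl.SetAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

# NOTE(review): 'InheritOnly' makes a rule apply to child items only, not to
# the folder itself. It is used below wherever the flag is "Yes"; confirm that
# this is the intended reading of the flag.

# %AllUsersProfile%\Microsoft\SharePoint
# Permission: Full control; flag: No
# This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
Set-FolderAccessRule -Path (Join-Path $AllUsersProfile 'Microsoft\SharePoint') -Identity 'System' -Rights 'FullControl'

# C:\Inetpub\wwwroot\wss
# Permission: Full control; flag: No
# This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
Set-FolderAccessRule -Path 'C:\Inetpub\wwwroot\wss' -Identity 'System' -Rights 'FullControl'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
# Permission: Full control; flag: Yes
# This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'microsoft shared\Web Server Extensions\15\ADMISAPI') -Identity 'System' -Rights 'FullControl' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
# Permission: Full control; flag: Yes
# If this directory or its contents are altered, Web Application provisioning will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'microsoft shared\Web Server Extensions\15\CONFIG') -Identity 'System' -Rights 'FullControl' -Propagation 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Permission: Full control; flag: No
# This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
Set-FolderAccessRule -Path (Join-Path $CommonProgramFiles 'microsoft shared\Web Server Extensions\15\LOGS') -Identity 'System' -Rights 'FullControl'

# %windir%\temp
# Permission: Full control; flag: Yes
# This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations might fail.
Set-FolderAccessRule -Path (Join-Path $Windir 'Temp') -Identity 'System' -Rights 'FullControl' -Propagation 'InheritOnly'

# %windir%\System32\logfiles\SharePoint
# Permission: Full control; flag: No
# This directory is used by SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly.
# This registry key applies only to SharePoint Server.
$UsageLogPath = Join-Path $Windir 'System32\logfiles\SharePoint'
# Create the folder first so the rule can be applied on a fresh server.
mkdir $UsageLogPath -Force
Set-FolderAccessRule -Path $UsageLogPath -Identity 'System' -Rights 'FullControl'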



Local File Permissions

Windows Server Posted on Tue, June 28, 2016 05:10:05

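<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the Local file permissions.

====================================================================#>

Write-Host ""
Write-Host "============================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the local …"
Write-Host "============================================================="
Write-Host ""

# Base locations taken from the environment of the account running the script.
$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

# %ProgramFiles%\Microsoft Office Servers\15.0\Bin
# Read, execute No
# This directory is the installed location of the SharePoint 2013 binaries. All the SharePoint 2013 functionality will fail if this directory is removed or altered.
#
# NOTE(review): the heading above names the SharePoint Bin folder and "Read, execute", but
# the code below targets %windir%\temp and grants 'Read'. One of the two is wrong; confirm
# the intended folder and right before running this.
$FolderPath = $Windir + "\temp"

# Read only the access rules of the folder. Presumably this is used instead of Get-Acl
# so that Set-Acl does not also try to rewrite the owner - confirm.
$Acl = (Get-Item $FolderPath).GetAccessControl('Access')

# NOTE(review): the original first ran Get-Acl and SetAccessRuleProtection($True, $False),
# then replaced that object with the GetAccessControl() result above, so inheritance was
# never disabled. Both dead steps are dropped to keep the effective behaviour unchanged.
# Really protecting the ACL means making the call on the object handed to Set-Acl; with
# $False as the second argument it discards every inherited entry, so each account that
# still needs access must first have an explicit rule.

# NOTE(review): "Local" is resolved by Windows when the rule is created. It may map to the
# well-known LOCAL group rather than to the LOCAL SERVICE account - confirm which principal
# was intended.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Local", 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($rule)

Set-Acl -Path $FolderPath -AclObject $Acl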



All SharePoint Service Accounts File Permissions

Windows Server Posted on Tue, June 28, 2016 05:09:25

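<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the SharePoint Service Account Group file permissions.

====================================================================#>

Write-Host ""
Write-Host "======================================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the SharePoint Service Account Group…"
Write-Host "======================================================================================="
Write-Host "Not Completed"

# Base locations taken from the environment of the account running the script.
$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Modify No Inheritance
# This directory contains setup and runtime tracing logs. If this directory is altered, diagnostic logging will not function correctly. All SharePoint 2013 service accounts must have write permission to this directory.
$FolderPath = $CommonProgramFiles + "\Microsoft Shared\Web Server Extensions\15\LOGS"

# Read only the access rules of the folder. Presumably this is used instead of Get-Acl
# so that Set-Acl does not also try to rewrite the owner - confirm.
$Acl = (Get-Item $FolderPath).GetAccessControl('Access')

# NOTE(review): the original first ran Get-Acl and SetAccessRuleProtection($True, $False),
# then replaced that object with the GetAccessControl() result above, so inheritance was
# never disabled. Both dead steps are dropped to keep the effective behaviour unchanged.
# Really protecting the ACL means making the call on the object handed to Set-Acl; with
# $False as the second argument it discards every inherited entry, so each account that
# still needs access must first have an explicit rule.

# "xxx_SP_ServiceAccounts" looks like a placeholder for the real service-account group;
# the rule cannot be created unless the name resolves to an existing account or group.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("xxx_SP_ServiceAccounts", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($rule)

Set-Acl -Path $FolderPath -AclObject $Acl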



Administrators File Permissions

Windows Server Posted on Tue, June 28, 2016 05:07:34

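<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the administrators file permissions: it adds an
explicit Allow / Full control rule for the local Administrators group
to each SharePoint 2013 folder listed below.

====================================================================#>

Write-Host ""
Write-Host "=============================================================================="
Write-Host "SharePoint 2013 – Updating file permissions for the local Administors group…"
Write-Host "=============================================================================="
Write-Host ""

# Base locations taken from the environment of the account running the script.
$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

# The usage-logging folder may not exist yet; create it before its ACL is read.
# -force makes the call succeed when the folder is already there.
mkdir ($windir + "\System32\logfiles\SharePoint") -force

# One entry per folder, processed in the order of the original script.
# Propagation 'None'        : the rule applies to the folder, its subfolders and its files.
# Propagation 'InheritOnly' : the rule applies to subfolders and files only, not to the
#                             folder itself.
# The "Full control Yes/No" headings are kept from the original; presumably they are the
# "permission" and "inherited" columns of the source table - confirm.
# NOTE(review): "Yes" looks like it was mapped to InheritOnly; confirm that Administrators
# are not meant to get an entry on those folders themselves as well.
$AdminTargets = @(
    # %AllUsersProfile%\Microsoft\SharePoint - Full control No
    # This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
    @{ Path = $AllUsersProfile + "\Microsoft\SharePoint"; Propagation = 'None' }

    # C:\Inetpub\wwwroot\wss - Full Control No
    # This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS web site paths are provided for all IIS web sites that are extended with SharePoint 2013.
    @{ Path = "C:\Inetpub\wwwroot\wss"; Propagation = 'None' }

    # %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI - Full control Yes
    # This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
    # NOTE(review): heading says "Yes" but the original used 'None' here, unlike CONFIG and temp - confirm.
    @{ Path = $CommonProgramFiles + "\microsoft shared\Web Server Extensions\15\ADMISAPI"; Propagation = 'None' }

    # %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG - Full control Yes
    # If this directory or its contents are altered, web application provisioning will not function correctly.
    @{ Path = $CommonProgramFiles + "\microsoft shared\Web Server Extensions\15\CONFIG"; Propagation = 'InheritOnly' }

    # %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS - Full control No
    # This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
    @{ Path = $CommonProgramFiles + "\microsoft shared\Web Server Extensions\15\LOGS"; Propagation = 'None' }

    # %windir%\temp - Full control Yes
    # This directory is used by platform components on which SharePoint 2013 depends. If the ACL is modified, Web Part rendering, and other deserialization operations might fail.
    @{ Path = $windir + "\temp"; Propagation = 'InheritOnly' }

    # %windir%\System32\logfiles\SharePoint - Full control No
    # This directory is used by SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly.
    # The source text notes that this entry applies only to SharePoint Server (it said
    # "registry key", although the target here is a directory).
    @{ Path = $windir + "\System32\logfiles\SharePoint"; Propagation = 'None' }
)

# NOTE(review): for every folder the original first ran Get-Acl and
# SetAccessRuleProtection($True, $False), then replaced that object with the
# GetAccessControl() result, so inheritance was never disabled. Both dead steps are dropped
# to keep the effective behaviour unchanged. Really protecting an ACL means making the call
# on the object handed to Set-Acl; with $False as the second argument it discards every
# inherited entry, so each account that still needs access must first have an explicit rule.
foreach ($Target in $AdminTargets)
{
    $FolderPath = $Target.Path

    # Read only the access rules of the folder. Presumably this is used instead of Get-Acl
    # so that Set-Acl does not also try to rewrite the owner - confirm.
    $Acl = (Get-Item $FolderPath).GetAccessControl('Access')

    # "Administrators" is resolved by name when the rule is created.
    # NOTE(review): on a Windows installation where the built-in group has a localized
    # name this lookup may fail - verify on the target servers.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", 'FullControl', 'ContainerInherit,ObjectInherit', $Target.Propagation, 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}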



Adds SharePoint Administrators to the local administrator Group

Windows Server Posted on Mon, June 27, 2016 17:38:28

<#====================================================================

Copyright © 2015, September. Michael Pomfret

Adds a number of SharePoint Administrators to the local administrator Group

1. Function to check for the existence of Local group.

2. function to create the local group

====================================================================#>

# Reports whether a local user account with the given name exists on this computer.
#   $userName - account name to look for
# Returns $true when one of the computer's "User" objects carries that name, else $false.
function LocalUserExist($userName)
{
    # Bind to the local machine through the WinNT provider.
    $machine = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"

    # Names of all child objects whose schema class is "User".
    $localUserNames = $machine.psbase.children |
        Where-Object { $_.psBase.schemaClassName -eq "User" } |
        Select-Object -expand Name

    return ($localUserNames -contains $userName)
}

# Reports whether a local group with the given name exists on this computer.
#   $groupName - group name to look for
# Returns the result of [ADSI]::Exists for the group's WinNT path.
function LocalGroupExist($groupName)
{
    $groupPath = "WinNT://$Env:COMPUTERNAME/$groupName,group"
    return [ADSI]::Exists($groupPath)
}

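# Creates a local user account unless an account with that name already exists.
#   $userName - name of the account to create
#   $password - initial password, passed as a plain string
# Writes "User : <name> already exist." to the output when the account is already there.
#
# NOTE(review): the password arrives as plain text, so it can end up in transcripts or
# command history - consider whether a SecureString or a prompt is more appropriate.
function CreateLocalUser($userName,$password)
{
    $userExist = LocalUserExist($userName)

    if($userExist -eq $false)
    {
        # Bind the local computer here. The original used $Computer without defining it in
        # this function, so it only worked when the caller happened to have set one.
        $Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"

        $User = $Computer.Create("User", $userName)
        $User.SetPassword($password)
        $User.SetInfo()

        # "Full Name" is a fixed placeholder value, not derived from $userName.
        $User.FullName = "Full Name"
        $User.SetInfo()

        # 64 + 65536 = ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD.
        # NOTE(review): the account gets a password that never expires and that its owner
        # cannot change - confirm this matches the password policy for the account.
        $User.UserFlags = 64 + 65536
        $User.SetInfo()
    }
    else
    {
        "User : $userName already exist."
    }
}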

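# Creates a local group unless a group with that name already exists.
#   $groupName - name of the group to create; also used as its description
# Writes "Group : <name> already exist." to the output when the group is already there.
function CreateLocalGroup($groupName)
{
    $groupExist = LocalGroupExist($groupName)

    if($groupExist -eq $false)
    {
        # Bind the local computer here. The original used $Computer without defining it in
        # this function, so it only worked when the caller happened to have set one.
        $Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"

        $Group = $Computer.Create("Group", $groupName)
        $Group.SetInfo()

        $Group.Description = $groupName
        $Group.SetInfo()
    }
    else
    {
        "Group : $groupName already exist."
    }
}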

# Reports whether a local group on this computer has a member with the given name.
#   $groupName  - local group to inspect
#   $memberName - member name to look for
# Returns $true when one of the members' Name properties equals $memberName, else $false.
# NOTE(review): only the Name property is compared; whether that tells a domain account
# apart from a same-named local account is not visible here - verify.
function CheckGroupMember($groupName,$memberName)
{
    $localGroup = [ADSI]"WinNT://$Env:COMPUTERNAME/$groupName"

    # @() keeps the result an array even when the group has a single member.
    $memberObjects = @($localGroup.psbase.Invoke("Members"))

    # The members come back as COM objects; read each one's Name through reflection.
    $names = $memberObjects | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }

    return ($names -contains $memberName)
}

# Adds a user of this computer to a local group unless it is already a member.
#   $groupName - local group to add to
#   $userName  - user to add; looked up under this computer's WinNT path
function AddUserToGroup ($groupName, $userName)
{
    $alreadyMember = CheckGroupMember $groupName $userName

    # Nothing to do when the membership is already in place.
    if ($alreadyMember -ne $false)
    {
        return
    }

    $group = [ADSI]"WinNT://$Env:COMPUTERNAME/$groupName"
    $user = [ADSI]"WinNT://$Env:COMPUTERNAME/$userName"
    $group.Add($user.Path)
}

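Write-Host "Windows Server 2012 – Adding SharePoint Setup Administrator to local administrators group"

# Account to add and the local group it goes into. "xxx_SP_Farm" and the domain "AD" below
# look like placeholders for the real account and domain names.
# NOTE(review): membership of the local Administrators group gives the account full control
# of the server - confirm this is the setup account and whether the membership should be
# removed again once provisioning is finished.
$ADusername = "xxx_SP_Farm"
$groupName = "Administrators"

# PowerShell passes function arguments separated by spaces. The original wrote
# CheckGroupMember($groupName,$ADusername)-eq $false, which hands both names to the first
# parameter as one array and turns "-eq $false" into further arguments, so the membership
# was never tested correctly.
if (-not (CheckGroupMember $groupName $ADusername))
{
    $domain = "AD"
    $strComputer = $env:computername
    $username = $ADusername

    $computer = [ADSI]("WinNT://" + $strComputer + ",computer")

    # Echo the computer name to the output.
    $computer.name

    $Group = $computer.psbase.children.find($groupName)

    # Echo the group name to the output.
    $Group.name

    # Add the domain account by its WinNT path.
    $Group.Add("WinNT://" + $domain + "/" + $username)
}
else
{
    "Username : $ADusername already exist."
}

# Keep the console window open until a key is pressed.
cmd.exe /c pause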


