
PowerShell

SharePoint Powershell Commands


This blog is based on SharePoint 2013 PowerShell Commands. Please visit my other blog which contains SharePoint Documentation.

Create App Management Service

Service Applications Posted on Tue, June 28, 2016 07:09:25

<#====================================================================

Copyright © 2015, September. Michael Pomfret

Creates the Service Applications\App Management Service

Allows you to install apps from the internal App Catalog or the public SharePoint Store.

Read more: http://technet.microsoft.com/en-us/library/fp161236(v=office.15).aspx

====================================================================#>

# Load the SharePoint snap-in when it is not already registered in this session,
# so the SharePoint cmdlets can be used from a plain Windows PowerShell window.
$loadedSnapin = Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }
if ($null -eq $loadedSnapin)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

# Runs the script file at $strFileName if it exists; otherwise only reports that it is missing.
# Despite the name, nothing is imported as a module: the file is executed with the call operator.
#   $strFileName - path of the .ps1 file to execute.
# Anything the script writes to the pipeline is passed through to the caller.
# The file runs with the full rights of whoever runs this script, so the path must only be
# writable by administrators.
# NOTE(review): '&' runs the file in a child scope; variables it assigns reach the caller only
# if the file declares them with global scope. GetVariables.ps1 is not shown - confirm.
function Add-Module($strFileName)
{
    Write-Host "Attempting to run " $strFileName
    if (-not (Test-Path $strFileName))
    {
        # Missing file: report and return; the caller is not stopped.
        Write-Host "Cannot locate" $strFileName
        return
    }
    &($strFileName)
}

<#====================================================================

Get SharePoint variables

====================================================================#>

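# Creates (or, on request, removes) the App Management service application, its proxy,
# its application pool and the service instances on the listed servers.
#
# Farm-specific values ($AppManagementAppPoolAcc, $AppManagementMachinesToActivate,
# $AppManagementServerInstance) are expected from GetVariables.ps1.
# NOTE(review): $strTest is used in the messages below but is not assigned in this script;
# presumably GetVariables.ps1 sets it - confirm.
# The variables file is executed as code from C:\Temp; restrict write access to that folder,
# because whoever can edit the file runs commands with the rights of the farm administrator.
Add-Module("C:\Temp\SharePoint2013\GetVariables.ps1")

$ServiceApplicationName = "App Management Service"
$ServiceName = "App Management Service"
$DatabaseName = "App Management"
$spAppPoolName = "App Management Service Application Pool"
$spAppPoolAcc = $AppManagementAppPoolAcc
$ConfigDB = "SharePoint_Configuration"
# Comma-separated server list -> array of trimmed names
$MachinesToActivate = $AppManagementMachinesToActivate.Split(",").trim()

#Get default SQL server (not referenced again in this script)
$DefaultDatabaseServer = (Get-SPDatabase | ? { $_.Type -eq "Configuration Database" }).NormalizedDataSource

#Get SQL server instance for the App Management database
$DatabaseServer = $AppManagementServerInstance

Write-Host ""
Write-Host "========================================================"
Write-Host "SharePoint 2013 – Module ‘$ServiceApplicationName’…"
Write-Host "To SharePoint Servers" $MachinesToActivate
Write-Host "Application Pool Name -" $spAppPoolName
Write-Host "Application Pool Account -" $spAppPoolAcc
Write-Host "Database Server Instance -" $DatabaseServer
Write-Host "Configuration DB -" $ConfigDB
Write-Host "========================================================"
Write-Host ""

start-SPAssignment -Global | Out-Null
try
{
    #Check for existing service application and proxy
    $ExistingServiceApp = Get-SPServiceApplication | where-object {$_.Name -eq $ServiceApplicationName}
    if ($ExistingServiceApp -eq $null)
    {
        Write-Host -f White $strTest" – Creating ‘$ServiceApplicationName'"

        #Check if managed account already exist, if not exit
        $spManagedAccount = Get-SPManagedAccount -Identity $spAppPoolAcc -ErrorAction SilentlyContinue
        if ($spManagedAccount -eq $null)
        {
            Write-Host -f Red $strTest "- " $ServiceName " Managed Account – Unable to retrieve managed account" $spAppPoolAcc
            # Release the global assignment store before leaving; 'exit' would otherwise
            # skip the Stop-SPAssignment call at the end of the script.
            Stop-SPAssignment -Global | Out-Null
            exit -1
        }

        #Check if application pool already exist, if not create it
        $ApplicationPool = Get-SPServiceApplicationPool -Identity $spAppPoolName -ErrorAction SilentlyContinue
        if ($ApplicationPool -eq $null)
        {
            New-SPServiceApplicationPool -Name $spAppPoolName -Account $spManagedAccount | Out-Null
        }
        else
        {
            # An existing pool is re-pointed at the managed account; every service application
            # sharing that pool then runs under this identity.
            Set-SPServiceApplicationPool $ApplicationPool -Account $spManagedAccount | Out-Null
        }

        $SA = New-SPAppManagementServiceApplication -Name $ServiceApplicationName -ApplicationPool $spAppPoolName -DatabaseServer $DatabaseServer -DatabaseName $DatabaseName

        #Create Service Application Proxy
        Write-Host -f Green $strTest " – Creating ‘$ServiceApplicationName’ proxy"
        New-SPAppManagementServiceApplicationProxy -name "$ServiceApplicationName Proxy" -ServiceApplication $SA | Out-Null

        #Start service instances
        Write-Host $strTest "- Starting service instance"
        foreach ($machine in $MachinesToActivate)
        {
            #Gets the service to determine its status
            # Both filters are regular-expression matches, so a server name that is a prefix
            # of another server's name matches both.
            $service = $(Get-SPServiceInstance | where {$_.TypeName -match $ServiceName} | where {$_.Server -match "SPServer Name="+$machine})
            If ($service.Status -eq "Disabled")
            {
                Write-Host -f Green $strTest "- Starting" $service.ID "on $machine"
                Start-SPServiceInstance -Identity $service.ID | Out-Null
            }
        }
        Write-Host -f Green $strTest "- Done creating ‘$ServiceApplicationName’."
    }
    else
    {
        Write-Host -f Red $strTest "- ServiceApplication ‘$ServiceApplicationName’ already exists."

        #Remove Application?
        $RemoveApplication = read-host 'Do you wish to remove Application? (Y/N)'
        if ($RemoveApplication -eq "Y")
        {
            write-host " – Removing ‘$ServiceApplicationName’…"
            # Destructive: -removedata also deletes the service application's database, and
            # -Confirm:$false suppresses the cmdlet's own prompt. The Y/N answer above is the
            # only safeguard.
            Remove-SPServiceApplication $ExistingServiceApp -removedata -Confirm:$false

            #Proxy is NOT automatically deleted
            $ExistingServiceAppProxy = Get-SPServiceApplicationProxy | where-object {$_.Name -eq "$ServiceApplicationName Proxy"}
            if ($ExistingServiceAppProxy -ne $null)
            {
                write-host " – Removing ‘$ServiceApplicationName proxy’…"
                Remove-SPServiceApplicationProxy $ExistingServiceAppProxy -Confirm:$false
            }

            write-host " – Stopping service instance…"
            # Stops the instance on every server in the farm, not only those in $MachinesToActivate.
            Get-SPServiceInstance | where-object {$_.TypeName -eq $ServiceName} | Stop-SPServiceInstance -Confirm:$false | Out-Null
        }
    }
}
catch { write-Output $_ }   # errors are printed only; the script still ends normally

Stop-SPAssignment -Global | Out-Null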



Create Business Data Connectivity Service

Service Applications Posted on Tue, June 28, 2016 07:08:34

<#====================================================================

Copyright © 2015, September. Michael Pomfret

Creates the Business Data Connectivity Service.ps1

Allows you to connect to and interact with external data.

Read more: http://technet.microsoft.com/en-us/library/ee661740.aspx

====================================================================#>

# Make the SharePoint cmdlets available when this runs in a plain Windows PowerShell window:
# add the snap-in only if the session does not have it yet.
if (-not (Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

# Executes the script file named by $strFileName when the path exists, and prints a
# "Cannot locate" message otherwise. No module is imported; the file is simply run.
#   $strFileName - path of the .ps1 file to execute.
# Output the script writes to the pipeline is returned to the caller.
# The file is executed as code with the caller's rights; keep its folder writable by
# administrators only.
# NOTE(review): the call operator runs the file in a child scope, so plain assignments in it
# do not survive the call. GetVariables.ps1 is not shown - confirm it sets global variables.
function Add-Module($strFileName)
{
    Write-Host "Attempting to run " $strFileName
    $fileFound = Test-Path $strFileName
    if ($fileFound)
    {
        &($strFileName)
    }
    else
    {
        Write-Host "Cannot locate" $strFileName
    }
}

<#====================================================================

Get SharePoint variables

====================================================================#>

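# Creates (or, on request, removes) the Business Data Connectivity service application,
# its application pool and the service instances on the listed servers.
#
# Farm-specific values ($BDCServerInstance, $BDCAppPoolAcc, $BDCMachinesToActivate) are
# expected from GetVariables.ps1.
# NOTE(review): $strTest and $ConfigDB are used below but not assigned in this script;
# presumably they come from GetVariables.ps1 or the session - confirm.
# The variables file is executed as code from C:\Temp; restrict write access to that folder.
Add-Module("C:\Temp\SharePoint2013\GetVariables.ps1")

#Get default SQL server (not referenced again in this script)
$DefaultDatabaseServer = (Get-SPDatabase | ? { $_.Type -eq "Configuration Database" }).NormalizedDataSource

#Get SQL server instance for the Business Data Connectivity database
$DatabaseServer = $BDCServerInstance

$ServiceApplicationName = "Business Data Connectivity Service"
$ServiceName = "Business Data Connectivity Service"
$DatabaseName = "Business Data Connectivity Service"
$spAppPoolName = "BDC Service Application Pool"
$spAppPoolAcc = $BDCAppPoolAcc
# Comma-separated server list -> array of trimmed names
$MachinesToActivate = $BDCMachinesToActivate.Split(",").trim()

Write-Host ""
Write-Host "========================================================"
Write-Host "SharePoint 2013 – Module ‘$ServiceApplicationName’…"
Write-Host "To SharePoint Servers" $MachinesToActivate
Write-Host "Application Pool Name -" $spAppPoolName
Write-Host "Application Pool Account – -" $spAppPoolAcc
Write-Host "Database Server Instance -" $DatabaseServer
Write-Host "Configuration DB -" $ConfigDB
Write-Host "========================================================"
Write-Host ""

Start-SPAssignment -Global | Out-Null
try
{
    #Check for existing service application and proxy
    $ExistingServiceApp = Get-SPServiceApplication | where-object {$_.Name -eq $ServiceApplicationName}
    if ($ExistingServiceApp -eq $null)
    {
        Write-Host "- Creating ‘$ServiceApplicationName'"

        #Check if managed account already exist, if not exit
        $spManagedAccount = Get-SPManagedAccount -Identity $spAppPoolAcc -ErrorAction SilentlyContinue
        if ($spManagedAccount -eq $null)
        {
            Write-Host -f Red $strTest "- " $ServiceName " Managed Account – Unable to retrieve managed account" $spAppPoolAcc
            # Release the global assignment store before leaving; 'exit' would otherwise
            # skip the Stop-SPAssignment call at the end of the script.
            Stop-SPAssignment -Global | Out-Null
            exit -1
        }

        #Check if application pool already exist, if not create it
        $ApplicationPool = Get-SPServiceApplicationPool -Identity $spAppPoolName -ErrorAction SilentlyContinue
        if ($ApplicationPool -eq $null)
        {
            New-SPServiceApplicationPool -Name $spAppPoolName -Account $spManagedAccount | Out-Null
        }
        else
        {
            # An existing pool is re-pointed at the managed account; every service application
            # sharing that pool then runs under this identity.
            Set-SPServiceApplicationPool $ApplicationPool -Account $spManagedAccount | Out-Null
        }

        #Note: Proxy is automatically created
        New-SPBusinessDataCatalogServiceApplication -Name $ServiceApplicationName -ApplicationPool $spAppPoolName -DatabaseServer $DatabaseServer -DatabaseName $DatabaseName | Out-Null

        #Start service instances
        Write-Host "- Starting service instance"
        foreach ($machine in $MachinesToActivate)
        {
            #Gets the service to determine its status
            # Both filters are regular-expression matches, so a server name that is a prefix
            # of another server's name matches both.
            $service = $(Get-SPServiceInstance | where {$_.TypeName -match $ServiceName} | where {$_.Server -match "SPServer Name="+$machine})
            If ($service.Status -eq "Disabled")
            {
                Write-Host $strTest "- Starting" $service.ID "on $machine"
                Start-SPServiceInstance -Identity $service.ID | Out-Null
            }
        }
        Write-Host "- Done creating ‘$ServiceApplicationName’.`n"
    }
    else
    {
        Write-Host -f Red "- ServiceApplication ‘$ServiceApplicationName’ already exists."

        #Remove Application?
        $RemoveApplication = read-host 'Do you wish to remove Application? (Y/N)'
        if ($RemoveApplication -eq "Y")
        {
            write-host $strTest"- Removing ‘$ServiceApplicationName’…"
            # Destructive: -removedata also deletes the service application's database, and
            # -Confirm:$false suppresses the cmdlet's own prompt. The Y/N answer above is the
            # only safeguard.
            Remove-SPServiceApplication $ExistingServiceApp -removedata -Confirm:$false

            #Proxy is NOT automatically deleted
            # NOTE(review): the proxy is created implicitly above, so its name may not carry
            # the " Proxy" suffix this lookup expects - confirm against the farm.
            $ExistingServiceAppProxy = Get-SPServiceApplicationProxy | where-object {$_.Name -eq "$ServiceApplicationName Proxy"}
            if ($ExistingServiceAppProxy -ne $null)
            {
                write-host "- Removing ‘$ServiceApplicationName proxy’…"
                Remove-SPServiceApplicationProxy $ExistingServiceAppProxy -Confirm:$false
            }

            write-host " – Stopping service instance…"
            # Stops the instance on every server in the farm, not only those in $MachinesToActivate.
            Get-SPServiceInstance | where-object {$_.TypeName -eq $ServiceName} | Stop-SPServiceInstance -Confirm:$false | Out-Null
        }
    }
}
catch { write-Output $_ }   # errors are printed only; the script still ends normally

Stop-SPAssignment -Global | Out-Null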



Create Access Services

Service Applications Posted on Tue, June 28, 2016 07:07:56

<#====================================================================

Copyright © 2015, September. Michael Pomfret

Create the Access Services

Allows users to publish a Microsoft Access 2013 Web database to a SharePoint site.

Read more: http://technet.microsoft.com/en-us/library/ee748653.aspx

====================================================================#>

# The SharePoint cmdlets live in a snap-in; register it for this session unless it is
# already loaded.
$sharePointSnapin = Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }
if ($null -eq $sharePointSnapin)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

<#====================================================================

Get SharePoint variables

====================================================================#>

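# Runs the script file at $strFileName if it exists; otherwise only reports that it is missing.
# Despite the name, nothing is imported as a module: the file is executed with the call operator.
#   $strFileName - path of the .ps1 file to execute.
# Anything the script writes to the pipeline is passed through to the caller.
# NOTE(review): '&' runs the file in a child scope; variables it assigns reach the caller only
# if the file declares them with global scope. GetVariables.ps1 is not shown - confirm.
function Add-Module($strFileName)
{
    Write-Host "Attempting to run " $strFileName
    If (Test-Path $strFileName)
    {
        &($strFileName)
    }
    Else
    {
        Write-Host "Cannot locate" $strFileName
    }
}

# The call has to come after the definition: a script cannot invoke a function that is
# defined further down, so the original order failed in a fresh session.
# The variables file is executed as code from C:\Temp; restrict write access to that folder,
# because whoever can edit the file runs commands with the rights of the farm administrator.
Add-Module("C:\Temp\SharePoint2013\GetVariables.ps1")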

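# Creates (or, on request, removes) the Access Services service application, its
# application pool and the service instances on the listed servers.
#
# $AccessAppPoolAcc and $AccessMachinesToActivate are expected from GetVariables.ps1.
# NOTE(review): $strTest is used in the messages below but is not assigned in this script;
# presumably GetVariables.ps1 sets it - confirm.
$ServiceApplicationName = "Access Services"
$ServiceName = "Access Services"
$spAppPoolName = "Access Services Application Pool"
$spAppPoolAcc = $AccessAppPoolAcc
# Comma-separated server list -> array of trimmed names
$MachinesToActivate = $AccessMachinesToActivate.Split(",").trim()

Write-Host ""
Write-Host "========================================================"
Write-Host "SharePoint 2013 – Module ‘$ServiceName’…"
Write-Host "To SharePoint Servers" $MachinesToActivate
Write-Host "Application Pool Name -" $spAppPoolName
Write-Host "Application Pool Account – -" $spAppPoolAcc
Write-Host "========================================================"
Write-Host ""

Start-SPAssignment -Global | Out-Null
try
{
    #Check for existing service application and proxy
    $ExistingServiceApp = Get-SPServiceApplication | where-object {$_.Name -eq $ServiceApplicationName}
    if ($ExistingServiceApp -eq $null)
    {
        Write-Host $strTest "- Creating ‘$ServiceApplicationName'"

        #Check if managed account already exist, if not exit
        $spManagedAccount = Get-SPManagedAccount -Identity $spAppPoolAcc -ErrorAction SilentlyContinue
        if ($spManagedAccount -eq $null)
        {
            Write-Host -f Red $strTest "- " $ServiceName " Managed Account – Unable to retrieve managed account" $spAppPoolAcc
            # Release the global assignment store before leaving; 'exit' would otherwise
            # skip the Stop-SPAssignment call at the end of the script.
            Stop-SPAssignment -Global | Out-Null
            exit -1
        }

        #Check if application pool already exist, if not create it
        $ApplicationPool = Get-SPServiceApplicationPool -Identity $spAppPoolName -ErrorAction SilentlyContinue
        if ($ApplicationPool -eq $null)
        {
            New-SPServiceApplicationPool -Name $spAppPoolName -Account $spManagedAccount | Out-Null
        }
        else
        {
            # An existing pool is re-pointed at the managed account; every service application
            # sharing that pool then runs under this identity.
            Set-SPServiceApplicationPool $ApplicationPool -Account $spManagedAccount | Out-Null
        }

        #Note: Proxy is automatically created
        New-SPAccessServicesApplication -Name $ServiceApplicationName -ApplicationPool $spAppPoolName | Out-Null

        #Start service instances
        Write-Host $strTest "- Starting service instance"
        foreach ($machine in $MachinesToActivate)
        {
            #Gets the service to determine its status
            # Both filters are regular-expression matches, so a server name that is a prefix
            # of another server's name matches both.
            $service = $(Get-SPServiceInstance | where {$_.TypeName -match $ServiceName} | where {$_.Server -match "SPServer Name="+$machine})
            If ($service.Status -eq "Disabled")
            {
                Write-Host $strTest "- Starting" $service.ID "on $machine"
                Start-SPServiceInstance -Identity $service.ID | Out-Null
            }
        }
        Write-Host $strTest "- Done creating ‘$ServiceApplicationName’.`n"
    }
    else
    {
        Write-Host -f Red $strTest" – ServiceApplication ‘$ServiceApplicationName’ already exists."

        #Remove Application?
        $RemoveApplication = read-host 'Do you wish to remove Application? (Y/N)'
        if ($RemoveApplication -eq "Y")
        {
            write-host $strTest "- Removing ‘$ServiceApplicationName’…"
            # Destructive: -removedata deletes the service application's data as well, and
            # -Confirm:$false suppresses the cmdlet's own prompt. The Y/N answer above is the
            # only safeguard.
            Remove-SPServiceApplication $ExistingServiceApp -removedata -Confirm:$false

            #Proxy is NOT automatically deleted
            # NOTE(review): the proxy is created implicitly above, so its name may not carry
            # the " Proxy" suffix this lookup expects - confirm against the farm.
            $ExistingServiceAppProxy = Get-SPServiceApplicationProxy | where-object {$_.Name -eq "$ServiceApplicationName Proxy"}
            if ($ExistingServiceAppProxy -ne $null)
            {
                write-host $strTest "- Removing ‘$ServiceApplicationName proxy’…"
                Remove-SPServiceApplicationProxy $ExistingServiceAppProxy -Confirm:$false
            }

            write-host $strTest "- Stopping service instance…"
            # Stops the instance on every server in the farm, not only those in $MachinesToActivate.
            Get-SPServiceInstance | where-object {$_.TypeName -eq $ServiceName} | Stop-SPServiceInstance -Confirm:$false | Out-Null
        }
    }
}
catch { write-Output $_ }   # errors are printed only; the script still ends normally

Stop-SPAssignment -Global | Out-Null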



Create Access Services 2010

Service Applications Posted on Tue, June 28, 2016 07:05:36

# Script parameters.
#   $installpath - optional, first positional argument. It is declared here but not
#                  referenced anywhere else in this script.
param (

[parameter(mandatory=$false,position=1)][object]$installpath

)

<#====================================================================

Copyright © 2015, September. Michael Pomfret

Creates Access Services 2010.ps1

Allows users to continue the use of a Microsoft Access 2010 Web database. Doesn’t allow the creation of new applications.

Read more: http://technet.microsoft.com/en-us/library/ee748653.aspx

====================================================================#>

# Register the SharePoint snap-in for this session if it is not present yet, so the
# SharePoint cmdlets resolve in a plain Windows PowerShell window.
if (-not (Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

<#====================================================================

Get SharePoint variables

====================================================================#>

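# Executes the script file named by $strFileName when the path exists, and prints a
# "Cannot locate" message otherwise. No module is imported; the file is simply run.
#   $strFileName - path of the .ps1 file to execute.
# Output the script writes to the pipeline is returned to the caller.
# NOTE(review): the call operator runs the file in a child scope, so plain assignments in it
# do not survive the call. GetVariables.ps1 is not shown - confirm it sets global variables.
function Add-Module($strFileName)
{
    Write-Host "Attempting to run " $strFileName
    If (Test-Path $strFileName)
    {
        &($strFileName)
    }
    Else
    {
        Write-Host "Cannot locate" $strFileName
    }
}

# Invoked only after the function exists: in the original order the call ran first and
# failed with "command not found" in a fresh session, leaving the variables unset.
# The variables file is executed as code from C:\Temp; keep that folder writable by
# administrators only.
Add-Module("C:\Temp\SharePoint2013\GetVariables.ps1")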

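#Allows users to continue the use of a Microsoft Access 2010 Web database. Doesn’t allow the creation of new applications.
#Read more: http://technet.microsoft.com/en-us/library/ee748653.aspx
#
# Creates (or, on request, removes) the Access Services 2010 service application, its
# application pool and the service instances on the listed servers.
# $Access2010AppPoolAcc and $Access2010MachinesToActivate are expected from GetVariables.ps1.
# NOTE(review): $strTest is used in the messages below but is not assigned in this script;
# presumably GetVariables.ps1 sets it - confirm.
$ServiceApplicationName = "Access Services 2010"
$ServiceName = "Access Database Service 2010"
# Same pool name as the Access Services (2013) script, so both applications share one pool
# and one identity when both scripts are run.
$spAppPoolName = "Access Services Application Pool"
$spAppPoolAcc = $Access2010AppPoolAcc
# Comma-separated server list -> array of trimmed names
$MachinesToActivate = $Access2010MachinesToActivate.Split(",").trim()

Write-Host ""
Write-Host "========================================================"
# The quotes on this line were unbalanced in the original, which stopped the whole script
# from parsing; it now follows the '$strTest "- ..."' pattern used by the other messages.
Write-Host "SharePoint 2013" $strTest "- Module ‘$ServiceName’…"
Write-Host "To SharePoint Servers" $MachinesToActivate
Write-Host "Application Pool Name -" $spAppPoolName
Write-Host "Application Pool Account -" $spAppPoolAcc
Write-Host "========================================================"
Write-Host ""

#Allows to use SharePoint cmdlets from inside the Windows PowerShell command window
Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null

Start-SPAssignment -Global | Out-Null
try
{
    #Check for existing service application and proxy
    $ExistingServiceApp = Get-SPServiceApplication | where-object {$_.Name -eq $ServiceApplicationName}
    if ($ExistingServiceApp -eq $null)
    {
        Write-Host $strTest "- Creating ‘$ServiceApplicationName'"

        # Unlike the sibling scripts there is no explicit check for a missing managed
        # account here; a failed lookup surfaces as an error from the cmdlets below.
        $spManagedAccount = Get-SPManagedAccount -Identity $spAppPoolAcc

        #Check if application pool already exist, if not create it
        $ApplicationPool = Get-SPServiceApplicationPool -Identity $spAppPoolName -ErrorAction SilentlyContinue
        if ($ApplicationPool -eq $null)
        {
            New-SPServiceApplicationPool -Name $spAppPoolName -Account $spManagedAccount | Out-Null
        }
        else
        {
            # An existing pool is re-pointed at the managed account; every service application
            # sharing that pool then runs under this identity.
            Set-SPServiceApplicationPool $ApplicationPool -Account $spManagedAccount | Out-Null
        }

        #Note: Proxy is automatically created
        New-SPAccessServiceApplication -Name $ServiceApplicationName -ApplicationPool $spAppPoolName | Out-Null

        #Start service instances
        Write-Host $strTest "- Starting service instance"
        foreach ($machine in $MachinesToActivate)
        {
            #Gets the service to determine its status
            # Both filters are regular-expression matches, so a server name that is a prefix
            # of another server's name matches both.
            $service = $(Get-SPServiceInstance | where {$_.TypeName -match $ServiceName} | where {$_.Server -match "SPServer Name="+$machine})
            If ($service.Status -eq "Disabled")
            {
                Write-Host $strTest "- Starting" $service.ID "on $machine"
                Start-SPServiceInstance -Identity $service.ID | Out-Null
            }
        }
        Write-Host $strTest "- Done creating ‘$ServiceApplicationName’."
    }
    else
    {
        Write-Host -f Red $strTest" – ServiceApplication ‘$ServiceApplicationName’ already exists."

        #Remove Application?
        $RemoveApplication = read-host 'Do you wish to remove Application? (Y/N)'
        if ($RemoveApplication -eq "Y")
        {
            write-host $strTest "- Removing ‘$ServiceApplicationName’…"
            # Destructive: -removedata deletes the service application's data as well, and
            # -Confirm:$false suppresses the cmdlet's own prompt. The Y/N answer above is the
            # only safeguard.
            Remove-SPServiceApplication $ExistingServiceApp -removedata -Confirm:$false

            #Proxy is automatically deleted
            # NOTE(review): this lookup uses the bare application name, while the sibling
            # scripts look for "<name> Proxy" - confirm which name the proxy carries.
            $ExistingServiceAppProxy = Get-SPServiceApplicationProxy | where-object {$_.Name -eq $ServiceApplicationName}
            if ($ExistingServiceAppProxy -ne $null)
            {
                write-host $strTest "- Removing ‘$ServiceApplicationName proxy’…"
                Remove-SPServiceApplicationProxy $ExistingServiceAppProxy -Confirm:$false
            }

            write-host $strTest "- Stopping service instance…"
            # Stops the instance on every server in the farm, not only those in $MachinesToActivate.
            Get-SPServiceInstance | where-object {$_.TypeName -eq $ServiceName} | Stop-SPServiceInstance -Confirm:$false | Out-Null
        }
    }
}
catch { write-Output $_ }   # errors are printed only; the script still ends normally

Stop-SPAssignment -Global | Out-Null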



Configure People Picker

Administration Posted on Tue, June 28, 2016 07:03:20

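# Configures People Picker for one-way trusts: sets the application password (encryption
# key) with stsadm, then sets peoplepicker-searchadforests on each URL in $URLList.
#
# This is a template. The <...> placeholders must be replaced before it can run; the unquoted
# <passphase> placeholder deliberately keeps the script from parsing until that is done.
#
# Handling of the secrets:
#  - The passphrase and the service account passwords are passed to stsadm as command-line
#    arguments, so they appear in process command-line auditing and in PowerShell
#    transcripts or script-block logs where those are enabled.
#  - Do not save a filled-in copy of this script. Enter the values at run time and clear
#    the console history afterwards.
#  - NOTE(review): the account named in peoplepicker-searchadforests only needs to query
#    the directory; presumably a low-privilege, read-only account is enough - confirm.

# NOTE(review): without -Scope this changes the machine-wide policy and the change outlasts
# the script; "Unrestricted" lets any script run. Consider -Scope Process, or removing the
# line if the policy in force already allowed this script to start.
Set-ExecutionPolicy -ExecutionPolicy "Unrestricted" -Force

Write-Host ""
Write-Host "========================================================"
Write-Host "People Picker – Adding Trusts……"
Write-Host "- Set an encryption key for use with a one-way trust "
Write-Host "- Enable cross-forest or cross-domain queries when you use a one-way trust"
Write-Host "- Set an encryption key for use with a one-way trust "
Write-Host "- Set an encryption key for use with a one-way trust "
Write-Host "https://technet.microsoft.com/en-gb/library/gg602075.aspx"
Write-Host "========================================================"
Write-Host ""

# Web applications to configure (content site and Central Administration).
$URLList = @()
$URLList += "http://spsite"
$URLList += "http://spsite:<Central Admin Port>"

#Allows to use SharePoint cmdlets from inside the Windows PowerShell command window
If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
{
    Add-PsSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

try
{
    Write-Host "- Updating encryption key"
    stsadm -o setapppassword -password <passphase>
    # stsadm is a native executable: a failure sets $LASTEXITCODE and raises no exception,
    # so the catch block below never sees it. Report it explicitly.
    if ($LASTEXITCODE -ne 0)
    {
        Write-Warning "stsadm -o setapppassword exited with code $LASTEXITCODE"
    }

    foreach ($URL in $URLList)
    {
        Write-Host "- Enable cross-forest or cross-domain queries for" $URL
        STSADM -o setproperty -pn peoplepicker-searchadforests -pv "domain:<ad.domain.com,AD\xxx_SP_Profile,<service account password>;forest:ad.forestdomain.com,AD\xxx_SP_Profile,<service account password>" -url $URL
        if ($LASTEXITCODE -ne 0)
        {
            Write-Warning "stsadm -o setproperty exited with code $LASTEXITCODE for $URL"
        }
    }
}
catch { Write-Output $_ }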



Create Alternate Access Mappings

Administration Posted on Tue, June 28, 2016 06:57:25

#Examples of Alternate Access Mappings

# Load the SharePoint snap-in if this session does not have it yet.
if (-not (Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell | Out-Null
}

# Public URLs to create, in the order they are applied.
# The same zone and the same URL appear more than once; these are examples, not one
# consistent configuration.
# An http:// URL is served without TLS, so sign-in traffic to that zone is not encrypted.
$publicUrls = @(
    @{ URL = "http://spsite";         Zone = "Default"  },
    @{ URL = "https://spsite";        Zone = "Intranet" },
    @{ URL = "https://bi.spsite.com"; Zone = "Internet" },
    @{ URL = "https://spsite";        Zone = "Default"  },
    @{ URL = "http://spsite.com";     Zone = "Intranet" }
)

foreach ($mapping in $publicUrls)
{
    # -ErrorAction SilentlyContinue hides any failure, so a mapping that was not created is
    # not reported; check the result with Get-SPAlternateURL afterwards.
    # NOTE(review): the dash in the web application name is an en dash as shown on the page;
    # it must match the name in the farm exactly - confirm.
    New-SPAlternateURL -URL $mapping.URL -Zone $mapping.Zone -WebApplication "SharePoint – 80" -ErrorAction SilentlyContinue
}



WSS_WPG Registry Permissions

Registry Posted on Tue, June 28, 2016 05:28:18

<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the WSS_WPG Registry Permissions.ps1

====================================================================#>

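# Sets the registry permissions of the local WSS_WPG group on the SharePoint 2013 keys
# listed in $registryRules.
#
# Every key gets one Allow rule for WSS_WPG. ResetAccessRule removes all existing access
# rules for WSS_WPG on that key first, including rules granted outside this script.
#
# NOTE(review): the notes taken from the page say "No Inheritance", but each rule is built
# with ContainerInherit + NoPropagateInherit, which applies to the key and its direct
# subkeys. The last key uses InheritOnly, which applies to subkeys and not to the key
# itself. Confirm these match the intended permissions before running.

Write-Host ""
Write-Host "========================================================================"
Write-Host "SharePoint 2013 – Updating registry permissions for the WSS_WPG group…"
Write-Host "========================================================================"
Write-Host ""

# Replaces the WSS_WPG access rules on one registry key with a single Allow rule.
#   $RegKey      - registry provider path of the key (HKLM:\...)
#   $Rights      - RegistryRights value(s) as text, e.g. "ReadKey, WriteKey"
#   $Propagation - PropagationFlags value as text
# A key that does not exist is reported with a warning and skipped.
function Set-WssWpgRegistryRule($RegKey, $Rights, $Propagation)
{
    if (-not (Test-Path $RegKey))
    {
        Write-Warning "Registry key not found, skipped: $RegKey"
        return
    }

    # Read the current ACL of this key. The original script never read the ACL of the
    # first key, so its first rule was applied to an empty variable.
    $acl = Get-Acl $RegKey

    $person = [System.Security.Principal.NTAccount]"WSS_WPG"
    $access = [System.Security.AccessControl.RegistryRights]$Rights
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
    $propagationFlags = [System.Security.AccessControl.PropagationFlags]$Propagation
    $type = [System.Security.AccessControl.AccessControlType]"Allow"

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagationFlags,$type)
    $acl.ResetAccessRule($rule)
    Set-Acl $RegKey $acl
}

$registryRules = @(
    #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\15.0
    #Read, No Inheritance
    #This key is the root of the SharePoint 2013 registry settings.
    @{ RegKey = "HKLM:\SOFTWARE\Microsoft\Office Server\15.0"; Rights = "Readkey"; Propagation = "NoPropagateInherit" },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\Diagnostics
    #Read, write, No Inheritance
    #This key contains settings for the SharePoint 2013 diagnostic logging. Altering this key will break the logging functionality.
    @{ RegKey = "HKLM:\Software\Microsoft\Office Server\15.0\Diagnostics"; Rights = "ReadKey, WriteKey"; Propagation = "NoPropagateInherit" },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LoadBalancerSettings
    #Read, write, No Inheritance
    #This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
    @{ RegKey = "HKLM:\Software\Microsoft\Office Server\15.0\LoadBalancerSettings"; Rights = "ReadKey, WriteKey"; Propagation = "NoPropagateInherit" },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LauncherSettings
    #Read, write, No Inheritance
    #This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
    @{ RegKey = "HKLM:\Software\Microsoft\Office Server\15.0\LauncherSettings"; Rights = "ReadKey, WriteKey"; Propagation = "NoPropagateInherit" },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
    #Read, No Inheritance
    #This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint 2013 installation on the machine will not function.
    @{ RegKey = "HKLM:\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure"; Rights = "ReadKey"; Propagation = "NoPropagateInherit" },

    #HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
    #Read, Inherit – Yes
    #This key contains settings that are used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.
    @{ RegKey = "HKLM:\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS"; Rights = "ReadKey"; Propagation = "InheritOnly" }
)

foreach ($entry in $registryRules)
{
    Set-WssWpgRegistryRule $entry.RegKey $entry.Rights $entry.Propagation
}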



WSS_WPG File Permissions

Windows Server Posted on Tue, June 28, 2016 05:28:00

<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the WSS_WPG file permissions.

====================================================================#>

Write-Host “”

Write-Host “==============================================================================”

Write-Host “SharePoint 2013 – Updating file permissions for the WSS_WPG group…”

Write-Host “==============================================================================”

Write-Host “”

$ProgramFiles = ${env:ProgramFiles}

$CommonProgramFiles = ${env:COMMONPROGRAMFILES}

$Windir = ${env:windir}

$Systemdrive = ${env:systemdrive}

$AllUsersProfile = ${env:AllUsersProfile}

#%AllUsersProfile%\Microsoft\SharePoint

#Read No

#This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.

$FolderPath = $AllUsersProfile + “\Microsoft\SharePoint”

#Get NTFS permissiongs

$Acl = Get-Acl $FolderPath

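#Disable inheritance and clear permissions (note: $Acl is read again from the folder two lines below, so this setting is discarded before Set-Acl runs; the same pattern repeats for each folder that follows)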

$Acl.SetAccessRuleProtection($True, $False)

$Acl = (Get-Item $FolderPath).GetAccessControl(‘Access’)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(“WSS_WPG”, ‘Read’,’ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)

$Acl.SetAccessRule($rule)

Set-Acl -path $FolderPath -AclObject $Acl

#C:\Inetpub\wwwroot\wss

#Read, execute No

#This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.

$FolderPath = “C:\Inetpub\wwwroot\wss”

#Get NTFS permissiongs

$Acl = Get-Acl $FolderPath

#Disable inheritance and clear permissions

$Acl.SetAccessRuleProtection($True, $False)

$Acl = (Get-Item $FolderPath).GetAccessControl(‘Access’)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(“WSS_WPG”, “ReadAndExecute, Read”,’ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)

$Acl.SetAccessRule($rule)

Set-Acl -path $FolderPath -AclObject $Acl

#%ProgramFiles%\Microsoft Office Servers\15.0

#Read, execute No

#This directory is the installation location for the SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load SharePoint 2013 binaries.

$FolderPath = $ProgramFiles + “\Microsoft Office Servers\15.0”

#Get NTFS permissiongs

$Acl = Get-Acl $FolderPath

#Disable inheritance and clear permissions

$Acl.SetAccessRuleProtection($True, $False)

$Acl = (Get-Item $FolderPath).GetAccessControl(‘Access’)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(“WSS_WPG”, “ReadAndExecute, Read”,’ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)

$Acl.SetAccessRule($rule)

Set-Acl -path $FolderPath -AclObject $Acl

#%ProgramFiles%\Microsoft Office Servers\15.0\WebServices

# Read No

#This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.

$FolderPath = $ProgramFiles + “\Microsoft Office Servers\15.0\WebServices”

#Get NTFS permissiongs

$Acl = Get-Acl $FolderPath

#Disable inheritance and clear permissions

$Acl.SetAccessRuleProtection($True, $False)

$Acl = (Get-Item $FolderPath).GetAccessControl(‘Access’)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(“WSS_WPG”, ‘Read’,’ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)

$Acl.SetAccessRule($rule)

Set-Acl -path $FolderPath -AclObject $Acl

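# %ProgramFiles%\Microsoft Office Servers\15.0\Logs
# Permission granted to WSS_WPG: Read, write; second table column: Yes (presumably "Inherit" - confirm against the Microsoft reference).
# This directory is the location where the runtime diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
# $ProgramFiles is defined outside this section.
$FolderPath = $ProgramFiles + '\Microsoft Office Servers\15.0\Logs'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    # NOTE(review): with the 'InheritOnly' propagation flag the entry applies to the files and
    # subfolders below this folder but not to the folder itself, so it does not by itself let
    # WSS_WPG create new files directly in Logs - confirm that this is the intended scope.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read, Write', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}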

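# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
# Permission granted to WSS_WPG: Read; second table column: Yes (presumably "Inherit" - confirm against the Microsoft reference).
# This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
# $COMMONPROGRAMFILES is defined outside this section.
$FolderPath = $COMMONPROGRAMFILES + '\Microsoft Shared\Web Server Extensions\15\ADMISAPI'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    # NOTE(review): with the 'InheritOnly' propagation flag the entry applies to the files and
    # subfolders below this folder but not to the folder itself - confirm that this is intended.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}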

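# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
# Permission granted to WSS_WPG: Read; second table column: Yes (presumably "Inherit" - confirm against the Microsoft reference).
# This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.
# $COMMONPROGRAMFILES is defined outside this section.
$FolderPath = $COMMONPROGRAMFILES + '\Microsoft Shared\Web Server Extensions\15\CONFIG'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    # NOTE(review): with the 'InheritOnly' propagation flag the entry applies to the files and
    # subfolders below this folder but not to the folder itself - confirm that this is intended.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}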

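# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Permission granted to WSS_WPG: Modify; second table column: No (presumably "Inherit" - confirm against the Microsoft reference).
# This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
# $COMMONPROGRAMFILES is defined outside this section.
$FolderPath = $COMMONPROGRAMFILES + '\microsoft shared\Web Server Extensions\15\LOGS'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    # Modify is the broadest right this script grants; it covers the folder, its subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}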

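# %windir%\temp
# Permission granted to WSS_WPG: Read; second table column: Yes (presumably "Inherit" - confirm against the Microsoft reference).
# This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations may fail.
# $windir is defined outside this section.
$FolderPath = $windir + '\Temp'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this shared system folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    # NOTE(review): with the 'InheritOnly' propagation flag the entry applies to the files and
    # subfolders below this folder but not to the folder itself - confirm that this is intended.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}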

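# %windir%\System32\logfiles\SharePoint
# Permission granted to WSS_WPG: Read; second table column: No (presumably "Inherit" - confirm against the Microsoft reference).
# This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
# The registry key applies only to SharePoint Server.
# $windir is defined outside this section.
$FolderPath = $windir + '\System32\logfiles\SharePoint'

# Create the folder when it does not exist yet; -Force makes this a no-op for an existing folder.
mkdir $FolderPath -Force

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # SetAccessRule replaces any existing Allow entries for WSS_WPG with this one.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Creation failed; skip instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}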

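# %systemdrive%\program files\Microsoft Office Servers\15.0
# Permission granted to WSS_WPG: Read, execute; second table column: Not Applicable (presumably "Inherit" - confirm against the Microsoft reference).
# The permission is granted for %systemdrive%\program files\Microsoft Office Servers\15 folder on Index servers.
# $systemdrive is defined outside this section.
$FolderPath = $systemdrive + '\Program Files\Microsoft Office Servers\15.0'

if (Test-Path -Path $FolderPath -PathType Container) {
    # Read only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: the previous Get-Acl / SetAccessRuleProtection($True, $False)
    # pair worked on an object that was discarded before Set-Acl, so it never took effect,
    # and applying it for real would remove every inherited entry from this folder.
    $Acl = (Get-Item -Path $FolderPath).GetAccessControl('Access')

    # The header above asks for read and execute, but the previous rule granted only 'Read'.
    # SetAccessRule replaces any existing Allow entries for WSS_WPG, so a Read-only rule here
    # would also overwrite the ReadAndExecute entry this script sets on
    # $ProgramFiles\Microsoft Office Servers\15.0 whenever both variables resolve to the
    # same folder (likely on a default installation - confirm).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'ReadAndExecute, Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
} else {
    # Skip the folder instead of reusing an ACL object left over from another path.
    Write-Host 'Cannot locate' $FolderPath
}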


