powershell - 使用 PowerShell 向库中的 SharePoint 文件夹授予 Active-Directory-Synced 组权限
问题描述
我们有一个 SharePoint Online 站点,其中包含许多子站点,每个子站点都有一个包含 15 个文件夹的文档库。我们希望为每个文件夹设置对不同 Active-Directory-Synced 安全组的不同权限。例如
Group1 Group2 Group3
Folder1 RO RO RW
Folder2 NA RW RO
..
Folder15 RW RW RO
(RO:只读,RW:读写,NA:无访问权限)
为此,我们首先需要打破从其父文件夹的继承,我设法使用此 PS 代码实现了这一点,其中 SPOMod.psm1 可在线免费获得这里https://gallery.technet.microsoft.com/ office/SharePoint-Module-for-5ecbbcf0
$cred=Get-Credential
Import-Module "D:\somepath\SharePoint Onlince Client Components SDK\SPOMod.psm1" -verbose
Connect-SPOCSOM -Credential $cred -Url "https://companyname.sharepoint.com/sites/Projects_Division/ProjectnameAndLocation"
Get-SPOListItems -ListTitle Documents -Recursive -IncludeAllProperties $true | select ID
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 1
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 2
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 3
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 4
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 5
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 6
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 7
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 8
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 9
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 10
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 11
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 12
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 13
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 14
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false -ItemID 15
其中 ItemID 1 到 15 是首先在此库上创建的文件夹 ID。这对我来说很好。
下一步是为每个文件夹分配 AD 组权限。为此,我正在尝试使用从这里获得的 PS 代码(http://www.sharepointdiary.com/2016/09/sharepoint-online-set-folder-permissions-powershell.html)
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Variables
$SiteURL="https://companyname.sharepoint.com/sites/Projects_Division/Project1nameAndLocation"
$FolderURL="Documents/Folder1" #Relative URL of the 1st Folder
$GroupName="ActiveDirectory Group1 Name" #The AD Group that we want to assign for Folder1
$UserAccount="useraccount@company.com" An AD Account that we want to also assign
$PermissionLevel="Read"
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = $Credentials
$Web = $Ctx.web
#Get the Folder
$Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
$Ctx.Load($Folder)
$Ctx.ExecuteQuery()
#Break Permission inheritence - Remove all existing list permissions & keep Item level permissions
$Folder.ListItemAllFields.BreakRoleInheritance($False,$True)
$Ctx.ExecuteQuery()
Write-host -f Yellow "Folder's Permission inheritance broken..."
#Get the SharePoint Group & User
$Group =$Web.SiteGroups.GetByName($GroupName)
$User = $Web.EnsureUser($UserAccount)
$Ctx.load($Group)
$Ctx.load($User)
$Ctx.ExecuteQuery() #The error is happening here and the script stopps
#Grant permission
#Get the role required
$Role = $web.RoleDefinitions.GetByName($PermissionLevel)
$RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
$RoleDB.Add($Role)
#Assign permissions
$GroupPermissions = $Folder.ListItemAllFields.RoleAssignments.Add($Group,$RoleDB)
$UserPermissions = $Folder.ListItemAllFields.RoleAssignments.Add($User,$RoleDB)
$Folder.Update()
$Ctx.ExecuteQuery()
Write-host "Permission Granted Successfully!" -ForegroundColor Green
-----
我在执行查询时在 #Get the SharePoint Group & User 处遇到错误:
------
PS C:\Users\user\Desktop\code> $Ctx.ExecuteQuery()
Exception calling "ExecuteQuery" with "0" argument(s): "Group cannot be found."
At line:1 char:5
+ $Ctx.ExecuteQuery()
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ServerException
----
尽管该组已成功进行 AD 同步,但如果我尝试从 GUI 执行相同操作,它仍会出现在 SharePoint GUI 中。
如果该组是本地 SharePoint Online 组(不是 AD 同步),我注意到并测试该代码可以完美运行是否有命令允许我以相同的方式使用 AD 同步组?
解决方案
$Group =$Web.SiteGroups.GetByName($GroupName) 仅获取 SharePoint 组。
使用:$ADGroup = $Web.EnsureUser("Domain\ADGroup") 来解析 AD 组!
推荐阅读
- python - 当 score = 'r2_score' 时,sklearn 的 RidgeCV 的 cv.values 是什么意思?
- java - sparksql中用户定义函数(UDF)的scala到java转换
- multithreading - 创建一个线程使函数休眠而不冻结程序
- forms - 如何实时显示/隐藏元素(Blazor)?
- user-interface - GUI 动画 - Roblox Studio
- javascript - JS如何一举删除/停用/销毁所有方法、类、setTimouts和setIntervals?
- python - 无法打开文件'main.py':[Errno 2] 没有这样的文件或目录
- javascript - 可交互组件和随机函数的 Aframe 问题
- laravel - Laravel/Eloquent,动态检索数据(whereIn,sum)
- c++ - glfwInit() 冻结程序