Yearly Archives: 2013

Powershell for working with SharePoint Recycle Bin

I had to look through the SharePoint recycle bin today to look for something – the UI interface is a bit lacking – it only shows 200 items at a time with no ability to search so I turned to powershell…

Looking at the recycle bin is actually very easy…

# recycle bins are tied to a site collection so we need a site collection object

$site = get-spsite "URL of your site collection"

#we can see everything in the recycle bin like this:
$site.RecycleBin

#unfortunately, the above command dumps quite a lot to the screen.
#fortunately, we can pipe the output to other commands for filtering and cleanup.

#This command will return all the webs in the recyclebin
$site.Recyclebin | where {$_.itemtype -eq "web"}

#we can build on this by adding a sort statement, 
#here I sort by dirname, which is the URL path the item would have been at before it was deleted
$site.Recyclebin | where {$_.itemtype -eq "web"} | sort dirname

# we can format the output into a nice list
$site.Recyclebin | where {$_.itemtype -eq "web"} | sort dirname | select title, itemtype, dirname, itemstate

#note that in the above listing, itemstate shows which recycle bin it's in (FirstStageRecyclebin = End user Recycle Bin Items, SecondStageRecycleBin = Deleted from end user Recycle Bin)

#here's one more application of filtering to show everything that's not a page nor a list item

$site.RecycleBin | where { $_.itemtype -ne "file" -and $_.itemtype -ne "ListItem" } | sort dirname | select title, itemtype, dirname

Using some of the simple queries above, I was able to look deep inside our recycle bin quickly without having to browse it in pages of 200 items at a time.

Update: this came in kinda handy... one of our developers wrote some “site clean up code”. Long story short, several hundred webs were deleted that should not have been…

#script to restore all the webs in the recycle bin
#in the where clause below, it's best to run this twice - the first time, restrict it to the root sites, with the $_.Dirname -eq "sites/myteamsites", then after those have been restored, you can take that last statement out and run it again to get the sub sub webs.
$SiteCollection = get-spsite "URL of your site collection"
$SitesToRecover = $SiteCollection.RecycleBin | Where {$_.ItemType -eq "Web" -and
    $_.DeletedBy -like "SHAREPOINT\system" -and $_.Web -Like "" -and $_.DirName -eq "yourrootURLfragment"}
foreach ($OneSite in $SitesToRecover) { $OneSite.Restore() }


One More:

#Deleting an item didn't work with the $item.delete() 
#"Due to the state of the object" 

#I found this worked instead
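$sitecol = get-spsite "URL of your site collection"
$items = $sitecol.recyclebin
$item = $items | Select -first 1
# the page's copy of this script breaks off inside the next line; it is completed here on the
# assumption that the item's ID was passed to the collection's Delete method
$Guid = new-object system.guid($item.ID)
$items.Delete($Guid)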


Simple PS script to move users between SharePoint Security Groups

Today a user had a simple request – about 450 users were added to the wrong SharePoint Group.
They needed to be moved from the Members group to the Visitors group.

My first thought was to rename the groups and change permissions, but the user had already started the process and had moved about 100 of them manually before calling me.

So I had to move 350 users, and couldn’t rename and re-permission either Group.

My first thought was to just dump a list of all the user IDs from the Members Group using Powershell – I would paste them into the GUI to add them to the Visitors Group.

I used powershell to get the list of users:

$web = get-spweb "URL of your web"
$group = $web.groups | where {$_.Name -eq "Name of your Group" }
foreach ($user in $group.users) { $user.userLogin + ";" }

The above script dumped a bunch of user IDs to the screen and my intention was to copy that right off the PowerShell screen. (Note I added the semicolon to make it easier to add the whole list in one copy/paste operation.)

My first snag was that you can only paste in 200 users at a time, not a big deal, I did a few small groups.

Now I just needed to delete all the users from the Members group- Easy Right?
Well, it would be if I had less than 30- SharePoint only shows 30 members of a group at a time. You can select all 30 pretty easily, but I wanted to delete 350.

Back to Powershell
This script deletes everyone in the given group:

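$web = get-spweb "URL of your web"
$group = $web.groups | where {$_.Name -eq "Name of your Group" }
# the loop body is missing from the page; RemoveUser is assumed here, and @() snapshots the members so the removals do not disturb the loop
foreach ($user in @($group.users)) { $group.RemoveUser($user) }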

Job Done.

Of course, at this point, I thought, shoot, I could have/should have just scripted the whole copy operation – can’t be that hard right?

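$web = get-spweb "URL of your web"
$SourceGroup = $web.groups | where {$_.Name -eq "Name of your Source Group" }
$TargetGroup = $web.groups | where {$_.Name -eq "Name of your Target Group" }
# the loop body beyond Write-Host is missing from the page; the AddUser and RemoveUser calls are filled in from the description below
foreach ($user in @($SourceGroup.users)) {
   Write-Host "Moving $user from $SourceGroup to $TargetGroup"
   $TargetGroup.AddUser($user)
   $SourceGroup.RemoveUser($user)
}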

Disclaimer – I haven’t tried this- by the time I got this far, I had already deleted all the users so this is more of a “for future reference” kind of script.

Ideally there might be a return value on .addUser that would let me know if it was successful, or you might run the script twice, the first time with the remove statement commented out, Then do a quick visual check that your Target Group has the users you need, then run it again to empty the SourceGroup.
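
The two-pass approach described above (add first, check the target group, then empty the source), written out as an added example that is not the author's script. The function names and the placeholder values in the usage line are hypothetical, and it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example, not the post's script. Run in the SharePoint Management Shell on a farm server.
# Move-GroupMembers, Get-GroupLogins and the placeholder values in the usage line are hypothetical.

function Get-GroupLogins($WebUrl, $GroupName) {
    # Open a fresh SPWeb so membership is re-read from the server rather than from a cached object
    $web = Get-SPWeb $WebUrl
    try {
        $group = $web.Groups | where { $_.Name -eq $GroupName }
        if (-not $group) { throw "Group '$GroupName' not found on $WebUrl" }
        @($group.Users | foreach { $_.LoginName })
    }
    finally { $web.Dispose() }
}

function Move-GroupMembers($WebUrl, $SourceName, $TargetName, [switch]$RemoveFromSource) {
    $web = Get-SPWeb $WebUrl
    try {
        $source = $web.Groups | where { $_.Name -eq $SourceName }
        $target = $web.Groups | where { $_.Name -eq $TargetName }
        if (-not $source -or -not $target) { throw "Source or target group not found on $WebUrl" }

        # Snapshot the members so the loops below are not affected by the changes they make
        $members = @($source.Users)

        # Step 1: copy. Nobody loses access yet.
        foreach ($user in $members) { $target.AddUser($user) }

        # Step 2: verify against what the server now reports, compared by login name
        $inTarget = @(Get-GroupLogins $WebUrl $TargetName)
        $missing  = @($members | where { $inTarget -notcontains $_.LoginName })

        # Step 3: remove from the source only when asked to and only if every member arrived
        $removed = 0
        if ($RemoveFromSource -and $missing.Count -eq 0) {
            foreach ($user in $members) { $source.RemoveUser($user); $removed++ }
        }

        New-Object PSObject -Property @{
            Copied  = $members.Count - $missing.Count
            Missing = @($missing | foreach { $_.LoginName })
            Removed = $removed
        }
    }
    finally { $web.Dispose() }
}

# First run copies and reports; run again with -RemoveFromSource once Missing is empty.
# Move-GroupMembers "URL of your web" "Name of your Source Group" "Name of your Target Group"
```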

Error installing SharePoint 2010 Language Packs – and an odd fix

I ran into a strange problem when installing Language packs for SharePoint.

I installed 2 languages, and the corresponding service packs for them.

After the installation, you’re supposed to run the SharePoint 2010 Products Configuration Wizard.

This is where the problems started – the wizard failed.

After trying a handful of things, it was time for a call to MS Support.

This might be the first call where running that SETH diagnostic tool seemed to help.

The agent came back and asked me to grant full control of our log directory to the WSS_ADMIN_WPG Local Security group. (As a side note, our logs aren’t in the default location, they were moved off the system drive years ago.)

I am not sure how, or why, but that actually worked.

What makes this interesting is,

  1. The WSS_ADMIN_WPG group already had read and Write access to the directory, just not full control.
  2. After the Products Configuration Wizard completed, the permissions on the logs directory had been reset – no more full control, back to read and write, just as they were before all of this started.


Hopefully this will help someone!

I’m speaking at tonight’s Share-A-Pint event.

Tonight I’m giving a talk at the Share-A-Pint meetup at the Brickhouse in Downers Grove, IL (A suburb of Chicago)

If you’re in the area – please stop by – the Share-A-Pint events are always fun and I always learn something new.

Tonight’s topic –
SharePoint Management on a Budget (Part 1)

I’ll be talking about free tools and scripts I use to manage SharePoint.

Sub topics for this and future talks on this theme are:

  • Using the Content Deployment Wizard from Codeplex to move content from one farm to another.
  • PowerShell Scripts for SharePoint 2010/2013 to capture permissions on a weekly basis.
  • A PowerShell Script to grant more than 2 users admin rights to every site collection.
  • A PowerShell “shortcut” script to auto connect your admin account to each machine you need to copy files to/from so that you don’t have to enter credentials manually when copying files to your farm.
  • A PowerShell script to enable Blobcache on your WFE’s.
  • A PowerShell script to enable Versioning on every document library in your farm.

We may not cover all of these this time around, if one is of interest, be sure to ask about it!

An email about what goes into a corporate SharePoint farm

A short while back my Friend Nik asked me if I could outline some details about how the corporate IT farm was structured.

He commented that the email I sent him was pretty handy, so I thought it might make a good blog post for others as well.


Our Portal environment consisted of the following:
(Sharepoint 2010 – adjust OS/Software versions as needed for 2013)

Database Layer:
2 physical machines, with Windows Server 2008 R2 and SQL Server 2008 R2, in a clustered configuration – with storage for the Cluster being provided by a SAN

Sharepoint Layer:
4 Virtual Machines, with Windows Server 2008R2 and Sharepoint 2010 with SP1 and the latest CU
2 of these servers were designated as “App” servers and 2 as “Web Front Ends”

IP addresses:
Each Server needs 1 IP address for general network connectivity.
For our web front ends, we chose to allocate an additional IP per DNS name (it is possible to share the general machine IP address with multiple Non-SSL websites, but when SSL gets involved, you need 1 IP per dns name)
When there is more than one IP per server, you add them on the network adapter on the advanced button where you would normally specify the IP address.
From an IP perspective all IP addresses generally need to be in the same subnet.
At the Sharepoint Machine layer, these are all internal IP addresses, not publicly accessible.

Load Balancing:
If a hardware Load balancer is used, then it would typically get a dedicated IP for the DNS name it is load balancing – this is in addition to any management IP that would be used to manage the load balancer. Here we use an F5 load balancer. There is also a certificate requirement which I’ll talk about below.

Another LB option is Microsoft’s Network Load Balancer – This requires a slightly different config on the servers – I think the WFE’s end up sharing the same IP address per DNS name, but the addition of NLB then needs a second IP on each node and a second network interface so the nodes can communicate through the “back channel”

SSL Certificates:
The rules for SSL are, you need one cert per DNS name (Unless you use what’s known as a wildcard certificate) so for example and would each need a separate certificate, but another option would be to obtain a wildcard certificate that covers *, which would then work with all subdomains of (,,, etc) I am not a certificate expert, but I have heard there are pros and cons to using a wildcard cert.

SSL certs are requested from within IIS – you have to fill out a few fields, and it will create a text file with the request – this text file then goes to the certificate authority, they send back the certificate file and you go back into IIS and “complete the certificate request” – note that you do all this on only one of the two WFE’s – and you complete the request on the same box it originated from.
If you are load balancing then your next step is to “Export” the certificate from IIS of the box that has the cert – you will need to give the exported file a password (if not then you are not exporting correctly) copy the exported file (it will have a .pfx extension) to the other node, and “Import” it into IIS – and you’ll be prompted for the password you used.
As far as where the certificate requests go, We had someone on staff here that handled that. On other projects, I’ve used godaddy and also Verisign to get SSL certs. Both have websites where you’d upload the request file, make a payment, validate your identity and your right to create certificates for the domain in question and then receive the certificate.

SSL and IIS – Once you have the certificate in IIS you’ll need to tell IIS which website to assign it to – this is done by right clicking on the site and choosing “Bindings” when you select SSL, you’ll see a drop down of installed SSL certificates.

SSL and a hardware Load balancer – depending on the Loadbalancer used – it might be necessary to provide the certificate to the Load balancer so that it can decrypt traffic to inspect it before sending it forward. In our case I think our team wanted a .pem file – I have instructions somewhere on how to convert that if you need it.

SharePoint installation and Service accounts –
I used the AutoSPInstaller from CodePlex
In the installer package is a configuration file that you will need to modify to supply different accounts.
This is a great place to get a list of all the accounts you could ever possibly need (though of course it’s possible to re-use the same account, but the installer script spells out all the different places you could possibly want a different account – it’s up to you to choose if you’re going to type in the same thing in several places)
The installation of SP allows for “ Slip-streaming” updates so that the installation can be done all in one step including Service Packs and CU’s (Probably not an issue right now with 2013 since it’s new)

Admin rights – this area is tricky and I can’t say I’m an expert here.
In general, what I’ve found is that there are a LOT of operations during setup and Maintenance that require an account to be in the local administrators group.
The autoSPInstaller documentation actually does a decent job of discussing a few accounts that need admin on a temporary basis, that can later be removed from the admin group – however – one thing to watch out for is that they would then need to be added back in for things like applying service packs and CU’s

Inbound access to SharePoint from the internet:
I know a little bit here – I’m not the UAG guy per se but here’s how it works –
Internally you still have all the same private IP addresses – if you’re using a load balancer then it has an IP for the site you want to “publish” on the internet – this is an internal IP.
UAG is installed on a box somewhere – I would expect to see this in a DMZ, between two firewalls – one on the outside and one between UAG and the internal network.
UAG will need an external, public IP and an internal – UAG will need the SSL certificate if SSL is being used. Here is one area where the wildcard seems to help – you can only have one IP per SSL certificate – unless that certificate is a wildcard – so our UAG box has a wildcard cert for * and the public DNS of all our sites point to the same Public IP address, the address of the UAG box. (Note that the DNS we use inside the private network is different and internally DNS for each website points to the load balancer for that site, not to the UAG box)

Siteminder –
Just say no…

A note about the number of servers and their roles –
This is all documented by MS – I think it’s pretty typical to do a 2 App 2 Wfe farm as a starting point as it gives some redundancy – you could also do a 1 app 2 wfe, or 1 and 1.
Search in 2013 is pretty awesome so It might be good to dedicate a box or two to that- I still need to read up on the infrastructure there – typically you have one or more crawlers, and then one back end for the crawlers to talk to – here we’ve used the WFE’s as crawlers.

A note about installing in the DMZ –
Some might find it desirable to install some or all of SharePoint in the DMZ – There really shouldn’t be a problem with this so long as all the needed ports are opened up – for example if SQL is in the network, and SP is in the DMZ you’d need SP to be able to talk to SQL (I think that’s port 1433) You’d also need to open ports internally so that internal clients can hit the site, and use webdav for opening files with explorer. If you decided to split SharePoint with some boxes in the DMZ and some on the internal network, you’d need to open ports used by SharePoint for internal communication (I think port 38??? Is used for services)

A note about the “WFE” role –
There really aren’t roles in SP – there is a service in 2010 called something like the “SharePoint Foundation Web Site” or something like that – You can sometimes get away with disabling that (from CA) on the boxes that are “App” server boxes- but there are times when this causes deployments or 3rd party installations to fail. There is no harm leaving it on, but you will then see the websites in IIS on the “App” boxes – so long as you don’t route any traffic to those boxes (from the load balancer for example) then those sites will never spin up and really shouldn’t be a problem.

A note about memory – sizing, etc…
Follow the Microsoft “best practices” where possible – I think they currently recommend 8-16 gb minimum per machine.

A note about log files –
I store these on the D drive – the AutoSPInstaller makes it easy to specify these in advance.

I hope this helps!

It’s funny – I’ve never actually thought about all this at once – It might make a good blog post!

– Jack

As a follow up to this email – Server 2012/IIS 8 supports Server Name Indication which may allow you to share an IP address amongst multiple SSL sites (Browser support varies so it’s not a given)

Simple batch file to run a directory of powershell .ps1 files

A few times our support team has given me a zip file full of .ps1 files they want me to run – today I got two zip files with about 20 powershell scripts.

Not wanting to write them by hand, I wrote this small batch file called run.bat and put it in the directory with the ps1 files.

powershell -Command "& {Set-ExecutionPolicy bypass}" -NoExit
for %%f in (*.ps1) do powershell -Command "& {.\%%f}" -NoExit
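
The first line of run.bat calls Set-ExecutionPolicy without a scope, which changes the policy stored for the whole machine and leaves it at bypass after the scripts have finished. The following is an added example, not the author's batch file: it runs the same directory of scripts with the bypass limited to each child process and logs each file's SHA-256 hash and signature status. The function name and log file name are hypothetical.

```powershell
# Added example, not the post's batch file. Needs PowerShell 4.0 or later for Get-FileHash.
# Invoke-ReviewedScripts and run-log.csv are hypothetical names.

function Invoke-ReviewedScripts {
    param(
        [string]$Path = ".",
        [string]$LogFile = "run-log.csv",
        [switch]$RequireValidSignature   # skip anything without a valid Authenticode signature
    )

    # -Filter *.ps1 can also match .ps1xml files, so check the extension explicitly
    $scripts = Get-ChildItem -Path $Path -Filter *.ps1 |
        Where-Object { $_.Extension -eq ".ps1" } | Sort-Object Name

    $results = foreach ($script in $scripts) {
        $sig  = Get-AuthenticodeSignature -FilePath $script.FullName
        $hash = (Get-FileHash -Path $script.FullName -Algorithm SHA256).Hash
        $ran  = $false
        $exit = $null

        if (-not $RequireValidSignature -or $sig.Status -eq "Valid") {
            # Bypass applies to this child process only; the policy stored on the machine is not changed.
            # Out-Host keeps the script's output on screen and out of $results.
            & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script.FullName | Out-Host
            $exit = $LASTEXITCODE
            $ran  = $true
        }

        New-Object PSObject -Property @{
            Script    = $script.Name
            SHA256    = $hash
            Signature = $sig.Status
            Ran       = $ran
            ExitCode  = $exit
            Time      = (Get-Date).ToString("s")
        }
    }

    # Record of exactly which file contents were run, in a fixed column order
    $results = @($results | Select-Object Time, Script, SHA256, Signature, Ran, ExitCode)
    $results | Export-Csv -Path $LogFile -NoTypeInformation
    $results
}

# Invoke-ReviewedScripts -Path . -RequireValidSignature
```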

Map a drive letter to SharePoint in a way that can survive a reboot.

If you’ve tried to map a network drive to sharepoint, and found it didn’t survive a reboot, here’s a Trick a fellow sharepoint person shared with me:


In other words, if your site is,
to get to that in windows, without opening a browser first, you’d go to \\\davwwwroot\RootSite\subsite\library

Update 6-2014 — renamed article to make it easier to find.

Also, please note, there is the “net use” command which can map a drive from the command prompt.

For example:

net use z: \\\davwwwroot\subsite\library /user:domain\user yourpassword  /Persistent:yes

(You can leave off the password part and type it in at runtime)

Does your organization do SharePoint Training?

This is more of a twitter question, but with 140 characters, I can’t really explain what I am looking for…

This is not a call for trainers (sorry trainers!)

I’m looking for feedback from people who’ve seen organizations tackle training.

What did that organization do well?
What was received well from users?
Did the training help push the SharePoint platform forward?
Did it increase productivity?
Did it work with Executives?
What format was used?
Was there anything that did not work?