Monthly Archives: December 2014

Sync an Active Directory Group with a SharePoint Group

Have you ever wanted to keep the members of a SharePoint group in sync with those of an Active Directory Group?

If so, you’re in luck, I happen to have just such as script.

Just a quick note, this was written for and tested on a 2010 site – in 2013, the default authentication is Claims – those funny looking strings like this: “i:0#.w|domain\user” (more info here) and you’ll need to work this script over a few times to make that work.

That said, this script will keep a SharePoint group in sync with an AD group.

The AD group is considered the “master”

That is to say, if the AD group has extra users that aren’t in SharePoint, they will be added to SharePoint.

If a user is removed from the AD group, they will also be removed from the SharePoint Group.

If a user is added to the SP Group, but isn’t in the AD group? They will be removed from the SP group.

This is one of those scripts that makes sense to run as a scheduled task once you get it working.  If you need help with that, see my post: Schedule your PowerShell scripts using the Windows task scheduler.

#AD to SharePoint Sync Script
#Jack Fruh 2014
write-host "NOTE: This has only been tested on NTLM authentication - it will likely need work to work with claims based authentication in 2013" -foregroundcolor red

function main()
    #setup the environment so this can run as a schedule task:
    #note that the AD PowerShell Commands must be installed on the SharePoint Server for this to work.
    Write-host "note that the AD PowerShell Commands must be installed on the SharePoint Server for this to work." -foregroundcolor blue
    Write-host "Adding SharePoint Snapin"
    $Host.Runspace.ThreadOptions = "ReuseThread"
    Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
    Write-host "Importing AD module"
    import-module activedirectory

    write-host "Starting work..."
    #Hard coded variables for testing, 
    # we need the name of the AD Group, the name of the corresponding group in Sharepoint to sync with, and the URL of the SPWeb where the SP group resides.
    $ADgroupname = "TheGroup"
    $SPGroupName = "SyncMeWithAD"
    $spweburl = "http://sharepoint2010"
    #note that it's reasonably easy to turn this hardcoded list into a CSV import and then loop through multiple groups

    #get a list of the AD Users in the AD Group
    #$ADGroupMembers = get-adgroupmember -Identity $ADgroupname | select @{name="LoginName";expression={$_.samaccountname}}
    $ADGroupMembers = get-adgroupmember -Identity $ADgroupname | select @{name="LoginName";expression={$(getDomain($_.distinguishedName)) + "\" +  $_.samaccountname.toupper()}}
    if ($ADGroupMembers -eq $null)
        write-host "The AD Group we're syncing with is empty - this is usually a problem or typo - the SP group will be left alone" -foregroundcolor red

    #get the list of users in the SharePoint Group
    $web = get-spweb $spweburl
    $group = $web.groups[$SPGroupName]
    if ($group -eq $null) {write-host "SPGroup Not found" ; exit }
    $spusers = $group.users | select @{name="LoginName";expression={$_.LoginName.toupper()}}
    write-host "Debug: at this point we should have a list of user ID's from SharePoint in domain\user format, uppercase" 
    foreach($x in $spusers)
        write-host $x.LoginName -foregroundcolor green
    if($spusers -eq $null)
      write-host "The SPgroup is empty" -foregroundcolor cyan
      write-host "Adding all AD group members to the SP group"
      foreach ($ADGroupMember in $ADGroupMembers)
            #add the AD group member to the SP group
            write-host "Adding $($ADGroupMember.LoginName)" 
            write-host "new-spuser -useralias $($ADGroupMember.LoginName) -web $($web.url) -group $SPGroupName" -foregroundcolor green
            new-spuser -useralias $ADGroupMember.LoginName -web $web.url -group $SPGroupName
           # $$ADGroupMember.loginname)
            set-SPuser -identity $ADGroupMember.LoginName -web $web.url -group $spgroupname
      write-host "Done adding users - script will now exit" -foregroundcolor magenta

    #use compare-object to get a listing of what's different between AD and SP
    write-host "Comparing AD Group Users to SP group Users"
    $result = compare-object -referenceobject $adgroupmembers -differenceobject $spusers  -includeequal -property LoginName

    Write-host "Result of comparison is:"
    write-host "-------------------------"

    #filter the results of the comparison to show only the users that need to be added
    Write-host "Looking for users in AD that we need to add to SharePoint"
    $missingSPusers = $result |  Where {$_.SideIndicator -eq '<='} | select LoginName #users in AD that are missing from SharePoint
    if ($missingSPusers -ne $Null)
        foreach ($missingSPuser in $missingSPusers)
            write-host "Adding $($missingSPUser.LoginName) to sharepoint"
            write-host "new-spuser -useralias $($missingSPuser.LoginName) -web $($web.url) -group $SPGroupName" -foregroundcolor green
            new-spuser -useralias $missingSPuser.LoginName -web $web.url -group $SPGroupName
            set-SPuser -identity $missingSPuser.LoginName -web $web.url -group $spgroupname
    #now do the reverse
    #Filter the results of the comparison to show 'extra' users that need to be removed
    write-host "Looking for Extra users in SharePoint that are not in AD"
    $extraSPusers = $result |  Where {$_.SideIndicator -eq '=>'} | select LoginName #users in AD that are missing from SharePoint
    if ($extraSPusers -ne $null)
        foreach ($extraSPuser in $extraSPusers)
            write-host "Removing $($extraSPuser.LoginName) to sharepoint"
            Remove-SPUser -useralias $($extraSPuser.LoginName) -Web $web -group $SPGroupName -confirm:$false
} # end main function

function getDomain($distinguishedname)
  $dn = $distinguishedname
  #extract Domain name from Distinguished name
  #Domain name should be the first DN= Entry from left to right.
  #Examples:  CN=BOB,OU=Users,DN=DomainShortName,DN=Com
  #Examples:  CN=BOB,OU=Users,DN=DomainShortName,DN=Forrest,DN=Com
  $start = $dn.indexof(",DC=")+4 #find the first occurance of DC in the Distinguishedname  
  $end = $dn.indexof(",",$start)  #find the first comma, this is the end of the domain name
  $domain = $dn.substring($start, $end-$start).toupper()
  return $domain


Now for a friendly reminder and some advice…
#1) Always test code you find online before using it in production…
#2) when you test this code, follow this advice:

Testing this code

When you test the code, you might make a mistake I made during development – I’ll share that mistake with you to save you an hour of time and some frustration.

Here’s what I did…

While testing, I wanted to try adding users to an AD group and wanted to make sure they added in correctly.

For one test I wanted to remove ALL the users from the SharePoint Group, and confirm that they came back ok.

To do this I used the UI to remove all the users – I checked each user, then clicked “actions->remove users from group” like this:

I then ran my Super Awesome AD Sync PowerShell Script which Added the groups back in.

Now here’s where it got ugly.

When I checked the UI, they weren’t there.

In fact, if I ran the powershell script again it indicated that they were being added back a second time (the script should have told me there was nothing to change!)

What was the cause?

It was my use of the refresh button…refresh in IE

Recall that the very last thing I did was remove users using that screen.

Now interestingly, you know how we all click “OK” on a screen without paying attention?

After I hit refresh, I got this, and ignored it:

See what I did there?

I was refreshing the delete in the UI!

Don’t make that mistake!

Instead of clicking the refresh button, it’s easier (and safer) to click the group name on the left:

Lessons learned:

  • Pay attention to dialog boxes, they may save you an hour.
  • Don’t ever click ‘refresh’ after performing a delete!


Is it time for an end-of-year email “Flush”?

The end of the year 2014 is nearing and I’m starting to get some ‘what a great year’ email in my inbox.

As I reflect back on the year, I’d have to agree.

As I look at my work inbox, It’s sitting at 71 items – that’s not exactly ‘inbox zero’ but it’s a low enough number that I can quickly scan all of it at the end of the day to make sure nothing slipped by.

There are some great advantages of “inbox zero” and while I rarely get to ‘true zero’, having a small number of items in my inbox does provide a certain amount of peace and comfort that lets me focus my energy on other things, instead of having a looming feeling that I’ve forgotten to address something critical.

I’m sure there are plenty of books and blog posts on how to achieve such inbox nirvana, And I can’t say that I’ve read any of that. I do have one suggestion…
When your inbox gets overwhelming, it’s time for a flush.

When your inbox gets overwhelming, it’s time for a flush.

Now this doesn’t mean you just delete everything, but why not make a folder, call it “Stuff I didn’t get to in 2014” and drag EVERYTHING in from your “inbox” to this new folder? Then start out 2015 with a clear inbox and see if that helps your productivity and focus.

– Jack

Filed under “Deep thoughts by SharePoint Jack”

Is ‘SharePoint Online’ becoming ‘Office 365 Sites’?

There’s been a bit of chatter for some time now about the future of SharePoint.
An article over a year ago portrayed SharePoint as a technology Stack, much like .net

I couldn’t help but notice in my office 365 site, that SharePoint “Sites” aren’t actually branded “SharePoint” in the panel now:

See that?
Every other branded product has its brand name.
We see “Excel Online” not “Spreadsheet”
OneDrive is there.
So is Delve

And both PowerPoint Online and and OneNote Online use two lines to describe what those do.
In fact, there are exactly the same number of characters in the word “PowerPoint” as there are in “SharePoint”

Lets look at one more thing…
See that tile with the “V” – that’s not Visio, it’s Video, you know, Office 365 Video:


Now, if “Video” by itself means “Office 365 Video”, does it follow suit that “Sites” by itself means “Office 365 Sites”?

Lets look at a few more things in the o365 interface.
When I clicked on “Sites” the first time, I got this screen:
Now here we can relax, Microsoft hasn’t rolled Sites into OneDrive. If you note the url, you’ll see it’s going to a mysite location. It’s the first time I’ve used this tenant, and mysites have never been setup for the user that I’m using.

After the mysite was setup, I went back to the first screenshot, and again clicked on the “Sites” link.
This time I came here:
Now lets take a moment and examine that screen shall we?

  • There’s no mention of SharePoint…
  • Those familiar with the SharePoint 2013 branding might recognize the “S>” logo.
  • Those familiar with SharePoint infrastructure might notice that the URL is a SharePoint MySite.

If that’s a mysite, maybe the “team site” is different?

Curious, I had to create a standard old “team site” and see what it looked like – I did this in the SharePoint online admin panel (yes that’s still there, under the hood) Note, that I did this before the above screenshot was taken, which is why you see “Public Site” and “Team Site” in the screenshot.

Ok so what does a “Team Site” look like?

See the word SharePoint anywhere on that screenshot?
I didn’t think so.
I even brought down the settings menu to see if there was any mention of it. (no)

Times they are a changing. If I didn’t know any better, I’d say that the SharePoint Brand Name is on it’s way out.
Is it time to rethink the “SharePointJack” brand as well?

Discrepancy between SharePoint Online Recycle Bin and MS’s stated 90 day retention policy

In Office 365 Sites / SharePoint Online, deleted objects are supposed to hang around for 90 days.

While playing around with SharePoint Online I deleted a site collection, then went and had a look in the SharePoint Online admin portal. I was a little surprised to see that it showed that it only had 30 days to live – that’s a lot less than the 90 that MS states.

I searched the net, and confirmed, it is in fact supposed to be 90 days.

It turns out that between day 30 and 90, you must use powershell to recover a deleted SharePoint Online/o365 site.

The commands to do this are fairly straightforward:

#connect to SPO
Connect-SPOService -url -credential

#take a look at the Sites in the long term recycle bin:

Now the above commands will get you connected to SPO, and then show you what sites you have that are deleted.
If you only have one site, you can just pipe the output to Restore-SPODeletedSite

Get-SPODeletedSite | Restore-SPODeletedSite

What if you only want to restore one site?
Just use “where”
Here’s a full example:

#connect to SPO
Connect-SPOService -url -credential

#take a look at the Sites in the long term recycle bin:

#usepick one URL from above and use it here:
Get-SPODeletedSite | Where {$_.url -eq "https://yourURL/sites/yoursite"} | Restore-SPODeletedSite

Slides from SPFest Chicago 2014 SharePoint PowerShell Time Machine Session

I presented a session at SPFest Chicago titled: SharePoint PowerShell Time Machine.

A big thank you to everyone that attended!

The Slides and scripts used in that session are attached below:
SharePoint PowerShell Time Machine.pptx
SharePoint PowerShell Time Machine Scripts_Jack Fruh

If you are just getting started with PowerShell, the cheat sheet is a GREAT place to start! It’s 6 pages of very short form info about PowerShell:
Combined PowerShell and SharePoint Cheat Sheet

I look forward to hearing how you’re using PowerShell to save time!

– Jack

PS. If you download the scripts, you might find you have some trouble running them – Windows will sometimes tag the files as ‘downloaded’ and you’ll need to untag them before you can run them.

If all else fails, you can always open in notepad, and copy/paste into a new file.

– Jack

Note: Bamboo solutions did a write up of the session and put it on their blog:

Slides from SPFest Chicago 2014 SharePoint PowerShell Workshop

I did a PowerShell workshop with Michael Blumenthal today at SPFest Chicago.

The main slide deck is attached below, more to follow.

Introduction to PowerShell – Be a PowerShell Hero – SPFest 2014 Workshop

If you were at the session, thanks for attending!
If you missed it, thanks for looking up the slide deck!

Either way I look forward to hearing how you’re using PowerShell with SharePoint!

– Jack