Managing SharePoint User Profile Service Application Permissions with PowerShell
Written by Chandrasekar Natarajan, Microsoft Premier Field Engineer.
When the User Profile service application is configured in Microsoft SharePoint 2010, by default NT Authority\Authenticated Users and All Authenticated Users are granted permissions to create My Sites and use other features (personal and social) provided by the user profile service.
But what if you don’t want to grant all of these permissions to all users? PowerShell comes in handy to revoke these permissions. The PowerShell cmdlets used are Revoke-SPObjectSecurity and Set-SPProfileServiceApplicationSecurity, as follows:
$upaproxyname="User Profile Service Application"
$upaproxy = Get-SPServiceApplicationProxy | Where-Object {$_.DisplayName -eq $upaproxyname}
$upasecurity = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $upaproxy
#All Authenticated Users
$allauthusers = New-SPClaimsPrincipal -Identity 'c:0(.s|True' -IdentityType EncodedClaim
#To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Personal Features"
#To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Create Personal Site"
#To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Social Features"
#Write the modified security object back to the proxy
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
#NT AUTHORITY\authenticated users
$ntauthusers = New-SPClaimsPrincipal -Identity 'c:0!.s|windows' -IdentityType EncodedClaim
#To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Personal Features"
#To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Create Personal Site"
#To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Social Features"
#Write the modified security object back to the proxy
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
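To confirm the result, the following added example (not part of the original post) reads the proxy's security object back and lists any access rule still held by the two broad principals. The function name Get-UpaBroadPrincipalRule is hypothetical, and the Name and AllowedRights properties on each access rule are an assumption about the security object's output.

```powershell
# Added example (not from the original post): read-only check, makes no changes.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Encoded claims copied from the script above, mapped to friendly names.
# PowerShell hashtable keys compare case-insensitively.
$broadClaims = @{
    'c:0(.s|True'    = 'All Authenticated Users'
    'c:0!.s|windows' = 'NT AUTHORITY\Authenticated Users'
}

function Get-UpaBroadPrincipalRule {
    param([string]$ProxyName = 'User Profile Service Application')

    $proxy = @(Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $ProxyName })
    # A wrong display name leaves the proxy empty; stop instead of passing $null on.
    if ($proxy.Count -ne 1) {
        throw "Expected exactly one proxy named '$ProxyName', found $($proxy.Count)."
    }

    $security = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $proxy[0]

    # Assumption: each entry in AccessRules exposes Name (the encoded claim)
    # and AllowedRights.
    foreach ($rule in $security.AccessRules) {
        if ($rule.Name -and $broadClaims.ContainsKey($rule.Name)) {
            New-Object PSObject -Property @{
                Principal     = $broadClaims[$rule.Name]
                Claim         = $rule.Name
                AllowedRights = $rule.AllowedRights
            }
        }
    }
}

$remaining = @(Get-UpaBroadPrincipalRule)
if ($remaining.Count -eq 0) {
    Write-Output 'Neither broad principal has an access rule on the User Profile proxy.'
} else {
    $remaining | Format-Table Principal, Claim, AllowedRights -AutoSize
}
```

Run it once before the revocation and once after, and keep both outputs with the change record.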
Hope you found this helpful.
Comments
- Anonymous
December 03, 2014
Thanks for posting this. I am having an issue with removing NT AUTHORITY\authenticated users. The PowerShell output: Revoke-SPObjectSecurity : The specified user or domain group was not found. I tried changing this to windows group rather than an encoded, but it still yielded the same results. (Windows 2012 R2, SQL 2014, SP 2013 with SP1)
- Anonymous
February 01, 2015
Hi,
I am having the same problem with removing NT AUTHORITY\authenticated users :-(
Same error message, same environment