SharePoint Account Management using SPUserUtil - Part 1 - Cloning Accounts
SPUserUtil here means either WSSUserUtil or SPSUserUtil. WSSUserUtil is used to administer Windows SharePoint Sites on a standalone WSS Farm/Virtual server, or Windows SharePoint sites in the same virtual server as a SharePoint Portal Server 2003 site. SPSUserUtil is a superset of WSSUserUtil, designed for working on SharePoint Portal Server Areas.
You don't need a separate tool to just add an account resource to SharePoint sites and webs, but when it comes to scenarios where you need to "Replicate" someone's rights to another account, it can be an extremely difficult and time consuming process to do this manually.
This will be the first (Really the second, as we're now going 0 based :)) of a few posts in regards to Adding accounts via SPUserUtil.
Replicating Rights/Cloning.
Someone has just joined your team, and you want to replicate, or more precisely clone, your rights on webs/sites to his account. If you didn't use an NT Security Group to manage common rights, you would have to do the following to note all your rights so that you can then add the new team member to sites/webs with the same rights:
- Figure out exactly what you have access to across the farms you have access to :)
- Note your individual user Role/Rights wherever you have an individual ACE entry on a site/web.
- Note the groups you are a member of and each group's Role/Rights on every single web, etc.
- Visit each site/web through the UI and add the user.
If you have permissions spread across many webs and site collections (And across farms too) it can be a daunting task.
SPUserUtil to the rescue.
With SPUserUtil, you can automate all the above processes easily to help relieve the headache of managing users in SharePoint.
Note: Pay special attention to the new -asuonly and -usermask switches noted below
Replicating Rights using SPUserUtil
Using the clone operation in SPUserUtil, it's extremely simple to replicate account resource rights from one account to another, whether it be a user account or NT Security Group using the following steps:
- Perform a quick single user analysis to get a proper UserMap file, or create one from scratch (See SharePoint Account Management using SPUserUtil - Part 0 - Removing Accounts for more information)
WSSUserUtil -o analyze -url https://server -usermap singleuser.xml -asuonly -usermask "*margie.richie*"
Note: The -asuonly switch means "give me All Site Users associated with the site collection, regardless of whether they have any direct ACE entries on any webs", and it prevents the normal web scanning for the user. It implicitly includes the default -asu logic as noted above.
This will generate the file singleuser.xml. An additional file, singleuser-webs.xml, will be generated but it will be completely empty, because we're bypassing the normal web scanning that occurs in an analyze operation. It's a crude but effective way to generate a proper user map file for a single user (or multiple users based on the -usermask). All we're concerned about is getting one <user> element created for the user. You could of course, just create this file from scratch in notepad if you wanted to.
Note: A future version of this tool will eliminate the need to generate a UserMap file for single user operations. In other words, you'll be able to specify -userlogin to target a specific user without the need to generate the UserMap.
Here is a version prepared to work on a single user account.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE SPUserUtilUserMapFile>
<!--This file represents the user information generated and used by SPUserUtil-->
<users>
<user loginname="MYDOMAIN\margie.richie" newloginname="" />
</users>
Edit the singleuser.xml file to add the newloginname attribute. For example:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE SPUserUtilUserMapFile>
<!--This file represents the user information generated and used by SPUserUtil-->
<users>
<user loginname="MYDOMAIN\margie.richie" newloginname="MYDOMAIN\SomeSecurityGroup" />
</users>
Pass this file back into SPUserUtil to replicate the rights for MYDOMAIN\margie.richie to the security group MYDOMAIN\SomeSecurityGroup using the clone operation:
WSSUserUtil -o clone -url https://server -usermap singleuser.xml -r -ac
This will enumerate over every single web (via the -r <recursive> switch) on every single site collection (via the -ac <all collections> switch) and replicate/clone the rights for MYDOMAIN\margie.richie to the security group MYDOMAIN\SomeSecurityGroup.
You could of course use a user account as the source or target, as well as a Security Group, or mix and match between them. Also, by using the UserMap, it allows you to batch up a series of cloning operations.
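A pre-flight check for a UserMap before it is handed to a recursive, all-collections clone, as an added example (not part of SPUserUtil or the original post). It assumes only the `<users>`/`<user loginname newloginname>` layout shown above; `check_usermap`, the DOMAIN\name pattern and the sample files are constructed for illustration, and it covers batched maps as well as the single-user case.

```python
import re
import xml.etree.ElementTree as ET

# DOMAIN\name shape used in the post's examples (assumed here, not a rule of the tool).
LOGIN_RE = re.compile(r"^[^\\/\s]+\\[^\\/]+$")

def check_usermap(xml_text):
    """Return (pairs, problems) for a UserMap in the layout shown in the post."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [], [f"not well-formed XML: {exc}"]
    if root.tag != "users":
        return [], [f"unexpected root element <{root.tag}>"]
    pairs, problems = [], []
    for n, user in enumerate(root.findall("user"), start=1):
        src = (user.get("loginname") or "").strip()
        dst = (user.get("newloginname") or "").strip()
        issues = []
        if not LOGIN_RE.match(src):
            issues.append(f"loginname {src!r} is not DOMAIN\\name")
        if not dst:
            issues.append("newloginname is empty, no clone target")
        elif not LOGIN_RE.match(dst):
            issues.append(f"newloginname {dst!r} is not DOMAIN\\name")
        elif dst.lower() == src.lower():
            issues.append("source and target are the same account")
        problems += [f"entry {n}: {msg}" for msg in issues]
        if not issues:
            pairs.append((src, dst))  # reviewed source -> target mapping
    return pairs, problems

# Constructed sample files (raw strings keep the backslashes literal).
HEAD = '<?xml version="1.0" standalone="no"?>\n<!DOCTYPE SPUserUtilUserMapFile>\n'
SAMPLE_OK = HEAD + r'''<users>
<user loginname="MYDOMAIN\margie.richie" newloginname="MYDOMAIN\SomeSecurityGroup" />
</users>'''
SAMPLE_REVIEW = HEAD + r'''<users>
<user loginname="MYDOMAIN\margie.richie" newloginname="" />
<user loginname="MYDOMAIN\new.hire" newloginname="mydomain\NEW.HIRE" />
<user loginname="MYDOMAIN\margie.richie" newloginname="MYDOMAIN\Team Site Editors" />
</users>'''
SAMPLE_BROKEN = HEAD + r'''<users>
<user loginname="MYDOMAIN\margie.richie" newloginname="MYDOMAIN\SomeSecurityGroup />
</users>'''

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_REVIEW", "SAMPLE_BROKEN"):
        pairs, problems = check_usermap(globals()[name])
        print(name, "clone pairs:", pairs, "problems:", problems)
```

The returned pairs list is the set of source-to-target grants someone should sign off on before the clone runs with -r -ac.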
If you were to then do an analysis of the site collection now, you'll see where MYDOMAIN\SomeSecurityGroup matches the rights of MYDOMAIN\margie.richie.
Of course, it's always best to use NT Security groups for common rights so you don't have to perform this process all the time.
In a future post I'll cover Altering Rights using SPUserUtil as well as Auditing Rights.
I hope this helps, and let me know if you have any questions!
- Keith
For more information in regards to the Schema of the Various SharePoint Tables, see the Databases section in the SharePoint Products and Technologies SDK at:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/spptsdk/html/SPPTWSSDatabases_SV01072208.asp
For more information in regards to Managing Users and Cross Site Groups in SharePoint:
https://office.microsoft.com/en-us/assistance/HA011608091033.aspx
SPUserUtil is contained in the SharePoint Utility Suite at:
https://www.microsoft.com/sharepoint/downloads/components/detail.asp?a1=724
For More information on the Windows SharePoint Services MigrateUserAccount() API:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/spptsdk/html/tsamSPGlobalAdminMigrateUserAccount_SV01234066.asp
For More information on the SharePoint Portal Server MigrateAccount() API:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/spptsdk/html/mPortalAccountMigManagerMigrateAccount2_SV01187841.asp
For more information on Windows SharePoint Services and SharePoint Portal Server 2003:
https://www.microsoft.com/sharepoint
Comments
- Anonymous
May 19, 2006
Adding Accounts to SharePoint using SPUserUtil - Part 2 - Adding
SPUserUtil will mean either... - Anonymous
May 22, 2006
SharePoint Account Management using SPUserUtil - Part 3 - Auditing Accounts
SPUserUtil will... - Anonymous
June 19, 2006
SPSiteManager Postings
Throughout this week, I hope to get some SPSiteManager postings complete matching... - Anonymous
June 26, 2006
Keith Richie has been putting together a series of articles that describes the awesome tool that goes... - Anonymous
August 03, 2006
SharePoint Account Management using SPUserUtil - Part 4 - Replaying Permissions and Moving Webs
Originally... - Anonymous
August 04, 2006
SharePoint Account Management using SPUserUtil - Part 5 - Handling NT Login Name Changes
Originally Posted... - Anonymous
August 07, 2006
SharePoint Account Management using SPUserUtil - Part 6 - Synchronizing Display Names and Email Addresses...