Replacing Everyone/Everyone except external users account with a different User/Group


 

 

Recently I had a couple of customers ask me for a script that replaces the Everyone / Everyone except external users account in SPO with a different account or group.

The following script copies the permissions of one account to a new account.

  1. It will check for SharePoint Group membership
  2. It will check for SPWeb unique membership
  3. It will check for SPList unique membership
  4. It will check for SPFolder unique membership
  5. It will check for SPItem unique membership

After running this script you can remove Everyone, or even stop it from showing in the people picker.

 

Let me know your suggestions in the comments; I will try to add them to the script.


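# Load the SharePoint Online CSOM assemblies shipped with the SPO Management Shell.
[System.Reflection.Assembly]::LoadFile("C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll") | Out-Null
[System.Reflection.Assembly]::LoadFile("C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll") | Out-Null

# --- Settings: edit these values before running -------------------------------
# Every string below is closed BEFORE its trailing comment. The original left the
# closing quote off $username, $url and $New, so the "#..." comment (and the
# following lines, up to the next quote character) became part of the value.
$username = "admin@MOD841120.onmicrosoft.com"    # Replace this with SPO Admin

# NOTE(review): a plaintext password in the script ends up in source control,
# backups and PowerShell transcripts. Prefer prompting for it instead, e.g.
#   $password = Read-Host -Prompt "SPO Admin password" -AsSecureString
# (then drop the ConvertTo-SecureString line), or use Get-Credential.
$password = "password"    # Replace this with SPO Admin password
$password = ConvertTo-SecureString $password -AsPlainText -Force
$spoCred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)

$url = "https://mod841120.sharepoint.com/sites/DemoPerm"    # URL of the SPO Site Collection

# Claims-encoded login name of the principal whose permissions are copied
# (per the title, presumably the "Everyone except external users" claim of this tenant).
$FindUser = "c:0-.f|rolemanager|spo-grid-all-users/c1051fd0-af79-4b55-8710-a34798fbe37b"    # User Id for External Users

$New = "industrytrends@MOD841120.onmicrosoft.com"    # Group/User that you want to add

# No changes required from this point

# URLs of the site collection and every sub-web found by Get-SPOWebs; the main
# loop at the bottom of the script walks this list.
$global:AllWebs = @()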

#######################################
# Queues a Load of one named property of a CSOM ClientObject, for properties
# that a plain $ctx.Load($obj) does not include (used below for
# HasUniqueRoleAssignments). Builds the generic
# ClientContext.Load<T>(obj, o => (object)o.<PropertyName>) call via reflection.
# The caller must still run ExecuteQuery() on the object's context afterwards.
# Arguments: -Object        ClientObject whose property should be loaded
#            -PropertyName  name of the property or field to load
#######################################
Function Invoke-LoadMethod() {
param(
   [Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
   [string]$PropertyName
)
   $objectType = $Object.GetType()
   $clientContext = $Object.Context

   # Close the generic Load<T> over the runtime type of $Object.
   $genericLoad = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load").MakeGenericMethod($objectType)

   # Lambda:  (T p) => (object) p.<PropertyName>
   $lambdaParam  = [System.Linq.Expressions.Expression]::Parameter($objectType, $objectType.Name)
   $memberAccess = [System.Linq.Expressions.Expression]::PropertyOrField($lambdaParam, $PropertyName)
   $boxedAccess  = [System.Linq.Expressions.Expression]::Convert($memberAccess, [System.Object])
   $selector     = [System.Linq.Expressions.Expression]::Lambda($boxedAccess, $lambdaParam)

   # The "params" argument has to be a strongly typed array of the lambda's own
   # type with exactly one element; a PowerShell object[] would not bind.
   $selectors = [System.Array]::CreateInstance($selector.GetType(), 1)
   $selectors.SetValue($selector, 0)

   $genericLoad.Invoke($clientContext, @($Object, $selectors))
}

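#######################################
# For every SharePoint group of $SPOWeb that contains principal $UserID, adds
# the replacement principal $New to that same group.
# Globals:   $New (read), $context (read; the caller's ClientContext for $SPOWeb)
# Arguments: $SPOWeb  Web whose SiteGroups are examined
#            $UserID  Id of the principal being replaced
#######################################
function CheckGroup($SPOWeb , $UserID)
{
    $User = $SPOWeb.EnsureUser($New)
    $Context.Load($User)
    $Context.ExecuteQuery()

    $Groups = $SPOWeb.SiteGroups
    $context.Load($Groups)
    $context.ExecuteQuery()

    foreach($Group in $Groups)
    {
        $context.Load($Group)
        $context.ExecuteQuery()

        # Users.GetById(...) makes ExecuteQuery throw when the principal is not a
        # member; that is the expected "not in this group" outcome, so move on.
        $GroupUser = $Group.Users.GetById($UserID)
        $context.Load($GroupUser)
        try
        {
            $context.ExecuteQuery()
        }
        catch
        {
            continue
        }

        # The principal is a member: add the replacement. A failure here is a
        # real problem (e.g. not allowed to manage this group), so report it
        # instead of silently skipping the group as the original empty catch did.
        try
        {
            $Context.Load($Group)
            $Context.Load($Group.Users.AddUser($User))
            $Context.ExecuteQuery()
        }
        catch
        {
            Write-Warning ("Could not add '{0}' to group '{1}': {2}" -f $New, $Group.Title, $_.Exception.Message)
        }
    }
}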

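#######################################
# Recursively walks the web at $Url and all of its sub-webs. For each web it
# copies the SharePoint-group memberships of $FindUser to $New (CheckGroup) and
# appends every sub-web URL to $global:AllWebs for the main loop.
# Globals:   $FindUser, $New (read), $global:AllWebs (written)
# Arguments: -Url         URL of the web to start from
#            -Credential  credentials for the ClientContext
#######################################
function Get-SPOWebs(){
param(
   $Url = $(throw "Please provide a Site Collection Url"),
   $Credential = $(throw "Please provide a Credentials")
)
  $context = New-Object Microsoft.SharePoint.Client.ClientContext($Url)
  # Use the credential that was passed in; the original assigned the global
  # $spoCred and ignored the -Credential parameter.
  $context.Credentials = $Credential
  try
  {
      $web = $context.Web
      $context.Load($web)
      $context.ExecuteQuery()

      # The principal is only in this web's SiteUsers if it has been granted
      # something here. If it is absent, skip the group step but still recurse:
      # the original had the recursion inside the same try/catch, so the
      # sub-webs of any web where the lookup failed were never visited.
      $User = $web.SiteUsers.GetByLoginName($FindUser)
      $context.Load($User)
      try
      {
          $context.ExecuteQuery()
          CheckGroup $web $User.Id
      }
      catch
      {
          Write-Verbose ("Skipping group membership copy for {0}: {1}" -f $Url, $_.Exception.Message)
      }

      $subWebs = $web.Webs
      $context.Load($subWebs)
      $context.ExecuteQuery()
      foreach($subWeb in $subWebs)
      {
           Get-SPOWebs -Url $subWeb.Url -Credential $Credential
           $global:AllWebs += $subWeb.Url
      }
  }
  finally
  {
      # One ClientContext per web; release it even when a query throws.
      $context.Dispose()
  }
}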

# Seed the web list with the root site collection, then discover every sub-web
# (copying group memberships along the way) starting from it.
$global:AllWebs = $global:AllWebs + @($url)
Get-SPOWebs -Url $url -Credential $spoCred

#######################################
# Grants $New the role definition named $SPOWBinding directly on web $SPOW.
# Only a new role assignment is added; the original principal's assignment
# is left untouched.
# Globals:   $New, $Context (read)
# Arguments: $SPOW         Web that receives the role assignment
#            $SPOWBinding  Name of the role definition to grant
#######################################
function ReplaceUserInWeb($SPOW , $SPOWBinding)
{
    $principal = $SPOW.EnsureUser($New)
    $Context.Load($principal)
    $Context.ExecuteQuery()

    $roleDef = $SPOW.RoleDefinitions.GetByName($SPOWBinding)
    $Context.Load($roleDef)
    $Context.ExecuteQuery()

    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDef)

    $newAssignment = $SPOW.RoleAssignments.Add($principal, $bindings)
    $Context.Load($newAssignment)
    $SPOW.Update()
    $Context.ExecuteQuery()
}

#######################################
# Grants $New the role definition named $SPOLBinding directly on list
# $SPOListID of web $SPOW. Only a new role assignment is added; the original
# principal's assignment is left untouched.
# Globals:   $New, $Context (read)
# Arguments: $SPOW         Web containing the list
#            $SPOLBinding  Name of the role definition to grant
#            $SPOListID    Id (GUID) of the target list
#######################################
function ReplaceUserInList($SPOW , $SPOLBinding , $SPOListID)
{
    $principal = $SPOW.EnsureUser($New)
    $Context.Load($principal)
    $Context.ExecuteQuery()

    $targetList = $SPOW.Lists.GetById($SPOListID)
    $Context.Load($targetList)
    $Context.ExecuteQuery()

    $roleDef = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
    $Context.Load($roleDef)
    $Context.ExecuteQuery()

    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDef)

    $newAssignment = $targetList.RoleAssignments.Add($principal, $bindings)
    $Context.Load($newAssignment)
    $targetList.Update()
    $Context.ExecuteQuery()
}

#######################################
# Grants $New the role definition named $SPOLBinding directly on item $ItemID
# of list $ListID in web $SPOW. Only a new role assignment is added; the
# original principal's assignment is left untouched.
# Globals:   $New, $Context (read)
# Arguments: $SPOW         Web containing the list
#            $SPOLBinding  Name of the role definition to grant
#            $ListID       Id (GUID) of the list
#            $ItemID       Id of the list item
#######################################
function ReplaceUserInListItem($SPOW , $SPOLBinding, $ListID,$ItemID)
{
    $principal = $SPOW.EnsureUser($New)
    $Context.Load($principal)
    $Context.ExecuteQuery()

    $targetList = $SPOW.Lists.GetById($ListID)
    $Context.Load($targetList)
    $Context.ExecuteQuery()

    $targetItem = $targetList.GetItemById($ItemID)
    $Context.Load($targetItem)
    $Context.ExecuteQuery()

    $roleDef = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
    $Context.Load($roleDef)
    $Context.ExecuteQuery()

    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDef)

    $newAssignment = $targetItem.RoleAssignments.Add($principal, $bindings)
    $Context.Load($newAssignment)
    $targetItem.Update()
    $Context.ExecuteQuery()
}

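#######################################
# Returns the names of the role definitions that principal $UserID holds
# directly on item $ItemID of list $ListID, skipping "Limited Access" entries
# (the caller does not copy those).
# Globals:   $context (read)
# Arguments: $SPOW    Web containing the list
#            $UserID  Principal id
#            $ListID  Id (GUID) of the list
#            $ItemID  Id of the list item
# Returns:   role definition names (nothing when none qualify)
# Note:      ExecuteQuery throws when the principal has no assignment on the
#            item; the caller wraps this call in try/catch.
#######################################
function GetListItemsRoleBinding($SPOW , $UserID , $ListID,$ItemID)
{
    $LIBindings = @()

    $List = $SPOW.Lists.GetById($ListID)
    $context.Load($List)
    $context.ExecuteQuery()

    $ListItem = $List.GetItemById($ItemID)
    $context.Load($ListItem)
    $context.ExecuteQuery()

    $SPOLIRole = $ListItem.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($SPOLIRole)
    $context.ExecuteQuery()

    $LIRoleBindings = $SPOLIRole.RoleDefinitionBindings
    $context.Load($LIRoleBindings)
    $context.ExecuteQuery()

    foreach($LIRoleBinding in $LIRoleBindings)
    {
        $context.Load($LIRoleBinding)
        $context.ExecuteQuery()
        # The original used an if/else with an empty "then" branch; same test, inverted.
        if($LIRoleBinding.Name -ne "Limited Access")
        {
            $LIBindings += $LIRoleBinding.Name
        }
    }
    return $LIBindings
}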

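#######################################
# Returns the names of the role definitions that principal $UserID holds
# directly on list $ListID, skipping "Limited Access" entries (the caller does
# not copy those).
# Globals:   $context (read)
# Arguments: $SPOW    Web containing the list
#            $UserID  Principal id
#            $ListID  Id (GUID) of the list
# Returns:   role definition names (nothing when none qualify)
# Note:      ExecuteQuery throws when the principal has no assignment on the
#            list; the caller wraps this call in try/catch.
#######################################
function GetListRoleBinding($SPOW , $UserID , $ListID)
{
    $LBindings = @()

    $List = $SPOW.Lists.GetById($ListID)
    $context.Load($List)
    $context.ExecuteQuery()

    $SPOLRole = $List.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($SPOLRole)
    $context.ExecuteQuery()

    $LRoleBindings = $SPOLRole.RoleDefinitionBindings
    $context.Load($LRoleBindings)
    $context.ExecuteQuery()

    foreach($LRoleBinding in $LRoleBindings)
    {
        $context.Load($LRoleBinding)
        $context.ExecuteQuery()
        # The original used an if/else with an empty "then" branch; same test, inverted.
        if($LRoleBinding.Name -ne "Limited Access")
        {
            $LBindings += $LRoleBinding.Name
        }
    }

    # The original evaluated `$LBindings.count` here as a bare expression, which
    # PowerShell writes to the output stream, so callers got an Int32 mixed in
    # with the names (hence the "is it a String" check in the main loop).
    # Return only the names.
    return $LBindings
}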

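#######################################
# Returns the names of the role definitions that principal $UserID holds
# directly on web $SPOW, skipping "Limited Access" entries (the caller does not
# copy those).
# Globals:   $context (read)
# Arguments: $SPOW    Web to inspect
#            $UserID  Principal id
# Returns:   role definition names (nothing when none qualify)
# Note:      ExecuteQuery throws when the principal has no assignment on the
#            web; the caller wraps this call in try/catch.
#######################################
function GetWebRoleBinding($SPOW , $UserID )
{
    $Bindings = @()

    $SPOWRole = $SPOW.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($SPOWRole)
    $context.ExecuteQuery()

    $RoleBindings = $SPOWRole.RoleDefinitionBindings
    $context.Load($RoleBindings)
    $context.ExecuteQuery()

    foreach($RoleBinding in $RoleBindings)
    {
        $context.Load($RoleBinding)
        $context.ExecuteQuery()
        # The original used an if/else with an empty "then" branch; same test, inverted.
        if($RoleBinding.Name -ne "Limited Access")
        {
            $Bindings += $RoleBinding.Name
        }
    }
    return $Bindings
}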

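# Main pass over every web collected by Get-SPOWebs: copy $FindUser's direct
# role assignments at web, list and list-item level to $New. SharePoint-group
# membership was already copied by CheckGroup during discovery.
foreach($Web in $AllWebs)
{
    $context = New-Object Microsoft.SharePoint.Client.ClientContext($Web)
    $context.Credentials = $spoCred
    try
    {
        $SPOWeb = $context.Web
        $context.Load($SPOWeb)
        $context.ExecuteQuery()

        # HasUniqueRoleAssignments is not part of the plain Load(); fetch it explicitly.
        Invoke-LoadMethod -Object $SPOWeb -PropertyName "HasUniqueRoleAssignments"
        $context.ExecuteQuery()

        # Resolve the principal in this web. If it is not present there is nothing
        # to copy; the original only printed a message and then went on to read
        # $SPOWebUser.Id from an object that was never loaded.
        $SPOWebUser = $SPOWeb.SiteUsers.GetByLoginName($FindUser)
        $context.Load($SPOWebUser)
        try
        {
            $context.ExecuteQuery()
        }
        catch
        {
            Write-Warning ("User does not Exist in the site collection: {0}" -f $Web)
            continue
        }

        # --- Web-level unique permissions -----------------------------------
        if ($SPOWeb.HasUniqueRoleAssignments -eq $true)
        {
            $SPOWebRoles = $SPOWeb.RoleAssignments.GetByPrincipalId($SPOWebUser.Id)
            $context.Load($SPOWebRoles)
            try
            {
                # Throws when the principal has no direct assignment on this web.
                $context.ExecuteQuery()
                $GetWBindings = GetWebRoleBinding $SPOWeb $SPOWebUser.Id
                foreach ($GetWBinding in $GetWBindings)
                {
                    $null = ReplaceUserInWeb $SPOWeb $GetWBinding
                }
            }
            catch
            {
                Write-Verbose ("No web-level assignment for '{0}' on {1}" -f $FindUser, $Web)
            }
        }

        # --- Lists and list items -------------------------------------------
        $Lists = $SPOWeb.Lists
        $context.Load($Lists)
        $context.ExecuteQuery()

        foreach($List in $Lists)
        {
            $context.Load($List)
            Invoke-LoadMethod -Object $List -PropertyName "HasUniqueRoleAssignments"
            $context.ExecuteQuery()

            if (($List.HasUniqueRoleAssignments -eq $true) -and ($List.Hidden -eq $false))
            {
                $ListRoles = $List.RoleAssignments.GetByPrincipalId($SPOWebUser.Id)
                $context.Load($ListRoles)
                try
                {
                    # Throws when the principal has no direct assignment on this list.
                    $context.ExecuteQuery()
                    $GetLBindings = GetListRoleBinding $SPOWeb $SPOWebUser.Id $List.Id
                    foreach ($GetLBinding in $GetLBindings)
                    {
                        # Only role-definition names are usable as bindings.
                        if ($GetLBinding -is [string])
                        {
                            $null = ReplaceUserInList $SPOWeb $GetLBinding $List.Id
                        }
                    }
                }
                catch
                {
                    Write-Verbose ("No list-level assignment for '{0}' on list '{1}'" -f $FindUser, $List.Title)
                }
            }

            # Items are scanned for every list, hidden ones included, as in the
            # original. NOTE(review): CreateAllItemsQuery pulls the whole list in
            # one request with no paging here; confirm that is acceptable for the
            # largest lists in the site collection.
            $qry = [Microsoft.SharePoint.Client.CamlQuery]::CreateAllItemsQuery()
            $ListItems = $List.GetItems($qry)
            $context.Load($ListItems)
            $context.ExecuteQuery()

            foreach($ListItem in $ListItems)
            {
                $context.Load($ListItem)
                Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
                $context.ExecuteQuery()

                if ($ListItem.HasUniqueRoleAssignments -eq $true)
                {
                    $ListItemRoles = $ListItem.RoleAssignments.GetByPrincipalId($SPOWebUser.Id)
                    $context.Load($ListItemRoles)
                    try
                    {
                        # Throws when the principal has no direct assignment on this item.
                        $context.ExecuteQuery()
                        $GetLIBindings = GetListItemsRoleBinding $SPOWeb $SPOWebUser.Id $List.Id $ListItem.Id
                        foreach ($GetLIBinding in $GetLIBindings)
                        {
                            if ($GetLIBinding -is [string])
                            {
                                $null = ReplaceUserInListItem $SPOWeb $GetLIBinding $List.Id $ListItem.Id
                            }
                        }
                    }
                    catch
                    {
                        Write-Verbose ("No item-level assignment for '{0}' on item {1} of '{2}'" -f $FindUser, $ListItem.Id, $List.Title)
                    }
                }
            }
        }
    }
    finally
    {
        # One ClientContext per web; the original disposed only the last one.
        $context.Dispose()
    }
}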

