Managing SharePoint User Profile Service Application Permissions with PowerShell



Written by Chandrasekar Natarajan, Microsoft Premier Field Engineer.


When the User Profile service application is configured in Microsoft SharePoint 2010, by default NT Authority\Authenticated Users and All Authenticated Users are granted permissions to create My Sites and use other features (personal and social) provided by the user profile service.

[Figure: Default permissions for the User Profile service application]

But what if you don't want to grant all of these permissions to all users? PowerShell comes in handy to revoke these permissions. The cmdlets used are Revoke-SPObjectSecurity, which removes rights from the ACL object retrieved with Get-SPProfileServiceApplicationSecurity, and Set-SPProfileServiceApplicationSecurity, which writes the modified ACL back to the service application, as follows:

$upaproxyname = "User Profile Service Application"
$upaproxy = Get-SPServiceApplicationProxy | Where-Object {$_.DisplayName -eq $upaproxyname}
# Current ACL of the User Profile service application (an SPObjectSecurity object)
$upasecurity = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $upaproxy

# All Authenticated Users (encoded claim)
$allauthusers = New-SPClaimsPrincipal -Identity 'c:0(.s|True' -IdentityType EncodedClaim
# To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Personal Features"
# To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Create Personal Site"
# To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Social Features"
# Commit the modified ACL; -Identity takes the SPObjectSecurity object, not the principal
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy

# NT AUTHORITY\Authenticated Users (encoded claim)
$ntauthusers = New-SPClaimsPrincipal -Identity 'c:0!.s|windows' -IdentityType EncodedClaim
# To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Personal Features"
# To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Create Personal Site"
# To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Social Features"
# Commit the modified ACL
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
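As an added example (not the author's script), the same revocation wrapped in an audit step: list who currently holds which rights on the User Profile service application, revoke the three default rights only from principals that actually have an entry, and re-read the ACL afterwards to confirm. It assumes the SharePoint snap-in is available, that the proxy display name matches the farm, and that the AccessRules entries of the SPObjectSecurity object expose Name and AllowedRights and that Name holds the encoded claim (assumptions, not taken from the post).

```powershell
# Added example, not the original post's code. Audits the User Profile service
# application ACL, revokes the default rights from a principal only when it has
# an access rule, and prints the ACL again so the change can be verified.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaproxyname = "User Profile Service Application"
$upaproxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $upaproxyname }
if (-not $upaproxy) { throw "Service application proxy '$upaproxyname' not found" }

function Show-UpaAcl {
    param($Proxy)
    $acl = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $Proxy
    # Assumed properties of each access rule: Name (encoded claim) and AllowedRights
    $acl.AccessRules | ForEach-Object {
        [pscustomobject]@{ Principal = $_.Name; Rights = $_.AllowedRights }
    } | Format-Table -AutoSize | Out-String | Write-Output
}

function Revoke-UpaDefaultRights {
    param($Proxy, [string]$EncodedClaim)
    $rights = @("Use Personal Features", "Create Personal Site", "Use Social Features")
    $principal = New-SPClaimsPrincipal -Identity $EncodedClaim -IdentityType EncodedClaim
    $acl = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $Proxy

    # Revoke-SPObjectSecurity fails with "The specified user or domain group was
    # not found" when the principal has no entry, so check first (-eq is case-insensitive).
    $entry = $acl.AccessRules | Where-Object { $_.Name -eq $principal.Value }
    if (-not $entry) {
        Write-Warning "No access rule for '$EncodedClaim' on '$($Proxy.DisplayName)'; nothing to revoke"
        return
    }
    foreach ($right in $rights) {
        Revoke-SPObjectSecurity -Identity $acl -Principal $principal -Rights $right
    }
    # Revoke only changes the in-memory object; this call persists the ACL
    Set-SPProfileServiceApplicationSecurity -Identity $acl -ProfileServiceApplicationProxy $Proxy
    Write-Output "Revoked $($rights -join ', ') from '$EncodedClaim'"
}

Write-Output "ACL before:"
Show-UpaAcl -Proxy $upaproxy
Revoke-UpaDefaultRights -Proxy $upaproxy -EncodedClaim 'c:0(.s|True'    # All Authenticated Users
Revoke-UpaDefaultRights -Proxy $upaproxy -EncodedClaim 'c:0!.s|windows' # NT AUTHORITY\Authenticated Users
Write-Output "ACL after:"
Show-UpaAcl -Proxy $upaproxy
```

Run it once without the two Revoke-UpaDefaultRights lines to capture the baseline ACL before changing anything.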

Hope you found this helpful.

Comments (2)

  1. Joe says:

    Thanks for posting this. I am having an issue with removing NT AUTHORITY\authenticated users. The PowerShell output: Revoke-SPObjectSecurity : The specified user or domain group was not found. I tried changing this to windows group rather than an encoded,
    but it still yielded the same results. (Windows 2012 R2, SQL 2014, SP 2013 with SP1)

  2. Joerg says:

    Hi,

    I am having the same problem with removing NT AUTHORITY\authenticated users 🙁
    Same error message, same environment.
