Managing SharePoint User Profile Service Application Permissions with PowerShell


Written by Chandrasekar Natarajan, Microsoft Premier Field Engineer.


When the User Profile service application is configured in Microsoft SharePoint 2010, by default NT Authority\Authenticated Users and All Authenticated Users are granted permissions to create My Sites and use other features (personal and social) provided by the user profile service.

Default permissions for the User Profile service application

 

But what if you don’t want to grant all of these permissions to all users? PowerShell comes in handy to revoke them. Two cmdlets are used: Revoke-SPObjectSecurity removes a right from the security object held in memory, and Set-SPProfileServiceApplicationSecurity writes the updated security object back to the service application. The script is as follows:

 # Load the SharePoint cmdlets when not running in the SharePoint 2010 Management Shell
 Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
 
 # Locate the proxy by display name and read its current permission set
 $upaproxyname = "User Profile Service Application"
 $upaproxy = Get-SPServiceApplicationProxy | Where-Object {$_.DisplayName -eq $upaproxyname}
 $upasecurity = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $upaproxy
 
 #All Authenticated Users
 $allauthusers = New-SPClaimsPrincipal -Identity 'c:0(.s|True' -IdentityType EncodedClaim
 #To revoke Use Personal Features permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Personal Features"
 #To revoke Create Personal Site permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Create Personal Site"
 #To revoke Use Social Features permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Social Features"
 #Commit the modified security object (-Identity takes the security object, not the principal)
 Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
 
 #NT AUTHORITY\authenticated users
 $ntauthusers = New-SPClaimsPrincipal -Identity 'c:0!.s|windows' -IdentityType EncodedClaim
 #To revoke Use Personal Features permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Personal Features"
 #To revoke Create Personal Site permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Create Personal Site"
 #To revoke Use Social Features permission
 Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Social Features"
 #Commit the modified security object
 Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
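
To confirm that the revocation was actually committed, the permission set can be re-read from the farm and checked for the two broad principals. This is an added example, not part of the original post; the function name Get-UpaBroadGrant is hypothetical, and it assumes each entry in the security object's AccessRules collection exposes Name and AllowedRights.

```powershell
# Added example (not from the original post): list any access rules that the
# two broad principals still have on the User Profile service application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UpaBroadGrant {   # hypothetical helper name
    param(
        [string]   $ProxyName   = "User Profile Service Application",
        # Encoded claims taken from the script in the post
        [string[]] $BroadClaims = @('c:0(.s|True', 'c:0!.s|windows')
    )

    # Fail loudly if the display name matches no proxy or more than one
    $proxy = @(Get-SPServiceApplicationProxy |
        Where-Object { $_.DisplayName -eq $ProxyName })
    if ($proxy.Count -ne 1) {
        throw "Expected exactly one proxy named '$ProxyName', found $($proxy.Count)."
    }

    # Re-read the permission set so the result reflects what was committed,
    # not the in-memory object that Revoke-SPObjectSecurity modified
    $security = Get-SPProfileServiceApplicationSecurity `
        -ProfileServiceApplicationProxy $proxy[0]

    # Assumption: each rule exposes Name (the encoded claim) and AllowedRights.
    # -contains is case-insensitive, so 'True' and 'true' both match.
    $security.AccessRules |
        Where-Object { $BroadClaims -contains $_.Name } |
        Select-Object Name, AllowedRights
}

$remaining = @(Get-UpaBroadGrant)
if ($remaining.Count -eq 0) {
    Write-Host "No access rules remain for the broad principals."
} else {
    Write-Warning "Access rules still present for broad principals; review AllowedRights:"
    $remaining | Format-Table -AutoSize
}
```

Run it once before the change to record the starting state and again afterwards; an entry that still lists rights means the Set-SPProfileServiceApplicationSecurity step did not persist the modified object.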

Hope you found this helpful.