使用PowerShell为库中的SharePoint文件夹授予Active-Directory-Synced组权限

Posted 2021-04-13

我们有一个SharePoint Online站点，其中包含许多子站点，每个子站点都有一个包含15个文件夹的文档库。我们希望为每个文件夹设置不同的Active-Directory-Synced安全组的权限。例如

         Group1  Group2  Group3

Folder1    RO     RO       RW
Folder2    NA     RW       RO
..
Folder15   RW     RW       RO

（RO：只读，RW：读写，NA：无访问权限）

为此，我们首先需要打破父母对文件夹的继承，我设法使用这个PS代码来实现这一点，其中SPOMod.psm1可以在线免费获取这里https://gallery.technet.microsoft.com/office/SharePoint-Module-for-5ecbbcf0

---

$cred=Get-Credential
Import-Module "D:somepathSharePoint Onlince Client Components SDKSPOMod.psm1" -verbose

Connect-SPOCSOM -Credential $cred -Url "https://companyname.sharepoint.com/sites/Projects_Division/ProjectnameAndLocation"
Get-SPOListItems -ListTitle Documents  -Recursive  -IncludeAllProperties $true | select ID
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 1
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 2
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 3
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 4
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 5
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 6
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 7
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 8
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 9
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 10
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 11
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 12
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 13
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 14
Remove-SPOListItemInheritance -ListTitle Documents -KeepPermissions $false  -ItemID 15

其中ItemID 1到15是首次在此库中创建的文件夹ID。这对我很好。

下一步是为每个文件夹分配AD组权限。为此我试图使用我从这里得到的PS代码（http://www.sharepointdiary.com/2016/09/sharepoint-online-set-folder-permissions-powershell.html）

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions16ISAPIMicrosoft.SharePoint.Client.dll"
Add-Type -Path "C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions16ISAPIMicrosoft.SharePoint.Client.Runtime.dll"

#Variables
$SiteURL="https://companyname.sharepoint.com/sites/Projects_Division/Project1nameAndLocation"
$FolderURL="Documents/Folder1" #Relative URL of the 1st Folder
$GroupName="ActiveDirectory Group1 Name" #The AD Group that we want to assign for Folder1
$UserAccount="useraccount@company.com" An AD Account that we want to also assign
$PermissionLevel="Read"


$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = $Credentials
$Web = $Ctx.web

#Get the Folder
$Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
$Ctx.Load($Folder)
$Ctx.ExecuteQuery()

#Break Permission inheritence - Remove all existing list permissions & keep Item level permissions
$Folder.ListItemAllFields.BreakRoleInheritance($False,$True)
$Ctx.ExecuteQuery()
Write-host -f Yellow "Folder's Permission inheritance broken..."

#Get the SharePoint Group & User
$Group =$Web.SiteGroups.GetByName($GroupName)
$User = $Web.EnsureUser($UserAccount)
$Ctx.load($Group)
$Ctx.load($User)
$Ctx.ExecuteQuery() #The error is happening here and the script stopps

#Grant permission
#Get the role required
$Role = $web.RoleDefinitions.GetByName($PermissionLevel)
$RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
$RoleDB.Add($Role)

#Assign permissions
$GroupPermissions =     $Folder.ListItemAllFields.RoleAssignments.Add($Group,$RoleDB)
$UserPermissions = $Folder.ListItemAllFields.RoleAssignments.Add($User,$RoleDB)
$Folder.Update()
$Ctx.ExecuteQuery()
Write-host "Permission Granted Successfully!" -ForegroundColor Green 
-----

我在#Get the SharePoint Group＆User执行查询时遇到错误：

------
PS C:UsersuserDesktopcode> $Ctx.ExecuteQuery()
Exception calling "ExecuteQuery" with "0" argument(s): "Group cannot be found."
At line:1 char:5
+     $Ctx.ExecuteQuery()
+     ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ServerException
----

尽管该组已成功进行AD同步，但如果我尝试从GUI执行相同操作，它将出现在SharePoint GUI中。

我注意到并测试了如果该组是本地SharePoint Online Group（不是AD Synched），此代码可以正常工作吗？是否有一个命令允许我以相同的方式使用AD-Synched组？

答案

$ Group = $ Web.SiteGroups.GetByName（$ GroupName）仅获取SharePoint组。

使用：$ ADGroup = $ Web.EnsureUser（“Domain ADGroup”）来解析AD组！