Retrieving Credentials from the Secure Store Service

I hate that once you set the credentials in a Secure Store Service, you can’t see what they are in the GUI. So this script from Bob Guidinger is a fabulous solution. Thanks Bob! (I would have left a comment on your site, but it wouldn’t let me for some reason ūüė¶ )

$context = Get-SPServiceContext -Site HTTPS://WEBAPP1

$provider = New-Object Microsoft.Office.SecureStoreService.Server.SecureStoreProvider
$provider.Context = $context

$marshal = [System.Runtime.InteropServices.Marshal]

    $apps = $provider.GetTargetApplications()
    foreach ($app in $apps)
       Write-Output "`n$($app.Name)"
        Write-Output "$('-'*80)"
            $creds = $provider.GetCredentials($app.Name)
            foreach ($cred in $creds)
                $ptr = $marshal::SecureStringToBSTR($cred.Credential)
                $str = $marshal::PtrToStringBSTR($ptr)

                Write-Output "$($cred.CredentialType): $($str)"
            Write-Output "Error getting credentials!"
        Write-Output "$('-'*80)"
    Write-Output "Error getting Target Applications."



Retrieve and update/change access request on all the sites/webs inside a web application that has my email as the access request. Some sites have a branch site managers email group that need to be used as well. Sourced from PowerShell script to update Access Request Email Address for multiple sites and webs and Windows PowerShell: Build a Better Function.

function Replace-RequestAccessEmail {
Update Access Request containing Specified Email
Find all the Access Request Settings that have a specified email and replace it with either another account, another account and the Branch Site Managers email, or remove from string
Replace the email address with a new address and the Branch Site Managers email
Replace-RequestAccessEmail -webapp "https://WEBAPP1" -email "Joe.Cool@email" -replace "SPADMIN@email" -SPSiteMgrs
Removes the email address from the string
Replace-RequestAccessEmail -webapp "https://WEBAPP1" -email "Joe.Cool@email"
Web Application to cycle through.
Email in Access Request Setting to locate
.PARAMETER replace
(OPTIONAL) Email to use as replacement - leave off to have email removed from string.
(OPTIONAL) Include to replace using Site Managers email based on Site Collection
process {
$webapplication = Get-SPWebApplication -Identity $webapp
[string]$trimSites = $webapplication.URL
$trimSites = $trimSites + "sites/"
foreach($site in $webapplication.Sites)
foreach($web in $site.AllWebs)
if ($web.HasUniquePerm -and $web.RequestAccessEnabled)
if ($web.RequestAccessEmail -like "*$email*")
$siteCollection = $web.Site | %{$_.URL}
$siteCollection = $siteCollection.TrimStart($trimSites)
Write-Host "Site Collection: " $siteCollection
Write-Host "On Web" $web.Title ", URL" $web.URL
Write-Host "`tAccess requests go to :" $web.RequestAccessEmail
#Default with Admin Account
$replace = "SPADMIN@EMAIL"
switch ($siteCollection)
"BRANCH_A" {$requestAccessEmail = "$replace; BRANCH_A.SPSiteMgr@EMAIL"}
"BRANCH_B" {$requestAccessEmail = "$replace; BRANCH_B.SPSiteMgr@EMAIL"}
"BRANCH_C" {$requestAccessEmail = "$replace; BRANCH_C.SPSiteMgr@EMAIL"}
default {$requestAccessEmail = "$replace"}
} else
$requestAccessEmail = $web.RequestAccessEmail
$reqeustAccessEmail = $requestAccessEmail.ToLower()
$email = $email.ToLower()
$requestAccessEmail = $requestAccessEmail.Replace($email,$replace)
# If the Request Access Email would be blank, set to SharePoint Admins Email
If ($requestAccessEmail -eq "")
$requestAccessEmail = "SPADMIN@EMAIL"
Write-Host "`t***Will Update Request Access Email to: "$requestAccessEmail "***"
$web.RequestAccessEmail = $requestAccessEmail
} #end ForEachWeb
#Dispose of the site object
} #end ForEachSite
} #end Process
} #endFunction

Get AD Group Member Users

Script pulls data from a group on the Exchange Domain and looks up user information in the Users domain. User name and email address are output to CSV file.

# -----------------------------------------------------------------------------
# Script: Get-ADGroupMemberUsers.ps1
# Author: Heather Van De Sande
# Date: 01/08/2013
# Keywords: PowerShell, Active Directory
# Comments: Recursively pull users from an Exchange Group and retrieve User information
#            from User Domain
# -----------------------------------------------------------------------------
Import-module ActiveDirectory
# Useful for finding the server information for below variables
#Get-ADDomain -Identity ""
#Get-ADDomain -Identity "" 
$strExchangeServer = "EXCHSV-DC1.EXCH.CORP.XX.COM"
$strUserServer = "USERSV-DC1.USER.CORP.XX.COM"
$strOutPutCSVFile = "C:\Temp\HR_All_Staff.csv"
$strParentGroupName = "HR All Staff"

$strParentGroupID = Get-ADGroup -Filter {Name -eq $strParentGroupName} -Server $strExchangeServer | Select DistinguishedName
$strMembers = Get-ADGroupMember -Identity $strParentGroupID.DistinguishedName -Server $strExchangeServer -Recursive
$strUsers = @()
foreach ($strMember in $strMembers){
    $strUsers += Get-ADUser -Identity $strMember.DistinguishedName -Server $strUserServer -Properties DisplayName,EmailAddress | Select DisplayName,EmailAddress
$strUsers | Export-Csv -Path $strOutPutCSVFile -NoTypeInformation

Copy Users between SharePoint Groups

I had a situation where I needed to create a new site and copy over specific groups from the old site. The groups had already been created using another script. Thanks to Justin Kobel (the smartest person I personally know) for helping me with this script.

$allGroups = (“Eastern Mountain Contributors”, “Eastern Mountain Visitors”, “Salt River Contributors”, “Salt River Visitors”)
$fromWeb = ‘https://WEBAPP/sites/SITEA&#8217;
$toWeb = ‘https://WEBAPP/sites/SITEB&#8217;
foreach ($group in $allGroups){
Write-Host “Group: $group”
$users = Get-SPUser -Web $fromWeb -Group $group | Select-Object LoginName
foreach ($user in $users){
New-SPUser ‚ÄďUserAlias $user.LoginName ‚Äďweb $toWeb
Set-SPUser -Identity $user.LoginName -Group $group -Web $toWeb

Get all Users in AD Group

UPDATE: Expanded script can be found here, where I needed to do this with the group being in the exchange domain and user information in a separate domain.

Recently I had a request to list all users to a particular site ‚Äď due to the unique nature of the site and the provisioning of those user accounts, those users are all members of an AD group (the AD group is then added to a SharePoint Group.)

Thanks to “Query for User Accounts in Active Directory with PowerShell” I was able to get onto the right track.

“Import-module ActiveDirectory” provides cmdlets that let you manage Active Directory domains.

I first pulled up all the information for a user I knew belonged to that group.

Get-ADUser -Filter {Surname -eq “Lastname”} -SearchBase ” DC=AD,DC=COMPANY,DC=COM ” -properties *

Looking at the MemberOf property, I was able to get the entire identity I needed for the Get-ADGroupMember cmdlet.

I created this script to retrieve the Display Name and Email Address for all members of the “Site_SP_Visitors” Group. List is then piped to a CSV file.

Get-ADGroupMember -Identity “CN=
Site_SP_Visitors,OU=Groups,OU=ZYG,OU=LKJS,OU=XYZ_Users,DC=AD,DC=COMPANY,DC=COM” | Get-ADUser -Properties DisplayName,EmailAddress | Select DisplayName,EmailAddress | Export-CSV “C:\temp\

No two choices should have the same ID

Add from existing site columns results in error. Looking up the Correlation ID in the ULS Logs gave a clue of “System.ArgumentException: No two choices should have the same ID.” You know, Microsoft, it would help to know what ID that was. But I guess that would deny me the fun of looking for it. I tried the advice given by Lars Lynch, but the SharePoint Manager didn’t allow me to sort the field’s information, so didn’t really help me.

Using PowerShell, I got a listing of all the fields, their ID’s and their Internal Names:

$web = Get-SPWeb https://webapp/sites/SITE/WEB 
foreach ($field in $web.Fields){ 
 write-output "$($field.Group) | $($field.Title) | $($field.Id) | $($field.InternalName)" 

This gave me a list I could sort in excel (after some manipulation) to try and find duplicates. Unfortunately that didn’t work. So I starting comparing the list it gave me to the one on the site columns page (_layouts/mngfield.aspx).

There I discovered a field listed twice on the site columns page, but only once in my list (note: the list output shown is the unsorted view):

After ensuring the field wasn’t used anywhere, I modified my script to remove the field:

$findGUID = "75af1e7d-ad81-4566-9edd-a582b2a7de13" 
$web = Get-SPWeb https://webapp/sites/SITE/WEB 
foreach ($field in $web.Fields){ 
 if($field.Id -eq $findGUID){
 write-output "$($field.Group) | $($field.Title) | $($field.Id) | $($field.InternalName)"
 $field.Allowdeletion = $true
 $field.Sealed = $false

The two instances of the field were removed from the site and I was able to “Add from existing site columns” again without error.

Update Permission Set

I needed to create a script to update two permission sets throughout my farm:

$allWebApps = ("https://WEBAPP1.COM", "https://WEBAPP2.COM")
function fnUpdatePermSet {
    #Get the root Web site of the site collection.
    # Use the RoleDefinitions property of the SPWeb class to get the collection of role definitions for a Web site. Use an indexer to return a single item from the collection.
    # Use the BasePermissions property of the SPRoleDefinition class to set the base permissions for a role definition.
    # Use the Update Method of the SPRoleDefinition class
foreach ($siteUrl in $allWebApps){
   Write-Host "$siteUrl";
   $rootSite = New-Object Microsoft.SharePoint.SPSite($siteUrl);
   $spWebApp = $rootSite.WebApplication;
   foreach($SPSite in $spWebApp.Sites){
      #Get site collection
      $site = Get-SPSite $SPSite
      Write-Host $site
      $roleName = "Edit-Add";
      $rolePerms = "ViewListItems,AddListItems,EditListItems,OpenItems,ViewVersions,ViewFormPages,Open,ViewPages,BrowseDirectories,BrowseUserInfo,UseRemoteAPIs,UseClientIntegration,CreateAlerts,ManagePersonalViews";
      $roleName = "Add Only";
      $rolePerms = "ViewListItems,AddListItems,OpenItems,ViewVersions,ViewFormPages,Open,ViewPages,BrowseDirectories,BrowseUserInfo,UseRemoteAPIs,UseClientIntegration,CreateAlerts,ManagePersonalViews";

      #Dispose of the site object