Retrieve and update/change access request on all the sites/webs inside a web application that has my email as the access request. Some sites have a branch site managers email group that need to be used as well. Sourced from PowerShell script to update Access Request Email Address for multiple sites and webs and Windows PowerShell: Build a Better Function.

function Replace-RequestAccessEmail {
Update Access Request containing Specified Email
Find all the Access Request Settings that have a specified email and replace it with either another account, another account and the Branch Site Managers email, or remove from string
Replace the email address with a new address and the Branch Site Managers email
Replace-RequestAccessEmail -webapp "https://WEBAPP1" -email "Joe.Cool@email" -replace "SPADMIN@email" -SPSiteMgrs
Removes the email address from the string
Replace-RequestAccessEmail -webapp "https://WEBAPP1" -email "Joe.Cool@email"
Web Application to cycle through.
Email in Access Request Setting to locate
.PARAMETER replace
(OPTIONAL) Email to use as replacement - leave off to have email removed from string.
(OPTIONAL) Include to replace using Site Managers email based on Site Collection
process {
$webapplication = Get-SPWebApplication -Identity $webapp
[string]$trimSites = $webapplication.URL
$trimSites = $trimSites + "sites/"
foreach($site in $webapplication.Sites)
foreach($web in $site.AllWebs)
if ($web.HasUniquePerm -and $web.RequestAccessEnabled)
if ($web.RequestAccessEmail -like "*$email*")
$siteCollection = $web.Site | %{$_.URL}
$siteCollection = $siteCollection.TrimStart($trimSites)
Write-Host "Site Collection: " $siteCollection
Write-Host "On Web" $web.Title ", URL" $web.URL
Write-Host "`tAccess requests go to :" $web.RequestAccessEmail
#Default with Admin Account
$replace = "SPADMIN@EMAIL"
switch ($siteCollection)
"BRANCH_A" {$requestAccessEmail = "$replace; BRANCH_A.SPSiteMgr@EMAIL"}
"BRANCH_B" {$requestAccessEmail = "$replace; BRANCH_B.SPSiteMgr@EMAIL"}
"BRANCH_C" {$requestAccessEmail = "$replace; BRANCH_C.SPSiteMgr@EMAIL"}
default {$requestAccessEmail = "$replace"}
} else
$requestAccessEmail = $web.RequestAccessEmail
$reqeustAccessEmail = $requestAccessEmail.ToLower()
$email = $email.ToLower()
$requestAccessEmail = $requestAccessEmail.Replace($email,$replace)
# If the Request Access Email would be blank, set to SharePoint Admins Email
If ($requestAccessEmail -eq "")
$requestAccessEmail = "SPADMIN@EMAIL"
Write-Host "`t***Will Update Request Access Email to: "$requestAccessEmail "***"
$web.RequestAccessEmail = $requestAccessEmail
} #end ForEachWeb
#Dispose of the site object
} #end ForEachSite
} #end Process
} #endFunction

Copy Users between SharePoint Groups

I had a situation where I needed to create a new site and copy over specific groups from the old site. The groups had already been created using another script. Thanks to Justin Kobel (the smartest person I personally know) for helping me with this script.

$allGroups = (“Eastern Mountain Contributors”, “Eastern Mountain Visitors”, “Salt River Contributors”, “Salt River Visitors”)
$fromWeb = ‘https://WEBAPP/sites/SITEA&#8217;
$toWeb = ‘https://WEBAPP/sites/SITEB&#8217;
foreach ($group in $allGroups){
Write-Host “Group: $group”
$users = Get-SPUser -Web $fromWeb -Group $group | Select-Object LoginName
foreach ($user in $users){
New-SPUser –UserAlias $user.LoginName –web $toWeb
Set-SPUser -Identity $user.LoginName -Group $group -Web $toWeb

Vanishing SharePoint Groups

It’s like an episode of CSI – all of the evidence points to one suspect for half the show and then the surprise evidence shows up and turns the case on its head. You don’t usually expect that to happen in IT.

The email comes in “Help please… sudden loss of access to Project Management SP Site.” I’m able to get to the site, so it’s not down. Further details come in and the group “All Projects Staff” is missing, of course they want to know what WE (our IT group) did to cause this. So I run the audit report and have the satisfaction of reporting that the business site manager (the one reporting the issue,) “Vinny Dadeleter”, deleted three groups that day. Now the tables are turned – he’s swearing up and down he’s done nothing to the permissions – hasn’t even been in the site settings. But it’s all there in the audit logs:

Item Type User Id Document Location Occurred (GMT) Event Event Data
Site Collection DOMAIN\vinny.dadeleter sites/PRJ


Security Group Delete <groupid>1019</groupid> DMS Staff
Site Collection DOMAIN\vinny.dadeleter sites/PRJ


Security Group Delete <groupid>785</groupid> All Projects Staff
Site Collection DOMAIN\vinny.dadeleter sites/PRJ


Security Group Delete <groupid>1018</groupid> CC Staff

Case closed – right?

Well Vinny wasn’t going to take the fall and did some research. He discovered this article on the forums about “Vanishing SharePoint Permissions” and sent it to us. He had indeed deleted a sub-site almost a month before. I had the backup from last night restore the content database to my test farm. I was able to see the groups there (from which we restored them to production), then cleared the recycle bin, and the groups disappeared.

I am now in the process of trying to reproduce this in my test environment without success. I’ll post more when I discover how to reproduce this. If this has happened to you, please let me know with as much detail as possible, what were the groups, where were they created, and what site templates were used.

Update Permission Set

I needed to create a script to update two permission sets throughout my farm:

$allWebApps = ("https://WEBAPP1.COM", "https://WEBAPP2.COM")
function fnUpdatePermSet {
    #Get the root Web site of the site collection.
    # Use the RoleDefinitions property of the SPWeb class to get the collection of role definitions for a Web site. Use an indexer to return a single item from the collection.
    # Use the BasePermissions property of the SPRoleDefinition class to set the base permissions for a role definition.
    # Use the Update Method of the SPRoleDefinition class
foreach ($siteUrl in $allWebApps){
   Write-Host "$siteUrl";
   $rootSite = New-Object Microsoft.SharePoint.SPSite($siteUrl);
   $spWebApp = $rootSite.WebApplication;
   foreach($SPSite in $spWebApp.Sites){
      #Get site collection
      $site = Get-SPSite $SPSite
      Write-Host $site
      $roleName = "Edit-Add";
      $rolePerms = "ViewListItems,AddListItems,EditListItems,OpenItems,ViewVersions,ViewFormPages,Open,ViewPages,BrowseDirectories,BrowseUserInfo,UseRemoteAPIs,UseClientIntegration,CreateAlerts,ManagePersonalViews";
      $roleName = "Add Only";
      $rolePerms = "ViewListItems,AddListItems,OpenItems,ViewVersions,ViewFormPages,Open,ViewPages,BrowseDirectories,BrowseUserInfo,UseRemoteAPIs,UseClientIntegration,CreateAlerts,ManagePersonalViews";

      #Dispose of the site object

Find all groups in Site Collection using a specific permission level

Find all groups in Site Collection using a specific permission level. Helpful for removing outdated custom permission levels.

$siteUrl = "https://WEBAPP/sites/SITECOLLECTION"
$permission = "Restricted Read"
function Get-SPGroupByPermissionLevel([string]$url, [string]$permLevel) {
$spWeb = Get-SPWeb $url
$spGroupCollection = $spWeb.SiteGroups;
$group = $spGroupCollection | ? {$_.Roles | ? {$_.Name -eq $permLevel} }
return $group;
$rootSite = New-Object Microsoft.SharePoint.SPSite($siteUrl);
$spWebApp = $rootSite.WebApplication;
foreach($SPSite in $spWebApp.Sites)
$siteURL = $SPSite.URL;
Write-Host "SITEURL: $siteURL"
        $groups = Get-SPGroupByPermissionLevel $siteURL $permission;
        foreach($group in $groups)
if($group -ne $NULL){
Write-Host "-Web "$siteURL "-Group "$group

“Add users to a SharePoint group” Disabled

In researching this error, the posted answers had to do with the site being created by code – and the solution was a change in the code.

However, it wasn’t my code creating the sites, but the migration tool I was using. Changing their code wasn’t an option. So if you have a site where the “Add users to a SharePoint group” drop-down is disabled, you can solve this in two ways.

Using the GUI:

Site Actions > Site Permissions – go into each group you want available in the drop down and make it the default group -leaving for last the actual group you want to make the default.

PowerShell Script:

Add all of the groups desired to be part of the dropdown – leaving the actual group you want to make the default last.

$snapIn = Get-PSSnapin | where-object {$_.Name -eq "Microsoft.SharePoint.PowerShell"}
if($snapIn -eq $null) {
Add-PsSnapin Microsoft.SharePoint.PowerShell
$Web=Get-SPweb https://WEBAPP/sites/SITE/SUBSITE
$Web.AssociatedMemberGroup=$Web.SiteGroups["SITENAME Contributors"]
$Web.AssociatedMemberGroup=$Web.SiteGroups["SITENAME Manager"]
$Web.AssociatedMemberGroup=$Web.SiteGroups["SITENAME CUSTOM Group"]
$Web.AssociatedMemberGroup=$Web.SiteGroups["SITENAME Visitors"]