Permissions – Keith Tuomi – Office 365 & SharePoint Consultant

SharePoint 2007 Anonymous MS Office Document Download Login Prompts

Written by Keith Tuomi on July 6, 2012. Posted in Document Library, Permissions, SharePoint 2007. 1 Comment

I ran into what I guess is a years old headbanger of a situation with a public-facing anonymous access-enabled SP 2007 site which allows document downloads. This one has probably caused many late nights and was probably a real friction point in SharePoint being considered for normal public website usage.

When certain Office Documents are downloaded (in this case, .DOT and .DOTX Word Document Templates, users:
– Click the download link and the file transfer initiates
– Are inappropriately given 2-3 login prompts, which when cancelled through, finally allow access to the downloaded document template

This behaviour does not occur when the user clicks “Save As”, only when the direct download link is clicked. I tried uploading new documents made from scratch and the same behaviour occured, so it didn’t seem to have anything to do with the content of the documents/templates downloaded.

Anonymous access appeared to be correctly configured and all IIS settings were ok. Nothing out of the ordinary seemed to appear when monitoring the download process with Fiddler. I tried turning off Client Integration since that seems to be the realm of the failure however it did not resolve the issue. More to that point, turning off Client Integration would remove that expected functionality for authenticated users with authoring rights. SP Permissions on the documents appear consistent with other documents that don’t exhibit this issue.

An excellent summary of this issue (which is essentially a “by-design” Microsoft trait) of this well-known problem is described here. That post also features one method of overcoming the issue.

Multiple Logon while open office Document from SharePoint
http://blogs.technet.com/b/steve_chen/archive/2010/06/25/multiple-logon-while-open-office-document-from-sharepoint.aspx

Office: Authentication prompts when opening Microsoft Office documents
http://support.microsoft.com/kb/2019105

NOTE: This issue has apparently been fixed for SharePoint 2010. These fixes only apply to SharePoint 2007.

See the end of this post for the final solution that worked for my situation the best. Methods 1-6 work to varying degrees and situations but none by themselves fulfilled the simple requirement of allowing anonymous users with IE to not get login prompts, without taking functionality away from someone else.

1. Editing the web.config to remove the “OPTION,PROPFIND” values from the for SharePoint.

Ref: http://support.microsoft.com/kb/2019105

If the web application is not intended to be used for WebDAV, the Web Service Extension that provides the WebDAV functionality can be set to Prohibited on a default server that is running IIS. (This might be WebDAV or FrontPage Server Extensions.) If the site provides WebDAV functionality through another extension, the provider of that extension should be involved. For example, to do this with Windows SharePoint Services (WSS), the site should be configured to disable Client Integration, or the OPTIONS and PROPFIND verb should be inhibited. (On IIS 6, remove the verbs from the registration line in the web.config file. On IIS 7.0, use the HTTP Verbs tab of the Request Filtering feature to deny the verbs.) Be aware that this approach will open the content in read-only mode because this approach disables direct-edit functionality.

Risks: Will disable client integration so if authenticated authors/users are expecting to open Office docs with integration Potentially disables site admin options in SharePoint Designer. Causes application recompile as we are committing change to web.config.
Rewards: Eliminates 1 out of the 2 login prompt windows that pop up. –IF- you are using IIS7 there is the potential that denying PROPFIND and OPTION in IIS > Site > Request Filtering would also be required. I don’t know of a deny method for IIS6 except using 3rd party tools such as LinkDeny.

2. Editing Core DOCICON.XML

Basically, hacking the code for the open/edit documents links that appear in list views, in the hive. Open the file:

C:Program FilesCommon FilesMicrosoft Sharedweb server extensions12TEMPLATEXML

Change the default settings for Office Document format files from:

<Mapping Key="dot" Value="icdot.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
<Mapping Key="dotm" Value="icdotx.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>        
<Mapping Key="dotx" Value="icdotx.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>

to:

<Mapping Key="dot" Value="icdot.gif" EditText="Microsoft Office Word" />
<Mapping Key="dotm" Value="icdotx.gif" EditText="Microsoft Office Word" />        
<Mapping Key="dotx" Value="icdotx.gif" EditText="Microsoft Office Word" />

Note: some of the “less advanced” formats such as Rich Text Format come out-of-the-box without the extra EditText=”Microsoft Office Word” OpenControl=”SharePoint.OpenDocuments” tags:

<Mapping Key="rtf" Value="icrtf.gif"/>

Risks: Disables Open in Office functionality for authenticated author/users
Rewards: Will disable the open with Office Client Integration on Office documents – users will just get a Save prompt.

3. Edit Publication Detail page by modifying Download Hyperlink to use Javascript download link

You can either modify existing custom page layouts (or create a new one) to include a user control which provides the actual download link for documents in a list grid or on a detail page. In my case I edited an existing user control embedded in the downloads masterpage:

Old link:

<a href=" <%= Utility.GetListItemServerRelativeUrl(PublicationItem) %> ">Download</a>

New Link:

<a href="javascript:STSNavigate('http://www.mysite.com/_layouts/download.aspx?SourceUrl=<%= Utility.GetListItemServerRelativeUrl(PublicationItem) %>' );">Download</a>

Risks: Disables Open/Edit in Office functionality for authenticated author/users
Rewards: Removes one of the two login prompts. Tried in combination with the technique of removing OPTIONS,PROPFIND from web.config

4. Custom Download Handler to Intercept Office documents being downloaded with specific format

Created an .ASPX page as per (the idea in the comments) http://www.theblackknightsings.com/CommentView,guid,1c85a4a8-879e-4974-b7c8-e48e6811eedd.aspx that forces the download to go through in binary for specific document formats, in this case .DOT/.DOTX. The same method as trick #3 is used (modifying the download link in the control that actually provides the download link). This time instead of using the JS method it points to the custom .ASPX page .

Here is an example of such as custom user control, which is specifically wired to intercept the .DOT and .DOTX mime types:

<%@ Control Language="C#" %>
<%@ Import Namespace="Microsoft.SharePoint" %>
<asp:Label ID="error" runat="server" />
<script runat="server">
    public partial class Office_Client_Integration_Override : System.Web.UI.UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            try
            {
                if (!String.IsNullOrEmpty(Request.QueryString["open"]) && (Request.UserAgent != "Microsoft Office Protocol Discovery")
               && (Request.UserAgent != "Microsoft Data Access Internet Publishing Provider Protocol Discovery")
               && (Request.UserAgent != "Microsoft Office Existence Discovery")
               && (Request.UserAgent != "MSFrontPage/14.0"))
                {
                    string fullPath = Request.QueryString["open"].ToLower();
                    int start = fullPath.IndexOf("/PublicationDocuments/");
                    string webPath = fullPath.Substring(0, start);
                    if (webPath == "")
                        webPath = "/";
                    SPSecurity.RunWithElevatedPrivileges(delegate()
                    {
                        using (SPSite site = new SPSite("http://www.sharepoint.com"))
                        {
                            using (SPWeb web = site.OpenWeb(webPath))
                            {
                                string strContentType = "";

                                SPFile tempFile = web.GetFile(fullPath);
                                //Get the extension of File.
                                string[] fext = tempFile.Name.Split('.');
                                byte[] obj = (byte[])tempFile.OpenBinary();

                                // Get the extension of File to determine the file type
                                string casestring = "";
                                if (fext.Length > 1)
                                {
                                    casestring = fext[fext.Length - 1];
                                }

                                //set the content type of file according to extension
                                switch (casestring)
                                {
                                    case ".dotx": strContentType = "application/vnd.openxmlformats";
                                        break;
                                    case ".dot": strContentType = "application/msword";
                                        break;
                                    default: strContentType = "application/msword";
                                        break;
                                }
                                Response.ClearContent();
                                Response.ClearHeaders();
                                Response.AppendHeader("Content-Disposition", "attachment; filename= " + tempFile.Name);
                                Response.ContentType = strContentType;
                                //Check that the client is connected and has not closed the connection after the request
                                if (Response.IsClientConnected)
                                    Response.BinaryWrite(obj);
                                Response.Flush();
                                Response.Close();
                            }
                        }
                    });
                }
                else
                Error.Text = "<p>No file was specified.</p>";
            }
            catch
            {
                Error.Text = "<p>There was an error downloading that file.</p>";
            }
        }
    }
</script>

Risks: Uses SPRunWithElevatedPrivileges to access the doc which could circumvent security if there was ever a need to have secure .DOT/.DOTX/ in the same site (unlikely)
Rewards: None, gives a straight 401 unauthorized.

5. Modifying Core.js in SharePoint hive to hotwire document opening behaviours

As per the post at , the following .JS modification will selectively (based on what file extensions you leave in there) override the core opening behaviour.

Find this line in the core.js file at:

 
C:Program FilesCommon FilesMicrosoft Sharedweb server extensions12templatelayouts1033 folder.
[/sourceode]

 
function DispDocItemEx(ele, fTransformServiceOn, 
     fShouldTransformExtension, fTransformHandleUrl, strProgId)
{

Add the following directly after that opening {:

/*************************************************************
Suppress Document Authentication Prompt Mod for WSS 3.0
by Kevin Cornwell 2/28/2007
 
Open document without SharePoint hook to edit,
thus suppressing the authentication prompt.
*************************************************************/
var _ele;
if (_ele = ele.toString()){
    if (_ele_ext = _ele.substring(_ele.lastIndexOf('.')+1).toLowerCase()){
        /* list of office docs - add or remove Office file extensions as desired  */
        var arr_office_ext = new Array('doc','xls','dot','dotx','bmp','gif','jpeg',
                                       'jpg','csv','docm','docx','docmhtml',
                                       'docxml','dothtml','gcsx','ico','mdb',
                                       'mde','mdn','png','pot','pothtml','potm',
                                       'potx','pps','ppt','pptm','pptx','pub',
                                       'xlb','xlc','xls','xlsm','xlt','xltm',
                                       'xltx','xlw','xlxml');
        var _i;
        var b_office_doc = false;
        /* check for ext in array */
        for (_i=0; _i < arr_office_ext.length; _i++) {
        if (arr_office_ext[_i] === _ele_ext){
                //alert(_ele);
            b_office_doc = true;
    break;
        }
        }
 
        /* send only if office ext */
        if (b_office_doc){
 
        /* Open the doc via download.aspx (supress sp editing) */
             STSNavigate(ctx.HttpRoot + '/_layouts/download.aspx?SourceUrl=' + _ele);
 
        /* Kill the “regular” sp handling of the doc (edit mode)
               onClick(true) and simply download the doc. */
        return false;
        }       
    }
}
/* End mod ***************************************************/

Risks: You are modifying core SharePoint hive file which can be a maintenance/upgrade issue. Core.JS file will not be updated on end users browser until they refresh their caches or the JS expires naturally – they won’t see the new behaviour until that JS is refreshed.
Rewards: Overrides the open behaviour without requiring Office Integration in general to be turned off. Allows selected file extensions to be downloaded without the Office client producing the dummy login prompts.

6. Re-applying Anonymous permissions to Web App, Document Library

Risks: none
Rewards: There’s been reports that this would correct any issues with document prompts, however I didn’t see this result in my test cases.

The Winning Combination

The following is what worked consistently best and with minimal interference with standard Office Client Integration functionality for logged in users. Note that I only illustrate how to insert a download link in a detail page, if you want to wire this up to a document list view it will require adapting it yourself. 🙂

1. Create/modify a document detail page in SharePoint Designer. Add a User Control which references your desired document fields (title, description, image etc.) and add the following as the download link:

Note: the following assumes you have a working knowledge of how to use the SharePoint API to grab your server variables. The bolded text in the following link are the part you will have to sort out depending on where you will be applying this download link:

<a href="javascript:STSNavigate('http://<strong><servername>:<port></strong>/_layouts/download.aspx?SourceUrl=<strong>/doc lib name/documentname.doc</strong>');">download a copy</a>

2. Open the file:

C:Program FilesCommon FilesMicrosoft Sharedweb server extensions12templatelayoutsdownload.aspx

I dont have to tell you to make a backup first.
3. Make some modifications, so your file will end like this (note that I have added the vital runat=”server” which is required):

<%@ Assembly Name="Microsoft.SharePoint.ApplicationPages" %> <%@ Page Language="C#" Inherits="Microsoft.SharePoint.ApplicationPages.Download"      %>
<script runat="server">// <![CDATA[
    protected override bool AllowAnonymousAccess
    {
        get{
            return true;
        }
    }
// ]]></script>

3. That’s it! Needless to say, if you have the Publishing Cache feature turned on you may need refresh your cache in order for the changes to kick in on the download detail page you’ve made. Otherwise, no messy sticky client-side Javascript and a very light core modification. It’s up to you if you want to beef up the restrictions in the AllowAnonymousAccess override – you could potentially combine some of the file extension restriction methods referenced in Method 4 to lock it down.

(Credit to http://www.uv.mx/personal/gvera/sharepoint-login-prompt-when-accessing-files-in-a-document-library/ for the final clue needed to put this together)

vSharePoint Presentation May 31 – SharePoint 2010 Permissions

Written by Keith Tuomi on June 1, 2012. Posted in Permissions, Security, SharePoint 2010, vSharePoint. Leave a Comment

Thanks to all for showing up last night, we had a great turn out. Cheers to Chris Stone for his presentation on Business Intelligence and to Sector for hosting us again. If you are in Victoria BC be sure to check out the next SharePoint meetup at:

http://www.meetup.com/vSharePoint/
http://www.vsharepoint.com

SharePoint 2010 Permissions Presentation

vSharePoint-SharePoint 2010 Permissions (PowerPoint)
vSharePoint-SharePoint 2010 Permissions (PDF)

1. SharePoint 2010Permissions
2. Access Management Terminology- Permissions – single units of access that represent specific tasks that can be performed at the list, site, or personalization level – permission levels are made up of sets of permissions – SharePoint ships with a core list of permissions that cannot be edited, added to or deleted- Users – smallest value to which access can be granted – value corresponds to an account in Active Directory or another host application for user accounts- Groups – a set of users who will have identical access needs- Securable objects – levels within SharePoint 2010 that can be “locked down,” or secured, by setting specific user access- Inheritance – used to describe how user access is created by default within SharePoint- Security Trimming & Indexing – SharePoint will only show you search results for content you have access to, and for which SharePoint understands the security- Audiences – Used to target content to specific sets of users – Defined in the User Profile Service Application in Central Admin – NOT a security setting but simply a way to display pertinent content to specific users
3. Topology Web Application
4. Permission Levels- Permission Levels are collections of permissions – level of access that users with the assigned permission have is based on the permissions that make up the permission level.- Defined at the site collection- Managed by Site Collection Administrators – Customize an existing permission level – Copy an existing permissions level and edit the copy – Create a new permission level “from scratch”
5. Default Permission CollectionPermission Level DescriptionFull Control -Contains all permissions. -Assigned to the Owners SharePoint group, by default – cannot be customized or deleted.Design – Can create lists and document libraries, edit pages and apply themes, borders, and style – Not assigned to any SharePoint group, by default.Contribute – Can add, edit, and delete items in existing lists and document libraries. – Assigned to the Members SharePoint group, by default.Read – Read-only access to the Web site – Assigned to the Visitors SharePoint group, by default.Limited Access – Designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. – To access a list or library a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. – Cannot be customized or deleted. – You cannot assign this permission level to users or SharePoint groups, instead, SharePoint automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, SharePoint automatically grants them Limited Access on the list, and also the site, if needed.
6. Web Application Policy- Central Administration > Manage Web Applications- Configures policy-based access to all content in a web application- Allow and Deny – Deny overrides any allow permissions- SharePoint 2010 allows you to define policies for any available permission
7. Site Security- Site Actions > Site Permissions- Groups are established at the site collection – Can be given permissions at the site level – Permission inherits down from there – When you create a group you do not have to assign a permission – A group without a permission at the site can still be assigned permissions to another securable object- Create a sub-site – Unique or Inherited Permissions
8. Default Groups- Owners: Full Control- Visitors: Read- Members: Contribute- Features add more groups (Designers, etc.)- The Members group is the “default members groups”
9. SharePoint Groups- Enable hierarchical membership management – Create a group named Site Managers > owned by site collection administrators > membership managed by owner (site collection administrators) – Site members (and other groups) > Owned by Site managers > Membership managed by owner (Site Managers)- Enable Access Requests – Add link to request page for the group – Optionally enable auto-accept of access requests- Control Member Visibility
10. Group Management Comparison- Active Directory – Technical user interface (AD Users & Computers) – No provisioning (requests, workflows) – Difficult delegation of membership management – Centralized security (group membership) management- SharePoint – Non-technical user interface – Easy delegation of group membership management – Optional provisioning of membership requests – Unified view of SharePoint groups & users – Only applies to SharePoint
11. Using Active Directory Groups- Assigning permissions directly to AD groups – Possible but not recommended > Assumes that content will always be hosted in a web application using AD as its authentication provider- Nest Active Directory groups in SharePoint groups – Add to a SharePoint group and give permissions (recommended) > user > Active Directory group > SharePoint group – Must be a security group (not a distribution group) > Distribution groups are expanded and then must be kept in sync- Distribution groups can be used to create audiences
12. To Nest or Not to NestUsers > Active Directory Group > SharePoint group- Ideal world: Synchronization of membership between Active Directory and SharePoint groups- “Intranet” sites: AD groups  SP groups to define access – Add site to users’ My Sites with personalization site links – Support easy management of access – Add site to users’ My Sites with personalization site links- “Collab” sites: Add users directly to SP groups – Provide My Site visibility – Provide visibility of user in user information list – Provide visibility to site owners and members – Support collaboration
13. List & Library Permissions- List > List Settings / Library > Library Settings- Stop Inheriting Permissions – Copies inherited permissions as initial explicit permissions – Can reset with Inherit Permissions button- Ribbon Actions for Selected Group(s)/user(s) – Grant Permissions – Remove User (or group) Permissions – Edit User (or group) Permissions – Check permissions: Resultant set of permissions – Anonymous Access
14. Folder & Item/Document SecurityItems & Documents will be referred to in this presentation as “Items” unless specific difference needsto be highlighted- Change permissions on a folder or item – Item > Arrow > Manage Permissions – When viewing the item properties in SharePoint > Edit Permissions
15. Inheritance- Permissions (role assignments) are inherited from the parent object- Inheritance can be broken – All permissions are explicit – Any changes to parent do not affect the child object- Inheritance can be reinstated – All customizations (explicit permissions) are lost- Use inheritance wherever possible – Simplicity, coherence, maintainability
16. Effective Permissions- SharePoint access is based on a per URI (web address) basis – The permission to the URI is all that matters – These kids are wild: no need to ask the parents permission – No equivalent to NTFS (Windows folder security) Traverse Folder permission- Explicit Inherited – One or the other – Different than NTFS (inherited + explicit)- Check Effective Permissions button – Shows you the actual effective permission level
17. Security Trimming & Indexing- The SharePoint interface and search results are security-trimmed – User don’t see what they do not have permission to read- Item-level permissions on pages in a Page Library – Problem: A Web Part displays items > Users don’t see items they don’t have access to > The crawler sees all items in the web part and indexes them – When inheritance is stopped within a site, all Web Part content on ASPX pages is not indexed by default – Site Settings > Search and Offline Availability > Indexing ASPX Page Content
18. Permission LevelsPublishing Feature Collection Manage – Available only with Publishing Features Hierarchy turned on Restricted Read Publishing Feature Approve
19. SharePoint Security Notes- Columns can not be secured uniquely (out of the box) – Performance – Conditional formatting – Related Lists – Third party solutions- Audiences – Make content visible to users – Effect can be close to security, but it is not security
20. Information Management Policies- In-place records management – New in SharePoint 2010 – Record library still supported for dedicated record libraries- Enable the feature at the site collection level- Declare records management attributes – Site Collection – Folder – Content type- Supports security at the document level withoutpermissions- Information rights policies – Relies on Active Directory Rights Management Services
21. Conclusion- Remember: limited access is for SharePoint to manage unique permissions. It neither means someone is limited to access something, nor does it mean they have limited access to something. Ignore it- Permissions can be defined at creation of a site (more options) but can’t be during creation of a new list or library (in the GUI at least)- When in doubt, check effective permissions- Help your users, set a valid email account for ‘manage access requests’- Finally, build sites based on a ‘team’ of people. Setting individual permissionsshouldn’t be something you do all the time, it should be in the ‘odd timesneeded’ not the goto action
22. Q&A + Contact Any Questions? Contact Details: Keith Tuomi ktuomi@itgroove.net itgroove.net

You don’t have Add and Customize Pages permissions required to perform this action

Written by Keith Tuomi on May 22, 2012. Posted in Document Library, Permissions, SharePoint 2010. 3 Comments

Steps to create the message “You don’t have Add and Customize Pages permissions required to perform this action”:

1. Make a new document library, set it the “Basic Page” template.
2. Assign a user Full Control on the document library
3. Have that user create a new document in the new document library.

>>> At this point you may receieve “Web Part Error: A Web Part or Web Form Control on this Page cannot be displayed or imported. You don’t have Add and Customize Pages permissions required to perform this action.”

This causes a lot of confusion as applying “Full Control” on the document ibrary would seem to imply to the layman that the users in that group would be granted access accordingly. However it’s clearly not working for you at this point, so what’s the scoop on this? Turns out SharePoints famed “inverted NTFS Permission”-style permission hierarchy is not as clear cut as simply saying “SharePoint Permissions are granted in order most permissive first”.

At this point, a frustrated admin would start looking at the next possible permissions to fiddle with, in order to work around the seemingly odd error message:

1. Clearly taking the next step up of giving someone “Full Control” of the entire site (Site Actions > Site Permissions), would not be desirable in most cases.
2. Giving the user “Add and Customize Pages” permissions on the entire site would allow them to edit, but is also probably not desirable in most circumstances since they could also “Add, change or delete HTML pages or Web Part pages and edit the web site using designer.

The solution:
1. You must have “Add and Customize Pages” permission from the site level to perform this action, the permission is not in the list permission level.
2. Add a new permission level which only includes “Add and Customize Pages” permission, and then create a new SharePoint group with this permission level.
3. Add the users into the SharePoint group and these users will get the “Add and Customize Pages” permission from the site level (site permission).
4. To Add/Edit a page, the users would also need the permission level “Contributor” in the list permission level.

It’s important to note that when you grant the full control to the users in the list permission level, that the users won’t get the permission from the site level.

Check SharePoint 2010 anonymous permissions

Written by Keith Tuomi on May 16, 2012. Posted in Permissions, Powershell, SharePoint 2010. Leave a Comment

Great PowerShell for checking the state of SharePoint anonymous permissions from Max Ruswell at Microsoft:

SharePoint PowerShell Script Series Part 6 – Is Anonymous Access Enabled?

Note: This PowerShell script is tested only on SharePoint 2010

Instructions for running the script:

1. Copy the below script and save it in notepad
2. Save it with a anyfilename.ps1 extension
3. To run, copy the file to a SharePoint Server
4. Select StartMicrosoft SharePoint 2010 ProductsSharePoint 2010 Management Shell
5. Browse to directory holding the copied script file
6. Run the script: .anyfilename.ps1 (assuming anyfilename is the name of the file)

<# ==============================================================
//
// Microsoft provides programming examples for illustration only,
// without warranty either expressed or implied, including, but not
// limited to, the implied warranties of merchantability and/or
// fitness for a particular purpose.
//
// This sample assumes that you are familiar with the programming
// language being demonstrated and the tools used to create and debug
// procedures. Microsoft support professionals can help explain the
// functionality of a particular procedure, but they will not modify
// these examples to provide added functionality or construct
// procedures to meet your specific needs. If you have limited
// programming experience, you may want to contact a Microsoft
// Certified Partner or the Microsoft fee-based consulting line at
// (800) 936-5200.
//
// For more information about Microsoft Certified Partners, please
// visit the following Microsoft Web site:
// </span><a href="https://partner.microsoft.com/global/30000104"><span style="font-size: x-small;">https://partner.microsoft.com/global/30000104</span></a>
<span style="font-size: x-small;">//
// Author: Russ Maxwell (russmax@microsoft.com)
//
// ---------------------------------------------------------- #></span>
<h3></h3>
<span style="font-size: x-small;">[Void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") </span>
<h3></h3>
<span style="font-size: x-small;">Start-SPAssignment -Global</span>
<h3></h3>
<span style="font-size: x-small;">######################################
##Creating and Returning a DataTable##
######################################
function createDT()
{
###Creating a new DataTable###
$tempTable = New-Object System.Data.DataTable

##Creating Columns for DataTable##
$col1 = New-Object System.Data.DataColumn("Anonymous Access")
$col2 = New-Object System.Data.DataColumn("Level")
$col3 = New-Object System.Data.DataColumn("URL")
$col4 = New-Object System.Data.DataColumn("Configured ListLib")

###Adding Columns for DataTable###
$tempTable.columns.Add($col1)
$tempTable.columns.Add($col2)
$tempTable.columns.Add($col3)
$tempTable.columns.Add($col4)

return ,$tempTable
}</span>
<h3></h3>
<span style="font-size: x-small;">#####################################
##Check WebApp for Anonymous Access##
#####################################
function checkwebappAnon()
{
$webAnon = $site.IISAllowsAnonymous.tostring()
$tempanonCheck = 0;
if ($webAnon -eq "true")
{
#Add a row to DataTable
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "WebApplication"
$row["URL"] = $site.WebApplication.Name
$dTable.rows.Add($row)
}

}</span>
<h3></h3>
<span style="font-size: x-small;">######################################
##Check the Site for Anonymous Access#
######################################
function checksiteAnon()
{
$tempanonCheck = 0
$checkWeb = $web.AllowAnonymousAccess.tostring()
$checkWebState = $web.AnonymousState.tostring()
$webMask = $web.AnonymousPermMask64.tostring()
Write-Host
Write-Host "Checking how Anonymous is set up on site: " $web.Url -ForegroundColor Magenta

if(($checkWeb -eq "True") -and ($checkWebState -eq "On"))
{
#Add a row to DataTable#
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "Site Level: Entire WebSite"
$row["URL"] = $web.Url.tostring()
$dTable.rows.Add($row)
$tempResult = 1
}

elseif(($checkWeb -eq "False") -and ($checkWebState -eq "Enabled") -and ($webMask -eq "Open"))
{
#Add a row to DataTable#
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "Site Level: Lists and Libraries"
$row["URL"] = $web.Url.tostring()
$dTable.rows.Add($row)
$tempResult = 2
}

else
{
$tempResult = 3
}

return $tempResult
}</span>
<h3></h3>
<span style="font-size: x-small;">############################################
##Check ListLibraries for Anonymous Access#
############################################
function checklistAnon()
{
###Checking each list and library for anonymous access###
$lists = $web.lists
$count1 = $lists.count
$hasAnon = 0

Write-Host "Checking " $lists.count " listslibaries for Anonymous Access" -ForegroundColor Magenta

###Setting String Vars###
$defMask1 = "OpenWeb"
$defMask2 = "EmptyMask"
$defTax = "TaxonomyHiddenList"

foreach($list in $lists)
{
$listUrl = $web.url + "/" + $list.Title
$listMask = $list.AnonymousPermMask.tostring()
$tax = $list.Title.ToString()

##Checking List eventhough Anonymous Access was disabled at SPWeb Level##
if(($webResult -eq '3') -and ($defTax.CompareTo($tax) -ne '0'))
{
if($listMask.CompareTo($defMask2) -ne '0')
{
if($listMask.CompareTo($defMask1) -eq '0')
{
#Anonymous Access is Enabled but not Configured on listlibrary#
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "ListLibrary"
$row["URL"] = $listUrl
$row["Configured ListLib"] = "No"
$dTable.rows.Add($row)
$hasAnon++
}
else
{
#Anonymous Access Enabled and Configured on listlibrary#
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "ListLibrary"
$row["URL"] = $listUrl
$row["Configured ListLib"] = "Yes"
$dTable.rows.Add($row)
$hasAnon++
}
}
}

elseif(($webResult -eq '2') -and ($defTax.CompareTo($tax) -ne '0'))
{
if(($listMask.CompareTo($defMask2) -ne '0') -and ($listMask.CompareTo($defMask1) -ne '0'))
{
#Anonymous Access Enabled and Configured on listlibrary#
$row = $dTable.NewRow()
$row["Anonymous Access"] = "Enabled"
$row["Level"] = "ListLibrary"
$row["URL"] = $listURL
$row["Configured ListLib"] = "Yes"
$dTable.rows.Add($row)
$hasAnon++
}
}
$count1--
if($count1 % '10' -eq '0')
{
Write-Host "Total # of listslibraries left to check: " $count1 -ForegroundColor DarkYellow
}
}
Write-Host
Write-Host "Total # of listslibraries with Anonymous Access Enabled: " $hasAnon -ForegroundColor Cyan
}
</span>
<h3></h3>
<span style="font-size: x-small;">########################
###Script Starts Here###
########################
$output = Read-Host "Enter a location for the output file (For Example: c:logs)"
$filename = Read-Host "Enter a filename"
$url = Read-Host "Please enter the URL of desired site collection and press enter"</span>
<h3></h3>
<span style="font-size: x-small;">###Getting a new DataTable###
[System.Data.DataTable]$dTable = createDT</span>
<h3></h3>
<span style="font-size: x-small;">###Getting Site Collection###
$site = Get-SPSite $url</span>
<h3></h3>
<span style="font-size: x-small;">###Checking if WebApp has Anonymous set###
checkwebappAnon</span>
<h3></h3>
<span style="font-size: x-small;">###Gathering web collection###
$webs = $site.Allwebs
$count = $webs.Count
Write-Host "Checking for Anonymous Access on " $count " Sites" -ForegroundColor Magenta</span>
<h3></h3>
<span style="font-size: x-small;">foreach($web in $webs)
{
$webResult = 0
###calling function to check anonymons on spweb###
$webResult = checksiteAnon

if(($webResult -eq '2') -or ($webResult -eq '3'))
{
Write-Host "Checking for Anonymous Access on List and Libraries" -ForegroundColor Magenta
###calling function to check anonymons on lists and libs###
checklistAnon
}

$count--

if($count -ne '0')
{
Write-Host
Write-Host "Total # of sites left to check: " $count -ForegroundColor DarkYellow
}

else{Write-Host "Operation Completed" -ForegroundColor DarkYellow}
}</span>
<h3></h3>
<span style="font-size: x-small;">if($dTable -ne $null)
{
$name = $output + "" + $filename + ".csv"
$dTable | Export-Csv $name -NoTypeInformation
Write-Host "Anonymous Access was detected" -ForegroundColor Green
Write-Host "Log File Created: " $name
}
else
{
Write-Host "Anonymous Access is Disabled for the entire Site Collection" -ForegroundColor Green
Write-Host "No Log File Created" -ForegroundColor Green
}

Stop-SPAssignment -Global