Repairing List Item Permission Actions in Exported Nintex Workflows

While working on a sizeable SharePoint and Nintex Workflow development project recently, I came across a significant issue in Nintex Workflow that the support engineers at Nintex said was not a bug. I disagree with them, and had to find a workaround anyway, so thought I would share it.

The Problem

If you export a workflow from one SharePoint system (e.g. a development farm), and import it into a different SharePoint system (e.g. a production farm), if you are using the “Set Item Permissions” action within your workflow, you will discover that it is broken after importing. I did a bit of digging, and discovered why – the exported workflow describes the permissions sets in XML by both their name, and their internal IDs (large integers) – but only seems to use the IDs when importing – Nintex Workflow doesn’t try to correlate the permission sets by name on the destination system, so presumes it cannot find the permission sets described in the workflow actions.

It’s worth repeating – the Nintex support engineer I dealt with said this was by design. I was quite shocked.

The Solution

If you’re working on a sizeable project, you probably have all the workflows exported to a folder on the filesystem. You can therefore process the files to replace the IDs from the original system with those of the target system. So – we can run the following PowerShell script on the files, while they are sitting on the destination server(s):

$url = "https://server/sites/site_collection/subsite"

$uri = [System.Uri]$url

# Loop through files in Workflows subdirectory
foreach ( $source_file in $(Get-ChildItem './Workflows' -File | Sort-Object -Property Name) ) {

    Write-Host $("Processing [" + $source_file.Name + "]") -foregroundcolor white
    $file_content = Get-Content "../Workflows/$source_file"
    # repair the role definitions in the XML
    Write-Host " - Repairing Role Definition IDs in XML"
    foreach ($role_definition in $web.RoleDefinitions){
        $pattern     = $('\#' + $role_definition.Name + '\;\#None\;\#[0-9]+\$\$\#\#')
        $replacement = $('#' + $role_definition.Name + ';#None;#' + $role_definition.Id + '$$$$##')
        $file_content = $file_content -replace $pattern , $replacement
    # Write the file into the modified directory
    $file_content | out-file -encoding utf8 "./Workflows/Modified/$source_file"
    Write-Host $(" - Finished Processing [" + $source_file.Name + "]")


The above snippet presumes you have all your workflows in a folder called “Workflows”, alongside the PowerShell script. It also presumes a sub-folder called “Modified” exists within the Workflows folder, to put the modified workflows into. The script does a regex search for the role definition names in the XML (the permission sets), and swaps them out for the matching ones for the destination system. After running the script, you end up with a set of workflow export files that work.

In my mind, this entire situation could have been avoided if the developers at Nintex had been a bit more forward thinking. At least there is a solution.

Posted by Jonathan Beckett in Notes, 0 comments

Removing Webparts from SharePoint Site Pages with Powershell

The following PowerShell snippet shows how to remove a WebPart from a page in SharePoint by it’s title. I wrote it up because it’s not as straightforward as you might imagine – you need to loop through the WebParts in the page via the “webpartmanager” object – there is no enumeration of WebParts in a page.

$webpart_title = "Hello World"
$page_filename = "home.aspx"

# Connect to Web
$web = Get-SPWeb ""

# Instantiate Webpart Manager
$webpartmanager = $web.GetLimitedWebPartManager($($web.Url + "/SitePages/" + $page_filename),[System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)

$webpartsarray = @()

for($i=0;$i -lt $webpartmanager.WebParts.Count;$i++) {
  if($webpartmanager.WebParts[$i].title -eq $webpart_title) {
    $webpartsarray = $webpartsarray + $webpartmanager.WebParts[$i].ID

$num_webparts = $webpartsarray.length

if ($num_webparts -gt 0)
  Write-Host "Found Webpart [$webpart_title]"
  for($j=0; $j -lt $num_webparts; $j++)
    Write-Host $("Deleting WebPart [" + $webpartsarray[$j] + "]")
  Write-Host "WebPart Not found"

# release resources

Posted by Jonathan Beckett in Notes, 0 comments

Provisioning SharePoint WebPart Pages, and WebParts with PowerShell

One of the more common exercises you might undertake in a PowerShell script when automating the deployment of infrastructure is the creation of WebPart pages, adding WebParts onto those pages, and potentially making one of those pages the default front page for a given site.

The following code snippets illustrate the methods required for each step of the process.

Connect to SharePoint

Before we can issue any instructions to SharePoint we need to add the SharePoint SnapIn to PowerShell, and connect to a web.

if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null)
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$web = Get-SPWeb ""

Create a WebPart Page in the Site Pages Library

Next we create a page in the site pages library – notice that the layout template is chosen by it’s internal ID – you can find these out by searching MSDN for “SharePoint Page Layout Template enumeration”.

$site_pages_library = $web.lists["Site Pages"]
$pageTitle = "My Page"
$layoutTemplate = 4 # Template code
$xml = "" + $site_pages_library.ID + "NewWebPageNewWebPartPage" + $layoutTemplate + "true" + $pageTitle + ""
$result = $web.ProcessBatchData($xml)

Add a WebPart to the Page

First we need to instantiate a WebPart manager object, which will be used to manipulate the webparts within a given page.

$webpartmanager = $web.GetLimitedWebPartManager($web.Url + "/SitePages/My%20Page.aspx", [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)

Add a Content Editor WebPart to the Page

Some example code to add a content editor WebPart to a WebPart page. Notice in particular the final command to the WebPart Manager object, which details the section of the page, and an index number within that section to place the WebPart.

$webpart = new-object Microsoft.SharePoint.WebPartPages.ContentEditorWebPart
$webpart.ChromeType = [System.Web.UI.WebControls.WebParts.PartChromeType]::None
$webpart.Title = "Example Content Editor WebPart"
$docXml = New-Object System.Xml.XmlDocument
$contentXml = $docXml.CreateElement("Content")
$inner_xml = "Hello World!"
$contentXml.set_InnerText($inner_xml) > $null
$docXml.AppendChild($contentXml) > $null
$webpart.Content = $contentXml
$webpartmanager.AddWebPart($webpart, "Header", 1) > $null

Add a List View WebPart to the Page

It turns out adding list views to the page is a bit easier than a content editor webpart. Note that the webpart will take a copy of the view, so if you change the underlying view it is using within the list, it will not affect the WebPart.

$list = $web.Lists["My List"]
$view = "All Items"
$webpart = new-object Microsoft.SharePoint.WebPartPages.ListViewWebPart
$webpart.ChromeType = [System.Web.UI.WebControls.WebParts.PartChromeType]::TitleOnly
$webpart.Title = "Example List View WebPart"
$webpart.ListName = $list.ID
$webpart.ViewGuid = $view.ID
$webpartmanager.AddWebPart($webpart, "Body", 1) > $null

Make the new Page the default front page for the site

One of the more common reasons to provision a page through Powershell is as part of a dashboard that will become the user interface for the SharePoint site – this is how you do that.

$root_folder = $web.RootFolder
$root_folder.WelcomePage = "SitePages/My%20Page.aspx"

Release Resources

Finally, we need to release the resources PowerShell is holding onto with SharePoint.

Posted by Jonathan Beckett in Notes, 0 comments

Problems with Breaking Inheritance and Limited Access User Permission Lock Down Mode in SharePoint

What is “Limited Access User Permission Lock Down Mode” ?

Lets start this by describing a little known site collection feature called “Limited Access User Permission Lock Down Mode”. When enabled, it stops users from viewing the list that a file they have been given specific access to exists within. In some cases it seems to stop Microsoft Office from working correctly too.

The reason you might use it, is to allow a user read access to a specific file within a SharePoint Library, but not let them modify the URL in order to see the list – essentially only the URL to the file will work for them.

If you switch off the site collection feature, the user will be able to at least see the library within SharePoint containing the file they have access to.

How does this relate to Permissions ?

It just so happens I developed a PowerShell script for a client that creates sub-sites for projects – breaking permissions inheritance on each sub-site, and wiring up custom groups, and permissions for them for each sub-site (e.g. “Project A”, with groups “Project A Owners”, “Project A Members”, and so on).

It turns out the method used in the PowerShell script to break permissions inheritance on the sub-site was incorrect (although advocated by Microsoft I might add).

I used the following method :


It turns out this does something that is impossible through the SharePoint interface – it not only breaks inheritance, and copies the Group assignments to the subsite, it also breaks inheritance of the Permission Levels (aka “permission sets”), and creates new permission sets tied to the sub-site with the same names as the parent. The tell-tale that this has happened is that checkboxes appear next to the permission set names when viewed from the sub-site (via “view site permissions”).

Why is this important? Because when the permission sets are copied, the configuration of the Limited Access User Permission Lock Down Mode feature is also copied – and then if it is enabled, or disabled at the site collection level (it’s a site collection feature, remember), it will not affect sub-sites with broken inheritance.

How can it be fixed ?

When you create a sub-site via Powershell, you need to use a slightly different method to break permissions inheritance :


This method copies the existing group assignments, but inherits the permission sets. It’s obviously the method used by the SharePoint interface, which exhibits the same behaviour.

If you have already created a number of sub-sites, they can be repaired by writing a PowerShell script to iterate through them, first reading the groups and roles assigned to them, then re-inheriting, and re-breaking permission inheritance correctly, before re-building the group and role assignments appropriately.

Posted by Jonathan Beckett in Notes, 0 comments

Deploying Nintex Forms with PowerShell

When working on a sizeable project with Microsoft SharePoint, Nintex Workflow, and Nintex Forms, it makes sense to automate deployment as much as possible. While it’s straightforward to automate the provisioning of SharePoint assets such as lists, content types, fields, and views through PowerShell, and it’s fairly easy to call NWAdmin to deploy workflows, Nintex Forms have always been something of a problem – until Nintex released a Forms Webservice that is.

It’s still not easy to deploy Nintex Forms via PowerShell, as evidenced by the numerous discussions on both the Nintex community forms, and elsewhere on the internet – with people trying to stick bits of the solution together, and nobody really having the “whole story”. Well this post describes the whole story. I debated for some time about writing this up, because the amount of effort to do it was significant – it gets into that grey area of “this has commercial value”. In the end I decided to share it because I have taken so much from the community over the years, so it might be time to pay something back.

The following PowerShell snippet essentially loops through an arraylist describing the titles of lists, and associated form XML files, and communicates with the Nintex Forms webservice to upload the XML, and publish the forms. It sounds straightforward – it’s anything but. In reality, the script does the following:

  • Calls SharePoint to get a Form Digest
  • Extracts the Form Digest from the response
  • Prepares a POST Web Request to the Nintex Forms Webservice
  • Reads the Form XML file into a byte array
  • Sends the request to the Forms Webservice, streaming the byte array
  • Captures the response from the Forms Webservice

Here’s the guts of it…

$web = Get-SPWeb "https://server/sites/site_collection/subsite"

[System.Reflection.Assembly]::LoadWithPartialName("System.IO") >> $null
[System.Reflection.Assembly]::LoadWithPartialName("Nintex.Forms.SharePoint") >> $null
[System.Reflection.Assembly]::LoadWithPartialName("Nintex.Forms") >> $null

# Build an arraylist of List names, and form xml filenames
$items = New-Object System.Collections.ArrayList
$items.Add(("List A","form_a.xml")) > $null
$items.Add(("List B","form_b.xml")) > $null
$items.Add(("List C","form_c.xml")) > $null

# Check we can see the folder where the form files are
$forms_path = Resolve-Path $(".\Forms\")
if (Test-Path($forms_path)) {

    # loop through the form files
    foreach ($item in $items) {
        $list_name = $item[0]
        $form_filename = $item[1]
        $form_path = "$forms_path$form_filename"

        Write-Host $(" - Deploying [" + $form_filename + "] to [" + $list_name + "]") -foregroundcolor white
        if (Test-Path($form_path)) {

            Write-Host $(" - Form XML File Found")
            if ($web.Lists[$list_name]){
                # Get Form Digest
                Write-Host " - Getting Form Digest" -NoNewLine
                    # Call SharePoint for the Form Digest
                    $form_digest_request = [Microsoft.SharePoint.Utilities.SPUtility]::ConcatUrls($web.Site.RootWeb.Url, "_api/contextinfo")
                    $form_digest_uri = New-Object System.Uri($form_digest_request)
                    $credential_cache = New-Object System.Net.CredentialCache
                    $credential_cache.Add($form_digest_uri, "NTLM", [System.Net.CredentialCache]::DefaultNetworkCredentials)
                    $http_request = [System.Net.HttpWebRequest] [System.Net.HttpWebRequest]::Create($form_digest_request)
                    $http_request.Credentials = $credential_cache
                    $http_request.Method = "POST"
                    $http_request.Accept = "application/json;odata=verbose"
                    $http_request.ContentLength = 0
                    [System.Net.HttpWebResponse] $http_response = [System.Net.HttpWebResponse] $http_request.GetResponse()
                    [System.IO.Stream]$response_stream = $http_response.GetResponseStream()
                    [System.IO.StreamReader] $stream_reader = New-Object System.IO.StreamReader($response_stream)
                    $results = $stream_reader.ReadToEnd()

                    # Extract the Form Digest Value from the Response
                    $start_tag = "FormDigestValue"
                    $end_tag = "LibraryVersion"
                    $start_tag_index = $results.IndexOf($start_tag) + 1
                    $end_tag_index = $results.IndexOf($end_tag, $start_tag_index)
                    [string] $form_digest = $null
                    if (($start_tag_index -ge 0) -and ($end_tag_index -gt $start_tag_index))
                        $form_digest = $results.Substring($start_tag_index + $start_tag.Length + 2, $end_tag_index - $start_tag_index - $start_tag.Length - 5)
                    Write-Host $(" - Form Digest Retrieved")
                # Prepare Web Request
                Write-Host " - Preparing Web Request" -NoNewLine
                    $webservice_url = [Microsoft.SharePoint.Utilities.SPUtility]::ConcatUrls($web.Url, "_vti_bin/NintexFormsServices/NfRestService.svc/PublishForm")
                    $webservice_uri = New-Object System.Uri($webservice_url)

                    # Create the web request
                    [System.Net.HttpWebRequest] $request = [System.Net.WebRequest]::Create($webservice_uri)

                    # Add authentication to request 
                    $request.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

                    # Configure Request
                    $request.Method = "POST";
                    $request.ContentType = "application/json; charset=utf-8";
                    $request.Accept = "application/json, text/javascript, */*; q=0.01"
                    $request.Headers.Add("X-RequestDigest", $form_digest); 
                    $request.Headers.Add("X-Requested-With", "XMLHttpRequest")
                    Write-Host " - Request Prepared"

                # Read XML file into byte array
                Write-Host " - Reading XML File" -NoNewLine
                    [] $stream = []::OpenRead($form_path)
                    [byte[]] $file_bytes = New-Object byte[] $stream.length
                    [void] $stream.Read($file_bytes, 0, $stream.Length)
                        $form = [Nintex.Forms.FormsHelper]::XmlToObject([Nintex.Forms.NFUtilities]::ConvertByteArrayToString($file_bytes))
                    } catch [Exception] {
                        $form = [Nintex.Forms.FormsHelper]::XmlToObject([Nintex.Forms.NFUtilities]::ConvertByteArrayToString($file_bytes, [System.Text.Encoding]::UTF8))

                    $form.LiveSettings.Url = ""
                    $form.LiveSettings.ShortUrl = ""
                    $form.Id = [guid]::NewGuid()

                    $form_json = [Nintex.Forms.FormsHelper]::ObjectToJson($form);
                    Write-Host $(" - Json Prepared - [" + $form_json.Length + "] chars")

                # Create the data we want to send
                Write-Host " - Generating Data to Send" -NoNewLine
                    $list = $web.Lists[$list_name]
                    $id = "{$($list.ID)}"
                    $data = "{`"contentTypeId`": `"`", `"listId`": `"$id`", `"form`": $form_json }"

                    # Create a byte array of the data we want to send 
                    $utf8 = New-Object System.Text.UTF8Encoding 
                    [byte[]] $byte_array = $utf8.GetBytes($data.ToString())

                    # Set the content length in the request headers 
                    $request.ContentLength = $byte_array.Length;
                    Write-Host $(" - [" + $byte_array.Length + "] bytes prepared")

                # Send the Request
                Write-Host " - Sending the Request" -NoNewLine
                    try {
                        $post_stream = $request.GetRequestStream()
                        $post_stream.Write($byte_array, 0, $byte_array.Length);
                    } catch [Exception]{
                        write-host -f red $_.Exception.ToString() 
                    } finally {
                        if($post_stream) {
                    Write-Host $(" - Sent [" + $byte_array.Length + "] bytes")

                # Get the Response
                Write-Host " - Processing Response"
                    try {
                        [System.Net.HttpWebResponse] $response = [System.Net.HttpWebResponse] $request.GetResponse()

                        # Get the response stream 
                        [System.IO.StreamReader] $reader = New-Object System.IO.StreamReader($response.GetResponseStream())

                        try {
                            $strResult = $reader.ReadToEnd()
                            $jsonResult = ConvertFrom-Json $strResult

                        } catch [Exception] {
                            write-host -f red $_.Exception.ToString() 
                    } catch [Exception] {
                        write-host -f red $_.Exception.ToString() 
                    } finally {
                        if($response) {
            } else {
                # List not found
                Write-Host $(" - List [" + $list_name + "] not found") -foreground-color red
        } else {
            # form_path not found
            Write-Host $(" - Form Path [" + $form_filename + "] not found") -foregroundcolor red
    } # foreach item in arraylist

} else {

    # forms_path not found
    Write-Host $(" - Forms Path [ " + $forms_path + "] not found") -foregroundcolor red

# release resources

Hopefully this will be useful to somebody, somewhere. I read a lot of documentation to come up with this method, and also looked at pieces of the puzzle that other people had completed before solving it. Of course as with any solution like this, the complexity vanishes at runtime – with forms importing and publishing at a rate of one or two per second into SharePoint – certainly faster than importing and publishing them by hand.

Posted by Jonathan Beckett in Notes, 0 comments

Deploying Nintex Workflows via PowerShell

One of the more common tasks when working on a large project is to deploy Nintex Workflows via a PowerShell script. It’s not too difficult, because the SharePoint web front ends will have a copy of NWAdmin on them – installed in the 15 hive by Nintex during installation. If you’re not aware of it, NWAdmin is a command line tool that can – drum-roll – deploy workflows (among many other things).

The snippet of code below shows the general pattern I use to deploy many workflows in one go – essentially listing them all out in an arraylist, and then looping through it, calling NWAdmin via Powershell. If nothing else, this is a great example of the horrible syntax PowerShell forces upon you to call command line applications with parameters.

$web = Get-SPWeb "https://server/sites/site_collection/subsite"

$cmd = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\BIN\NWAdmin.exe"

$workflows = New-Object System.Collections.ArrayList

# Fill an array with the worklow names, list names and filenames to process
$workflows.Add(("Process A","List A","process_a.nwf")) > $null
$workflows.Add(("Process B","List B","process_b.nwf")) > $null
$workflows.Add(("Process C","List C","process_c.nwf")) > $null

if (Test-Path($cmd)) {
	Write-Host " - NWAdmin Found" -foregroundcolor green
	$list_workflows_path = Resolve-Path $(".\Workflows\")
	if (Test-Path($list_workflows_path)) {
		foreach ($workflow in $workflows) {

			$workflow_name     = $workflow[0]
			$list_name         = $workflow[1]
			$workflow_filename = $workflow[2]

			$nwf_path = "$list_workflows_path$workflow_filename"

			if (Test-Path($nwf_path)) {
				if ($web.Lists[$list_name]){

					write-host $("Deploying '" + $workflow_name + "' to list '" + $list_name + "'") -foregroundcolor white
					$prm = "-o","DeployWorkflow","-workflowName",$("`"" + $workflow_name + "`""),"-nwfFile",$("`"" + $nwf_path + "`""),"-siteUrl",$("`"" + $web.Url + "`""),"-targetList",$("`"" + $list_name + "`""),"-overwrite"
					& $cmd $prm

				} else {
					Write-Host $("SharePoint List not found [" + $list_name + "]") -foregroundcolor red
			} else {
				write-host $("Workflow File Not Found [" + $nwf_path + "]") -foregroundcolor red
	} else {
		write-host $("Workflows Directory Not Found [" + $list_workflows_path + "]") -foregroundcolor red
	write-host "Complete!" -foregroundcolor green
} else {
	Write-Host " - NWAdmin Not Found" -foregroundcolor red

# release resources
Posted by Jonathan Beckett in Notes, 0 comments

Provisioning Large SharePoint Projects with Powershell

It makes sense when building a sizeable project in SharePoint on-premises to script the provisioning of all assets – the lists, content types, columns, views, and so on. This inevitably ends up with a colossal powershell script, so it makes sense to look for ways to break it up, and make it easier to work on (or for multiple people to work on individual parts of the whole). The following is a method I have come up with over the course of several projects – I figured it might be useful for others.


The basic approach is to run one powershell file that loads all the others, and executes them. Therefore we have one core file (e.g. “deploy.ps1”), and a folder (“lib”) full of scripts it runs. It occurred to me while building the core script that we could copy the way Unix and Linux often do things – and number the files in the folder – then if the core file sorts them, we can control the execution of the children purely by filename order (e.g. “lib/1000_provision_list.ps1”, “lib/2000_provision_content_type.ps1”, and so on).

The Core Deployment Script

So – the following snippet is an example of what the core deployment script looks like – expecting a couple of parameters – the name of the SharePoint site to deploy everything into, and a filter to optionally run a subset, or even a single script, based on it’s filename.

param( [string]$url = "https://server/sites/site_collection/subsite", [string]$filter = "" )

# record results to a text file in the same path as the deploy script
start-transcript ./deploy_log.txt -Append

# Add SharePoint Snap-In
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) 
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"

if ($url -ne ""){

    Write-Host "Connecting to [$url]" -foregroundcolor green
    $web = Get-SPWeb $url

    # Loop through all files in the lib folder and execute them in order of their filename
    # and if their name matches the filter parameter passed to the script
    foreach ( $source_file in $(Get-ChildItem './lib' | Sort-Object -Property Name) ) {
        if ($source_file.Name -like "*$filter*") {
            Write-Host $("***** Start  [" + $source_file.Name + "] *****") -foregroundcolor green
            & $source_file.FullName
            Write-Host $("***** Finish [" + $source_file.Name + "] *****") -foregroundcolor green


    # Release Assets
    $web.Close() > $null
    $web.Dispose() > $null

} else {
    Write-Host "No URL supplied" -foregroundcolor red

Write-Host ""
Write-Host "Finished!" -foregroundcolor green


It’s worth noting that the above example uses the “Start-Transcript” and “Stop Transcript” powershell functions, that very neatly record anything we write out through standard output to a text file. I only discovered this a few months ago – it’s very useful.

Writing the Worker Scripts

Apart from knowing we need to put the scripts in the “lib” folder, it’s useful to see what one of the child scripts might look like. The example below shows a good example – which might be saved as “lib/1000_provision_list.ps1”:

function provision_list($web){
    $list_internal_name = "mylist"
    $list_display_name = "My List"
    Write-Host $("Provisioning List [" + $list_display_name + "]")
    if ($web.Lists[$list_display_name]) {
        Write-Host " - $list_display_name Already Exists"
        $list = $web.Lists[$list_internal_name]
    } else {
        Write-Host " - $list_display_name ($list_internal_name)"
        $web.Lists.Add($list_internal_name, "", "GenericList") > $null
        $list = $web.Lists[$list_internal_name]
        $list.Title = $list_display_name
        $list.ContentTypesEnabled = $true
        $list.EnableVersioning = $true
        $list.NavigateForFormsPages = $false
        $list.Update() > $null


The take-away from the library files is that they share any objects already instantiated by the core script – therefore we can presume $web already contains a valid SharePoint object. Therefore all each file contains is a function definition, and a call to run the function (using functions helps keep working variables scoped).

So there you have it – a working method of building large, flexible, and extendable provisioning scripts. Do comment if you’ve done something similar, or if you found this useful.

Posted by Jonathan Beckett in Notes, 0 comments

Bulk Uploading Files into Libraries in SharePoint with PowerShell

The following snippet shows a method of uploading a folder of files on the filesystem into a library in SharePoint. In this case the filesystem folder is presumed to exist in the same location as the PowerShell script, called “SiteAssets”, uploading to a library in the SharePoint subsite called “SiteAssets”.

# Connect to SharePoint Site
$web = get-spweb "https://server/sites/site_collection/subsite"

# loop through all files in the local siteassets subfolder
foreach ( $source_file in $(Get-ChildItem './SiteAssets' | Sort-Object -Property Name) ) {
    if ($source_file.Attributes -match 'Directory') {
        # its a folder - ignore it
    } else {
        $library = $web.GetFolder("SiteAssets")
        $library_files = $library.Files

        $file = Get-ChildItem $source_file.FullName

        $library_files.Add("SiteAssets/" + $source_file.Name,$file.OpenRead(),$true) > $null

# Release resources
Posted by Jonathan Beckett in Notes, 0 comments

Provisioning Groups and Assigning Permissions within SharePoint Subsites with PowerShell

The following snippet shows how you might provision a new group within a subsite of SharePoint using PowerShell. Note that you not only need to create the group – you also need to associate it with the subsite, and assign permissions to the relationship between the group and the subsite. It’s not obvious at all.

# Connect to SharePoint Site
$web = get-spweb "https://server/sites/site_collection/subsite"

$group_name = "My Group"

# Remove group if it already exists
if ($web.SiteGroups[$group_name] -ne $null)
    $web.SiteGroups.Remove($group_name) > $null
    $web.Update() > $null

# Create the group
$web.SiteGroups.Add($group_name, $web.Site.Owner, $web.Site.Owner, $group_name) > $null
$web.Update() > $null

# Add Group to Associated Groups Collection
if ($web.AssociatedGroups[$group_name] -eq $null)

# Assign Permissions to the Group
$group = $web.SiteGroups[$group_name]
$group_role_assignment = new-object Microsoft.SharePoint.SPRoleAssignment($group)
$full_control_role_definition = $web.RoleDefinitions["Full Control"]
$group_role_assignment.RoleDefinitionBindings.Add($full_control_role_definition) > $null
$web.RoleAssignments.Add($group_role_assignment) > $null

# Release resources
Posted by Jonathan Beckett in Notes, 0 comments

Breaking Permissions Inheritance and Setting up new Permission Sets in SharePoint with PowerShell

The following snippet shows how you might create a new permission set in a subsite of SharePoint. One of the more common permission sets you might need in a production application is ‘restricted contribute’ – contribute without delete. This shows one method of doing that (there are many) – by duplicating the contribute permission set, minus the delete permission.

# Connect to SharePoint Site
$web = get-spweb "https://server/sites/site_collection/subsite"

# Break Inheritance for the subsite
$web.RoleDefinitions.BreakInheritance($false, $false) > $null
$web.Update() > $null

# Get the Contribute Definition
$contribute_role_definition = $web.RoleDefinitions["Contribute"]
$contribute_base_permissions = $contribute_role_definition.BasePermissions

# Delete the role definition if it exists
if ($web.RoleDefinitions["Restricted Contribute"]) {
    Write-Host " - Removing Existing Role Definition"
    $web.RoleDefinitions.Delete("Restricted Contribute")

# Create a new Role Definition, and copy the Base permissions minus Delete Items
$restricted_contribute_role_definition = New-Object Microsoft.SharePoint.SPRoleDefinition
$restricted_contribute_role_definition.BasePermissions = $contribute_base_permissions -bxor [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems

# Set the name and description of the new role definition
$restricted_contribute_role_definition.Name = "Restricted Contribute"
$restricted_contribute_role_definition.Description = "Contribute without Delete Items"

# Apply the new role definition to the web

# Release Resources
Posted by Jonathan Beckett in Notes, 0 comments