Managing User Profile Service Application permissions using PowerShell
When the User Profile Service application is configured in SP 2010, by default NT Authority\Authenticated Users and all authenticated users are granted permissions to create My Sites and use the other features (personal and social) provided by the User Profile Service. To prevent users from creating My Sites and using these features, use the Revoke-SPObjectSecurity and Set-SPProfileServiceApplicationSecurity PowerShell cmdlets.
$upaproxyname= "User Profile Service Application"
$upaproxy = Get-SPServiceApplicationProxy | Where-Object {$_.DisplayName -eq $upaproxyname}
$upasecurity = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $upaproxy
#All Authenticated Users
$allauthusers = New-SPClaimsPrincipal -Identity 'c:0(.s|true' -IdentityType EncodedClaim
#To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Personal Features"
# To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Create Personal Site"
#To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $allauthusers -Rights "Use Social Features"
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
#NT AUTHORITY\authenticated users
$ntauthusers = New-SPClaimsPrincipal -Identity 'c:0!.s|windows' -IdentityType EncodedClaim
#To revoke Use Personal Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Personal Features"
# To revoke Create Personal Site permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Create Personal Site"
#To revoke Use Social Features permission
Revoke-SPObjectSecurity -Identity $upasecurity -Principal $ntauthusers -Rights "Use Social Features"
Set-SPProfileServiceApplicationSecurity -Identity $upasecurity -ProfileServiceApplicationProxy $upaproxy
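The same revocation as a re-runnable function that applies the ACL once and then re-reads it to confirm what was actually stored. This is an added example, not the original author's script; the function name Revoke-UpaDefaultRights is hypothetical, and it assumes each rule in AccessRules exposes the encoded claim in its Name property.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Revoke-UpaDefaultRights {
    param(
        [string]$ProxyName = "User Profile Service Application",
        [string[]]$Rights = @("Use Personal Features", "Create Personal Site", "Use Social Features"),
        # Encoded claims used above: All Authenticated Users, NT AUTHORITY\authenticated users
        [string[]]$EncodedClaims = @('c:0(.s|true', 'c:0!.s|windows')
    )

    # Fail early if the display name matches no proxy or more than one.
    $proxy = @(Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $ProxyName })
    if ($proxy.Count -ne 1) {
        throw "Expected exactly one proxy named '$ProxyName', found $($proxy.Count)."
    }

    $security = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $proxy[0]

    # Revoke every right from every default principal on the in-memory ACL.
    foreach ($claim in $EncodedClaims) {
        $principal = New-SPClaimsPrincipal -Identity $claim -IdentityType EncodedClaim
        foreach ($right in $Rights) {
            Revoke-SPObjectSecurity -Identity $security -Principal $principal -Rights $right | Out-Null
        }
    }

    # -Identity takes the modified SPObjectSecurity object, not a principal.
    Set-SPProfileServiceApplicationSecurity -Identity $security `
        -ProfileServiceApplicationProxy $proxy[0] | Out-Null

    # Re-read the ACL so the check reflects what was persisted, not the in-memory object.
    $stored = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $proxy[0]
    # Assumption: the rule's Name property holds the encoded claim string.
    $stored.AccessRules | Where-Object { $EncodedClaims -contains $_.Name }
}

$remaining = @(Revoke-UpaDefaultRights)
if ($remaining.Count -eq 0) {
    "No access rules remain for the default principals."
} else {
    "Rules still present for the default principals (review their rights):"
    $remaining | Format-List *
}
```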
Comments
- Anonymous
April 13, 2012
Thanks for the very straightforward application of the Set-ProfileServiceApplicationSecurity cmdlet. The help files are of no use in this situation. Your explanation is perfect!
- Anonymous
June 11, 2014
Thanks for the script saved my life. However, just a small typo, the parameter "Identity" on the last lines should be "$upasecurity" and not the principals.