다음을 통해 공유

OneDrive for Business Admin Tools

  • 아티클

While updating a script to remove the "Shared with Everyone" folder in OneDrive for business, it dawned that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don't have specific guidance on, or only have little bits of information scattered around the interwebs. So, to help alleviate some of a headache in managing large OneDrive for Business collections, we've put together a general management tool that we'll be adding more features to in the coming days and weeks. The core features of the tool at this point:

  • Grant secondary site admin permission to a user or group
  • Revoke secondary site admin permission from a user or group
  • Provision a new folder in the 'Documents' library
  • Delete a folder from the 'Documents' library
  • Block access to log into a OneDrive site
  • Restore content in OneDrive sites

To use the tool, you'll need the SharePoint Client Components SDK as well as the SharePoint Online Management Shell. We've included a basic check of the script to download and install those components if you don't already have them, but you can save yourself some time by making sure you already have them installed. Now, on to the tool! Like most of the scripts and tools we develop, we try to add comment-based help, so that if I don't get to the point where we make a blog about the tool, at least you'll be able to figure it out. There are a bunch of parameters, so we'll just dive right into them.

BlockAccess

The BlockAccess parameter enables you to block or unblock access to an already-provisioned OneDrive for Business site. It's a validated parameter and translates to -AccessState NoAccess for Block and -AccessState Unlock for Unblock.

Confirm

This switch parameter is only used with the FolderToDelete parameter since it involves potential deletion of data.

Credential

This is a credential object that will be used for one or more parts: connecting to SharePoint Online, granting permissions (if no value is specified in GrantPermissionsTo), and revoking permissions (if no value is specified in RevokePermissionsFor).

FolderToAdd

If you want to deploy a particular folder to OneDrive for Business sites, you can do this using the FolderToAdd parameter. The folder is created under the Documents root.

FolderToDelete

If you want to delete a particular folder from OneDrive for Business sites, you can do this using the FolderToDelete parameter. It was originally implemented for a customer that wanted to remove the "Shared with Everyone" default folder.

GrantPermissions

If you are tasked with administering or delegating eDiscovery rights, you'll find that you need to delegate secondary site administrator permission to eDiscovery users. You can do this for all new OneDrive sites going forward by changing the defaults in the SharePoint Online Admin Center, but what do you do if all of your OneDrive sites have already been provisioned? This. This is what you do. This parameter uses the value in GrantPermissionsTo if present; otherwise, it uses the value stored in the credential.

GrantPermissionsTo

Use this parameter to specify the user or group to whom you want to grant secondary site administrator permissions.

Identity

The identity parameter allows you to specify an address of a user whose OneDrive site you want to modify.

InputFile

The InputFile parameter can be used to specify a list of users whose OneDrive sites will be modified. If no users are specified, then the script will enumerate all provisioned users.

Logfile

You should already know what this does.

RestoreVersions

Recently, I had a requirement come up to enable the bulk restore of content from a OneDrive for Business site in the event of a cryptoware or ransomware attack. OneDrive has versioning turned on, so we figured this would be an "easy" add. As with most initial thoughts on how long something should take (see "IT time"), it turned out to be a little more complicated than we originally thought. However, we felt that this tool could really be of benefit to organizations planning their migrations to OneDrive for Business who were concerned with the ability to recover from a malware attack that compromised user files.  A user self-service restore mechanism was recently announced at Ignite, which you can read about here. This version of the tool has several restore capabilities, that we've outlined below:

  • Restore Versions by Date
  • Restore Versions using the most recent previous saved version
  • Restore Versions by going back "n" number of versions

In order to successfully restore versions for a user's OneDrive, you will need to be granted access to their site, which you can do by running the following command:

.\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -GrantPermissions -Identity <onedriveuser@domain.com>

To restore the files in a user's library by date, using a modified date of four days ago:

.\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByDate -FilesModifiedOnThisDate ((Get-Date).AddDays(-4)) -Identity <onedriveuser@domain.com> -Tenant <tenant>

https://msdnshared.blob.core.windows.net/media/2017/10/01.png This will enumerate the user's OneDrive for Business library, find files with versions matching the modified date, and restore the second most recent version on that date (since restoring the most "recent" version on an "infected" date would more than likely restore the infected file again). To restore the files in a user's library by just selecting the most recent previous version:

.\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByNumberOfVersionsToGoBack -Identity <onedriveuser@domain.com> -Tenant <tenant>

https://msdnshared.blob.core.windows.net/media/2017/10/02.png
And, to restore the files in a user's library by specifying the number of versions to go back (keep in mind that the current version "counts" as a version)

.\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByNumberOfVersionsToGoBack -Identity <onedriveuser@domain.com> -Tenant <tenant>03 -VersionsToGoBack 4

https://msdnshared.blob.core.windows.net/media/2017/10/03.png

RevokePermissions

If you need to revoke secondary site administrator privileges, you can use this parameter. If no value is specified in RevokePermissionsFor, then the value of the credential is used.

RevokePermissionsFor

Use this parameter to specify an address whose secondary site collection administrator permissions you want to remove.

Tenant

Specify the tenant name (either as 'contoso' or 'contoso.onmicrosoft.com') to use for connecting to SharePoint online and creating the My Sites and Admin Sites URLs. It's required.

If you missed the link earlier, you can get it here: https://gallery.technet.microsoft.com/OneDrive-for-Business-Tools-dfb52a4c.