Lookup a security Scope via powershell

  • Question

  • So here is my scenario. I need to restore permissions that a user has accidentally deleted.

    Only when I look in the audit logs, this is my only indication of what was removed:

    <roleid>-1</roleid><principalid>15</principalid><scope>longGUIDlookingnumber</scope><operation>ensure removed</operation>

    In this case, I can translate the following:

    1. <roleid>-1 - this, from other blogs, indicates a permission being removed

       - to grab the real role id, I would have to look where the same principal was added

       - 1073741827 = Contribute

       - example below

    <roleid>1073741827</roleid><principalid>15</principalid><scope>longGUIDlookingnumber</scope><operation>ensure added</operation>

    2. <principalid>15 - translates to a user or group.

    3. <scope>longGUIDlookingnumber - this, from what I understand, is a combination of a permission level and where the permission is applied, but a bit more complicated. This reference explains it better.

    Now, I know how to add a permission to a web site using the code below.

    My question is: is there a way to add a permission back using the reference <scope>longGUIDlookingnumber</scope>?

    Or at least translate it, so I know where to add permissions back to a site?

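    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $web = Get-SPWeb "https://DOMAINName/Subsite/Sub-Subsite"
    function AddGroupToSite ($web, $groupName, $permLevel)
    {
        $account = $web.SiteGroups[$groupName]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        $role = $web.RoleDefinitions[$permLevel]
        # Bind the permission level to the assignment, then apply it to the web
        $assignment.RoleDefinitionBindings.Add($role)
        $web.RoleAssignments.Add($assignment)
    }
    AddGroupToSite -web $web -groupName "GROUP NAME HERE" -permLevel "READ-OnLY"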

    • Edited by Chilly Moon Monday, February 6, 2017 8:01 PM
    Monday, February 6, 2017 7:58 PM


  • Ok, so with digging into the database itself, I found my answer.

    In the table dbo.perms there is a column called ScopeURL and ScopeID.

    So if I query on the scope id, I can find the base scope url where the permissions are applied.

    Wednesday, February 15, 2017 3:25 PM
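
The correlation described in the question (a removal is logged with roleid -1, so the real role has to come from the earlier "ensure added" entry for the same principal and scope), as an added example that is not part of the original posts. The sample entries and scope GUIDs are constructed and the function names are hypothetical; the Scope value in the output is the one the answer then matches against ScopeID in dbo.perms.

```powershell
# Constructed sample entries (not from the page). Occurred and EventData mirror the
# SPAuditEntry properties of the same names; the scope GUIDs are placeholders.
$entries = @(
    [pscustomobject]@{ Occurred = [datetime]'2017-01-10T09:00:00'
        EventData = '<roleid>1073741827</roleid><principalid>15</principalid><scope>11111111-1111-1111-1111-111111111111</scope><operation>ensure added</operation>' }
    [pscustomobject]@{ Occurred = [datetime]'2017-02-06T14:30:00'
        EventData = '<roleid>-1</roleid><principalid>15</principalid><scope>11111111-1111-1111-1111-111111111111</scope><operation>ensure removed</operation>' }
    [pscustomobject]@{ Occurred = [datetime]'2017-02-06T14:31:00'
        EventData = '<roleid>-1</roleid><principalid>22</principalid><scope>22222222-2222-2222-2222-222222222222</scope><operation>ensure removed</operation>' }
)

# Only the role id named on the page; extend from $web.RoleDefinitions on a real farm.
$roleNames = @{ '1073741827' = 'Contribute' }

function ConvertFrom-AuditEventData ($entry) {
    # EventData has no root element, so wrap it before parsing it as XML.
    $x = ([xml]"<e>$($entry.EventData)</e>").e
    [pscustomobject]@{
        Occurred    = $entry.Occurred
        RoleId      = $x.roleid
        PrincipalId = $x.principalid
        Scope       = $x.scope
        Operation   = $x.operation
    }
}

function Get-RemovedAssignment ($entries) {
    $parsed = $entries | ForEach-Object { ConvertFrom-AuditEventData $_ } | Sort-Object Occurred
    foreach ($r in ($parsed | Where-Object { $_.Operation -eq 'ensure removed' })) {
        # The removal only records roleid -1, so take the role from the latest
        # earlier "ensure added" event for the same principal and scope.
        $added = $parsed | Where-Object {
            $_.Operation -eq 'ensure added' -and $_.PrincipalId -eq $r.PrincipalId -and
            $_.Scope -eq $r.Scope -and $_.Occurred -lt $r.Occurred
        } | Select-Object -Last 1
        $roleId = if ($added) { $added.RoleId } else { $null }
        [pscustomobject]@{
            Removed     = $r.Occurred
            PrincipalId = $r.PrincipalId
            Scope       = $r.Scope
            RoleId      = $roleId   # empty when no matching "ensure added" entry exists
            RoleName    = if ($roleId -and $roleNames.ContainsKey($roleId)) { $roleNames[$roleId] } else { 'unresolved' }
        }
    }
}

Get-RemovedAssignment $entries | Format-Table -AutoSize
```

A removal with no earlier "ensure added" entry in the retained audit data comes back as unresolved, which means the original permission level has to be recovered from another source such as a backup.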
