Global Admin Showing up with Access to All Users OneDrive for Business
We are seeing one of the global admin accounts (mine) as having access to every user's OneDrive account.
While in OneDrive it says it Shared "Only You" when you click on it you see that two accounts have access. My user account and one of the global admin accounts (which happens to be mine as well).
Why is this? How can I remove this????
Thank you,
eZe
That's most likely the Secondary Owner option under SPO Admin Center -> User Profiles -> My Site Settings -> Setup My Sites -> My Site Cleanup. Similarly, check the My Site Secondary Admin option below that one.
- BrianBarbagallo (Brass Contributor)
I just found your post while researching this, as I realized I am secondary admin to 12k user profiles in our company! Credit to Microsoft support on this PowerShell below. Running the following script will remove you as the secondary admin from all the my.sharepoint.com sites, and it can be run as SharePoint admin as well, so Global admin isn't necessary to successfully run this. You would need to go back into the user profiles in the SharePoint admin center to add yourself back if needed, or rerun the script below and set the secondary admin name, and change the $false to $true on this line in the script.
$temp = Set-SPOUser -Site $sitename -LoginName $secondaryadmin -IsSiteCollectionAdmin $false
Hope this helps!
Run the SharePoint Online Management Shell as administrator.
# Run the below script (copy and paste into the shell window).
Connect-SPOService -Url https://YOURSITE-admin.sharepoint.com
# Specify your organization admin central url
$AdminURI = "https://YOURSITE-admin.sharepoint.com"
# Specify the User account for an Office 365 global admin in your organization
$AdminAccount = "WHOAREYOU@YOURSITE.COM"
# Prompt for the password as a SecureString instead of storing it in the script
$sstr = Read-Host -Prompt "Password for $AdminAccount" -AsSecureString
# Specify the secondary admin account and the url for the onedrive site
$secondaryadmin = "WHOAREYOU@YOURSITE.COM"
$siteURI = "https://YOURSITE-my.sharepoint.com"
# Load the SharePoint client assemblies used for the credentials object
$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
$loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $sstr)
$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $AdminAccount, $sstr
# Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
$proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService = New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential:$false
$UserProfileService.Credentials = $creds
# Set variables for authentication cookies
$strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
$uri = New-Object System.Uri($AdminURI)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container
# Sets the first User profile, at index -1
$UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
Write-Host "Starting- This could take a while."
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1
Connect-SPOService -Url $AdminURI -Credential $UserCredential
# As long as the next User profile is NOT the one we started with (at -1)...
While ($UserProfileResult.NextValue -ne -1)
{
    Write-Host "Examining profile $i of $NumProfiles"
    # Look for the Personal Space object in the User Profile and retrieve it
    # (PersonalSpace is the name of the path to a user's OneDrive for Business site. Users who have not yet created a
    # OneDrive for Business site might not have this property set.)
    $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" }
    $Url = $Prop.Values[0].Value
    # If OneDrive is activated for the user, then remove the secondary admin
    if ($Url) {
        $sitename = $siteURI + $Url
        $temp = Set-SPOUser -Site $sitename -LoginName $secondaryadmin -IsSiteCollectionAdmin $false -ErrorAction SilentlyContinue
        Write-Host "Removed secondary admin from the site $($sitename)"
    }
    # And now we check the next profile the same way...
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
    $i++
}
- MoshJohr (Copper Contributor)
BrianBarbagallo Thanks for sharing this script! Had to do some minor changes to get it working but helped me a lot. Had the same issue because of ShareGate. Now everything is like it should be :)
- BrianBarbagallo (Brass Contributor)
MoshJohr If you are ever in need to gain that access back or set another person to the OneDrive, say after a person leaves the company, you can grant permissions using this script.
$MySite="https://YOURSITE-my.sharepoint.com/personal/YOURUSER_YOURSITE_com/"
$SecondaryAdmin ="You@YOURSITE.com"
Set-SPOUser -Site $MySite -LoginName $SecondaryAdmin -IsSiteCollectionAdmin $true
- Deleted
Check your site collection admin settings on the OneDrive sites. You, or someone, probably at some point ran a script to add you to all sites as a site collection admin. You're going to have to undo this for it to go away.
- John Graham (Brass Contributor)
I echo those remarks, it's likely a script that was run. If you happen to use ShareGate, it will run that script for you.
- I had this same problem some weeks ago... and it was something totally unexpected, so it seems something is doing "weird" things behind the scenes. By the way, use Vasil's advice.
- Chip Denton (Copper Contributor)
It appears that ShareGate added mine for me to all the OneDrives. I turn the setting off and it gets turned back on.
- zstjmb (Brass Contributor)
Did you get an upgrade from ShareGate? I got an upgrade about three months ago and had to revert back to an older version because of problems I was having. Now when I log into ShareGate, I am asked to upgrade, but have not done that yet.
- Steve Hollingshead (Copper Contributor)
You can use this script I wrote to get a list of every OneDrive account and then remove the offending user:
Edit - not sure why it is throwing HTML tags into the code, remove those - you get the point.
### Script written by thestephenh@yahoo.com
### Change Tenant name below
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com/"
### Export a CSV with every URL of every OneDrive site
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object Url | Export-Csv -Path C:\test\sites.csv
# Type the person you want to remove on the following line
$SecondaryAdmin = "REMOVETHISUSER@CONTOSO.COM"
$users = Import-Csv -Path "C:\test\sites.csv"
foreach ($user in $users) {
    $site = $user.'Url'
    Set-SPOUser -Site $site -LoginName $SecondaryAdmin -IsSiteCollectionAdmin $false
    Write-Host "OneDrive Access for $SecondaryAdmin removed for $site"
}
- BrianBarbagallo (Brass Contributor)
This is a new feature in ShareGate and wasn't around when this post was created. Nice to see this as an option. Looking at that link, that page was just updated today! 1/10/2020.
- SteveW_UCCS (Copper Contributor)
Steve Hollingshead Thank you for this. I did something similar, $sites = get-sposite -limit All, but it did not remove the admin from all OneDrives. -Steve
- Fliying_eagle (Copper Contributor)
- Eric Adler (Steel Contributor)
So it was Sharegate that "did". I mean, I did it, through Sharegate. Sharegate also had the ability to undo it as well. I used a PowerShell script that MSFT provided instead (they were first).
It was interesting to troubleshoot with MSFT.
The setting is under the good old "central admin" now SharePoint admin. We used the user profile to check to see if "My Site" had a secondary admin, and it did.
Funny to see how little they have changed the UI. We looked under "Setup My Sites" to see if there was a default secondary admin or secondary owner.
Thanks everyone for your help!!!
- Paul McClenaghan (Copper Contributor)
Having serious issues with ShareGate. It let me add these global permissions but not revoke them.
Eric, could you perhaps share the script Microsoft supplied? Many thanks.
- zstjmb (Brass Contributor)
I removed the secondary owner in the central admin center but it did not remove it - is this something that takes 24 hours to perform this task?
- zstjmb (Brass Contributor)
I got a powershell script to remove my permissions from all OneDrive users. Thanks.
- ambikad1575 (Copper Contributor)
1. Connect to SharePoint Tenant.
Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credential email address removed for privacy reasons
2. Get the list of OneDrive URLs of users in CSV format for whom this action needs to be performed.
Below is the command to get the OneDrive URLs of the users if you don't have it already
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | Export-Csv D:\OneDriveURL.csv
3. Run the below command. This will remove the user's ownership from OneDrive.
Import-Csv D:\OneDriveURL.csv | foreach {Set-SPOUser -Site $_.Url -LoginName email address removed for privacy reasons -IsSiteCollectionAdmin $false}
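A variant of the removal loops posted in this thread, added here as an example and not written by any of the posters: it makes the same Set-SPOUser call over every OneDrive site, but records a per-site result instead of suppressing errors, skips the account's own OneDrive, and supports -WhatIf for a dry run. The function name Remove-OneDriveSiteAdmin, the TENANT URL, the login name and the output file name are assumptions.

```powershell
# Added example (not from the thread). TENANT and the login name are placeholders.
function Remove-OneDriveSiteAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $LoginName
    )
    # Personal (OneDrive) sites only, using the filter posted in the thread
    $sites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

    foreach ($site in $sites) {
        $status = 'NotRun'
        $detail = ''
        if ($site.Owner -eq $LoginName) {
            # Leave the account's own OneDrive alone
            $status = 'SkippedOwnSite'
        }
        elseif ($PSCmdlet.ShouldProcess($site.Url, "Remove $LoginName as site collection admin")) {
            try {
                # -ErrorAction Stop turns a failure into an exception so it is logged, not hidden
                Set-SPOUser -Site $site.Url -LoginName $LoginName `
                    -IsSiteCollectionAdmin $false -ErrorAction Stop | Out-Null
                $status = 'Removed'
            }
            catch {
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        # One result row per site
        [pscustomobject]@{
            Site      = $site.Url
            Owner     = $site.Owner
            LoginName = $LoginName
            Status    = $status
            Detail    = $detail
        }
    }
}

Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

# Dry run: prints what would be changed, modifies nothing
Remove-OneDriveSiteAdmin -LoginName "REMOVETHISUSER@CONTOSO.COM" -WhatIf | Out-Null

# Real run, keeping a per-site log to review afterwards
$results = Remove-OneDriveSiteAdmin -LoginName "REMOVETHISUSER@CONTOSO.COM"
$results | Export-Csv -Path .\onedrive-admin-removal.csv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Rows with Status Failed carry the error text in Detail, which shows which sites still need attention after a run.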