Forum Discussion

Eric Adler
Steel Contributor
Apr 25, 2017

Global Admin Showing up with Access to All Users OneDrive for Business

We are seeing one of the global admin accounts (mine) as having access to every user's OneDrive account.

While in OneDrive it says Shared with "Only You", but when you click on it you see that two accounts have access: my user account and one of the global admin accounts (which happens to be mine as well).

Why is this? How can I remove this?

Thank you,

eZe

  • That's most likely the Secondary Owner option under SPO Admin Center -> User Profiles -> My Site Settings -> Setup My Sites -> My Site Cleanup. Similarly, check the My Site Secondary Admin option below that one.

  • I just found your post while researching this, as I realized I am secondary admin to 12k user profiles in our company! Credit to Microsoft support for the PowerShell below. Running the following script will remove you as secondary admin from all the my.sharepoint.com sites, and it can be run as SharePoint admin as well, so Global admin isn't necessary to successfully run this. You would need to go back into the user profiles in the SharePoint admin center to add yourself back if needed, or rerun the script below, set the secondary admin name, and change the $false to $true on this line in the script.

    $temp = Set-SPOUser -Site $sitename -LoginName $secondaryadmin -IsSiteCollectionAdmin $false

    Hope this helps!

    Run the SharePoint Online Management Shell as administrator.

    # Run the below script (copy and paste into the shell window).

    # Specify your organization admin central url
    $AdminURI = "https://YOURSITE-admin.sharepoint.com"

    # Specify the User account for an Office 365 global admin in your organization
    $AdminAccount = "WHOAREYOU@YOURSITE.COM"
    # Prompt for the password rather than leaving it in the script file
    $AdminPass = Read-Host -Prompt "Password for $AdminAccount"

    # Specify the secondary admin account and the url for the onedrive site
    $secondaryadmin = "WHOAREYOU@YOURSITE.COM"
    $siteURI = "https://YOURSITE-my.sharepoint.com"

    $loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
    $loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
    $loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

    $sstr = ConvertTo-SecureString -string $AdminPass -AsPlainText -Force
    $AdminPass = ""
    $creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $sstr)
    $UserCredential = New-Object System.Management.Automation.PSCredential -argumentlist $AdminAccount, $sstr

    # Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
    $proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
    # -UseDefaultCredential is a switch and takes no value; explicit credentials are assigned below instead
    $UserProfileService = New-WebServiceProxy -Uri $proxyaddr
    $UserProfileService.Credentials = $creds

    # Set variables for authentication cookies
    $strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
    $uri = New-Object System.Uri($AdminURI)
    $container = New-Object System.Net.CookieContainer
    $container.SetCookies($uri, $strAuthCookie)
    $UserProfileService.CookieContainer = $container

    # Sets the first User profile, at index -1
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
    Write-Host "Starting- This could take a while."
    $NumProfiles = $UserProfileService.GetUserProfileCount()
    $i = 1

    Connect-SPOService -Url $AdminURI -Credential $UserCredential

    # As long as the next User profile is NOT the one we started with (at -1)...
    While ($UserProfileResult.NextValue -ne -1)
    {
        Write-Host "Examining profile $i of $NumProfiles"
        # Look for the Personal Space object in the User Profile and retrieve it
        # (PersonalSpace is the name of the path to a user's OneDrive for Business site. Users who have not yet created a
        # OneDrive for Business site might not have this property set.)
        $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" }
        $Url = $Prop.Values[0].Value
        # If OneDrive is activated for the user, then remove the secondary admin
        if ($Url) {
            $sitename = $siteURI + $Url
            $temp = Set-SPOUser -Site $sitename -LoginName $secondaryadmin -IsSiteCollectionAdmin $false -ErrorAction SilentlyContinue
            Write-Host "Removed secondary admin $secondaryadmin from the site $($sitename)"
        }
        # And now we check the next profile the same way...
        $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
        $i++
    }

    • MoshJohr
      Copper Contributor

      BrianBarbagallo Thanks for sharing this script! Had to make some minor changes to get it working, but it helped me a lot. Had the same issue because of ShareGate. Now everything is like it should be :)

  • Check your site collection admin settings on the OneDrive sites. You, or someone else, probably ran a script at some point to add you to all sites as a site collection admin. You're going to have to undo this for it to go away.

  • John Graham
    Brass Contributor

    I echo those remarks, it's likely a script that was run.  If you happen to use ShareGate, it will run that script for you. 

    • I had this same problem some weeks ago, and it was something totally unexpected, so it seems something is doing "weird" things behind the scenes. By the way, use Vasil's advice.
    • Chip Denton
      Copper Contributor

      It appears that ShareGate added mine for me to all the OneDrives. I turn the setting off and it gets turned back on.

      • zstjmb
        Brass Contributor

        Did you get an upgrade from ShareGate?  I got an upgrade about three months ago and had to revert back to an older version because of problems I was having.  Now when I log into ShareGate, I am asked to upgrade, but have not done that yet.

  • Eric Adler

    You can use this script I wrote to get a list of every OneDrive account and then remove the offending user:

    Edit - not sure why it is throwing HTML tags into the code, remove those - you get the point.

    SaschaBuehler

    ### Script written by thestephenh@yahoo.com

    ### Change Tenant name below
    Connect-SPOService -Url "https://TENANT-admin.sharepoint.com/"
    ### Export a CSV with every URL of every onedrive site:
    ### Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | select Url | export-csv -Path c:\test\sites.csv

    # type the person you want to remove on the following line
    $SecondaryAdmin = "REMOVETHISUSER@CONTOSO.COM"
    $users = Import-Csv -Path "C:\test\sites.csv"
    foreach ($user in $users) {
        $site = $user.'Url'
        Set-SPOUser -Site $site -LoginName $SecondaryAdmin -IsSiteCollectionAdmin $false
        Write-Host "OneDrive Access for $SecondaryAdmin removed for $site"
    }

  • Eric Adler
    Steel Contributor

    So it was ShareGate that "did" it. I mean, I did it, through ShareGate. ShareGate also had the ability to undo it as well. I used a PowerShell script that MSFT provided instead (they were first).

    It was interesting to troubleshoot with MSFT.

    The setting is under the good old "central admin", now SharePoint admin. We used the user profile to check whether "My Site" had a secondary admin, and it did.

    Funny to see how little they have changed the UI. We looked under "Setup My Sites" to see if there was a default secondary admin or secondary owner.

    Thanks everyone for your help!!!

    • Paul McClenaghan
      Copper Contributor

      Having serious issues with ShareGate. It let me add these global permissions but not revoke them.
      Eric, could you perhaps share the script Microsoft supplied?

      Many thanks.

    • zstjmb
      Brass Contributor

      I removed the secondary owner in the central admin center but it did not remove it - is this something that takes 24 hours to perform this task?

      • zstjmb
        Brass Contributor

        I got a powershell script to remove my permissions from all OneDrive users. Thanks.

  • ambikad1575
    Copper Contributor
    1. Connect to the SharePoint tenant.

    Connect-SPOService -Url https://contoso-admin.sharepoint.com -credential email address removed for privacy reasons

    2. Get the list of OneDrive URLs of the users, in CSV format, for whom this action needs to be performed.
    Below is the command to get the OneDrive URLs of the users if you don't have it already:

    # The Filter keeps the export to personal (OneDrive) sites only, so team sites are not touched in step 3
    Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Export-Csv D:\Onedrive.CSV

    3. Run the command below. This will remove the user's ownership from OneDrive:

    Import-Csv D:\Onedrive.CSV | foreach {Set-SPOUser -Site $_.Url -LoginName email address removed for privacy reasons -IsSiteCollectionAdmin $false}
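    The three scripts in this thread (the Microsoft-supplied one, the CSV-based one and the three-step version above) all remove the account from every personal site without first checking where it actually holds the right, and without confirming the result. The following is an added example, not code from the thread, from Microsoft or from ShareGate: it lists only the OneDrive sites where the login is really a site collection admin, offers a report-only dry run, and re-reads each site after removal to confirm the change took effect. It assumes Connect-SPOService has already been run by a SharePoint admin who is allowed to call Get-SPOUser against each personal site; the function name, parameters and report path are this example's own.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes Connect-SPOService has
# already been run by a SharePoint admin who may call Get-SPOUser on each personal site.
# Function and parameter names are this example's own.
function Remove-OneDriveSecondaryAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LoginName,          # account to audit / remove
        [switch] $ReportOnly,                                # audit only, change nothing
        [string] $ReportPath = ".\onedrive-admin-audit.csv"  # per-site result file
    )

    # Personal (OneDrive) sites only; same filter the thread uses, so team sites are never touched
    $sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
                 -Filter "Url -like '-my.sharepoint.com/personal/'"

    $results = @(foreach ($site in $sites) {
        # Get-SPOUser reports site collection administrators with IsSiteAdmin = $true
        try {
            $isAdmin = Get-SPOUser -Site $site.Url -Limit All |
                       Where-Object { $_.IsSiteAdmin -and $_.LoginName -ieq $LoginName }
        } catch {
            # Usually "Access denied": the caller is not an admin of this site, so there is nothing to undo
            [pscustomobject]@{ Url = $site.Url; Owner = $site.Owner; Status = "ReadError" }
            continue
        }
        if (-not $isAdmin) { continue }   # login is not an admin here, skip quietly

        $status = "Found"
        if (-not $ReportOnly) {
            Set-SPOUser -Site $site.Url -LoginName $LoginName -IsSiteCollectionAdmin $false | Out-Null
            # Re-read to confirm. If the removed account is the caller itself, this re-read
            # may now fail with access denied, which also shows the right is gone.
            try {
                $still = Get-SPOUser -Site $site.Url -Limit All |
                         Where-Object { $_.IsSiteAdmin -and $_.LoginName -ieq $LoginName }
                $status = if ($still) { "RemoveFailed" } else { "Removed" }
            } catch { $status = "Removed" }
        }
        [pscustomobject]@{ Url = $site.Url; Owner = $site.Owner; Status = $status }
    })

    if ($results) { $results | Export-Csv -Path $ReportPath -NoTypeInformation }
    $results | Group-Object Status | Select-Object Name, Count   # summary per status
}

# Audit first, then remove:
# Remove-OneDriveSecondaryAdmin -LoginName "admin@contoso.com" -ReportOnly
# Remove-OneDriveSecondaryAdmin -LoginName "admin@contoso.com"
```

    Run it with -ReportOnly first and keep the CSV: the "Found" count is the number of OneDrives the account could reach, and a later "RemoveFailed" row is a site to look at by hand.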
