SharePoint - How to Reset Inheritance Permission set into an SP DocLib folder or file

%3CLINGO-SUB%20id%3D%22lingo-sub-1780387%22%20slang%3D%22en-US%22%3ESharePoint%20-%20How%20to%20Reset%20Inheritance%20Permission%20set%20into%20an%20SP%20DocLib%20folder%20or%20file%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780387%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20we%20are%20importing%20File%20Server%20content%20into%20SharePoint%20using%20dedicated%20tools%20for%2C%20we%20can%20import%20permission%20set%20configured%20at%20the%20sub%20levels%20(subfolders%20or%20documents).%20That%20import%20can%20create%20some%20issues%20due%20to%20incorrect%20configuration%20in%20place%20on%20original%20File%20Server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20how%20can%20we%20check%20one%20user%20complaining%20to%20not%20see%20or%20access%20the%20content%20as%20it%20was%20into%20the%20File%20Server%20%3F%3C%2FP%3E%3CP%3EThat%20need%20to%20be%20reviewed%20at%20any%20SharePoint%20Content%20Level%20with%20Permission%20Management%20with%20%22Administrator%20Permission%22%20with%20the%20link%20%22Manage%20Access%22.%3C%2FP%3E%3CP%3EYou%20have%20to%20select%20the%20link%20(at%20the%20bottom)%20%22Advanced%22%20to%20have%20the%20exact%20permission%20set%20configured%20at%20this%20level%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBased%20on%20that%20situation%2C%20you%20can%20decide%20what%20to%20apply%20at%20this%20folder%20or%20file%20level.%20You%20can%3A%3C%2FP%3Eadd%20a%20colleague%20or%20a%20group%20with%20appropriate%20permission%20(Read%2C%20Write%20or%20full%20control)%20Remove%20the%20specific%20permission%20of%20that%20level%20clicking%20on%20%22Delete%20unique%20permissions%22%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20this%20config%20could%20concern%20many%20other%20sublevels%20and%20wait%20the%20user%20complains%20is%20probably%20not%20the%20best%20option.%3C%2FP%3E%3CP%3EHow%20to%20track%20folders%20or%20files%20with%20unique%20permissions%20%3F%3C%2FP%3E%3CP%3EYou%20can%20do%20that%20using%20the%20Document%20Library%20Permission%20Settings%20from%3A%3C%2FP%3ELibrary%20Settings%20%26gt%3B%20%22Permissions%20for%20this%20Document%20Library%22%3CP%3EYou%20will%20have%20the%20permission%20configuration%20in%20place%20at%20this%20root%20Document%20library%20level.%3C%2FP%3E%3CP%3EBut%20the%20first%20line%20will%20explain%20(if%20that%20is%20the%20case%20into%20your%20document%20library)%20the%20status%20of%20sublevel%3A%3C%2FP%3ESome%20items%20of%20this%20list%20may%20have%20unique%20permissions%20which%20are%20not%20controlled%20from%20this%20page.%26nbsp%3B%26nbsp%3BShow%20these%20items.%3CP%3EWhen%20you%20are%20clicking%20on%20that%20link%20it%20will%20show%20you%20a%20part%20of%20customized%20levels.%3C%2FP%3E%3CP%3EYou%20can%20change%20the%20permission%20set%20for%20each%20of%20those%20level%20clicking%20on%20%22Manage%20Permissions%22%20to%20have%20the%20same%20details%20we%20look%20in%20the%20first%20part%20of%20this%20message.%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20as%20you%20can%20imagine%20with%20a%20document%20library%20could%20contains%20thousands%20of%20folders%2C%20this%20manual%20action%20is%20really%20huge.%3C%2FP%3E%3CP%3EHow%20reset%20all%20customized%20permissions%20configured%20at%20sublevel%20%3F%3C%2FP%3E%3CP%3EThat%20is%20the%20best%20option%20you%20can%20select%20as%20site%20admin%2C%20using%20PowerShell%20and%20an%20interesting%20PS%20Module%20named%3A%3C%2FP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fsharepoint%2Fsharepoint-pnp%2Fsharepoint-pnp-cmdlets%3Fview%3Dsharepoint-ps%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ESharePointPnPPowerShellOnline%3C%2FA%3E%3CP%3EThis%20following%20script%20will%20help%20IT%20Team%20to%20reconfigure%20all%20content%20customized%20into%20the%20document%20library%20and%20cancel%20this%20and%20reconfigure%20permission%20inheritance%20instead.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%23install-module%20SharePointPnPPowerShellOnline%20-Force%20%23to%20install%20that%20module%20the%20first%20time%20only%20Write-Host%20%22%20----------------------------------------------%20%22%20Import-Module%20SharePointPnPPowerShellOnline%20Write-Host%20%22%20----------------------------------------------%20%22%20%23Config%20Variables%20%24SiteURL%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Fyourtenant.sharepoint.com%2Fsites%2FYourSiteCollection%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fyourtenant.sharepoint.com%2Fsites%2FYourSiteCollection%2F%3C%2FA%3E%22%20%24ListTitle%20%3D%20%22Document%20Library%20Name%22%20%24foldertoscope%20%3D%20%22%2Fsites%2FYourSiteCollection%2FYourDocumentLibrary%2F%22%20%23Connect%20to%20PnP%20Online%20Connect-PnPOnline%20-Url%20%24SiteURL%20-UseWebLogin%20%24ctx%20%3D%20Get-PnPContext%20%24ctx.Load(%24ctx.Web.Lists)%20%24ctx.Load(%24ctx.Web)%20%24ctx.Load(%24ctx.Web.Webs)%20%24ctx.ExecuteQuery()%20%24ll%3D%24ctx.Web.Lists.GetByTitle(%24ListTitle)%20%24ctx.Load(%24ll)%20%24ctx.ExecuteQuery()%20%23%23%20View%20XML%20%24qCommand%20%3D%20%40%22%20%3CVIEW%20scope%3D%22%26quot%3BRecursiveAll%26quot%3B%22%3E%20%3CQUERY%3E%20%3CORDERBY%3E%3CFIELDREF%20name%3D%22'ID'%22%20ascending%3D%22'TRUE'%2F%22%3E%3C%2FFIELDREF%3E%20%3C%2FORDERBY%3E%20%3CROWLIMIT%20paged%3D%22%26quot%3BTRUE%26quot%3B%22%3E5000%3C%2FROWLIMIT%3E%20%3C%2FQUERY%3E%20%22%40%20%23%23%20Page%20Position%20%24position%20%3D%20%24null%20%23%23%20All%20Items%20%24allItems%20%3D%20%40()%20Do%7B%20%24camlQuery%20%3D%20New-Object%20Microsoft.SharePoint.Client.CamlQuery%20%24camlQuery.ListItemCollectionPosition%20%3D%20%24position%20%24camlQuery.ViewXml%20%3D%20%24qCommand%20%23%23%20Executing%20the%20query%20%24currentCollection%20%3D%20%24ll.GetItems(%24camlQuery)%20%24ctx.Load(%24currentCollection)%20%24ctx.ExecuteQuery()%20%23%23%20Getting%20the%20position%20of%20the%20previous%20page%20%24position%20%3D%20%24currentCollection.ListItemCollectionPosition%20%23%20Adding%20current%20collection%20to%20the%20allItems%20collection%20%24allItems%20%2B%3D%20%24currentCollection%20Write-Host%20%22Collecting%20items.%20Current%20number%20of%20items%3A%20%22%20%24allItems.Count%20%7D%20while(%24position%20-ne%20%24null)%20Write-Host%20%22Total%20number%20of%20items%3A%20%22%20%24allItems.Count%20for(%24j%3D0%3B%24j%20-lt%20%24allItems.Count%20%3B%24j%2B%2B)%20%7B%20if(%24allItems%5B%24j%5D%5B%22FileRef%22%5D.StartsWith(%24foldertoscope))%20%7B%20Write-Host%20%22Resetting%20permissions%20for%20%22%20%24allItems%5B%24j%5D%5B%22Title%22%5D%20%22..%22%20%24allItems%5B%24j%5D%5B%22FileRef%22%5D%20%24allItems%5B%24j%5D.ResetRoleInheritance()%20%24ctx.ExecuteQuery()%20%7D%20%7D%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20you%20can%20adapt%20the%20permissions%20as%20much%20as%20you%20need%20to%3C%2FP%3E%3CP%3EFabrice%20Romelard%3C%2FP%3E%3C%2FVIEW%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1780387%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFiles%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108175%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20-%20How%20to%20Reset%20Inheritance%20Permission%20set%20into%20an%20SP%20DocLib%20folder%20or%20file%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108175%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41125%22%20target%3D%22_blank%22%3E%40Fabrice%20Romelard%3C%2FA%3EYou%20sir%20are%20a%20genetleman%20and%20a%20scholar.%20Saved%20me%20a%20lot%20of%20time%20and%20effort.%2010%2F10%20works%20a%20treat.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

When we are importing File Server content into SharePoint using dedicated tools for, we can import permission set configured at the sub levels (subfolders or documents). That import can create some issues due to incorrect configuration in place on original File Server.

 

But how can we check one user complaining to not see or access the content as it was into the File Server ?

That need to be reviewed at any SharePoint Content Level with Permission Management with "Administrator Permission" with the link "Manage Access".

You have to select the link (at the bottom) "Advanced" to have the exact permission set configured at this level 

DocLibFolderPermission-01.png

 

DocLibFolderPermission-02.png

 

DocLibFolderPermission-03.png

 

Based on that situation, you can decide what to apply at this folder or file level. You can:

  • add a colleague or a group with appropriate permission (Read, Write or full control)
  • Remove the specific permission of that level clicking on "Delete unique permissions"

 

But this config could concern many other sublevels and wait the user complains is probably not the best option.

How to track folders or files with unique permissions ?

You can do that using the Document Library Permission Settings from:

  • Library Settings > "Permissions for this Document Library"

You will have the permission configuration in place at this root Document library level.

But the first line will explain (if that is the case into your document library) the status of sublevel:

  • Some items of this list may have unique permissions which are not controlled from this page.  Show these items.

When you are clicking on that link it will show you a part of customized levels.

You can change the permission set for each of those level clicking on "Manage Permissions" to have the same details we look in the first part of this message. 

DocLibFolderPermission-04.png

 

DocLibFolderPermission-05.png

 

DocLibFolderPermission-06.png

 

DocLibFolderPermission-07.png

 

Now as you can imagine with a document library could contains thousands of folders, this manual action is really huge.

How reset all customized permissions configured at sublevel ?

That is the best option you can select as site admin, using PowerShell and an interesting PS Module named:

This following script will help IT Team to reconfigure all content customized into the document library and cancel this and reconfigure permission inheritance instead.

 

#install-module SharePointPnPPowerShellOnline -Force #to install that module the first time only
Write-Host " ---------------------------------------------- "
Import-Module SharePointPnPPowerShellOnline
Write-Host " ---------------------------------------------- "

#Config Variables
$SiteURL = "https://yourtenant.sharepoint.com/sites/YourSiteCollection/"
$ListTitle = "Document Library Name"

$foldertoscope = "/sites/YourSiteCollection/YourDocumentLibrary/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin

$ctx = Get-PnPContext

  $ctx.Load($ctx.Web.Lists)
  $ctx.Load($ctx.Web)
  $ctx.Load($ctx.Web.Webs)
  $ctx.ExecuteQuery()
  $ll=$ctx.Web.Lists.GetByTitle($ListTitle)
  $ctx.Load($ll)
  $ctx.ExecuteQuery()

  ## View XML
$qCommand = @"
<View Scope="RecursiveAll">
    <Query>
        <OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy>
    </Query>
    <RowLimit Paged="TRUE">5000</RowLimit>
</View>
"@
## Page Position
$position = $null
 
## All Items
$allItems = @()
Do{
    $camlQuery = New-Object Microsoft.SharePoint.Client.CamlQuery
    $camlQuery.ListItemCollectionPosition = $position
    $camlQuery.ViewXml = $qCommand
 ## Executing the query
    $currentCollection = $ll.GetItems($camlQuery)
    $ctx.Load($currentCollection)
    $ctx.ExecuteQuery()
 
 ## Getting the position of the previous page
    $position = $currentCollection.ListItemCollectionPosition
 
 # Adding current collection to the allItems collection
    $allItems += $currentCollection

     Write-Host "Collecting items. Current number of items: " $allItems.Count
}
while($position -ne $null)

Write-Host "Total number of items: " $allItems.Count

for($j=0;$j -lt $allItems.Count ;$j++)
{
    if($allItems[$j]["FileRef"].StartsWith($foldertoscope))
    {
        Write-Host "Resetting permissions for " $allItems[$j]["Title"] ".." $allItems[$j]["FileRef"]
        $allItems[$j].ResetRoleInheritance()
        $ctx.ExecuteQuery()
    }
}

 

DocLibFolderPermission-08.png

 

Now you can adapt the permissions as much as you need to

Fabrice Romelard

7 Replies

@Fabrice RomelardYou sir are a genetleman and a scholar. Saved me a lot of time and effort. 10/10 works a treat.

This is working wonders for me, thanks, I just wonder if you are able to look at just folders within a Document Library?

Thanks

@aprietoYes, you can apply this just to a subfolder within a library. I found this site looking to do just that. You just need to set the "$foldertoscope =" parameter to the relative URL of the folder. The final loop of the script compares the path of every object to that string, and if it starts with that string, it resets the permissions.

@CFox-Merit

Thanks for that Ive done that, but it still seems to be counting the whole Library, not sure what im doing wrong, im using "/sites/sitename/library/folder/ the one I'm testing on only had around 50 files and folders and this counts 5000 starting but goes up so cancel it, only because last time i ran at library it stated error because of the amount of requests

@Fabrice Romelard Thanks.  I am trying to reset permissions for a specific folder within a library.  I have gotten the script to run, but it just returns the amount of items it found in the whole document library not just that specific folder.  It also does not go into the next step of resetting the permissions. Any advice would be much appreciated. 

I am also experiencing the same thing as well as the script never gets to the part of resetting any of the permissions. It runs it tells me the total number of items in the entire library and then does nothing more than that. I have tried changing my foldertoscope variable but nothing I seem to do ever gets it to a point that it tries to reset the permissions. I am trying this on a test site for right now before actually doing it on our live document library.