SharePoint Farm Freezing, Becomes Unusable Without An IISReset - A Lesson In Item-Level Permissions

-
Recently I was working with a client who's SharePoint 2010 environment had been poorly managed for years.  They had a single site collection on a single, large content database (650GB).  Not uncommon, however this environment also occasionally froze up, never loading any of the pages on any sites until an IISRESET was performed on the Web Front End (WFE).

It started off only happening once a month, then moved to once a week, a few times a week, to 5-10 times a day...

Begin Troubleshooting:

The issue was around too many lists, and items within those lists having their own permissions.

Each permission for an item counts as one row in the RoleAssignment table in the database.

apparently they say a healthy DB will only have 200,000 rows in that table.

Ours had 10,000,000 rows (You can check this by right-clicking the Database in SQL Management Studio and clicking Reports > Disk Usage by Top Tables.  Then look for the RoleAssignment Table).  and every time someone went to check permissions on a big list, bang.  it locks the table while it finds the data (which takes ages to traverse), meanwhile every other computer trying to do anything on the site dies while the table is locked.

The ONLY way to fix this is to remove any tables with HEAPS of item level permissions.

I got two handy scripts for this.  both below:


Script #1: a SQL script to find the lists that had the most item-level permissions

##SQL QUERY TO FIND INDIVIDUAL SECURITY SCOPES - PROVIDED BY MICROSOFT
select COUNT(ra.PrincipalId) as [Count],p.ScopeUrl from RoleAssignment ra with(nolock) 
join Perms p with(nolock) 
on p.SiteId = ra.SiteId and p.ScopeId = ra.ScopeId 
group by p.ScopeUrl 
order by p.ScopeUrl desc


Script #2: a SharePoint Powershell script that checks if a list has item-level permissions, then gives you the option to set every item in the list to inherit the Lists permissions:
  • Restore-Inheritance.ps1 "http://SPURL/SITE" "LIST NAME" true
############################################################################### 

##  ADD IN SHAREPOINT SNAP IN IF NOT ALREADY LOADED ## 
############################################################################### 
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) { 
    Add-PSSnapin "Microsoft.SharePoint.PowerShell" 
}


############################################################################### 
##  SET VARIABLES FROM ARGUMENTS ## 
############################################################################### 

$webUrl = $args[0]
$listName = $args[1]
$listInherits = $args[2]

# Varibale to hold document count
$count = 0

############################################################################### 
##  OPEN OBJECTS & RESTORE INHERITANCE ## 
###############################################################################

try {
# Open the web and list objects
$web = Get-SPWeb $webUrl
$list = $web.Lists[$listName]

# If the list should inherit, reset the role inheritance
if ($listInherits -eq $true) {
$list.ResetRoleInheritance()
Write-Host "Updated permissions on list." -foregroundcolor Green
}

# Get all items with unique permissions
$itemsWithUniquePermissions = $list.GetItemsWithUniquePermissions()
Write-Host $itemsWithUniquePermissions.Count "number of items with unique permissions found."

# Only update items if some exist
if ($itemsWithUniquePermissions.Count -gt 0) {
foreach ($itemInfo in $itemsWithUniquePermissions) {
$item = $list.GetItemById($itemInfo.Id)
    $item.ResetRoleInheritance()
$count++
}

# Display number of items updated
Write-Host "Updated permissions on $count items." -foregroundcolor Green
}
else {
Write-Host "No items with unique permissions exist, nothing to update."
}

# Dispose of web object
$web.Dispose()
}
catch [Exception] {
Write-Host "Exception encountered.  Please ensure all arguments are valid." -foregroundcolor Red
Write-Host $_.Exception.Message -foregroundcolor Red
}


REFERENCES & THANKS
https://gallery.technet.microsoft.com/office/PowerShell-to-Reset-Unique-d885a93f 

Comments

Post a Comment

Popular posts from this blog

SharePoint - Field type [FieldName] is not installed properly. Go to the list settings page to delete this field.

-
Sorry, something went wrong Field type [FieldName]  is not installed properly. Go to the list settings page to delete this field.   This is caused when a FieldType has been created usually via a custom solution (WSP), and has been used somewhere, then uninstalled while still being used somewhere on the Site Collection.  This error message is similar on all versions of SharePoint 2007/2010/2013. Usually you will have one or more Site Columns that are using the FieldType, and possibly one or more Content Types that are using that Site Column, and then most likely one or more Lists/Librarires using the Site Columns or Site Content Types. If you want to remove the Field Type Completely, steps to resolve are as follows: Try to delete the Site Column or Content Type from every list it is being used on.  If you can't delete the Content Type from the list, you will have to delete the list. Delete the Content Types using the Site Column (Site Actions > Site Settings
Read more

Office 365 Groups - Quickly find the GUID of a O365 Group

-
Image
Looking for the GUID for a Office 365 Group and finding it slightly painful with PowerShell? Here's my trick for quickly finding it. I use Microsoft's Graph Explorer:  https://developer.microsoft.com/en-us/graph/graph-explorer Navigate to the Graph Explorer & click the Sign-In button in left-navigation Click the 'Show More Examples' link in the left-navigation Select 'Groups' from the right-hand popout Now you should be able to click ' All Groups in my organization ' on the left hand nav.  (You may need to add the permission ' Directory.Read.All ' to your account. Use Ctrl+F in the response pane to quickly find the group and grab it's ID
Read more

Export Group Membership From Active Directory Using Power Query

-
Image
If you need to export a list of staff from an Active Directory Group, follow these steps.  Allows you to gather all the names & usernames of staff in a particular group and save the information into Excel. Step By Step How To: Open up Excel > Power Query Tab Click From Other Sources > From Active Directory: (In Excel 2016 this is found under: Data Tab > New Query > From Other Sources > From Active Directory) screenshots from Excel 2016 on left, Excel 2010 w/ Power Query Add-on right A popup will ask you to enter your domain name.  It should already be populated with the correct information but if not, input your companies domain name & Click OK: In the Navigator that opens up, expand your domain tree and double click group: You should now see a list of all groups in Active Directory in the Power Query Editor: In order to find & filter for a specific Group, Click the Down-Arrow for the 'distinguishedName' column > T
Read more