

Get-spsite -limit all | Get-spweb -limit all fails

Question

Wednesday, March 20, 2013 3:16 PM

I am trying to give an account I created the ability to run the command in the title. I am able to run this cmdlet with both the SP FARM and SP ADMIN accounts with no errors. However, no matter what user I create or what rights I give them, my users are unable to run the following cmdlet:

Get-spsite -limit all | Get-spweb -limit all

This cmdlet always returns the following error:

Get-SPWeb : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:23
+ get-spsite | get-spweb <<<<
    + CategoryInfo          : InvalidData: (Microsoft.Share....SPCmdletGetWeb: SPCmdletGetWeb) [Get-SPWeb], UnauthorizedAccessException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletGetWeb

I can run each cmdlet separately with no issues; it is when I pipe them together that Get-SPWeb fails.

I have created a user in AD and made that user a local Admin on the SharePoint Server. This server also hosts the instance of SQL that houses the SharePoint Databases. I logged into the SP server as the SPFarm account and opened SharePoint PowerShell in an elevated window. I then ran the following cmdlet to give the user access to all SPdatabases:

Get-SPDatabase | Add-SPShellAdmin -UserName domain\user

After running this cmdlet I am able to open SQL Management Studio and verify the user has the SharePoint_Shell_Access role to all SharePoint Databases.

Any ideas as to why this is happening would be really appreciated on my part.

All replies (8)

Thursday, March 21, 2013 3:44 AM ✅ Answered

Execute the PowerShell script below and it will help to identify the site collection with the problematic web. Looking at the output, you can easily determine the site collection. It should give you an error when trying to access the problematic web site.

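$sites = Get-SPSite -Limit All

foreach ($site in $sites)
{
    # Print the site collection first, so the one that fails is visible in the output
    Write-Host "Processing Site Collection:" $site.Url

    # Enumerate the webs of the current site collection ($site, not $sites)
    foreach ($web in $site.AllWebs)
    {
        Write-Host "Web:" $web.Url
    }
}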

Pradip T. MCTS(SharePoint 2010/Web)|MCPD(Web Development) https://www.mcpvirtualbusinesscard.com/VBCServer/paddytakate/profile


Wednesday, March 20, 2013 3:20 PM

The account running the command must be set as a Shell Admin. This involves a couple of different permission levels in various areas (see second link). You can in theory set this manually, but it isn't recommended as it is easy to set using PowerShell itself.

To do this you can use the Add-SPShellAdmin commandlet from the PowerShell console using SP Admin.

http://technet.microsoft.com/en-us/magazine/gg490648.aspx

http://sharepoint.microsoft.com/blogs/zach/Lists/Posts/Post.aspx?ID=56


Wednesday, March 20, 2013 3:31 PM

Alex,

Thank you for the speedy reply; however, as my original question states, I have done this and then some. I only used SQL to verify the account did have the SharePoint_Shell_Access role. I understand the way the permissions work, I just can't figure out why the cmdlets in the title don't want to work paired together but they do separately.


Wednesday, March 20, 2013 3:55 PM

You did indeed. Sorry.

You don't need the -limit all parameter. It's assumed that you don't have any limits set.

Get-SPSite | Get-SPWeb

Will result in the exact same output. I've just run this on one of my VMs and get the same error; these relate to two of my web applications, one is my Mysites and one my portal. For both of those sites the account I was using didn't have access through the browser.

After granting my account secondary owner permissions to the site collection I didn't get the error for that site's webs again.

Try running this:

$sites = get-spsite
foreach ($site in $sites)
{
    Write-Host $site.URL
    Write-host $site.AllWebs
}

Which will list out which site collection the script is processing and assuming no errors, all the webs that exist beneath it. That will let you see which site collection it's failing in so you can ensure that the user you're using really does have access to the content.


Wednesday, March 20, 2013 4:26 PM

Alex,

Thank you again, and I apologize, I should have mentioned I want to accomplish this task without adding any permissions to the actual sites or site collections themselves. I was going to just use CA to create a user policy for the user and give them full control to all the Web Apps; however, I would like to try and accomplish this without that. I believe this should be possible just using the Add-SPShellAdmin cmdlet. I have even tried the daunting task of manually adding the user to each Content DB using the Add-SPShellAdmin cmdlet. What bothers me is that if I run the cmdlets one at a time as follows (the name isn't really domain):

PS C:\Users\newtest\desktop> get-spsite

Url
http://corporate.domain.com
http://corporate.domain.com/collaboration/EmployeeCe...
http://corporate.domain.com/sites/HelpDesk
http://corporate.domain.com/sites/SalesTeamDashboard
http://corporate.domain.com/sites/SeniorManagmentPortal
http://extranet.domain.com/employees/TimeClock
http://extranet.domain.com/sites/PurchaseRequest
http://intranet.domain.com/sites/FS
http://intranet.domain.com/sites/RemoteBlob
http://domain-sp1
http://domain-sp1/main
http://domain-sp1/my
http://domain-sp1/personal/spadmin
http://domain-sp1/personal/travis

PS C:\Users\newtest\desktop> get-spweb http://corporate.domain.com

Url
http://corporate.domain.com

These are the actual PowerShell results with the domain name changed. However, if I pipe them together, as you saw, they fail. This makes no sense to me, maybe it's because if they work separately they should in theory work piped together, as this has always been the case when I used cmdlets before. Thank you for the script; it does as you said it would and shows me I don't have access to the sites. This, however, baffles me even more: how can I run the Get-SPWeb cmdlet and have it work no matter the URL I specify if run alone, but fail when piped with the other cmdlet? Just so you know, I have researched this issue very heavily and have yet to find the answer.


Wednesday, March 20, 2013 4:49 PM

The error occurs on Get-SPWeb. Is there any site where the user account you are using does not have any permission? Or are there any orphan sites? Validate it.

Pradip T. MCTS(SharePoint 2010/Web)|MCPD(Web Development) https://www.mcpvirtualbusinesscard.com/VBCServer/paddytakate/profile


Wednesday, March 20, 2013 4:56 PM

Pradip,

Correct, the error occurs on Get-SPWeb only when I pipe the cmdlets together. As for having permissions to the actual site, no, this account has none at all. I created the account and only gave it the SharePoint_Shell_Access role to all the SP content DB. This environment has no orphaned sites; however, do you know the cmdlet to verify this? I apologize, what did you mean by validate it? Were you speaking of the orphaned sites?


Tuesday, December 10, 2013 10:07 AM

Hi,

Probably it's a good idea to dispose of the Site object you created at the end of the code.

"The opinions expressed here represent my own and not those of anybody else"
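
An added example, not part of any post in this thread: a per-site-collection check that combines the loop from the accepted answer with the disposal suggested in the last reply, and records which site collections deny the calling account instead of stopping at the first error. The function name `Test-SPWebAccess` is hypothetical; the script assumes it is run on a farm server, as the account being tested, with the `Microsoft.SharePoint.PowerShell` snap-in available.

```powershell
# Added example (not from the thread). Run as the account whose access is being checked.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPWebAccess {   # hypothetical helper name
    # Returns one object per site collection: how many webs were readable,
    # and whether enumeration was denied for the current account.
    $results = @()
    foreach ($site in (Get-SPSite -Limit All)) {
        $url      = $site.Url      # captured first; listing site URLs worked in the thread
        $status   = 'OK'
        $webCount = 0
        try {
            foreach ($web in $site.AllWebs) {
                try     { $null = $web.Title; $webCount++ }   # touch the web to force access
                finally { $web.Dispose() }                    # release each SPWeb
            }
        }
        catch {
            # PowerShell may wrap the .NET exception, so inspect the base exception.
            $base = $_.Exception.GetBaseException()
            if ($base -is [System.UnauthorizedAccessException]) {
                $status = 'AccessDenied'
            } else {
                $status = 'Error: ' + $base.Message
            }
        }
        finally {
            $site.Dispose()                                   # release the SPSite
        }
        $results += New-Object PSObject -Property @{
            SiteCollection = $url
            Webs           = $webCount
            Status         = $status
        }
    }
    return $results
}

Test-SPWebAccess |
    Sort-Object Status, SiteCollection |
    Format-Table SiteCollection, Webs, Status -AutoSize
```

Rows marked `AccessDenied` are the site collections where the account has shell access to the database but no rights to the content itself, which is the condition the replies above point to.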