Archive for the ‘Powershell’ Category

HOWTO Remove the Lock on a SharePoint File

April 10, 2015

A user on one of our SharePoint sites had a file in an Exclusive lock on their laptop, and couldn’t remove the lock. After checking a few sites for how to unlock:

I cobbled together this PowerShell function based on that. By default it displays the lock status of a file, and if you use the $unlock parameter it will also unlock the file.

Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
function SPUnlockFile()
 [Parameter(Mandatory=$True)][string] $webUrl
 ,[Parameter(Mandatory=$True)][string] $fileUrl
 ,[Parameter()][bool] $unlock = $false
#Get Web and File Objects
 $web = Get-SPWeb $WebURL
 $File = $web.GetFile($FileURL)
#Check if File is Checked-out
 if ($File.CheckOutType -ne "None")
 Write-host "File is Checked Out to user: " $File.CheckedOutByUser.LoginName
 Write-host "Checked Out Type: " $File.CheckOutType
 Write-host "Checked Out On: " $File.CheckedOutDate
#To Release from Checkout, Ask the checked out user to Checkin
 #$File.Checkin("Checked in by Administrator")
 #Write-host "File has been Checked-In"
#Check if File is locked
 if ($File.LockId -ne $null)
 Write-host "File is Locked by:" $File.LockedByUser.LoginName
 Write-host "File Lock Type: "$file.LockType
 Write-host "File Locked On: "$file.LockedDate
 Write-host "File Lock Expires on: "$file.LockExpires
 Write-host "File Lock Id: "$file.LockId
if ($unlock)
 Write-Host "Releasing lock..."
 $userId = $file.LockedByUser.ID
 $user = $web.AllUsers.GetByID($userId)
$impSite= New-Object Microsoft.SharePoint.SPSite($web.Url, $user.UserToken); $impWeb = $impSite.OpenWeb(); $impFile = $impweb.GetFile($FileURL)
 Write-Host "File is unlocked" -foregroundcolor Green
 #SPUnlockFile -weburl "http://weburl" -fileUrl "http://fullpathtofileurl"
 -unlock $false

Fixing “The user has not been granted the requested logon type at this computer” for SharePoint 2013 AutoSPInstaller

September 18, 2014

We are deploying SharePoint 2013 using the AutoSPInstaller PowerShell scripts in our Development environment and were getting the following issue:

Start-Process : This command cannot be run due to the error: Logon failure: the user has not been granted the requested logon at this computer.

We are using service accounts to manage security for our SharePoint 2013 applications and services, and the configuration for AutoSPInstaller includes which service accounts are applied to the various SharePoint components.

You can test a particular service account using the following PowerShell script:

Start-Process -FilePath cmd.exe -ArgumentList "/C" -LoadUserProfile -NoNewWindow -Credential Get-Credential

which will prompt you for the account credentials you want to test and then try and create a command prompt with the users profile.

The issue we found was as follows:
1. The Local Security Policy setting for Allow Log On Locally included Administrators, Users and Backup Operators. The service accounts are members of the Users group which should have allowed the required permissions.
2. The Local Security Policy setting for Deny log on locally was set to a specific security group, of which the service account was a member.

The Deny log on locally setting overrides the Allow log on locally setting. Once we removed the service account from the Deny log on locally setting, the AutoSPInstaller process worked perfectly!

HOWTO Use Powershell to Enable Remote Desktop on another Computer

May 15, 2012
$remoteComputerName = "my_remote_computer"
# Connect to another computer and start the remote registry service 
( Get-WmiObject -computername $remoteComputerName Win32_Service -filter "Name='RemoteRegistry'").startservice()
( Get-WmiObject -computername $remoteComputerName Win32_Service -filter "Name='RemoteAccess'").ChangeStartMode('Manual') 
( Get-WmiObject -computername $remoteComputerName Win32_Service -filter "Name='RemoteAccess'").startservice()

HOWTO: Enable Kerberos Logging via PowerShell

May 1, 2011

Our servers still have a RegEdit policy lock-down in affect. Yes, it is still silly. PowerShell however is allowed 🙂

Turning on Kerberos logging allows you to view detailed information on any Kerberos errors in the Windows event log via the System log. There is a Microsoft Knowledgebase article about how to turn it on, but that requires Regedit access. You can, however, turn this on via PowerShell. When the kerberos logging is turned on, check the Windows System event log for entries. The change is instantaneous – you do not need to log off or reboot to see the event logging.

# Get the value of the Kerberos logging property
Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If you do not have this key, it will return no data. However, if you do have this key it should return something similar to:

PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters


LogLevel : 1
# Add the log level key for Kerberos logging
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters -Name "LogLevel" -value "1" -PropertyType dword
# Enable Kerberos logging
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters -Name "LogLevel" -value "1"
# Disable Kerberos logging
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters -Name "LogLevel" -value "0"

HOWTO: Disable the Windows Server 2008 Loopback Check via PowerShell

December 23, 2010

Our servers have a RegEdit lock-down in affect. Yes, it is silly. PowerShell can do the job though!

# Get the value of the LSA keys
Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa

# Disable the loopback check
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword