Identify Folders Breaking Permission Inheritance in SharePoint using PowerShell

Last week, I got contacted by a fellow MVP regarding a problem he had coming up with a PowerShell script to help him identify all folders in a specific library on which the permissions' inheritance had been broken. His script had to be able to start looking at a specific parent folder inside the library and only scan its subfolders. For example, assume you have a document library with the following folder structure. Folders with a * beside them are folders for which the permission inheritance has been broken.

Folder A
    – Folder A.1
    – Folder A.2 *
        — Folder A.2.1
Folder B *
Folder C
    – Folder C.1
        — Folder C.1.1 *

What my colleague wanted to be able to do was to run a scan on a specific parent folder (e.g. Folder C.1) and find all subfolders contained within it for which the permissions' inheritance was broken. He had a script that was doing the job, but performance-wise, his script was still looping through every single folder in the library, not just the parent folder he identified and its descendants. The solution I proposed was fairly simple: use an SPQuery to query all items having a content type of folder, loop through all subfolders starting at the specified parent, and identify the folders that have their permissions' inheritance broken. The resulting script was the following:

Add-PSSnapin Microsoft.SharePoint.PowerShell

# Get a reference to the specified SharePoint Web. Replace http://localhost with your own URL
$webUrl = "http://localhost/"
$web = Get-SPWeb $webUrl

# Get a reference to the specified SharePoint List. Replace Documents with your library's name
$listName = "Documents"
$list = $web.Lists[$listName]

# Declare the relative URL to the parent folder you wish to scan. Replace Folder C.1 with the name of the parent folder
$folderUrl = "/Shared Documents/Folder C.1"

# Get an SPFolder object reference to the parent folder
$folderRef = $web.GetFolder($folderUrl)

# Create a new SPQuery object and have it scan only for folders (skip over other list items)
$query = "<Where><Eq><FieldRef Name='ContentType' /><Value Type='Text'>Folder</Value></Eq></Where>"
$spQuery = New-Object Microsoft.SharePoint.SPQuery
$spQuery.Query = $query

# Specify that we wish to include all subfolders in our query
$spQuery.ViewAttributes = "Scope='RecursiveAll'"

# Specify the root folder for the SPQuery object to look into
$spQuery.Folder = $folderRef

# Get all folders matching the query
$subFolders = $list.GetItems($spQuery)

# Loop through all retrieved folders and check whether their permission inheritance is broken. If it is, print a message on screen
foreach ($item in $subFolders)
{
    # HasUniqueRoleAssignments is true when the folder no longer inherits permissions from its parent
    if ($item.HasUniqueRoleAssignments)
    {
        Write-Host "L’héritage des permissions est brisée sur:" $item.Name " URL :" $item.Url
    }
}

# Release the SPWeb object once the scan is done
$web.Dispose()


Register a Script Safe Domain for your SharePoint 2013 Site Collection using PowerShell

Every now and then, I go mess around in the SharePoint object model using PowerShell to see if there are any hidden gems that could be of interest. Today, I've discovered a per-site collection setting called ScriptSafeDomains that contains a list of all domains from which SharePoint will allow scripts to be loaded. To get a list of those, you can execute the following line of PowerShell:

Get-SPSite http://<your site url> | Select ScriptSafeDomains


We can see from the figure above that default domains include,,, etc. It seems as if this property would be some kind of a Cross-Origin Resource Sharing (CORS) white list. To test my theory, I tried the following scenario where I tried to embed a video from Using the Embed code function from the SharePoint insert ribbon, I added the following iFrame tag to my site:


We can see from the figure above that SharePoint adds the notice "This HTML will be inserted in a web part", and the resulting web part doesn't let us play the video properly. What we need to do here is to add  to our list of ScriptSafeDomains. In order to do this, we can execute the following lines of PowerShell:

$site = Get-SPSite http://<your site url>


Then if you refresh the page and try to add the embedded code again, you should be able to do it just like you would when embedding a YouTube video. The notification that it will be inserted through a web part should now be gone!
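
Because every entry in ScriptSafeDomains widens what a site collection will embed, it is worth checking the list against a reviewed baseline. The following is an added example, not code from the original post: the function name, the baseline domains and the sample entries are constructed placeholders, and it assumes each collection entry exposes a DomainName property.

```powershell
# Added example: flag ScriptSafeDomains entries that are not on an approved baseline.
# Assumption: each entry in the collection exposes a DomainName property.
function Find-UnapprovedScriptSafeDomain {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Domains,
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Normalise so "Example.COM." and "example.com" compare as equal.
    $normalize = { param($d) ([string]$d).Trim().TrimEnd('.').ToLowerInvariant() }

    $baseline = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($a in $Approved) { [void]$baseline.Add((& $normalize $a)) }

    foreach ($entry in $Domains) {
        $name = & $normalize $entry.DomainName
        # Exact match only: a subdomain of an approved domain is still reported for review.
        if ($name -and -not $baseline.Contains($name)) {
            [pscustomobject]@{ SiteUrl = $SiteUrl; Domain = $name }
        }
    }
}

# Constructed baseline and sample entries (placeholders, not SharePoint's default list).
$approved = @('video.example.com', 'maps.example.com')
$sample = @(
    [pscustomobject]@{ DomainName = 'Video.Example.com' },
    [pscustomobject]@{ DomainName = 'cdn.unreviewed.example' }
)
Find-UnapprovedScriptSafeDomain -SiteUrl 'http://sharepoint.example/sites/demo' `
    -Domains $sample -Approved $approved

# On a farm server, feed it the real collections instead of the sample:
# Add-PSSnapin Microsoft.SharePoint.PowerShell
# foreach ($site in Get-SPSite -Limit All) {
#     Find-UnapprovedScriptSafeDomain -SiteUrl $site.Url `
#         -Domains @($site.ScriptSafeDomains) -Approved $approved
#     $site.Dispose()
# }
```

Run on a schedule, the output gives one row per site collection and unreviewed domain, which makes additions like the one described above visible to whoever owns the baseline.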