Skip to content

Release v1.3.1 - harden SPSyncUserInfoList against silent ACCESS_DENIED runs#17

Merged
luigilink merged 2 commits into
mainfrom
release/1.3.1
Jul 8, 2026
Merged

Release v1.3.1 - harden SPSyncUserInfoList against silent ACCESS_DENIED runs#17
luigilink merged 2 commits into
mainfrom
release/1.3.1

Conversation

@luigilink

Copy link
Copy Markdown
Owner

Summary

Hardening release (v1.3.1) that makes SPSyncUserInfoList.ps1 fail loudly and early when it is run with the wrong service account (or a missing Shell Admin), instead of silently producing nothing. Follows a field case where the script was launched with an under-privileged account and produced no output and no visible error at all.

This PR fixes the following issues:

Root cause

Get-SPSite -Limit All used -ErrorAction SilentlyContinue. The collection is lazy, so the ACCESS_DENIED (E_ACCESSDENIED 0x80070005) only threw while the foreach enumerated it — inside the Get-SPSUniqueUsers try/catch that funneled the error only to the Windows Event Log. No JSON was written, then Export-SPSUserReport and Copy-Item failed on the missing file, burying the real cause under two secondary errors. Not a code bug (the account was wrong), but the tool was far too silent about it.

Changes

SPSyncUserInfoList.ps1 — fail fast, fail loud

  • Removed -ErrorAction SilentlyContinue on Get-SPSite.
  • The Get-SPSUniqueUsers catch now Write-Errors to the console/transcript and the Event Log, with an actionable ACCESS_DENIED message (Shell Admin / correct service account, showing the running account).
  • Anti-clobber guard: a zero-user result never overwrites/copies the previous good JSON — it raises an explicit error and leaves the file untouched.
  • The function signals success to the Main region; when the snapshot was not produced, the compare/report/copy steps are skipped and the script Exit 1s.

Test-SPSUserSyncReadiness.ps1 — catch the wrong account BEFORE the run

  • New "Site collection enumeration" check: Get-SPSite -Limit All under try/catch → FAIL on ACCESS_DENIED with the Shell Admin hint. This is the exact permission the real run needs; the previous Get-SPFarm check only proved config-database access.

Tests

  • New tests/SPSyncUserInfoList.Tests.ps1: Get-SPSUniqueUsers writes JSON + reports success on a healthy farm; zero users → no JSON + Error event; ACCESS_DENIED → no JSON + actionable Error event.

Release metadata

  • Module bumped to 1.3.1, CHANGELOG 1.3.1 section dated, RELEASE-NOTES rewritten, Getting-Started wiki updated.

Validation

  • Pester: 68/68 green locally (65 → 68, +3 new).
  • PSScriptAnalyzer on ./src with the repo settings: clean.
  • No functional change and identical JSON for a correctly-permissioned account.

Upgrade notes

Drop-in replacement for 1.3.0 — no configuration change required. A wrong account now fails the run explicitly (exit code 1) instead of silently producing nothing.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Pester Test Results

68 tests   68 ✅  2s ⏱️
17 suites   0 💤
 1 files     0 ❌

Results for commit f51afce.

♻️ This comment has been updated with latest results.

luigilink added 2 commits July 8, 2026 14:37
Get-SPSite -Limit All used -ErrorAction SilentlyContinue, so an account that
cannot enumerate the farm site collections (wrong service account / missing
Shell Admin) produced no output and no visible error: the ACCESS_DENIED thrown
while enumerating the lazy collection was caught and written only to the Event
Log, the run then emitted two confusing secondary errors (report + copy) on a
JSON that was never written.

- Remove -ErrorAction SilentlyContinue on Get-SPSite; surface the error to the
  console/transcript AND the Event Log with an actionable Shell Admin message.
- Anti-clobber guard: a zero-user result never overwrites/copies the previous
  good JSON; it raises an explicit error and leaves the file untouched.
- Signal success to the Main region; skip the compare/report/copy steps and
  Exit 1 when the snapshot was not produced.
- Test-SPSUserSyncReadiness.ps1: new 'Site collection enumeration' check
  (Get-SPSite -Limit All under try/catch) that FAILs on ACCESS_DENIED with the
  Shell Admin hint - the exact permission the real run needs, which the
  Get-SPFarm-only check did not cover.
- Add Pester regression tests for Get-SPSUniqueUsers (healthy / zero-user /
  ACCESS_DENIED).

Fixes #16
Bump module to 1.3.1, date the CHANGELOG 1.3.1 section, rewrite RELEASE-NOTES
for 1.3.1, and document the new readiness site-collection enumeration check in
the Getting-Started wiki. (#16)
@luigilink luigilink merged commit 2096eeb into main Jul 8, 2026
3 checks passed
@luigilink luigilink deleted the release/1.3.1 branch July 8, 2026 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Harden SPSyncUserInfoList against silent ACCESS_DENIED (wrong account) runs

1 participant