Wednesday, April 27, 2016

Traverse all users' permissions on a SharePoint 2010/2013 Site Collection with PowerShell

Hi There,

I have found a very useful PowerShell script to traverse all users' permissions on a SharePoint 2010/2013 site collection. Thanks to Johan Mayer for updating the PowerShell code and making it more useful.

This PowerShell code extracts every user who has permissions through any SharePoint group, at any permission level. For example, if a user has permissions through three groups (Readers, Contributors and Owners), the output lists each group in turn with the user's permission level in that group. Sample screenshot below.



PowerShell Script:

Copy and paste this PowerShell script into a Notepad file and save it as a .ps1 file. Then open the SharePoint Management Shell and run the file you just saved.

This script also traverses user permissions inside the lists and libraries. You can filter the data once it is exported to CSV.

[code]
# Load the SharePoint snap-in when not running inside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPUserEffectivePermissions(
    [object[]]$users,
    [Microsoft.SharePoint.SPSecurableObject]$InputObject) {

    begin { }
    process {
        # Use the explicit parameter, or fall back to the current pipeline object
        $so = $InputObject
        if ($so -eq $null) { $so = $_ }

        if ($so -isnot [Microsoft.SharePoint.SPSecurableObject]) {
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }

        foreach ($user in $users) {
            # Set the user's login name
            $loginName = $user
            if ($user -is [Microsoft.SharePoint.SPUser] -or $user -is [PSCustomObject]) {
                $loginName = $user.LoginName
            }
            if ($loginName -eq $null) {
                throw "The provided user is null or empty. Specify a valid SPUser object or login name."
            }

            # Get the user's permission details
            $permInfo = $so.GetUserEffectivePermissionInfo($loginName)

            # Determine the URL to the securable object being evaluated
            $resource = $null
            if ($so -is [Microsoft.SharePoint.SPWeb]) {
                $resource = $so.Url
            } elseif ($so -is [Microsoft.SharePoint.SPList]) {
                $resource = $so.ParentWeb.Site.MakeFullUrl($so.RootFolder.ServerRelativeUrl)
            } elseif ($so -is [Microsoft.SharePoint.SPListItem]) {
                $resource = $so.ParentList.ParentWeb.Site.MakeFullUrl($so.Url)
            }

            # Get the role assignments and iterate through them
            $roleAssignments = $permInfo.RoleAssignments
            if ($roleAssignments.Count -gt 0) {
                foreach ($roleAssignment in $roleAssignments) {
                    $member = $roleAssignment.Member

                    # Build a string array of all the permission level names
                    $permName = @()
                    foreach ($definition in $roleAssignment.RoleDefinitionBindings) {
                        $permName += $definition.Name
                    }

                    # Determine how the user's permissions were assigned
                    $assignment = "Direct Assignment"
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $assignment = $member.Name
                    } else {
                        if ($member.IsDomainGroup -and ($member.LoginName -ne $loginName)) {
                            $assignment = $member.LoginName
                        }
                    }

                    # Create a hash table with all the data
                    $hash = @{
                        Resource        = $resource
                        "Resource Type" = $so.GetType().Name
                        User            = $loginName
                        Permission      = $permName -join ", "
                        "Granted By"    = $assignment
                    }

                    # Convert the hash to an object and output to the pipeline
                    New-Object PSObject -Property $hash
                }
            }
        }
    }
    end { }
}

# Track SharePoint objects so they can be released together at the end
$gc = Start-SPAssignment
$site = $gc | Get-SPSite http://localhost:2020

# Collect each login name once, even if the user belongs to several groups
$loginNames = @()
foreach ($grp in $site.RootWeb.SiteGroups) {
    foreach ($user in $grp.Users) { $loginNames += $user.LoginName }
}
$loginNames = @($loginNames | Sort-Object -Unique)

$results = @()
foreach ($loginName in $loginNames) {
    # @() keeps the results as arrays so they can be concatenated when empty or single
    $webPermissions  = @($site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions $loginName)
    $listPermissions = @($site | Get-SPWeb -Limit All | %{ $_.Lists | Get-SPUserEffectivePermissions $loginName })
    $results += $webPermissions + $listPermissions
}

# Write everything in one pass so the CSV has a single header row
$results | Export-Csv -Path c:\perms.csv -NoTypeInformation -Encoding UTF8

$site.Dispose()
$gc | Stop-SPAssignment
[/code]
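Filtering the exported CSV for a permissions review, as an added example that is not part of the original script: it flags rows granted by direct assignment and rows carrying a high-privilege permission level. The function name `Get-PermissionFinding` is hypothetical, the sample rows are constructed, and treating "Full Control" and "Design" as high privilege is an assumption based on the default SharePoint permission level names.

```powershell
# Hypothetical helper (not from the original script): flags rows of the exported
# CSV that usually deserve a closer look during a permissions review.
function Get-PermissionFinding {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        # Permission level names treated as high privilege (assumption: SharePoint defaults)
        [string[]]$HighPrivilege = @('Full Control', 'Design')
    )
    foreach ($row in $Rows) {
        # The export script joins multiple permission levels with ", "
        $levels  = @($row.Permission -split ',\s*' | Where-Object { $_ })
        $reasons = @()
        if ($row.'Granted By' -eq 'Direct Assignment') {
            $reasons += 'granted directly, not through a group'
        }
        $high = @($levels | Where-Object { $HighPrivilege -contains $_ })
        if ($high.Count -gt 0) {
            $reasons += 'high privilege: ' + ($high -join ', ')
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                User = $row.User; Resource = $row.Resource
                'Granted By' = $row.'Granted By'; Reason = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rows with the same columns the script exports.
# For a real run use: $rows = Import-Csv -Path c:\perms.csv
$rows = @'
"Resource","Resource Type","User","Permission","Granted By"
"http://localhost:2020","SPWeb","CONTOSO\alice","Read","Site Visitors"
"http://localhost:2020","SPWeb","CONTOSO\bob","Full Control","Site Owners"
"http://localhost:2020/Shared Documents","SPList","CONTOSO\carol","Contribute","Direct Assignment"
"http://localhost:2020/Lists/Tasks","SPList","CONTOSO\dave","Limited Access, Design","Direct Assignment"
"http://localhost:2020/hr","SPWeb","CONTOSO\alice","Contribute","CONTOSO\hr-staff"
'@ | ConvertFrom-Csv

Get-PermissionFinding -Rows $rows | Sort-Object User, Resource |
    Format-Table -AutoSize -Property User, Resource, 'Granted By', Reason
```

Pass `-HighPrivilege` with your own list if the site collection uses custom permission levels.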

You can also download the script from here.

Enjoy...!
