Traverse All Users' Permissions on a SharePoint 2010/2013 Site Collection with PowerShell

Hi There,

I have found a very useful PowerShell script that traverses all users' permissions on a SharePoint 2010 or 2013 site collection. Thanks to Johan Mayer for updating the PowerShell code and making it more useful.

This PowerShell code extracts every user who has permissions through any SharePoint group, at any permission level. For example, if a user has permissions through three groups (Readers, Contributors and Owners), it lists the groups one by one and shows the user's permission level in each group.



PowerShell Script:

Copy and paste this PowerShell script into a plain Notepad file and save it as a .ps1 file. Then open the SharePoint Management Shell and run the file you have just saved.

The script also traverses users' permissions inside lists and libraries. You can filter the data once it has been exported to CSV.

function Get-SPUserEffectivePermissions(
    [object[]]$users, 
    [Microsoft.SharePoint.SPSecurableObject]$InputObject) {
    
    begin { }
    process {
        $so = $InputObject
        if ($so -eq $null) { $so = $_ }
        
        if ($so -isnot [Microsoft.SharePoint.SPSecurableObject]) {
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }
        
        foreach ($user in $users) {
            # Set the users login name
            $loginName = $user
            if ($user -is [Microsoft.SharePoint.SPUser] -or $user -is [PSCustomObject]) {
                $loginName = $user.LoginName
            }
            if ($loginName -eq $null) {
                throw "The provided user is null or empty. Specify a valid SPUser object or login name."
            }
            
            # Get the users permission details.
            $permInfo = $so.GetUserEffectivePermissionInfo($loginName)
            
            # Determine the URL to the securable object being evaluated
            $resource = $null
            if ($so -is [Microsoft.SharePoint.SPWeb]) {
                $resource = $so.Url
            } elseif ($so -is [Microsoft.SharePoint.SPList]) {
                $resource = $so.ParentWeb.Site.MakeFullUrl($so.RootFolder.ServerRelativeUrl)
            } elseif ($so -is [Microsoft.SharePoint.SPListItem]) {
                $resource = $so.ParentList.ParentWeb.Site.MakeFullUrl($so.Url)
            }

            # Get the role assignments and iterate through them
            $roleAssignments = $permInfo.RoleAssignments
            if ($roleAssignments.Count -gt 0) {
                foreach ($roleAssignment in $roleAssignments) {
                    $member = $roleAssignment.Member
                    
                    # Build a string array of all the permission level names
                    $permName = @()
                    foreach ($definition in $roleAssignment.RoleDefinitionBindings) {
                        $permName += $definition.Name
                    }
                    
                    # Determine how the users permissions were assigned
                    $assignment = "Direct Assignment"
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $assignment = $member.Name
                    } else {
                        if ($member.IsDomainGroup -and ($member.LoginName -ne $loginName)) {
                            $assignment = $member.LoginName
                        }
                    }
                    
                    # Create a hash table with all the data
                    $hash = @{
                        Resource = $resource
                        "Resource Type" = $so.GetType().Name
                        User = $loginName
                        Permission = $permName -join ", "
                        "Granted By" = $assignment
                    }
                    
                    # Convert the hash to an object and output to the pipeline
                    New-Object PSObject -Property $hash
                }
            }
        }
    }
    end {}
}


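# Load the SharePoint snap-in if the script is run outside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Track SharePoint objects so Stop-SPAssignment can dispose of them at the end
$gc = Start-SPAssignment
$site = $gc | Get-SPSite http://localhost:2020
$groups = $site.RootWeb.SiteGroups

$results = @()   # all permission rows, exported once so the CSV has a single header
$seen = @{}      # login names already processed (a user can be in several groups)

foreach ($grp in $groups) {
    foreach ($user in $grp.Users) {
        $loginName = $user.LoginName
        if ($seen.ContainsKey($loginName)) { continue }
        $seen[$loginName] = $true

        # Effective permissions on every web, then on every list and library
        $results += @($site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions $loginName)
        $results += @($site | Get-SPWeb -Limit All | %{ $_.Lists | Get-SPUserEffectivePermissions $loginName })
    }
}

$results | Export-Csv -Path c:\perms.csv -NoTypeInformation -Encoding UTF8

# Dispose of the site collection and every other tracked object
$gc | Stop-SPAssignment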
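
The export has one row per user, resource and granting group, with the columns Resource, Resource Type, User, Permission and Granted By. As an added example (not part of the original script), the function below triages that CSV for an access review by flagging direct assignments and high-privilege levels. The function name, the sample rows and the CONTOSO accounts are constructed for illustration.

```powershell
# Added example: flag rows in the permissions export that deserve a manual review.
function Get-PermissionReviewFindings {
    param(
        [object[]]$Rows,
        # Permission levels treated as high privilege (assumption; adjust per site)
        [string[]]$HighPrivilege = @('Full Control')
    )
    foreach ($row in $Rows) {
        # A CSV built by appending ConvertTo-Csv output per user repeats the
        # header line; Import-Csv reads those repeats as data rows, so skip them.
        if ($row.User -eq 'User') { continue }

        $levels = @($row.Permission -split ',\s*')
        # "Limited Access" is added automatically by SharePoint; ignoring rows
        # that carry only that level is a choice made for this example.
        if (@($levels | Where-Object { $_ -ne 'Limited Access' }).Count -eq 0) { continue }

        $reasons = @()
        if ($row.'Granted By' -eq 'Direct Assignment') {
            $reasons += 'Granted directly, not through a group'
        }
        if ($levels | Where-Object { $HighPrivilege -contains $_ }) {
            $reasons += 'High-privilege permission level'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                User         = $row.User
                Resource     = $row.Resource
                Permission   = $row.Permission
                'Granted By' = $row.'Granted By'
                Finding      = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rows (not real data) in the shape of c:\perms.csv
$sample = @'
"Resource","Resource Type","User","Permission","Granted By"
"http://localhost:2020","SPWeb","CONTOSO\alice","Read","Site Visitors"
"http://localhost:2020","SPWeb","CONTOSO\alice","Full Control","Site Owners"
"http://localhost:2020/Shared Documents","SPList","CONTOSO\bob","Contribute","Direct Assignment"
"http://localhost:2020","SPWeb","CONTOSO\bob","Limited Access","Direct Assignment"
'@ | ConvertFrom-Csv

Get-PermissionReviewFindings -Rows $sample | Format-Table User, Resource, Finding -AutoSize
```

Against a real export, pass `(Import-Csv c:\perms.csv)` as `-Rows` instead of the sample.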

You can also download the script from here.

Enjoy...!
