<# The below PowerShell script enumerates through all sites with unique permissions and fetches users with Full Control Permission granted directly to the siteor through group membership.#>#Load SharePoint PowerShell Snapinif ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) { Add-PSSnapin "Microsoft.SharePoint.PowerShell"}#Collection of user permission objects$SiteOwners =@();#Define all the properties for the user permission object$Properties = @{Title='';SiteID='';WebID='';WebSiteUrl='';AccessRequestEmail='';Scope='';Login='';UserID='';User='';Email='';LastItemModified='';};#Site Url$WebUrl ="";#Web Application URL$WebApplicationURL = "<WebAppUrl>";#Enumerate through all Site Collections and SitesGet-SPWebApplication -Identity $WebApplicationURL | Get-SPSite -limit all |%{$siteID=$_.ID;#Enumerate through all sites within the site collectionGet-SPWeb -limit all -Site $_|%{$web = $_;#Check if the site has unique permissionsif(($web.HasUniqueRoleAssignments -eq "True" -or $web.IsRootWeb -eq "True")){$WebUrl = $web.Url;#Full Control Role Definition$FullControl = $web.RoleDefinitions["Full Control"];#Collection of Groups with Full Control permissions$OwnerGroups=@();#Get all Owner groups with Full Control permission$web.Groups|?{$_.Name -match "Owners"}|%{$IsGroupFullControl = $_.Roles|?{$_.Name -eq $FullControl.Name;}$OwnerGroups += $_;}try{<#SPWeb.Users:This represents the collection of users or user objects who have been explicitly assigned permissions in the Web site . This does not return users who have access through a group.SPWeb.AllUsers:This gives us the collection of user objects who are either members of the site collection or who have atleast navigated to the site as authenticated members of a domain group in the site.#>#Enumerate through all Users in the Web$web.AllUsers|?{$_.LoginName -ne "SHAREPOINT\System" -and $_.Email.Length -gt 0}|%{#Check User Effective Permissionsif($web.DoesUserHavePermissions($_.LoginName,[Microsoft.SharePoint.SPBasePermissions]::FullMask)){$user=$_;#Full Control Permission could have been granted directly or through group membership. Scope will represent these details.$Scopes=@();try{$UserRoleAssignments = $web.RoleAssignments.GetAssignmentByPrincipal($user);}catch{}#Check if user has Full Control Permissionsif($UserRoleAssignments.RoleDefinitionBindings.Contains($FullControl)){ $Scopes += "Site"; #Check for group membership of user in Owners group i.e. groups with Full Control permission$user.Groups|%{$Group=$_;$IsOwnerGroup = $OwnerGroups|?{$_.Name -eq $Group.Name};if($IsOwnerGroup){$Scopes += $Group.Name;}} #Create an object for the user permission record$Owner = New-Object PSObject -Property $Properties;$Owner.Title = $web.Title;$Owner.WebID = $web.ID;$Owner.SiteID = $siteID;$Owner.WebSiteURL = $web.URL;$Owner.AccessRequestEmail=$web.RequestAccessEmail;$Owner.Scope = ($Scopes -join ",");$Owner.UserID=$user.LoginName.Split("\")[1];$Owner.Login=$user.LoginName;$Owner.User=$user.Name;$Owner.Email=$user.Email;$Owner.LastItemModified=$web.LastItemModifiedDate.ToString("MM/dd/yyyy"); $SiteOwners +=$Owner;}}}$web.Dispose();$_.Dispose();}catch [System.Exception]{Write-Host ($WebUrl + ":" + $_.Exception.Message + ":" + $_.Exception.StackTrace);}}}#Dispose SPSite$_.Dispose();}$SiteOwners|Export-CSV "D:\SharePoint Administration\SiteOwners.csv" -NoTypeInformation;Courtesy: https://social.technet.microsoft.com/wiki/contents/articles/5884.sharepoint-2010-get-site-users-with-full-controlowners-permissions-with-powershell-script.aspx
No comments:
Post a Comment