
Monday, April 2, 2018

Get all List/Document/Folder Level Permission - SharePoint PowerShell


# This script gets permissions for all users in a web application on all objects (web application > site collection > web > list/library > item)


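# Load the SharePoint snap-in only when it is not already loaded. Testing first
# avoids the "already added" error without swallowing a genuine load failure;
# a blanket -ErrorAction SilentlyContinue would hide that failure and every
# later Get-SP* call would fail with a confusing "not recognized" error instead.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}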

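#######################################
# Appends one tab-separated report row per principal holding a role assignment
# on a securable object (web, list or folder).
# Arguments: $RoleAssignments - the object's RoleAssignments collection
#            $ObjectUrl       - value for the URL column
#            $ObjectType      - "Site", "List" or "Folder"
#            $ObjectName      - value for the Title/Name column
#            $FileUrl         - report file; rows are appended
# Outputs:   none on the pipeline; writes to $FileUrl
#######################################
Function WriteRoleAssignmentRows($RoleAssignments, $ObjectUrl, $ObjectType, $ObjectName, $FileUrl)
{
    foreach ($RoleAssignment in $RoleAssignments)
    {
        # Role definition names, each terminated by ";" and space-joined
        # (e.g. "Read; Contribute;"), so the Permissions column has one shape
        # for direct and for group-inherited rows.
        $Permissions = @()
        foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
        {
            $Permissions += $RoleDefinition.Name + ";"
        }
        $PermissionText = $Permissions -join " "

        if ($RoleAssignment.Member.UserLogin)
        {
            # Member has a login, so it is reported as a direct grant.
            # NOTE(review): a domain security group principal also carries a
            # UserLogin and is therefore reported as a single row rather than
            # expanded into its members - confirm that is the intended reading.
            "$ObjectUrl`t$ObjectType`t$ObjectName`tDirect Permission`t$PermissionText`t$($RoleAssignment.Member.DisplayName)" | Out-File $FileUrl -Append
        }
        else
        {
            # Member is a SharePoint group: one row per group member, naming the group.
            foreach ($User in $RoleAssignment.Member.Users)
            {
                "$ObjectUrl`t$ObjectType`t$ObjectName`tMember of $($RoleAssignment.Member.Name) Group`t$PermissionText`t$($User.DisplayName)" | Out-File $FileUrl -Append
            }
        }
    }
}

#######################################
# Writes a tab-separated permission report for every site collection in a web
# application: site collection administrators, then role assignments on each
# web, list and folder that has unique (non-inherited) permissions.
# Arguments: $WebAppURL - URL of the web application to report on
#            $FileUrl   - report file; overwritten, then appended to
# Outputs:   progress messages on the console; the report in $FileUrl
# TODO(review): the original comment "Check Web Application Policies" was never
#   implemented - web-application-level user policies are not part of this
#   report, so a principal granted access only through such a policy will be
#   absent from it.
#######################################
Function GetUserAccessReport($WebAppURL, $FileUrl)
{
    Write-Host "Generating permission report..."

    # Header row. The file is tab-separated even though callers name it .csv.
    "URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions`tLoginName" | Out-File $FileUrl

    $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

    foreach ($Site in $SiteCollections)
    {
        try
        {
            # Site collection administrators are reported once, against the root web.
            foreach ($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
            {
                "$($Site.RootWeb.Url)`tSite`t$($Site.RootWeb.Title)`tSite Collection Administrator`tSite Collection Administrator`t$($SiteCollAdmin.DisplayName)" | Out-File $FileUrl -Append
            }

            foreach ($Web in $Site.AllWebs)
            {
                try
                {
                    # Webs that inherit from their parent are covered by the parent's rows.
                    if ($Web.HasUniqueRoleAssignments -eq $True)
                    {
                        WriteRoleAssignmentRows $Web.RoleAssignments $Web.Url "Site" $Web.Title $FileUrl
                    }

                    foreach ($List in $Web.Lists)
                    {
                        Write-Host "Checking List $($List.Title) level permissions..." -ForegroundColor Green

                        # Hidden lists are skipped at list level; their folders are still walked below.
                        if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                        {
                            WriteRoleAssignmentRows $List.RoleAssignments "$($List.ParentWeb.Url)/$($List.RootFolder.Url)" "List" $List.Title $FileUrl
                        }

                        foreach ($Folder in $List.Folders)
                        {
                            Write-Host "Checking Folder $($Folder.Name) level permissions..." -ForegroundColor Magenta

                            if ($Folder.HasUniqueRoleAssignments -eq $True)
                            {
                                # Folder.Name is used for the Title/Name column, as in the progress message above.
                                WriteRoleAssignmentRows $Folder.RoleAssignments "$($Folder.Web.Url)/$($Folder.Url)" "Folder" $Folder.Name $FileUrl
                            }
                        }
                    }
                }
                finally
                {
                    # SPWeb objects from AllWebs hold unmanaged resources; release each one.
                    $Web.Dispose()
                }
            }
        }
        finally
        {
            # SPSite objects from Get-SPSite likewise must be disposed by the caller.
            $Site.Dispose()
        }
    }
}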

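# Inputs for this run. The report enumerates every principal's access on every
# object in the web application, so the output location should be readable only
# by the administrators who need it.
$WebAppUrl = "http://win-2016"
$ReportPath = "D:\PowerShell-help\April2018\3rd\SharePoint_Permission_Report.csv"

# Out-File does not create missing directories; fail once up front rather than
# once per report row.
$ReportDir = Split-Path -Parent $ReportPath
if (-not (Test-Path -LiteralPath $ReportDir))
{
    throw "Report directory '$ReportDir' does not exist."
}

# Generate the report
GetUserAccessReport $WebAppUrl $ReportPath
Write-Host "Complete"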