# This script gets permissions for all users in a web
application on all objects (web application > site collection > web >
list/library > item)
Add-PSSnapin Microsoft.SharePoint.PowerShell
-ErrorAction SilentlyContinue
Function GetUserAccessReport($WebAppURL, $FileUrl)
{
Write-Host
"Generating permission report..."
#Get All
Site Collections of the WebApp
$SiteCollections
= Get-SPSite
-WebApplication $WebAppURL
-Limit All
#Write CSV-
TAB Separated File) Header
"URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions
`tLoginName" | out-file $FileUrl
#Check Web
Application Policies
$WebApp= Get-SPWebApplication
$WebAppURL
#Loop
through all site collections
foreach($Site in $SiteCollections)
{
#Check Whether the Search User is a Site Collection
Administrator
foreach($SiteCollAdmin
in $Site.RootWeb.SiteAdministrators)
{
"$($Site.RootWeb.Url)`tSite`t$($Site.RootWeb.Title)`tSite
Collection Administrator`tSite Collection Administrator`t$($SiteCollAdmin.DisplayName)" | Out-File $FileUrl
-Append
}
#Loop throuh all Sub Sites
foreach($Web in $Site.AllWebs)
{
if($Web.HasUniqueRoleAssignments
-eq $True)
{
#Get all the users granted permissions to the list
foreach($WebRoleAssignment
in $Web.RoleAssignments )
{
#Is it a User Account?
if($WebRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$WebUserPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebUserPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($Web.Url)`tSite`t$($Web.Title)`tDirect Permission`t$($WebUserPermissions) `t$($WebRoleAssignment.Member.DisplayName)" | Out-File $FileUrl
-Append
}
#Its a SharePoint Group, So search inside the group and
check if the user is member of that group
else
{
foreach($user in $WebRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$WebGroupPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebGroupPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($Web.Url)`tSite`t$($Web.Title)`tMember of $($WebRoleAssignment.Member.Name) Group`t$($WebGroupPermissions)`t$($user.DisplayName)"
| Out-File $FileUrl -Append
}
}
}
}
#******** Check Lists, Folders, and Items with Unique
Permissions ********/
foreach($List in $Web.lists)
{ Write-Host
"Checking List "$List.Title" level permissions..." -ForegroundColor Green
if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Get all the users granted permissions to the list
foreach($ListRoleAssignment
in $List.RoleAssignments )
{
#Is it a User Account?
if($ListRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$ListUserPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListUserPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member.DisplayName)" | Out-File $FileUrl
-Append
}
#Its a SharePoint Group, So search inside the group and
check if the user is member of that group
else
{
foreach($user
in $ListRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$ListGroupPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListGroupPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.DisplayName)"
| Out-File $FileUrl -Append
}
}
}
}
#Get Folder level permissions
foreach($Folder
in $List.folders)
{
Write-Host
"Checking Folder "$Folder.Name" level permissions..." -ForegroundColor Magenta
if($Folder.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the folder
foreach($FolderRoleAssignment
in $Folder.RoleAssignments )
{
#Is it a User Account?
if($FolderRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$FolderUserPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderUserPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Name)`tDirect
Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member.DisplayName)" | Out-File $FileUrl
-Append
}
#Is it a domain Account?
if($FolderRoleAssignment.Member.IsDo)
{
#Get the Permissions assigned to user
$FolderUserPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderUserPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect
Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member.DisplayName)" | Out-File $FileUrl
-Append
}
#Its a SharePoint Group, So search inside the group and
check if the user is member of that group
else
{
foreach($user
in $FolderRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$FolderGroupPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderGroupPermissions +=
$RoleDefinition.Name
+";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.DisplayName)" | Out-File $FileUrl
-Append
}
}
}
}
}
}
}
}
}
#Call the function to Check User Access
GetUserAccessReport "http://win-2016" "D:\PowerShell-help\April2018\3rd\SharePoint_Permission_Report.csv"
Write-Host "Complete"