Friday, 28 August 2015

User Permission Report for SharePoint 2013 (single user acces on list, library, site)

Hi Frnds,

I am a back with a very useful blog that you might be struglling in SharePoint Enviromenet.
Yes I have been talking about the user access report on all the site, list, library for a particular webapplication.

Manually going in each site, list and library may takes a lot of time. why cant we quickly take help of the most powerfull tool (Powershell)

With the below code, you can generate a csv file which you can use it for getting report for a single user.

You will require:

SharePoint Powershell
Admin Right (Run the powershell as a administrator)


Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
  
Function GetUserAccessReport($WebAppURL, $SearchUser)
{
    #Output Report location
    $OutputReport = "C:\Report\SabinaPermission.csv"
    #Please delete the file, If already exist!
    if (Test-Path $OutputReport)
     {
        Remove-Item $OutputReport
     }
Write-host "I am scanning Farm Administrator Group..."
#Write CSV- TAB Separated File) Header
"URL `t Site/List `t Title `t PermissionType `t Permissions" | out-file $OutputReport
  
  ####Check Whether the Search Users is a Farm Administrator ###
  #Get the SharePoint Central Administration site
  $AdminWebApp= Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
    $AdminSite = Get-SPweb($AdminWebApp.Url)
    $AdminGroupName = $AdminSite.AssociatedOwnerGroup
    $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
  
 #enumerate in farm adminidtrators groups
    foreach ($user in $FarmAdminGroup.users)
    {
     if($user.LoginName -eq $SearchUser)
     {
       "$($AdminWebApp.URL) `t Farm `t $($AdminSite.Title)`t Farm Administrator `t Farm Administrator" | Out-File $OutputReport -Append
     }    
    }
  
Write-host "I am Scanning Web Application Policies..."
 ### Check Web Application Policies ###
  $WebApp= Get-SPWebApplication $WebAppURL
  
  foreach ($Policy in $WebApp.Policies)
  {
      #Check if the search users is member of the group
     if($Policy.UserName -eq $SearchUser)
       {
       #Write-Host $Policy.UserName
        $PolicyRoles=@()
       foreach($Role in $Policy.PolicyRoleBindings)
       {
        $PolicyRoles+= $Role.Name +";"
       }
       #Write-Host "Permissions: " $PolicyRoles
      "$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles)" | Out-File $OutputReport -Append
   }
  }
 Write-host "I am Scanning Site Collections..."
 #Get All Site Collections of the WebApp
 $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
     
  #Loop through all site collections
   foreach($Site in $SiteCollections)
    {
     Write-host "I am Scanning Site Collection:" $site.Url
     #Check Whether the Search User is a Site Collection Administrator
     foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
        {
      if($SiteCollAdmin.LoginName -eq $SearchUser)
      {
       "$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $OutputReport -Append
      }    
    }
    
     #Loop throuh all Sub Sites
  foreach($Web in $Site.AllWebs)
  {
      if($Web.HasUniqueRoleAssignments -eq $True)
            {
             Write-host "I am Scanning Site:" $Web.Url
     
            #Get all the users granted permissions to the list
              foreach($WebRoleAssignment in $Web.RoleAssignments )
    {
                 #Is it a User Account?
          if($WebRoleAssignment.Member.userlogin)  
           {
              #Is the current user is the user we search for?
              if($WebRoleAssignment.Member.LoginName -eq $SearchUser)
             {
               #Write-Host  $SearchUser has direct permissions to site $Web.Url
               #Get the Permissions assigned to user
       $WebUserPermissions=@()
                foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
                {
                 $WebUserPermissions += $RoleDefinition.Name +";"
                }
               #write-host "with these permissions: " $WebUserPermissions
           
         #Send the Data to Log file
               "$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)" | Out-File $OutputReport -Append
             }
           }
        #Its a SharePoint Group, So search inside the group and check if the user is member of that group
         else
          {
                        foreach($user in $WebRoleAssignment.member.users)
                            {
                #Check if the search users is member of the group
               if($user.LoginName -eq $SearchUser)
                {
                  #Write-Host  "$SearchUser is Member of " $WebRoleAssignment.Member.Name "Group"
                  #Get the Group's Permissions on site
                $WebGroupPermissions=@()
                  foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
                  {
                      $WebGroupPermissions += $RoleDefinition.Name +";"
                     }
                #write-host "Group has these permissions: " $WebGroupPermissions
                
               #Send the Data to Log file
               "$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions)" | Out-File $OutputReport -Append
              }
             }
     }
    }
      }
      
    ###*****  Check Lists with Unique Permissions *******###
   foreach($List in $Web.lists)
   {
             if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                {
                 Write-host "Scanning List:" $List.RootFolder.Url
                    #Get all the users granted permissions to the list
     foreach($ListRoleAssignment in $List.RoleAssignments )
                    {
                     #Is it a User Account?
             if($ListRoleAssignment.Member.userlogin)  
              {
                 #Is the current user is the user we search for?
                 if($ListRoleAssignment.Member.LoginName -eq $SearchUser)
                {
                  #Write-Host  $SearchUser has direct permissions to List ($List.ParentWeb.Url)/($List.RootFolder.Url)
                  #Get the Permissions assigned to user
                   $ListUserPermissions=@()
                    foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
                    {
                                 $ListUserPermissions += $RoleDefinition.Name +";"
                                }
                  #write-host "with these permissions: " $ListUserPermissions
               
                  #Send the Data to Log file
                  "$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permissions `t $($ListUserPermissions)" | Out-File $OutputReport -Append
                }
              }
              #Its a SharePoint Group, So search inside the group and check if the user is member of that group
             else
              {
       foreach($user in $ListRoleAssignment.member.users)
       {
                   if($user.LoginName -eq $SearchUser)
                    {
                     #Write-Host  "$SearchUser is Member of " $ListRoleAssignment.Member.Name "Group"
                      #Get the Group's Permissions on site
                    $ListGroupPermissions=@()
                      foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
                      {
                                  $ListGroupPermissions += $RoleDefinition.Name +";"
                                 }
                    #write-host "Group has these permissions: " $ListGroupPermissions
                
                    #Send the Data to Log file
                    "$($Web.Url) `t Site `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($ListGroupPermissions)" | Out-File $OutputReport -Append
                  }
                }
             }
                    }
                }
            }
     }
 }
      
 Write-host "`n Access Rights Report Generated!"
 }
  
#Call the function to Check User Access
GetUserAccessReport "http://Yoursharepointname.com" "i:0#.w|sharepoint\Sabina"

it will generate a tab separated CSV file.

as belolow

Credit goes to Salaudeen Rajack Rereferenced from Salaudeen SharePointDiary  

Isnt it simple !! Cheers!!

No comments:

Post a Comment