Get Full Control Users permissions for SharePoint on premise and validate them against AD


#This script generates a report listing every principal that holds Full Control on a SharePoint site, with each user account validated against Active Directory.
#try/catch/finally require PowerShell 2.0 or later; on a SharePoint 2007 server that still runs PowerShell 1.0, remove those blocks (or install PowerShell 2.0) before running the script.

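# Load the SharePoint server object model. LoadWithPartialName returns $null
# instead of throwing when the assembly is not installed, and the original
# [Void] cast hid that; the first visible failure would then have been a
# confusing "type not found" error on the SPFarm line below.
$spAssembly = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
if ($spAssembly -eq $null) {
    throw "Microsoft.SharePoint assembly not found; run this script on a SharePoint server."
}
# get local farm
# SPFarm.Local can be $null (no farm connection / insufficient rights); fail
# with a clear message rather than a null-valued expression later.
$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
if ($farm -eq $null) {
    throw "Cannot connect to the local SharePoint farm; run as a farm administrator on a farm member."
}
# get web services from local farm (only SPWebService instances host web applications)
$websrvcs = $farm.Services | Where-Object { $_.GetType() -eq [Microsoft.SharePoint.Administration.SPWebService] }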
# Report rows are tab-separated text (despite the .csv file name); see GetUserAccessReport for the column layout.

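# Writes the Full Control report for every site collection in the farm.
#
# $FileUrl     - path of the report (tab-separated text, one row per web). A
#                header row is written when the file does not exist yet; rows
#                are appended otherwise, so rotate the file between runs.
# $ExcludeUrls - web application URLs to skip; the original hard-coded
#                placeholder is the default so existing callers behave the same.
#
# Row layout: URL, Type, Principals, Last Modified, Title.
#   Type       - "Site Collection Administrators" (one row per site collection;
#                the original computed these admins and then never wrote them),
#                "Site Collection", "Subsite", or "Subsite (inherited)" for a web
#                that inherits permissions (the original reused whatever the
#                previous unique-permission web had accumulated for such rows).
#   Principals - ';'-terminated, de-duplicated list of e-mail addresses, falling
#                back to the login name when the account has no e-mail. Users are
#                listed only when their sAMAccountName resolves in AD; every
#                principal that is dropped is reported with Write-Warning so the
#                gap in the review is visible instead of silent. Domain groups
#                holding Full Control are listed by login name and warned about,
#                because the AD check covers person objects only.
#
# The finished file names everyone with administrative rights over the farm's
# content; keep it in an access-controlled location.
# Relies on $websrvcs and CheckUserExistsInAD defined in this file.
function GetUserAccessReport($FileUrl, $ExcludeUrls = @("<<http://webapp/>>"))
{
    if (-not (Test-Path $FileUrl)) {
        "URL`tType`tPrincipals`tLast Modified`tTitle" | Out-File $FileUrl
    }

    # One AD round trip per distinct account instead of one per account per web.
    $adCache = @{}

    foreach ($websrvc in $websrvcs) {
        $webApps = $websrvc.WebApplications | Where-Object { $ExcludeUrls -notcontains $_.Url }
        foreach ($webApp in $webApps) {
            foreach ($Site in $webApp.Sites) {
                # SPSite/SPWeb hold unmanaged resources; dispose each one we enumerate.
                try {
                    # Site collection administrators hold Full Control implicitly and
                    # never appear in RoleAssignments, so they get their own row.
                    $adminIds = @()
                    foreach ($admin in $Site.RootWeb.SiteAdministrators) {
                        $id = GetReportedIdentity $admin $adCache "$($Site.Url) (site collection administrator)"
                        if ($id) { $adminIds += $id }
                    }
                    WriteReportRow $FileUrl $Site.Url "Site Collection Administrators" $adminIds $Site.LastContentModifiedDate $Site.RootWeb.Title

                    foreach ($Web in $Site.AllWebs) {
                        try {
                            $isRoot = ($Web.Url -eq $Site.Url)
                            $ids = @()
                            if ($Web.HasUniqueRoleAssignments) {
                                $type = if ($isRoot) { "Site Collection" } else { "Subsite" }
                                $ids = GetFullControlIdentities $Web $adCache
                            }
                            else {
                                # Effective Full Control holders are those of the parent web.
                                $type = if ($isRoot) { "Site Collection" } else { "Subsite (inherited)" }
                            }
                            $modified = if ($Web.LastItemModifiedDate) { $Web.LastItemModifiedDate } else { $Site.LastContentModifiedDate }
                            WriteReportRow $FileUrl $Web.Url $type $ids $modified $Web.Title
                        }
                        finally {
                            $Web.Dispose()
                        }
                    }
                }
                finally {
                    $Site.Dispose()
                }
            }
        }
    }
}

# $true when the bindings grant Full Control: either the built-in level by its
# exact name (the original used -match, so a custom level such as
# "Full Control - no delete" also counted) or a custom level whose
# BasePermissions equal FullMask, which is Full Control under another name.
function HasFullControl($RoleDefinitionBindings)
{
    $fullMask = [Microsoft.SharePoint.SPBasePermissions]::FullMask
    foreach ($RoleDefinition in $RoleDefinitionBindings) {
        if ($RoleDefinition.Name -eq "Full Control") { return $true }
        if ($RoleDefinition.BasePermissions -eq $fullMask) { return $true }
    }
    return $false
}

# Extracts the sAMAccountName from a SharePoint login name:
# "DOMAIN\user" and claims-encoded "i:0#.w|DOMAIN\user" both yield "user".
function GetAccountName($LoginName)
{
    if (-not $LoginName) { return "" }
    return "$LoginName".Split("|")[-1].Split("\")[-1]
}

# Value to show in the report for one principal, or $null to drop it.
# $Cache is a hashtable of sAMAccountName -> [bool] shared across the run;
# $Where is used only in the warning text.
function GetReportedIdentity($Principal, $Cache, $Where)
{
    if ($Principal -eq $null) { return $null }
    $login = $Principal.LoginName

    if ($Principal.IsDomainGroup) {
        # CheckUserExistsInAD resolves person objects only, so a domain group
        # cannot be validated here. Listing it is still more useful than the
        # original's silent drop: every member of the group has Full Control.
        Write-Warning "$Where : domain group '$login' holds Full Control; review its membership separately"
        return $login
    }

    $account = GetAccountName $login
    if (-not $Cache.ContainsKey($account)) {
        $Cache[$account] = ((CheckUserExistsInAD $account) -eq $true)
    }
    if (-not $Cache[$account]) {
        Write-Warning "$Where : '$login' holds Full Control but was not found in AD; dropped from the report"
        return $null
    }

    if ($Principal.Email) { return $Principal.Email }
    return $login
}

# All principals holding Full Control on a web with unique permissions,
# direct assignments and SharePoint group members alike.
function GetFullControlIdentities($Web, $Cache)
{
    $identities = @()
    foreach ($assignment in $Web.RoleAssignments) {
        if (-not (HasFullControl $assignment.RoleDefinitionBindings)) { continue }
        $member = $assignment.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            # Decide "group" by type. The original used "has no e-mail", which
            # also silently skipped every user without a mail attribute.
            foreach ($user in $member.Users) {
                $id = GetReportedIdentity $user $Cache "$($Web.Url) (group '$($member.Name)')"
                if ($id) { $identities += $id }
            }
        }
        else {
            $id = GetReportedIdentity $member $Cache $Web.Url
            if ($id) { $identities += $id }
        }
    }
    return $identities
}

# Appends one row. Values are tab-separated, so tabs and line breaks inside the
# title are flattened to spaces to keep the column layout intact.
function WriteReportRow($FileUrl, $Url, $Type, $Identities, $Modified, $Title)
{
    $unique = @($Identities | Select-Object -Unique)
    $principals = ""
    if ($unique.Count -gt 0) { $principals = ($unique -join ";") + ";" }
    $safeTitle = "$Title" -replace "[`t`r`n]+", " "
    "$Url `t $Type `t $principals `t $Modified `t $safeTitle " | Out-File $FileUrl -Append
}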

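# Escapes a value for use inside an LDAP search filter (RFC 4515).
# Backslash is escaped first so the escape sequences added afterwards are not
# re-escaped.
function EscapeLdapFilterValue([string]$Value)
{
    if (-not $Value) { return "" }
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

#Function to Check if an User exists in AD
# Looks for a user object with the given sAMAccountName in every domain of the
# current forest and returns $true on the first hit, $false otherwise.
#
# $UserLoginID - sAMAccountName only (no domain or claims prefix). An empty
#                value returns $false without querying.
#
# A lookup that fails in one domain is logged with Write-Warning and the
# remaining domains are still searched (the original printed only the login ID).
# NOTE(review): a disabled account still returns $true; filter on
# userAccountControl if the report should exclude disabled accounts.
function CheckUserExistsInAD()
{
    Param([string]$UserLoginID )

    if (-not $UserLoginID -or -not $UserLoginID.Trim()) { return $false }

    # The login ID is taken from SharePoint, not from a trusted source, and the
    # original interpolated it raw: a value such as "*" or "x)(objectClass=*"
    # would widen the filter and make any account look valid. Escape it.
    $escaped = EscapeLdapFilterValue $UserLoginID
    # objectClass=user is the conventional companion to objectCategory=person;
    # the original repeated objectCategory twice.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"

    #Search the User in AD
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($Domain in $forest.Domains)
    {
        # Reset per domain so a failed lookup cannot reuse a stale value.
        $result = $null
        $root = $null
        $search = $null
        try {
            # $Domain is already a Domain object; no need to resolve it again via a DirectoryContext.
            $root = $Domain.GetDirectoryEntry()
            $search = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
            [void]$search.PropertiesToLoad.Add("sAMAccountName")
            $result = $search.FindOne()
        }
        catch {
            Write-Warning "AD lookup for '$UserLoginID' in $($Domain.Name) failed: $($_.Exception.Message)"
        }
        finally {
            # DirectorySearcher/DirectoryEntry wrap COM handles; release them.
            if ($search -ne $null) { $search.Dispose() }
            if ($root -ne $null) { $root.Dispose() }
        }
        if ($result -ne $null)
        {
            return $true
        }
    }
    return $false
}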


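# Make a call to the function
# The report names every principal with Full Control (plus e-mail), so write it
# somewhere only the reviewers can read. Refuse to run into an existing file:
# the function appends, and two runs mixed in one file make the review unreliable.
$reportPath = "c:\FileName.csv"
if (Test-Path $reportPath) {
    throw "Report file '$reportPath' already exists; move it aside before running again."
}
GetUserAccessReport $reportPath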
