Get Full Control Users permissions for SharePoint on premise and validate them against AD


# This script generates a report listing every user who has Full Control access to SharePoint sites,
# after checking that each account still resolves in Active Directory (stale accounts are omitted).
# The same script can be used in a SharePoint 2007 environment by removing the try/catch/finally
# statements (PowerShell v1 does not support them).

# Load the SharePoint server object model; the rest of the script uses SPFarm/SPSite/SPWeb directly.
# NOTE(review): this must run on a farm server, under an account that can open every site
# collection it enumerates -- confirm before scheduling it.
$null = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# The local farm and the service(s) that host web applications. Only exact SPWebService
# instances are kept, exactly as the previous type comparison did.
$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
$websrvcs = $farm.Services | Where-Object { $_.GetType() -eq [Microsoft.SharePoint.Administration.SPWebService] }

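function GetUserAccessReport($FileUrl)
{
    # Walks every web application, site collection and web in the local farm and appends one
    # tab-separated line per web to $FileUrl listing the principals that hold "Full Control"
    # there (plus the site collection administrators, on the root web's row). Each user account
    # is checked with CheckUserExistsInAD before it is listed.
    # Columns: URL, Type, Users, Emails, Last Modified, Title.
    #
    # NOTE(review): the output is an inventory of the farm's most privileged identities
    # (logins and e-mail addresses). Write it to an ACL-restricted location.
    #
    # Defects fixed relative to the previous revision (all visible in the old loops):
    #  - $SCgroups/$SCEmail (site collection admins) and $groups (qualified logins) were
    #    computed but never written to the file; they now fill the Users/Emails columns.
    #  - A principal was treated as a SharePoint group whenever Member.Email was empty, so
    #    users and domain groups without an e-mail address were silently dropped from the
    #    audit. The branch is now chosen by type (SPGroup vs. SPUser).
    #  - $groups/$emails were only reset inside the HasUniqueRoleAssignments branch, so a web
    #    that inherits permissions reported the previous web's principals. Every web is now
    #    evaluated from its own RoleAssignments and inherited ones are flagged in the Type column.
    #  - SPSite/SPWeb objects returned by Sites/AllWebs are now disposed.

    # Parse a SharePoint login name into its samAccountName and its domain-qualified form,
    # accepting both classic "DOMAIN\user" and claims-encoded "i:0#.w|DOMAIN\user" values
    # (same split()-based rules as before).
    function Split-LoginName([string]$LoginName)
    {
        $byBackslash = $LoginName.split("\")
        $byPipe = $LoginName.split("|")
        if ($byBackslash[1] -ne $null) { $account = $byBackslash[1] } else { $account = $byBackslash[0] }
        if ($byPipe[1] -ne $null) { $qualified = $byPipe[1] } else { $qualified = $byPipe[0] }
        return @{ Account = $account; Qualified = $qualified }
    }

    # True when any role definition bound to the assignment has "Full Control" in its name.
    # NOTE(review): this is the same name match the old code used; a custom role definition
    # that grants the full permission mask under another name is not detected. Testing
    # BasePermissions for FullMask would be the stricter check.
    function Test-FullControl($RoleAssignment)
    {
        foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
        {
            if ($RoleDefinition.Name -match "Full Control") { return $true }
        }
        return $false
    }

    # Record one SPUser in the accumulator (a hashtable with Users/Emails strings, each
    # entry ";"-terminated). Domain groups have no person object in AD, so the user lookup
    # can never confirm them; they are recorded with a tag instead of being dropped.
    function Add-Principal($Principal, $Accumulator)
    {
        if ($Principal -eq $null) { return }
        $parts = Split-LoginName $Principal.LoginName
        if ($Principal.IsDomainGroup)
        {
            $Accumulator.Users += $parts.Qualified + " (domain group, not validated in AD);"
            $Accumulator.Emails += $Principal.Email + ";"
            return
        }
        if ((CheckUserExistsInAD $parts.Account) -eq $true)
        {
            $Accumulator.Users += $parts.Qualified + ";"
            $Accumulator.Emails += $Principal.Email + ";"
        }
    }

    # Emit a header once. Existing files are still appended to, as before.
    if (-not (Test-Path $FileUrl))
    {
        "URL`tType`tUsers`tEmails`tLast Modified`tTitle" | Out-File $FileUrl
    }

    foreach ($websrvc in $websrvcs)
    {
        # NOTE(review): the two identical placeholder URLs look like a sanitized exclusion
        # list; replace them with the web applications that should be skipped.
        $webApps = $websrvc.WebApplications | where-object { $_.url -ne "<<http://webapp/>>" -and $_.url -ne "<<http://webapp/>>" }
        foreach ($webApp in $webApps)
        {
            foreach ($Site in $webApp.Sites)
            {
                try
                {
                    # Site collection administrators have full control of every web in the
                    # site collection; they are reported on the root web's row.
                    $siteAdmins = @{ Users = ""; Emails = "" }
                    foreach ($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
                    {
                        Add-Principal $SiteCollAdmin $siteAdmins
                    }

                    foreach ($Web in $Site.AllWebs)
                    {
                        try
                        {
                            $found = @{ Users = ""; Emails = "" }
                            if ($Web.IsRootWeb)
                            {
                                $type = "Site Collection"
                                $found.Users += $siteAdmins.Users
                                $found.Emails += $siteAdmins.Emails
                            }
                            elseif ($Web.HasUniqueRoleAssignments)
                            {
                                $type = "Subsite"
                            }
                            else
                            {
                                $type = "Subsite (inherited)"
                            }

                            # For a web that inherits permissions, RoleAssignments yields the
                            # inherited collection, so each row shows effective Full Control.
                            foreach ($WebRoleAssignment in $Web.RoleAssignments)
                            {
                                if (-not (Test-FullControl $WebRoleAssignment)) { continue }
                                $member = $WebRoleAssignment.Member
                                if ($member -is [Microsoft.SharePoint.SPGroup])
                                {
                                    # SharePoint group: list its members individually.
                                    foreach ($user in $member.Users) { Add-Principal $user $found }
                                }
                                else
                                {
                                    Add-Principal $member $found
                                }
                            }

                            if ($Web.LastItemModifiedDate) { $modified = $Web.LastItemModifiedDate }
                            else { $modified = $Site.LastContentModifiedDate }
                            "$($Web.Url)`t$type`t$($found.Users)`t$($found.Emails)`t$modified`t$($Web.Title)" | Out-File $FileUrl -Append
                        }
                        finally
                        {
                            $Web.Dispose()
                        }
                    }
                }
                finally
                {
                    $Site.Dispose()
                }
            }
        }
    }
}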

#Function to Check if an User exists in AD
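function CheckUserExistsInAD()
{
    Param([string]$UserLoginID )

    # Returns $true when a user object with the given samAccountName exists in ANY domain of
    # the current forest, $false otherwise. Lookup errors are reported to the console and
    # treated as "not found" in that domain (best-effort, as before).
    #
    # NOTE(review): callers pass only the account part of "DOMAIN\user", so a stale
    # "DOMAINA\bob" is still accepted as long as some "DOMAINB\bob" exists in the forest.
    # Matching on the domain part as well would make this check authoritative.

    # Escape the characters RFC 4515 reserves in filter values. The login name comes from
    # the SharePoint user store and was previously interpolated into the LDAP filter
    # unescaped, so a value containing "*", "(" or ")" could widen or alter the query.
    function Escape-LdapFilterValue([string]$Value)
    {
        if ($Value -eq $null) { return "" }
        $escaped = $Value.Replace("\", "\5c")
        $escaped = $escaped.Replace("*", "\2a")
        $escaped = $escaped.Replace("(", "\28")
        $escaped = $escaped.Replace(")", "\29")
        $escaped = $escaped.Replace([string][char]0, "\00")
        return $escaped
    }

    # An empty account name can never match; the old code let the malformed filter throw.
    if ([string]::IsNullOrEmpty($UserLoginID)) { return $false }
    $escapedId = Escape-LdapFilterValue $UserLoginID

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($Domain in $forest.Domains)
    {
        $result = $null
        $root = $null
        $search = $null
        try
        {
            $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $Domain.Name)
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
            $root = $domain.GetDirectoryEntry()
            $search = new-object System.DirectoryServices.DirectorySearcher($root)
            # objectCategory=person with objectClass=user is the standard "user account" filter;
            # the previous filter tested objectCategory twice.
            $search.Filter = "(&(objectCategory=person)(objectClass=user)(samAccountName=$escapedId))"
            [void]$search.PropertiesToLoad.Add("samAccountName")
            $result = $search.FindOne()
        }
        catch
        {
            # Say why the lookup failed instead of echoing only the account name.
            write-host "AD lookup for '$UserLoginID' failed in $($Domain.Name): $($_.Exception.Message)"
        }
        finally
        {
            # DirectorySearcher/DirectoryEntry hold LDAP connections; release them per domain.
            if ($search -ne $null) { $search.Dispose() }
            if ($root -ne $null) { $root.Dispose() }
        }
        if ($result -ne $null)
        {
            return $true
        }
    }
    return $false
}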


# Produce the report.
# NOTE(review): the file lists every Full Control principal's login and e-mail address;
# point it at a directory only administrators can read rather than the root of C:\.
GetUserAccessReport -FileUrl "c:\FileName.csv"
