SOLVED

Get SharePoint Groups or Security Groups and Permissions for each Sub Web.

%3CLINGO-SUB%20id%3D%22lingo-sub-90543%22%20slang%3D%22en-US%22%3EGet%20SharePoint%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-90543%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20want%20produce%20%26nbsp%3Ba%20report%20or%20the%20SharePoint%20Groups%20and%20or%20Security%20Groups%20on%20each%20of%20the%20Sub%20Webs%20(%20one%20level%20only)%20%26nbsp%3Bin%20an%20SharePoint%20online%20intranet.%20Now%2C%20before%20I%20start%20creating%20a%20custom%20object%20and%20exporting%20to%20CSV%2C%20I%20thought%20I%20would%20have%20a%20go%20with%20the%20PnPCommandlets.%20In%20the%20code%20below%2C%20I%20just%20testing%20the%20owner%20groups%2C%20before%20looking%20at%20the%20other%20groups.%20%26nbsp%3BI%20am%20not%20sure%20this%20the%20best%20approach%20so%20be%20intersting%20in%20hearing%20about%20any%20suggested%20improvements.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%20%24subWebs%20%3D%20Get-PnPSubWebs%0A%0A%20Foreach%20(%24subWeb%20in%20%24subWebs)%0A%20%7B%0A%20%20%0A%20%20%20write-host%20-ForegroundColor%20DarkYellow%20%24subWeb.Title%0A%0A%20%20%20Connect-PnPOnline%20%24subWeb.Url%20-Credentials%20%24cred%0A%20%20%20%24ownerGroup%20%3D%20(Get-pnpweb%20-Includes%20AssociatedOwnerGroup).AssociatedOwnerGroup%0A%20%20%20%24memberGroup%20%3D%20(Get-pnpweb%20-Includes%20AssociatedMemberGroup).AssociatedMemberGroup%0A%20%20%20%24vistorGroup%20%3D%20(Get-pnpweb%20-Includes%20AssociatedVisitorGroup).AssociatedVisitorGroup%0A%0A%20%20%20%24groupTitle%20%3D%20%20%24ownerGroup.Title%20%0A%20%20%20%24groupPermissions%20%3D%20(Get-PnPGroupPermissions%20-Identity%20%20%24groupTitle%20)%0A%20%20%20write-host%20%24groupTitle%20%0A%20%20%20%24groupPermissions%20%7C%20ForEach%20%7BWrite-Host%20%24_.name%20'%20'%20%20%24_.RoleTypeKind%7D%0A%0A%20%7D%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-102205%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-102205%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F7507%22%20target%3D%22_blank%22%3E%40Robert%20Luck%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20%3CSTRONG%3EAdminDroid%3C%2FSTRONG%3E.%20You%20can%20check%20out%20the%20interactive%20demo%20%3CA%20href%3D%22http%3A%2F%2Fdemo.admindroid.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F7507%22%20target%3D%22_blank%22%3E%40Robert%20Luck%3C%2FA%3E%26nbsp%3Bthe%26nbsp%3Bname%20did%20escape%20me%20monentarily.%20%26nbsp%3BIdeally%20this%20should%20be%20something%20we%20should%20get%20via%20the%20PnPCommandlet%20esp%20when%20considering%20there%20is%20%3CSTRONG%3E-Web%26nbsp%3B%3C%2FSTRONG%3Eparementer.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-102126%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-102126%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20%3CSTRONG%3EAdminDroid%3C%2FSTRONG%3E.%20You%20can%20check%20out%20the%20interactive%20demo%20%3CA%20href%3D%22http%3A%2F%2Fdemo.admindroid.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-102120%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-102120%22%20slang%3D%22en-US%22%3ENigel%3CBR%20%2F%3E%3CBR%20%2F%3EYep%2C%20been%20there.%20My%20advice%20is%20to%20install%20the%20excellent%20audit%20tool...%20I%20can't%20remember%20the%20exact%20name%20but%20it%20has%20droid%20in%20the%20name..%20You%20run%20it%20from%20localhost%20on%20your%20laptop.%20I%20asked%20them%20to%20include%20support%20for%20groups%20assigned%20to%20a%20Web..%20They%20said%20that%20was%20in%20development.%20You%20can%20export%20to.%20CSV.%20Can%20discuss%20later%20but%20I%20am%20on%20a%20beach%20in%20Wales!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-101607%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-101607%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Daniel%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20fallen%20over%20the%20same%20problem%20when%20I%20use%20Get-PnPGroup%20I%20get%20all%20of%20the%20groups%20in%20the%20site%20collection%20whereas%20I%20just%20want%20the%20groups%20for%20a%20particular%20web%20%2F%20subweb.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20a%20bug%20in%20Get-PnPGroup%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%40ErwinVanHuen%20%40VesaJuvenon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-91199%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-91199%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20for%20the%20delayed%20response%20but%20I%20seem%20to%20have%20stumbled%20upon%20a%20issue%20in%20both%20the%20link%20you%20mentioned%20and%20in%20my%20%26nbsp%3Borignal%20code%2C%20when%20trying%20to%20evaluate%20groups%20per%20web.%26nbsp%3BI%20will%20illustrate%20what%20I%20mean%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20First%20I%20get%20a%20list%20of%20sub%20webs%20in%20my%20Intranet%3C%2FP%3E%3CPRE%3EConnect-PnPOnline%20%24webUrl%20-Credentials%20%24cred%0A%24subwebs%3DGet-PNPSubWebs%3C%2FPRE%3E%3CP%3E2)%20Now%20I%20want%20to%20iterate%20though%20my%20list%20of%20sub%20webs%20and%20get%20all%20groups%20aka%20site%20permissions%26nbsp%3B%3C%2FP%3E%3CPRE%3E%20%20foreach(%24subweb%20in%20%24subwebs)%0A%20%20%7B%0A%20%20%20%20Connect-PnPOnline%20%24subWeb.Url%20-Credentials%20%24cred%0A%20%20%20%20%23%20just%20doing%20one%20more%20check%20to%20see%20we%20are%20actually%20on%20the%20correct%20sub%20site%0A%20%20%20%20%24thisWeb%20%3D%20Get-PnPWeb%0A%20%20%20%20%24groups%3DGet-PNPGroup%20-Identity%20%24thisWeb.Title%0A%20%20%20%20%3C%2FPRE%3E%3CP%3EIn%20theory%2C%20it%20should%20provide%20me%20with%20%3CSTRONG%3Eonly%26nbsp%3B%3C%2FSTRONG%3Ethe%20groups%20in%20my%20current%20web.%20%26nbsp%3BAcurally%20it%20shows%20me%20all%20the%20Site%20Groups%2C%20regardless%20of%20what%20web%20I%20am%20connected%20to.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgain%2C%20getting%20the%20owner%2Fmember%2Fvisitor%20groups%20will%20bring%20back%20only%20appropriate%20role%20groups%20at%20the%20%3CSTRONG%3Etop%20level%3C%2FSTRONG%3E%20site.%20%26nbsp%3BAlso%20if%20you%20have%20multiple%20owner%2Fmember%2Fvisitor%20groups%20assigned%20ot%20the%20current%20web%3B%20these%20are%20ignored%2C%20just%20the%20first%20for%20each%20role%20is%20%26nbsp%3Breturned.%3C%2FP%3E%3CPRE%3E%24ownerGroup%20%3D%20(Get-pnpweb%20%20-Includes%20AssociatedOwnerGroup).AssociatedOwnerGroup%0A%24memberGroup%20%3D%20(Get-pnpweb%20-Includes%20AssociatedMemberGroup).AssociatedMemberGroup%0A%24vistorGroup%20%3D%20(Get-pnpweb%20-Includes%20AssociatedVisitorGroup).AssociatedVisitorGroup%0A%20%20%20%3C%2FPRE%3E%3CP%3EIf%20I%20can't%20resolve%20this%20I%20think%20I%20will%20have%20to%20use%20csom%20%3B-(%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-90710%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-90710%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EYou%20can%20try%20similar%20script%20from%20technet%20gallery%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgallery.technet.microsoft.com%2FGet-SharePoint-Online-and-7e6afce2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgallery.technet.microsoft.com%2FGet-SharePoint-Online-and-7e6afce2%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1227065%22%20slang%3D%22en-US%22%3ERe%3A%20Get%20SharePoint%20Groups%20or%20Security%20Groups%20and%20Permissions%20for%20each%20Sub%20Web.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1227065%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20works%20---%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EConnect-PnPOnline%20-%20%26lt%3B%3CGIVE%20details%3D%22%22%20here%3D%22%22%3E%26gt%3B%3CBR%20%2F%3E%24context.Load(%24context.Web.RoleAssignments)%3CBR%20%2F%3E%24context.Load(%24context.Web.RoleAssignments.Groups)%3CBR%20%2F%3EInvoke-PnPQuery%20-ErrorAction%20Stop%3CBR%20%2F%3EForEach(%24group%20in%20%24context.Web.RoleAssignments.Groups)%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%24context.Load(%24group)%3CBR%20%2F%3EInvoke-PnPQuery%20-ErrorAction%20Stop%3CBR%20%2F%3E%24perm%20%3D%20Get-PnPGroupPermissions%20-Identity%20%24group.Title%3CBR%20%2F%3Eif(%24perm.Name.Count%20-gt%200)%20%7B%3CBR%20%2F%3Efor(%24i%3D0%3B%20%24i%20-lt%20%24perm.Count%3B%24i%2B%2B)%7B%3CBR%20%2F%3ESet-PnPGroup%20-Identity%20%24group.Title%20-RemoveRole%20%24perm%5B%24i%5D.Name%3CBR%20%2F%3E%7D%3CBR%20%2F%3ESet-PnPGroup%20-Identity%20%24group.Title%20-AddRole%20%22Read%22%3CBR%20%2F%3E%7D%3C%2FGIVE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

 

Hi

 

I want produce  a report or the SharePoint Groups and or Security Groups on each of the Sub Webs ( one level only)  in an SharePoint online intranet. Now, before I start creating a custom object and exporting to CSV, I thought I would have a go with the PnPCommandlets. In the code below, I just testing the owner groups, before looking at the other groups.  I am not sure this the best approach so be intersting in hearing about any suggested improvements. 

 

 

 $subWebs = Get-PnPSubWebs

 Foreach ($subWeb in $subWebs)
 {
  
   write-host -ForegroundColor DarkYellow $subWeb.Title

   Connect-PnPOnline $subWeb.Url -Credentials $cred
   $ownerGroup = (Get-pnpweb -Includes AssociatedOwnerGroup).AssociatedOwnerGroup
   $memberGroup = (Get-pnpweb -Includes AssociatedMemberGroup).AssociatedMemberGroup
   $vistorGroup = (Get-pnpweb -Includes AssociatedVisitorGroup).AssociatedVisitorGroup

   $groupTitle =  $ownerGroup.Title 
   $groupPermissions = (Get-PnPGroupPermissions -Identity  $groupTitle )
   write-host $groupTitle 
   $groupPermissions | ForEach {Write-Host $_.name ' '  $_.RoleTypeKind}

 }

 

7 Replies
Highlighted
Highlighted

Hi 

 

Sorry for the delayed response but I seem to have stumbled upon a issue in both the link you mentioned and in my  orignal code, when trying to evaluate groups per web. I will illustrate what I mean:

 

1) First I get a list of sub webs in my Intranet

Connect-PnPOnline $webUrl -Credentials $cred
$subwebs=Get-PNPSubWebs

2) Now I want to iterate though my list of sub webs and get all groups aka site permissions 

  foreach($subweb in $subwebs)
  {
    Connect-PnPOnline $subWeb.Url -Credentials $cred
    # just doing one more check to see we are actually on the correct sub site
    $thisWeb = Get-PnPWeb
    $groups=Get-PNPGroup -Identity $thisWeb.Title
    

In theory, it should provide me with only the groups in my current web.  Acurally it shows me all the Site Groups, regardless of what web I am connected to. 

 

Again, getting the owner/member/visitor groups will bring back only appropriate role groups at the top level site.  Also if you have multiple owner/member/visitor groups assigned ot the current web; these are ignored, just the first for each role is  returned.

$ownerGroup = (Get-pnpweb  -Includes AssociatedOwnerGroup).AssociatedOwnerGroup
$memberGroup = (Get-pnpweb -Includes AssociatedMemberGroup).AssociatedMemberGroup
$vistorGroup = (Get-pnpweb -Includes AssociatedVisitorGroup).AssociatedVisitorGroup
   

If I can't resolve this I think I will have to use csom ;-(

 

 

 

 

 

 

Highlighted

Hi Daniel

 

I have fallen over the same problem when I use Get-PnPGroup I get all of the groups in the site collection whereas I just want the groups for a particular web / subweb.

 

Is this a bug in Get-PnPGroup ?

 

@ErwinVanHuen @VesaJuvenon

Highlighted
Nigel

Yep, been there. My advice is to install the excellent audit tool... I can't remember the exact name but it has droid in the name.. You run it from localhost on your laptop. I asked them to include support for groups assigned to a Web.. They said that was in development. You can export to. CSV. Can discuss later but I am on a beach in Wales!
Highlighted

 

It's AdminDroid. You can check out the interactive demo here.

Highlighted

@Robert Luck wrote:

 

It's AdminDroid. You can check out the interactive demo here.


Thanks @Robert Luck the name did escape me monentarily.  Ideally this should be something we should get via the PnPCommandlet esp when considering there is -Web parementer.   

Highlighted
Best Response confirmed by Daniel Westerdale (Regular Contributor)
Solution

 

It works --->

 

Connect-PnPOnline - <<Give details here>>
$context.Load($context.Web.RoleAssignments)
$context.Load($context.Web.RoleAssignments.Groups)
Invoke-PnPQuery -ErrorAction Stop
ForEach($group in $context.Web.RoleAssignments.Groups)
{
$context.Load($group)
Invoke-PnPQuery -ErrorAction Stop
$perm = Get-PnPGroupPermissions -Identity $group.Title
if($perm.Name.Count -gt 0) {
for($i=0; $i -lt $perm.Count;$i++){
Set-PnPGroup -Identity $group.Title -RemoveRole $perm[$i].Name
}
Set-PnPGroup -Identity $group.Title -AddRole "Read"
}