This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 16%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENT%3C/text%3E%3C/svg%3E)
All, I want to generate SharePoint 2013 permission report for all site collection with 1 web application. I only need the report for 1 specific security group, for example "ACME/allUS-Users" account. Report from PowerShell script is preferred
Thanks
Hi @Nguyen, Tee
You could use this script to get the report for entire Web Application in a .CSV File.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Function GetUserAccessReport($WebAppURL, $FileUrl)
{
Write-Host "Generating permission report..."
#Get All Site Collections of the WebApp
$SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
#Write CSV- TAB Separated File) Header
"URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions `tLoginName" | out-file $FileUrl
#Check Web Application Policies
$WebApp= Get-SPWebApplication $WebAppURL
foreach ($Policy in $WebApp.Policies)
{
$PolicyRoles=@()
foreach($Role in $Policy.PolicyRoleBindings)
{
$PolicyRoles+= $Role.Name +";"
}
"$($AdminWebApp.URL)`tWeb Application`t$($AdminSite.Title)`tWeb Application Policy`t$($PolicyRoles)`t$($Policy.UserName)" | Out-File $FileUrl -Append
}
#Loop through all site collections
foreach($Site in $SiteCollections)
{
#Check Whether the Search User is a Site Collection Administrator
foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
{
"$($Site.RootWeb.Url)`tSite`t$($Site.RootWeb.Title)`tSite Collection Administrator`tSite Collection Administrator`t$($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append
}
#Loop throuh all Sub Sites
foreach($Web in $Site.AllWebs)
{
if($Web.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the list
foreach($WebRoleAssignment in $Web.RoleAssignments )
{
#Is it a User Account?
if($WebRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$WebUserPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebUserPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Web.Url)`tSite`t$($Web.Title)`tDirect Permission`t$($WebUserPermissions) `t$($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $WebRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$WebGroupPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebGroupPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Web.Url)`tSite`t$($Web.Title)`tMember of $($WebRoleAssignment.Member.Name) Group`t$($WebGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
#******** Check Lists, Folders, and Items with Unique Permissions ********/
foreach($List in $Web.lists)
{
if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Get all the users granted permissions to the list
foreach($ListRoleAssignment in $List.RoleAssignments )
{
#Is it a User Account?
if($ListRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$ListUserPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListUserPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ListRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$ListGroupPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListGroupPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
#Get Folder level permissions
foreach($Folder in $List.folders)
{
if($Folder.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the folder
foreach($FolderRoleAssignment in $Folder.RoleAssignments )
{
#Is it a User Account?
if($FolderRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$FolderUserPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderUserPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $FolderRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$FolderGroupPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderGroupPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
}
#Get Item level permissions
foreach($Item in $List.items)
{
if($Item.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the item
foreach($ItemRoleAssignment in $Item.RoleAssignments )
{
#Is it a User Account?
if($ItemRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$ItemUserPermissions=@()
foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings)
{
$ItemUserPermissions += $RoleDefinition.Name +";"
}
#Prepare item's absolute Url and Name
$ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
if ($ItemDispForm.Url)
{
$ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
}
else
{
$ItemUrl = "$($Item.Url)"
}
if ($Item.Name)
{
$ItemTitle = $Item.Name
}
else
{
$ItemTitle = $Item.Title
}
#Send the Data to Log file
"$($ItemUrl)`tItem`t$($ItemTitle)`tDirect Permission`t$($ItemUserPermissions) `t$($ItemRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ItemRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$ItemGroupPermissions=@()
foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings)
{
$ItemGroupPermissions += $RoleDefinition.Name +";"
}
#Prepare item's absolute Url and Name
$ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
if ($ItemDispForm.Url)
{
$ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
}
else
{
$ItemUrl = "$($Item.Url)"
}
if ($Item.Name)
{
$ItemTitle = $Item.Name
}
else
{
$ItemTitle = $Item.Title
}
#Send the Data to Log file
"$($ItemUrl)`tItem`t$($ItemTitle)`tMember of $($ItemRoleAssignment.Member.Name) Group`t$($ItemGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
}
}
}
}
}
#Call the function to Check User Access
GetUserAccessReport "http://mysite" "C:\SharePoint_Permission_Report.csv"
Write-Host "Complete"
Then in the csv file you could use fileter function to delete other accounts you do not want.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Yi Lu_MSFT , the script did not return any security group at all. It just returned regular user accounts only. Is there something missing?
Thanks
Hi @Nguyen, Tee
Sorry for the misunderstanding. If you want to export a security group to a csv file, you could try the code:
#Variables
$ADGroup = "domain\Domain Admins"
$MemberCollection= @()
$ReportPath ="C:\ADGroups.csv"
#Extract AD Group Name
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)
#Get All Members of the AD Group
$GroupMembers = Get-ADGroupMember -Identity $ADGroupName -Recursive
Write-host "Total Members Found:"$GroupMembers.Count
ForEach($GroupMember in $GroupMembers)
{
#Send Data to an object array
$ADGroup = new-object psobject
$ADGroup | add-member noteproperty -name "Display Name" -value $GroupMember.Name
$ADGroup | add-member noteproperty -name "Type" -value $GroupMember.objectClass
$ADGroup | add-member noteproperty -name "Account" -value $GroupMember.SamAccountName
$MemberCollection+=$ADGroup
}
#Export Data to CSV
$MemberCollection | export-csv $ReportPath -notypeinformation
Write-host "SharePoint Security Groups data exported to a CSV file at:"$ReportPath -ForegroundColor Cyan
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Nguyen, Tee
Is this answer helpful for you? If you have some doubts on it, you could contact me in time.