question

NguyenTee-6512 avatar image
0 Votes"
NguyenTee-6512 asked YiLu-MSFT commented

SharePoint 2013 Permission PowerShell Report Entire Web Application for Specific Security Group

All, I want to generate SharePoint 2013 permission report for all site collection with 1 web application. I only need the report for 1 specific security group, for example "ACME/allUS-Users" account. Report from PowerShell script is preferred

Thanks

office-sharepoint-server-administration
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

YiLu-MSFT avatar image
0 Votes"
YiLu-MSFT answered NguyenTee-6512 commented

Hi @NguyenTee-6512
You could use this script to get the report for entire Web Application in a .CSV File.

 Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue 
     
 Function GetUserAccessReport($WebAppURL, $FileUrl) 
 { 
     Write-Host "Generating permission report..." 
     
     #Get All Site Collections of the WebApp 
     $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All 
     
     #Write CSV- TAB Separated File) Header 
     "URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions `tLoginName" | out-file $FileUrl 
     
     #Check Web Application Policies 
     $WebApp= Get-SPWebApplication $WebAppURL 
     
     foreach ($Policy in $WebApp.Policies)  
       { 
         $PolicyRoles=@() 
         foreach($Role in $Policy.PolicyRoleBindings) 
         { 
             $PolicyRoles+= $Role.Name +";" 
         } 
             
         "$($AdminWebApp.URL)`tWeb Application`t$($AdminSite.Title)`tWeb Application Policy`t$($PolicyRoles)`t$($Policy.UserName)" | Out-File $FileUrl -Append 
     } 
     
     #Loop through all site collections 
     foreach($Site in $SiteCollections)  
     { 
       #Check Whether the Search User is a Site Collection Administrator 
       foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators) 
           { 
             "$($Site.RootWeb.Url)`tSite`t$($Site.RootWeb.Title)`tSite Collection Administrator`tSite Collection Administrator`t$($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append 
         } 
       
        #Loop throuh all Sub Sites 
        foreach($Web in $Site.AllWebs)  
        {     
             if($Web.HasUniqueRoleAssignments -eq $True) 
             { 
                 #Get all the users granted permissions to the list 
                 foreach($WebRoleAssignment in $Web.RoleAssignments )  
                 {  
                     #Is it a User Account? 
                     if($WebRoleAssignment.Member.userlogin)     
                     { 
                         #Get the Permissions assigned to user 
                         $WebUserPermissions=@() 
                         foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings) 
                         { 
                             $WebUserPermissions += $RoleDefinition.Name +";" 
                         } 
                             
                         #Send the Data to Log file 
                         "$($Web.Url)`tSite`t$($Web.Title)`tDirect Permission`t$($WebUserPermissions) `t$($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append 
                     } 
                     #Its a SharePoint Group, So search inside the group and check if the user is member of that group 
                     else   
                     { 
                         foreach($user in $WebRoleAssignment.member.users) 
                         { 
                             #Get the Group's Permissions on site 
                             $WebGroupPermissions=@() 
                             foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings) 
                             { 
                                 $WebGroupPermissions += $RoleDefinition.Name +";" 
                             } 
                                 
                             #Send the Data to Log file 
                             "$($Web.Url)`tSite`t$($Web.Title)`tMember of $($WebRoleAssignment.Member.Name) Group`t$($WebGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 
                         } 
                     } 
                 } 
             } 
                     
             #********  Check Lists, Folders, and Items with Unique Permissions ********/ 
             foreach($List in $Web.lists) 
             { 
                 if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false)) 
                 { 
                     #Get all the users granted permissions to the list 
                     foreach($ListRoleAssignment in $List.RoleAssignments )  
                     {  
                         #Is it a User Account? 
                         if($ListRoleAssignment.Member.userlogin)     
                         { 
                             #Get the Permissions assigned to user 
                             $ListUserPermissions=@() 
                             foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings) 
                             { 
                                 $ListUserPermissions += $RoleDefinition.Name +";" 
                             } 
                                 
                             #Send the Data to Log file 
                             "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member)" | Out-File $FileUrl -Append 
                         } 
                         #Its a SharePoint Group, So search inside the group and check if the user is member of that group 
                         else   
                         { 
                             foreach($user in $ListRoleAssignment.member.users) 
                             { 
                                 #Get the Group's Permissions on site 
                                 $ListGroupPermissions=@() 
                                 foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings) 
                                 { 
                                     $ListGroupPermissions += $RoleDefinition.Name +";" 
                                 } 
                                     
                                 #Send the Data to Log file 
                                 "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 
                             } 
                         }     
                     } 
                 } 
                     
                 #Get Folder level permissions 
                 foreach($Folder in $List.folders) 
                 { 
                     if($Folder.HasUniqueRoleAssignments -eq $True) 
                     { 
                         #Get all the users granted permissions to the folder 
                         foreach($FolderRoleAssignment in $Folder.RoleAssignments )  
                         {  
                             #Is it a User Account? 
                             if($FolderRoleAssignment.Member.userlogin)     
                             { 
                                 #Get the Permissions assigned to user 
                                 $FolderUserPermissions=@() 
                                 foreach ($RoleDefinition  in $FolderRoleAssignment.RoleDefinitionBindings) 
                                 { 
                                     $FolderUserPermissions += $RoleDefinition.Name +";" 
                                 } 
                                     
                                 #Send the Data to Log file 
                                 "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member)" | Out-File $FileUrl -Append 
                             } 
                             #Its a SharePoint Group, So search inside the group and check if the user is member of that group 
                             else   
                             { 
                                 foreach($user in $FolderRoleAssignment.member.users) 
                                 { 
                                     #Get the Group's Permissions on site 
                                     $FolderGroupPermissions=@() 
                                     foreach ($RoleDefinition  in $FolderRoleAssignment.RoleDefinitionBindings) 
                                     { 
                                         $FolderGroupPermissions += $RoleDefinition.Name +";" 
                                     } 
                                         
                                     #Send the Data to Log file 
                                     "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 
     
                                 } 
                             }     
                         } 
                     } 
                 } 
                     
                 #Get Item level permissions 
                 foreach($Item in $List.items) 
                 { 
                     if($Item.HasUniqueRoleAssignments -eq $True) 
                     { 
                         #Get all the users granted permissions to the item 
                         foreach($ItemRoleAssignment in $Item.RoleAssignments )  
                         {  
                             #Is it a User Account? 
                             if($ItemRoleAssignment.Member.userlogin)     
                             { 
                                 #Get the Permissions assigned to user 
                                 $ItemUserPermissions=@() 
                                 foreach ($RoleDefinition  in $ItemRoleAssignment.RoleDefinitionBindings) 
                                 { 
                                     $ItemUserPermissions += $RoleDefinition.Name +";" 
                                 } 
     
                                 #Prepare item's absolute Url and Name 
                                 $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1 
                                 if ($ItemDispForm.Url) 
                                 { 
                                     $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"  
                                 } 
                                 else 
                                 { 
                                     $ItemUrl = "$($Item.Url)" 
                                 } 
     
                                 if ($Item.Name) 
                                 { 
                                     $ItemTitle = $Item.Name 
                                 } 
                                 else 
                                 { 
                                     $ItemTitle = $Item.Title 
                                 } 
                                     
                                 #Send the Data to Log file 
                                 "$($ItemUrl)`tItem`t$($ItemTitle)`tDirect Permission`t$($ItemUserPermissions) `t$($ItemRoleAssignment.Member)" | Out-File $FileUrl -Append 
                             } 
                             #Its a SharePoint Group, So search inside the group and check if the user is member of that group 
                             else   
                             { 
                                 foreach($user in $ItemRoleAssignment.member.users) 
                                 { 
                                     #Get the Group's Permissions on site 
                                     $ItemGroupPermissions=@() 
                                     foreach ($RoleDefinition  in $ItemRoleAssignment.RoleDefinitionBindings) 
                                     { 
                                         $ItemGroupPermissions += $RoleDefinition.Name +";" 
                                     } 
                                         
                                     #Prepare item's absolute Url and Name 
                                     $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1 
                                     if ($ItemDispForm.Url) 
                                     { 
                                         $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"  
                                     } 
                                     else 
                                     { 
                                         $ItemUrl = "$($Item.Url)" 
                                     } 
     
                                     if ($Item.Name) 
                                     { 
                                         $ItemTitle = $Item.Name 
                                     } 
                                     else 
                                     { 
                                         $ItemTitle = $Item.Title 
                                     } 
     
                                     #Send the Data to Log file 
                                     "$($ItemUrl)`tItem`t$($ItemTitle)`tMember of $($ItemRoleAssignment.Member.Name) Group`t$($ItemGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 
     
                                 } 
                             }     
                         } 
                     } 
                 } 
             } 
         }     
     } 
 } 
     
 #Call the function to Check User Access 
 GetUserAccessReport "http://mysite" "C:\SharePoint_Permission_Report.csv" 
 Write-Host "Complete" 

Then in the csv file you could use fileter function to delete other accounts you do not want.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@YiLu-MSFT , the script did not return any security group at all. It just returned regular user accounts only. Is there something missing?

Thanks

0 Votes 0 ·
YiLu-MSFT avatar image
0 Votes"
YiLu-MSFT answered YiLu-MSFT commented

Hi @NguyenTee-6512
Sorry for the misunderstanding. If you want to export a security group to a csv file, you could try the code:

 #Variables
 $ADGroup = "domain\Domain Admins"
 $MemberCollection= @()
 $ReportPath ="C:\ADGroups.csv"
     
 #Extract AD Group Name
 $ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)
     
 #Get All Members of the AD Group
 $GroupMembers = Get-ADGroupMember -Identity $ADGroupName -Recursive
     
 Write-host "Total Members Found:"$GroupMembers.Count
  ForEach($GroupMember in $GroupMembers)
     { 
 #Send Data to an object array
             $ADGroup = new-object psobject
  $ADGroup | add-member noteproperty -name "Display Name" -value $GroupMember.Name
  $ADGroup | add-member noteproperty -name "Type" -value $GroupMember.objectClass
 $ADGroup | add-member noteproperty -name "Account" -value $GroupMember.SamAccountName
 $MemberCollection+=$ADGroup  
 }
 #Export Data to CSV
 $MemberCollection | export-csv $ReportPath -notypeinformation
 Write-host "SharePoint Security Groups data exported to a CSV file at:"$ReportPath -ForegroundColor Cyan 

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @NguyenTee-6512
Is this answer helpful for you? If you have some doubts on it, you could contact me in time.

0 Votes 0 ·