Audit Specific User Permissions in SharePoint 2007 with PowerShell
In continuation with my earlier post: SharePoint Permission Report: Check Access Rights for a Specific User, got few requests to make the PowerShell script compatible with MOSS 2007. Hence, I'm posting the code here.
It checks the following areas of SharePoint and generates a Log file as in the below screen:
It checks the following areas of SharePoint and generates a Log file as in the below screen:
- Farm Administrator's Group
- Central Administration Web Application Policies
- Site Collection Administrators
- Scans the all Site collections and Sub-sites with Unique Permissions
- Scans all Lists and Libraries with unique permissions
- Scans all Groups which has permissions on sites and Lists
PowerShell Script to Check Access Rights for a Particular user all over SharePoint:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
| [System.Reflection.Assembly]::LoadWithPartialName( "Microsoft.SharePoint" ) #Get All Web Applications Function global:Get -SPWebApplication ( $WebAppURL ) { if( $WebAppURL -eq $null ) #Get All Web Applications { $Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local $websvcs = $farm .Services | where -FilterScript {$_.GetType() -eq [Microsoft.SharePoint.Administration.SPWebService]} $WebApps = @() foreach ( $websvc in $websvcs ) { foreach ( $WebApp in $websvc .WebApplications) { $WebApps = $WebApps + $WebApp } } return $WebApps } else #Get Web Application for given URL { return [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup( $WebAppURL ) } } Function global:Get -SPSite ( $url ) { if( $url -ne $null ) { return New-Object Microsoft.SharePoint.SPSite( $url ) } } Function global:Get -SPWeb ( $url ) { $site = Get -SPSite ( $url ) if( $site -ne $null ) { $web = $site .OpenWeb(); } return $web } Function GetUserAccessReport( $WebAppURL , $SearchUser ) { #Get All Site Collections of the WebApp $SiteCollections = Get -SPWebApplication ( $WebAppURL ) $SiteCollections = $SiteCollections .Sites #Write CSV- TAB Separated File) Header "URL `t Site/List `t Title `t PermissionType `t Permissions" | out-file UserAccessReport.csv #Check Whether the Search Users is a Farm Administrator $ca = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local.Sites[0].RootWeb #Get Central Admin $AdminSite = Get -SPWeb ( $ca .URL) $AdminGroupName = $AdminSite .AssociatedOwnerGroup.Name $FarmAdminGroup = $AdminSite .SiteGroups[ $AdminGroupName ] foreach ( $user in $FarmAdminGroup .users) { if( $user .LoginName -eq $SearchUser ) { "$($AdminSite.URL) `t Farm `t $($AdminSite.Title)`t Farm Administrator `t Farm Administrator" | Out-File UserAccessReport.csv -Append } } #Check Web Application Policies $WebApp = Get -SPWebApplication $WebAppURL foreach ( $Policy in $WebApp .Policies) { #Check if the search users is member of the group if( $Policy .UserName -eq $SearchUser ) { #Write-Host $Policy.UserName $PolicyRoles =@() foreach ( $Role in $Policy .PolicyRoleBindings) { $PolicyRoles += $Role .Name + ";" } #Write-Host "Permissions: " $PolicyRoles "$($WebAppURL) `t Web Application `t $($AdminSite.Title)`t Web Application Policy `t $($PolicyRoles)" | Out-File UserAccessReport.csv -Append } } #Loop through all site collections foreach ( $Site in $SiteCollections ) { #Check Whether the Search User is a Site Collection Administrator foreach ( $SiteCollAdmin in $Site .RootWeb.SiteAdministrators) { if( $SiteCollAdmin .LoginName -eq $SearchUser ) { "$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File UserAccessReport.csv -Append } } #Loop throuh all Sub Sites foreach ( $Web in $Site .AllWebs) { if( $Web .HasUniqueRoleAssignments -eq $True ) { #Get all the users granted permissions to the list foreach ( $WebRoleAssignment in $Web .RoleAssignments ) { #Is it a User Account? if( $WebRoleAssignment .Member.userlogin) { #Is the current user is the user we search for? if( $WebRoleAssignment .Member.LoginName -eq $SearchUser ) { #Write-Host $SearchUser has direct permissions to site $Web.Url #Get the Permissions assigned to user $WebUserPermissions =@() foreach ( $RoleDefinition in $WebRoleAssignment .RoleDefinitionBindings) { $WebUserPermissions += $RoleDefinition .Name + ";" } #write-host "with these permissions: " $WebUserPermissions #Send the Data to Log file "$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)" | Out-File UserAccessReport.csv -Append } } #Its a SharePoint Group, So search inside the group and check if the user is member of that group else { foreach ( $user in $WebRoleAssignment .member.users) { #Check if the search users is member of the group if( $user .LoginName -eq $SearchUser ) { #Write-Host "$SearchUser is Member of " $WebRoleAssignment.Member.Name "Group" #Get the Group's Permissions on site $WebGroupPermissions =@() foreach ( $RoleDefinition in $WebRoleAssignment .RoleDefinitionBindings) { $WebGroupPermissions += $RoleDefinition .Name + ";" } #write-host "Group has these permissions: " $WebGroupPermissions #Send the Data to Log file "$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions)" | Out-File UserAccessReport.csv -Append } } } } } #******** Check Lists with Unique Permissions ********/ foreach ( $List in $Web .lists) { if( $List .HasUniqueRoleAssignments -eq $True -and ( $List .Hidden -eq $false )) { #Get all the users granted permissions to the list foreach ( $ListRoleAssignment in $List .RoleAssignments ) { #Is it a User Account? if( $ListRoleAssignment .Member.userlogin) { #Is the current user is the user we search for? if( $ListRoleAssignment .Member.LoginName -eq $SearchUser ) { #Write-Host $SearchUser has direct permissions to List ($List.ParentWeb.Url)/($List.RootFolder.Url) #Get the Permissions assigned to user $ListUserPermissions =@() foreach ( $RoleDefinition in $ListRoleAssignment .RoleDefinitionBindings) { $ListUserPermissions += $RoleDefinition .Name + ";" } #write-host "with these permissions: " $ListUserPermissions #Send the Data to Log file "$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permissions `t $($ListUserPermissions)" | Out-File UserAccessReport.csv -Append } } #Its a SharePoint Group, So search inside the group and check if the user is member of that group else { foreach ( $user in $ListRoleAssignment .member.users) { if( $user .LoginName -eq $SearchUser ) { #Write-Host "$SearchUser is Member of " $ListRoleAssignment.Member.Name "Group" #Get the Group's Permissions on site $ListGroupPermissions =@() foreach ( $RoleDefinition in $ListRoleAssignment .RoleDefinitionBindings) { $ListGroupPermissions += $RoleDefinition .Name + ";" } #write-host "Group has these permissions: " $ListGroupPermissions #Send the Data to Log file "$($Web.Url) `t Site `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($ListGroupPermissions)" | Out-File UserAccessReport.csv -Append } } } } } } } } } #Call the function to Check User Access |
Reference:
http://www.sharepointdiary.com/2013/01/audit-user-permissions-in-sharepoint.html
No comments:
Post a Comment