Overview:
A site administrator can easily verify and check user permissions from site settings page, steps are quite simple:
Go to Site Settings –> Site Permissions –> Click on Check Permissions Button and enter user name, this will list the user rights for a single user. But what if it is required to list access permission details for all the users in a SharePoint site, this is not possible Out of the Box.
The below listed script methods are helpful is this scenario, it will list all users with their permissions and security group detail. The script will generate a detail drill down report for a Web Application which include all sites, sub sites, lists/libraries and items (if inheritance is break).
Script Methods:
I have listed the details of methods below if you feel difficulty to run this then you can download the script from Technet Gallery (Direct Download) and execute the the file.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Function GetUserAccessReport($WebAppURL, $FileUrl)
{
#Get All Site Collections of the WebApp
$SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All#Write CSV- TAB Separated File) Header
“URL `t Site/List `t Title `t PermissionType `t Permissions `t LoginName” | out-file $FileUrl#Check Web Application Policies
$WebApp= Get-SPWebApplication $WebAppURLforeach ($Policy in $WebApp.Policies)
{
#Check if the search users is member of the group
#if($Policy.UserName -eq $SearchUser)
# {
#Write-Host $Policy.UserName
$PolicyRoles=@()
foreach($Role in $Policy.PolicyRoleBindings)
{
$PolicyRoles+= $Role.Name +”;”
}
#Write-Host “Permissions: ” $PolicyRoles“$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)” | Out-File $FileUrl -Append
#}
}#Loop through all site collections
foreach($Site in $SiteCollections)
{
#Check Whether the Search User is a Site Collection Administrator
foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
{
“$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)” | Out-File $FileUrl -Append}
#Loop throuh all Sub Sites
foreach($Web in $Site.AllWebs)
{
if($Web.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the list
foreach($WebRoleAssignment in $Web.RoleAssignments )
{
#Is it a User Account?
if($WebRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$WebUserPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebUserPermissions += $RoleDefinition.Name +”;”
}
#write-host “with these permissions: ” $WebUserPermissions
#Send the Data to Log file
“$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions) `t $($WebRoleAssignment.Member.LoginName)” | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $WebRoleAssignment.member.users)
{
#Get the Group’s Permissions on site
$WebGroupPermissions=@()
foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebGroupPermissions += $RoleDefinition.Name +”;”
}
#write-host “Group has these permissions: ” $WebGroupPermissions#Send the Data to Log file
“$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)” | Out-File $FileUrl -Append
}
}
}
}#******** Check Lists with Unique Permissions ********/
foreach($List in $Web.lists)
{
if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Get all the users granted permissions to the list
foreach($ListRoleAssignment in $List.RoleAssignments )
{
#Is it a User Account?
if($ListRoleAssignment.Member.userlogin)
{#Get the Permissions assigned to user
$ListUserPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListUserPermissions += $RoleDefinition.Name +”;”
}
#write-host “with these permissions: ” $ListUserPermissions#Send the Data to Log file
“$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions) `t $($ListRoleAssignment.Member)” | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ListRoleAssignment.member.users)
{
#Get the Group’s Permissions on site
$ListGroupPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListGroupPermissions += $RoleDefinition.Name +”;”
}
#write-host “Group has these permissions: ” $ListGroupPermissions#Send the Data to Log file
“$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)” | Out-File $FileUrl -Append}
}
}
}
}
}
}}
Method Call:
There is a method in above script which takes two parameters, the WebApplication URL and Output file path, which will create a report in CSV format.
GetUserAccessReport "http://sp2013" "c:\users_PermisionReport.csv"
The output is generated in CSV format, below images shows the output format:
I have tested this script on both SharePoint 2013 and SharePoint 2010.
Adnan, a distinguished professional, boasts an impressive track record as a Microsoft MVP, having achieved this prestigious recognition for the eighth consecutive year since 2015. With an extensive career spanning over 18 years, Adnan has honed his expertise in various domains, notably excelling in SharePoint, Microsoft 365, Microsoft Teams, the .Net Platform, and Microsoft BI. Presently, he holds the esteemed position of Senior Microsoft Consultant at Olive + Goose. Notably, Adnan served as the MCT Regional Lead for the Pakistan Chapter from 2012 to 2017, showcasing his leadership and commitment to fostering growth within the tech community. His journey in the realm of SharePoint spans 14 years, during which he has undertaken diverse projects involving both intranet and internet solutions for both private and government sectors. His impact has transcended geographical boundaries, leaving a mark on projects in the United States and the Gulf region, often collaborating with Fortune 500 companies. Beyond his roles, Adnan is a dedicated educator, sharing his insights and knowledge as a trainer. He also passionately advocates for technology, frequently engaging with the community through speaking engagements in various forums. His multifaceted contributions exemplify his dedication to the tech field and his role in driving its evolution.
Leave a Reply
You must be logged in to post a comment.
2 replies on “SharePoint: User Permissions detail report for a Web Application”
Thanks Adnan for sharing this information with us. You define the script method very clearly.
how to get ACL for a file using API