SharePoint: User Permissions detail report for a Web Application

Overview:

A site administrator can easily verify and check user permissions from site settings page, steps are quite simple:

Go to Site Settings –> Site Permissions –> Click on Check Permissions Button and enter user name, this will list the user rights for a single user. But what if it is required to list access permission details for all the users in a SharePoint site, this is not possible Out of the Box.

The below listed script methods are helpful is this scenario, it will list  all users with their permissions and security group detail. The script will generate a detail drill down report for a Web Application which include all sites, sub sites, lists/libraries and items (if inheritance is break).

Script Methods:

I have listed the details of methods below if you feel difficulty to run this then you can download the script from Technet Gallery (Direct Download) and execute the the file.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function GetUserAccessReport($WebAppURL, $FileUrl)
{
#Get All Site Collections of the WebApp
$SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

#Write CSV- TAB Separated File) Header
“URL `t Site/List `t Title `t PermissionType `t Permissions  `t LoginName” | out-file $FileUrl

#Check Web Application Policies
$WebApp= Get-SPWebApplication $WebAppURL

foreach ($Policy in $WebApp.Policies)
{
#Check if the search users is member of the group
#if($Policy.UserName -eq $SearchUser)
#    {
#Write-Host $Policy.UserName
$PolicyRoles=@()
foreach($Role in $Policy.PolicyRoleBindings)
{
$PolicyRoles+= $Role.Name +”;”
}
#Write-Host “Permissions: ” $PolicyRoles

“$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t  Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)” | Out-File $FileUrl -Append
#}
}

#Loop through all site collections
foreach($Site in $SiteCollections)
{
#Check Whether the Search User is a Site Collection Administrator
foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
{
“$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)” | Out-File $FileUrl -Append

}

#Loop throuh all Sub Sites
foreach($Web in $Site.AllWebs)
{
if($Web.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the list
foreach($WebRoleAssignment in $Web.RoleAssignments )
{
#Is it a User Account?
if($WebRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$WebUserPermissions=@()
foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebUserPermissions += $RoleDefinition.Name +”;”
}
#write-host “with these permissions: ” $WebUserPermissions
#Send the Data to Log file
“$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)  `t $($WebRoleAssignment.Member.LoginName)” | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $WebRoleAssignment.member.users)
{
#Get the Group’s Permissions on site
$WebGroupPermissions=@()
foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
{
$WebGroupPermissions += $RoleDefinition.Name +”;”
}
#write-host “Group has these permissions: ” $WebGroupPermissions

#Send the Data to Log file
“$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)” | Out-File $FileUrl -Append
}
}
}
}

#********  Check Lists with Unique Permissions ********/
foreach($List in $Web.lists)
{
if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Get all the users granted permissions to the list
foreach($ListRoleAssignment in $List.RoleAssignments )
{
#Is it a User Account?
if($ListRoleAssignment.Member.userlogin)
{

#Get the Permissions assigned to user
$ListUserPermissions=@()
foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListUserPermissions += $RoleDefinition.Name +”;”
}
#write-host “with these permissions: ” $ListUserPermissions

#Send the Data to Log file
“$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions)  `t $($ListRoleAssignment.Member)” | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ListRoleAssignment.member.users)
{
#Get the Group’s Permissions on site
$ListGroupPermissions=@()
foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListGroupPermissions += $RoleDefinition.Name +”;”
}
#write-host “Group has these permissions: ” $ListGroupPermissions

#Send the Data to Log file
“$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)” | Out-File $FileUrl -Append

}
}
}
}
}
}
}

}

Method Call:

There is a method in above script which takes two parameters, the WebApplication URL and Output file path, which will create a report in CSV format.

GetUserAccessReport "http://sp2013" "c:\users_PermisionReport.csv"

The output is generated in CSV format, below images shows the output format:

User Access Report

I have tested this script on both SharePoint 2013 and SharePoint 2010.

Adnan Amin

Adnan is two time SharePoint MVP (Most Valuable Professional) with over 12 years of extensive experience with major expertise on SharePoint Server, Office 365, .Net Platform and Microsoft BI. He is currently working SharePoint Architect at FMT Consultants. He is MCT Regional Lead for Pakistan Chapter since 2012. He is working on SharePoint for past nine years and worked on different intranet/intranet solutions for private & govt. sector majorly in Gulf region, which include OOB and customized solutions. He is a trainer, technology evangelist and also speaks in community forums.

This Post Has 2 Comments

Leave a Reply