11/08/2014

SharePoint – Use PowerShell to get all Owners, Full Control Users and Site Collection Administrators

Updated 6/12/2015

The following works for both SharePoint 2010 and 2013.

 

So who has control in your SharePoint?

Some users are members of the site's Owners group while others have been directly given Full Control. Some may be Site Collection Administrators or even have "super powers" granted at the Web Application level. How do you find these?

PowerShell to the rescue!

 

Get all users who are members of the "Owners" groups.

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  where { $_.HasUniquePerm -and $_.AssociatedOwnerGroup -ne $null } | 
  foreach { $TTNweburl = $_.Url; $_ } | 
  Select -ExpandProperty AssociatedOwnerGroup | 
  Select -ExpandProperty Users | 
  Select {$TTNweburl}, UserLogin, DisplayName

 

Get all users directly given Full Control

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  Where { $_.HasUniquePerm } | 
  foreach { $TTNweb = $_; $_ } | 
  Select -ExpandProperty Users | 
  Where { $TTNweb.DoesUserHavePermissions($_,[Microsoft.SharePoint.SPBasePermissions]::FullMask) } | 
  Select {$TTNweb.Url}, UserLogin, DisplayName

You could also find users with Full Control-like roles by testing for "ManageWeb" or "ManagePermissions". For a list of the permission types, use:

[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")

 

Get all users who are Site Collection Administrators:

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  where { $_.HasUniquePerm } | 
  foreach { $TTNweburl = $_.Url; $_ } | 
  Select -ExpandProperty Users | 
  Where { $_.IsSiteAdmin } | 
  Select {$TTNweburl}, UserLogin, DisplayName
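
The three queries above, combined into one report that also records why each user appears. This is an added example, not code from the original post; the `New-ControlRow` helper and the CSV file name are assumptions.

```powershell
# Added example (not from the original post). Run in the SharePoint Management Shell.
# Emits one row per web, user and reason so the three queries land in one report.

# FullMask is Full Control; ManageWeb and ManagePermissions are the
# "Full Control-like" rights the post suggests testing for.
$masks = 'FullMask', 'ManageWeb', 'ManagePermissions'

# Hypothetical helper: builds one report row.
function New-ControlRow($Web, $User, $Reason) {
    New-Object PSObject -Property @{
        WebUrl = $Web.Url
        Login  = $User.LoginName
        Name   = $User.Name
        Reason = $Reason
    }
}

$report = Get-SPSite -Limit All |
  Get-SPWeb -Limit All |
  Where-Object { $_.HasUniquePerm } |
  ForEach-Object {
    $web = $_

    # Members of the web's associated Owners group, if one is set.
    if ($web.AssociatedOwnerGroup -ne $null) {
        foreach ($user in $web.AssociatedOwnerGroup.Users) {
            New-ControlRow $web $user 'Owners group member'
        }
    }

    foreach ($user in $web.Users) {
        if ($user.IsSiteAdmin) {
            New-ControlRow $web $user 'Site Collection Administrator'
        }
        foreach ($name in $masks) {
            $mask = [Microsoft.SharePoint.SPBasePermissions]$name
            if ($web.DoesUserHavePermissions($user.LoginName, $mask)) {
                New-ControlRow $web $user "Has $name"
            }
        }
    }
  }

# Output path is an assumption; change as needed.
$report |
  Select-Object WebUrl, Login, Name, Reason |
  Sort-Object WebUrl, Login, Reason |
  Export-Csv -Path .\who-has-control.csv -NoTypeInformation
```

FullMask contains every permission bit, so a Full Control user also produces the ManageWeb and ManagePermissions rows; a user who shows only one of those two has a narrower, custom permission level.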

 

Who else can see the content, and might have Full Control?

Some users may have access to site content via Web Application level policies. These are set in Central Administration in the Web Application Management section.

Get-SPWebApplication | 
  foreach { $TTNwebappUrl = $_.Url; $_ } | 
  Select -ExpandProperty Policies |  
  Select {$TTNwebappUrl}, DisplayName, IsSystemUser, PolicyRoleBindings, UserName | FT

 


7 comments:

Keith Oswalt said...

Nice post. I like it a lot.

It looks like the "Owners Group" and the "Full Control" scripts are the same. Am I missing something?

Thank you for the post.

Mike Smith said...

Keith,

Good catch! (copy and paste error?)

Something like this would find all full control (FullMask) users:
Get-SPSite -Limit All |
Get-SPWeb -Limit All |
Where { $_.HasUniquePerm } |
foreach { $TTNweb = $_; $_ } |
Select -ExpandProperty Users |
Where { $TTNweb.DoesUserHavePermissions($_,[Microsoft.SharePoint.SPBasePermissions]::FullMask) } |
Select {$TTNweb.Url}, UserLogin, DisplayName

You could also find users with Full Control-like roles using "ManageWeb" or "ManagePermissions". For a list of the permission types, use:

[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")

Mike

Unknown said...

Excellent post.

How do I get Permission type listed here " Select {$TTNweb.Url}, UserLogin, DisplayName"?

I want the permission type to be displayed like Full control or Site admin etc.

Mike Smith said...

Pinak,

Do you want to just add this to the three examples above, or do you want to do this for each uniquely secured object in the site or site collection?

Mike

Mike Smith said...

Pinak,

There's a long list of related examples here: http://sharepointpromag.com/sharepoint-2013/exploring-sharepoint-users-groups-and-security-using-powershell

Mike

Unknown said...

Hi Mike. Thanks for your reply.
My requirement is I need a script that would run in my farm and get all those sites which are not used for last 9 months, will get their users who have full control or site collection administrators and prepare a report of the same.

Something like
Url. User 1 full control
User 2 site admin
Url 2 user 1 full control
User 2 site admin
User 3 full control

And these urls should be of site which is not accessed in last 9 months

Mike Smith said...

Pinak,

A different question than what is in the article, but similar... :-)

I think this is what you are asking for:

http://techtrainingnotes.blogspot.com/2015/12/sharepoint-generate-report-of-inactive.html

Mike
