Updated 6/12/2015
The following works for both SharePoint 2010 and 2013.
So who has control in your SharePoint?
Some users are members of the site's Owners group while others have been directly given Full Control. Some may be Site Collection Administrators or even have "super powers" granted at the Web Application level. How do you find these?
PowerShell to the rescue!
Get all users who are members of the "Owners" groups.
Get-SPSite -Limit All | Get-SPWeb -Limit All | where { $_.HasUniquePerm -and $_.AssociatedOwnerGroup -ne $null } | foreach { $TTNweburl = $_.Url; $_ } | Select -ExpandProperty AssociatedOwnerGroup | Select -ExpandProperty Users | Select {$TTNweburl}, UserLogin, DisplayName
Get all users directly given Full Control
Get-SPSite -Limit All | Get-SPWeb -Limit All | Where { $_.HasUniquePerm } | foreach { $TTNweb = $_; $_ } | Select -ExpandProperty Users | Where { $TTNweb.DoesUserHavePermissions($_,[Microsoft.SharePoint.SPBasePermissions]::FullMask) } | Select {$TTNweb.Url}, UserLogin, DisplayName
You could also find users with Full Control like roles by testing for "ManageWeb" or "ManagePermissions". For a list of the permission types use:
[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
Get all users who are Site Collection Administrators:
Get-SPSite -Limit All | Get-SPWeb -Limit All | where { $_.HasUniquePerm } | foreach { $TTNweburl = $_.Url; $_ } | Select -ExpandProperty Users | Where { $_.IsSiteAdmin } | Select {$TTNweburl}, UserLogin, DisplayName
Who else can see the content, and might have Full Control?
Some users may have access to site content via Web Application level policies. These are set in Central Administration in the Web Application Management section.
Get-SPWebApplication |
foreach { $TTNwebappUrl = $_.Url; $_ } |
Select -ExpandProperty Policies |
Select {$TTNwebappUrl}, DisplayName, IsSystemUser, PolicyRoleBindings, UserName | FT
.
7 comments:
Nice post. I like it a lot.
It looks like the "Owners Group" and the "Full Control" scripts are the same. Am I missing something?
Thank you for the post.
Keith,
Good catch! (copy and paste error?)
Something like this would find all full control (FullMask) users:
Get-SPSite -Limit All |
Get-SPWeb -Limit All |
Where { $_.HasUniquePerm } |
foreach { $TTNweb = $_; $_ } |
Select -ExpandProperty Users |
Where { $TTNweb.DoesUserHavePermissions($_,[Microsoft.SharePoint.SPBasePermissions]::FullMask) } |
Select {$TTNweb.Url}, UserLogin, DisplayName
You could also find users with Full Control like roles using "ManageWeb" or "ManagePermissions" for a list of the permission types use:
[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
Mike
Excelent Post.
How do i get Permission type lister here " Select {$TTNweb.Url}, UserLogin, DisplayName" ?
I want the permission type to be displayed like Full control or Site admin etc.
Pinak,
Do you want to just add this to the three examples above, or do you want to do this for each uniquely secured object in the site or site collection?
Mike
Pinak,
There's a long list of related examples here: http://sharepointpromag.com/sharepoint-2013/exploring-sharepoint-users-groups-and-security-using-powershell
Mike
Hi mike. Thanks for your reply.
My requirement is i need a script that would run in my farm and get all those sites which are not used for last 9 months, will get their users who have full control or site collection administrators and prepare a report of the same.
Something like
Url. User 1 full control
User 2 site admin
Url 2 user 1 fulll control
User 2 site admin
Ussr 3 full control
And these urls should be of site which is not accessed in last 9 months
Pinak,
A different question that what is in the article, but similar... :-)
I think this is what you are asking for:
http://techtrainingnotes.blogspot.com/2015/12/sharepoint-generate-report-of-inactive.html
Mike
Post a Comment
Note to spammers...
Spammers, don't waste your time... all posts are moderated. If your comment includes unrelated links, is advertising, or just pure spam, it will never be seen.