SharePoint 2013 – Generating a Unique Permissions Report

 

There are several situations in which you will want a report of all the unique permissions present throughout a site collection.

I have written a script that generates a CSV report listing every user and group that has been added at the Web, List, Item or Folder level.

Refer to the screenshot of the CSV report below.

[Screenshot: sample CSV report]

This report will contain 7 columns:

  1. WebURL – URL of the site.
  2. List Default View URL – Default view of the list. If this is blank, permissions are broken at the web level and the user/group reported was added at the web level. If it contains a value, permissions are broken at the list level and the user/group, with the permission reported, was added at the list level.
  3. List Title – Title of the list. Same rule as column 2: blank means a web-level grant; a value means a list-level grant.
  4. Item URL – URL of the item. If this is blank, the entry is a web- or list-level grant (see columns 2 and 3). If it contains a value, permissions are broken at the item (or folder) level and the user/group, with the permission reported, was added on that item.
  5. Name – Name of the user or group.
  6. Type – Whether the principal is a Domain Group, Domain User or SharePoint Group.
  7. Permission – Permission level granted to the user or group. Note that if the out-of-the-box (OOB) permission levels have been modified, this column can mislead, because only the level's name is reported, not the rights it currently contains. It is not good practice to modify OOB permission levels.

 


Add-PSSnapin Microsoft.SharePoint.PowerShell

$Url = "https://contoso.com"   # Replace with your site collection URL
# Split is required for host-named site collections; rebuild "scheme://host" from the parts
$RootUrl = $Url.Split("/")
$RootUrl = $RootUrl[0] + "/" + $RootUrl[1] + "/" + $RootUrl[2]

# "MM" is the month and "HH" the 24-hour hour; the original "Mm-...-hh" mixed month with minute
$logTime = Get-Date -Format "MM-dd-yyyy_HH-mm-ss"
$Columns = "WebURL" + ";" + "List Default View URL" + ";" + "List Title" + ";" + "Item URL" + ";" + "Name" + ";" + "Type" + ";" + "Permission"
$logFile = "C:\UniquePermissions" + $logTime + ".csv"   # Log location
$Columns | Out-File -FilePath $logFile -Append

$site = Get-SPSite $Url
$Webs = $site.AllWebs

foreach ($web in $Webs)
{
    # Web level: only webs that stopped inheriting from their parent have unique role assignments
    if ($web.HasUniqueRoleAssignments)
    {
        $WebRoles = $web.RoleAssignments
        foreach ($WebRole in $WebRoles)
        {
            $WebRoleBindings = $WebRole.RoleDefinitionBindings
            foreach ($WebRoleBinding in $WebRoleBindings)
            {
                # IsDomainGroup exists only on SPUser; $null means the member is an SPGroup
                if ($WebRole.Member.IsDomainGroup -eq $null)
                {
                    $output = $web.Url + ";" + ";" + ";" + ";" + $WebRole.Member.Name + ";" + "SharePoint Group" + ";" + $WebRoleBinding.Name
                    $output | Out-File -FilePath $logFile -Append
                }
                elseif ($WebRole.Member.IsDomainGroup)
                {
                    $output = $web.Url + ";" + ";" + ";" + ";" + $WebRole.Member.Name + ";" + "Domain Group" + ";" + $WebRoleBinding.Name
                    $output | Out-File -FilePath $logFile -Append
                }
                else
                {
                    $output = $web.Url + ";" + ";" + ";" + ";" + $WebRole.Member.UserLogin + ";" + "Domain User" + ";" + $WebRoleBinding.Name
                    $output | Out-File -FilePath $logFile -Append
                }
            }
        }
    }

    $lists = $web.Lists
    foreach ($list in $lists)
    {
        # List level
        if ($list.HasUniqueRoleAssignments)
        {
            $ListRoles = $list.RoleAssignments
            foreach ($ListRole in $ListRoles)
            {
                $ListRoleBindings = $ListRole.RoleDefinitionBindings
                foreach ($ListRoleBinding in $ListRoleBindings)
                {
                    if ($ListRole.Member.IsDomainGroup -eq $null)
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + ";" + $ListRole.Member.Name + ";" + "SharePoint Group" + ";" + $ListRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                    elseif ($ListRole.Member.IsDomainGroup)
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + ";" + $ListRole.Member.Name + ";" + "Domain Group" + ";" + $ListRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                    else
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + ";" + $ListRole.Member.UserLogin + ";" + "Domain User" + ";" + $ListRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                }
            }
        }

        # Item and folder level: items can break inheritance even when the list itself inherits,
        # so this runs for every list, not only those with unique role assignments
        $UniqueItems = $list.GetItemsWithUniquePermissions()
        foreach ($UniqueItem in $UniqueItems)
        {
            $item = $list.GetItemById($UniqueItem.Id)
            $itemRoles = $item.RoleAssignments
            foreach ($itemRole in $itemRoles)
            {
                $itemRoleBindings = $itemRole.RoleDefinitionBindings
                foreach ($itemRoleBinding in $itemRoleBindings)
                {
                    if ($itemRole.Member.IsDomainGroup -eq $null)
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + $RootUrl + "/" + $item.Url + ";" + $itemRole.Member.Name + ";" + "SharePoint Group" + ";" + $itemRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                    elseif ($itemRole.Member.IsDomainGroup)
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + $RootUrl + "/" + $item.Url + ";" + $itemRole.Member.Name + ";" + "Domain Group" + ";" + $itemRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                    else
                    {
                        $output = $web.Url + ";" + $RootUrl + $list.DefaultViewUrl + ";" + $list.Title + ";" + $RootUrl + "/" + $item.Url + ";" + $itemRole.Member.UserLogin + ";" + "Domain User" + ";" + $itemRoleBinding.Name
                        $output | Out-File -FilePath $logFile -Append
                    }
                }
            }
        }
    }

    # Release the SPWeb object; AllWebs opens each web and they must be disposed
    $web.Dispose()
}

$site.Dispose()
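Once the report exists, the next question is which rows deserve attention. The following is an added example, not part of the original script, that reads the report back using the seven column names described above, derives each row's scope from the blank columns, and flags grants to broad principals and elevated permission levels granted below the web level. The sample rows are constructed, and the lists of principals and permission levels to flag are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original script: triage the semicolon-delimited report.
# The sample rows below are constructed; on a real run replace them with
#   $Rows = Import-Csv -Path 'C:\<report>.csv' -Delimiter ';'
$Rows = @'
WebURL;List Default View URL;List Title;Item URL;Name;Type;Permission
https://contoso.com;;;;Contoso Members;SharePoint Group;Contribute
https://contoso.com;https://contoso.com/Lists/Finance/AllItems.aspx;Finance;;Everyone;Domain Group;Read
https://contoso.com/hr;https://contoso.com/Lists/Payroll/AllItems.aspx;Payroll;https://contoso.com/Lists/Payroll/12_.000;CONTOSO\jdoe;Domain User;Full Control
'@ | ConvertFrom-Csv -Delimiter ';'

# Principals that grant access to everybody, and levels that allow changing permissions
# (both lists are assumptions; extend them to match your environment)
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\authenticated users')
$ElevatedLevels  = @('Full Control', 'Design')

# Derive each row's scope from the blank columns, as the column notes describe:
# Item URL set -> item/folder grant; otherwise List Title set -> list grant; otherwise web grant
$Scoped = $Rows | ForEach-Object {
    $scope = if ($_.'Item URL') { 'Item' } elseif ($_.'List Title') { 'List' } else { 'Web' }
    $_ | Add-Member -NotePropertyName Scope -NotePropertyValue $scope -PassThru
}

"Unique-permission grants per web (a large count means a web that is hard to audit):"
$Scoped | Group-Object WebURL | Select-Object Name, Count | Format-Table -AutoSize

"Grants to broad principals at any scope:"
$Scoped | Where-Object { $BroadPrincipals -contains $_.Name } |
    Select-Object Scope, WebURL, 'List Title', Name, Permission | Format-Table -AutoSize

"Elevated permission levels granted below the web level:"
$Scoped | Where-Object { $_.Scope -ne 'Web' -and $ElevatedLevels -contains $_.Permission } |
    Select-Object Scope, 'List Title', 'Item URL', Name, Type, Permission | Format-Table -AutoSize
```

With the constructed rows, the second table lists the Everyone grant on the Finance list and the third lists the Full Control grant on the Payroll item; a real report is typically much larger and the same three views still apply.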


This will not work for SharePoint 2007. I have written one for SharePoint 2007 too; if someone needs it, leave a comment and I will share it out.

Comments

  • Anonymous
    May 21, 2015
    Good one Harmeet, very useful when a site has a number of unique permissions??
  • Anonymous
    January 12, 2016
    Harmeet, can you post the SharePoint 2007 version of this script? It would be very helpful to me. Thanks!
  • Anonymous
    February 06, 2016
    Nice, thanks...
  • Anonymous
    March 09, 2016
    So you have this nice script here to do what I need to do; however, for those of us who are less informed, how and where do you use it? Is it a stand-alone script? Added to a webpage, placed on a SharePoint page in your collection???? Thank you for this answer.
  • Anonymous
    March 09, 2016
    Disregard comment, figured it out :)