Share via

SharePoint 2007: How to Check Effective Permissions of a User in Each Site in a Site Collection

  • Article

We've observed that one of a tedious task for a SharePoint site administrator to check permissions of a user in each site in a site collection. Microsoft Admin Toolkit has provided a functionality that can be used to check effective permissions. This can be downloaded at http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14227 for MOSS 2007 but it provides the way to check permissions only at a site, list and list item level. There is no way to use this at a single run for all sites in a site collection.

Hence, to do this, we have prepared the following PowerShell script. It works with both MOSS 2007 and SPS 2010. This takes two input values. The first is the URL of the site collection and the second one is the user login. The user login should be in the form of Domain\Username

param([switch]$help)
  
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Web")
function GetHelp() {
  
  
$HelpText = @"
  
DESCRIPTION:
This script will enumerate the permissions of the user in all webs under a site collection. This takes two input the user of the site collection and the username.The
  
username should be given in Domain\username format.
"@
$HelpText
  
}
  
function RahulCheckEffectivePermissionsInAllWebs() {
  
write-host "This script will chcek the effective permissions of a user"
write-host "Please enter the url of the site collection"
$url = read-host
write-host "Please enter the username of the user"
$userName = read-host
$site = New-Object Microsoft.SharePoint.SPSite($url)
$serverContext = [Microsoft.Office.Server.ServerContext]::GetContext($site)
$userProfileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($serverContext)
$userProfile = $userProfileManager.GetUserProfile($userName)
$userLogin = $userProfile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value.ToString()
$webs = $site.AllWebs
foreach ($web in $webs)
{
$permissionInfo = $web.GetUserEffectivePermissionInfo($userLogin)
$roles = $permissionInfo.RoleAssignments
write-host "Now checking the permissions of the user "  $userLogin  " " "in the site " $web.Url
for ($i = 0; $i -lt $roles.Count; $i++)
{
$bRoles = $roles[$i].RoleDefinitionBindings
foreach ($roleDefinition in $bRoles)
{
 if ($roles[$i].Member.ToString().Contains('\'))
{
write-host "The User "  $userLogin  " has direct permissions "  $roleDefinition.Name
}
else
{
write-host "The User "  $userLogin  " has permissions "  $roleDefinition.Name  " given via "  $roles[$i].Member.ToString()
                                }
}
}
}
$site.Dispose()
}
  
if($help) { GetHelp; Continue }
else { RahulCheckEffectivePermissionsInAllWebs }