SharePoint 2010: Get Site Users with Full Control/Owners Permissions with PowerShell Script
The following PowerShell script can be used to get users with Full Control permissions in sites.
<# The below PowerShell script enumerates through all sites with unique permissions and fetches users with Full Control Permission granted directly to the site
or through group membership.
#>
#Load SharePoint PowerShell Snapin
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
#Collection of user permission objects
$SiteOwners =@();
#Define all the properties for the user permission object
$Properties = @{Title='';SiteID='';WebID='';WebSiteUrl='';AccessRequestEmail='';Scope='';Login='';UserID='';User='';Email='';LastItemModified='';};
#Site Url
$WebUrl ="";
#Web Application URL
$WebApplicationURL = "<WebAppUrl>";
#Enumerate through all Site Collections and Sites
Get-SPWebApplication -Identity $WebApplicationURL | Get-SPSite -limit all |%{
$siteID=$_.ID;
#Enumerate through all sites within the site collection
Get-SPWeb -limit all -Site $_|%{
$web = $_;
#Check if the site has unique permissions
if(($web.HasUniqueRoleAssignments -eq "True" -or $web.IsRootWeb -eq "True")){
$WebUrl = $web.Url;
#Full Control Role Definition
$FullControl = $web.RoleDefinitions["Full Control"];
#Collection of Groups with Full Control permissions
$OwnerGroups=@();
#Get all Owner groups with Full Control permission
$web.Groups|?{$_.Name -match "Owners"}|%{
$IsGroupFullControl = $_.Roles|?{$_.Name -eq $FullControl.Name;}
$OwnerGroups += $_;
}
try{
<#
SPWeb.Users:
This represents the collection of users or user objects who have been explicitly assigned permissions in the Web site . This does not return users who have access through a group.
SPWeb.AllUsers:
This gives us the collection of user objects who are either members of the site collection or who have atleast navigated to the site as authenticated members of a domain group in the site.
#>
#Enumerate through all Users in the Web
$web.AllUsers|?{$_.LoginName -ne "SHAREPOINT\System" -and $_.Email.Length -gt 0}|%{
#Check User Effective Permissions
if($web.DoesUserHavePermissions($_.LoginName,[Microsoft.SharePoint.SPBasePermissions]::FullMask)){
$user=$_;
#Full Control Permission could have been granted directly or through group membership. Scope will represent these details.
$Scopes=@();
try{
$UserRoleAssignments = $web.RoleAssignments.GetAssignmentByPrincipal($user);
}
catch{}
#Check if user has Full Control Permissions
if($UserRoleAssignments.RoleDefinitionBindings.Contains($FullControl)){
$Scopes += "Site";
#Check for group membership of user in Owners group i.e. groups with Full Control permission
$user.Groups|%{
$Group=$_;
$IsOwnerGroup = $OwnerGroups|?{$_.Name -eq $Group.Name};
if($IsOwnerGroup){
$Scopes += $Group.Name;
}
}
#Create an object for the user permission record
$Owner = New-Object PSObject -Property $Properties;
$Owner.Title = $web.Title;
$Owner.WebID = $web.ID;
$Owner.SiteID = $siteID;
$Owner.WebSiteURL = $web.URL;
$Owner.AccessRequestEmail=$web.RequestAccessEmail;
$Owner.Scope = ($Scopes -join ",");
$Owner.UserID=$user.LoginName.Split("\")[1];
$Owner.Login=$user.LoginName;
$Owner.User=$user.Name;
$Owner.Email=$user.Email;
$Owner.LastItemModified=$web.LastItemModifiedDate.ToString("MM/dd/yyyy");
$SiteOwners +=$Owner;
}
}
}
$web.Dispose();
$_.Dispose();
}
catch [System.Exception]{
Write-Host ($WebUrl + ":" + $_.Exception.Message + ":" + $_.Exception.StackTrace);
}
}
}
#Dispose SPSite
$_.Dispose();
}
$SiteOwners|Export-CSV "D:\SharePoint Administration\SiteOwners.csv" -NoTypeInformation;
See Also
Other Languages
This article is also available in the following languages: