SharePoint 2013–Generating Unique Permissions Report

 

There will be several instances when you will like to generate reports of all the unique permissions that are present through out the site collection.

I have written a script which will generate a CSV report with all the users and groups added on the Web, List, Item or Folder level

Refer to the screenshot CSV report.

image

This report

will contain 7 columns

  1. WebURL – Url of the Site
  2. List Default View URL – Default view of the List. If this is blank that means permission are broken at Web Level and the User-Group reported has been added at the web level. If this contains information then it means permissions have been broken at the list level and the user-group along with permission reported has been added at the List level.
  3. List Title – Title of the list. If this is blank that means permission are broken at Web Level and the User-Group reported has been added at the web level.If this contains information then it means permissions have been broken at the list level and the user-group along with permission reported has been added at the List level.
  4. Item URL – URL of the Item.If this is blank that means permission are broken at Web/list Level and the User-Group reported has been added at the web/list level. If this contains information then it means permissions have been broken at the Item level and the user-group along with permission reported has been added at the Item level.
  5. Name – Name of User or Group
  6. Type – If it’s a Domain Group, Domain User or SharePoint Group
  7. Permission – Permissions granted to the user or group. Note if the OOB permissions levels have been modified then this information might mislead. It’s not a good practice to modify OOB permission levels.

 


Add-PSSnapin Microsoft.SharePoint.Powershell
$Url = "https://contoso.com"  #Replace URL with your site collection
$RootURL = $url.Split("/") # Split function is required for Host based site collection
$RootURL = $RootURL[0] + "/" + $RootURL[1] + "/" + $RootURL[2]

$logTime = Get-Date -Format "Mm-dd-yyyy_hh-mm-ss"
$Columns = "WebURL" + ";" + "List Default View URL" + ";" + "List Title" + ";" + "Item URL" + ";" + "Name" + ";" + "Type" +";"+"Permission"
$logFile = "C:\UniquePermissions" + $logtime + ".csv" # Log Location
$columns | out-file -filepath $logfile -append

$site=Get-SPSite $url

$Webs = $site.AllWebs
foreach($web in $webs)
{

    if($web.HasUniqueRoleAssignments)

      {
        $WebRoles = $Web.RoleAssignments
        foreach($WebRole in $WebRoles)
            {

            $WebRoleBindings = $WebRole.RoleDefinitionBindings
            foreach($WebRoleBinding in $WebRoleBindings)
               {

                if($webrole.Member.IsDomainGroup -eq $null)
                    {
                    $output = $web.url + ";" + ";" + ";" +  ";" + $WebRole.member.Name + ";" + "SharePoint Group" + ";" + $WebRoleBinding.Name
                    $output | out-file -filepath $logfile -append
                    }
                    else
                    {
                        if($webrole.Member.IsDomainGroup)
                        {
                        $output = $web.url + ";" + ";" + ";" +  ";" + $WebRole.member.Name + ";" + "Domain Group" + ";" + $WebRoleBinding.Name
                        $output | out-file -filepath $logfile -append
                        }
                        else
                       
                        {
                        $output = $web.url + ";" + ";" + ";" +  ";" + $WebRole.member.UserLogin + ";" + "Domain User" + ";" + $WebRoleBinding.Name
                        $output | out-file -filepath $logfile -append
                        }
                    }
                }

            }
       
      }
   
    $lists = $web.Lists
    foreach($list in $lists)
    {
        if($list.HasUniqueRoleAssignments)
        {

            $ListRoles = $list.RoleAssignments
            foreach($listRole in $ListRoles)
                {
           
                    $ListRoleBindings = $listrole.RoleDefinitionBindings
                    foreach($ListRoleBinding in $ListRoleBindings)
                    {
               

                if($listrole.Member.IsDomainGroup -eq $null)
                    {
                    $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + ";" + $ListRole.Member.Name + ";" + "SharePoint Group" + ";" + $ListRoleBinding.Name
                        $output | out-file -filepath $logfile -append       
                    }
                    else
                    {
                        if($listrole.Member.IsDomainGroup)
                        {
                        $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + ";" + $ListRole.Member.Name + ";" + "Domain Group" + ";" + $ListRoleBinding.Name
                        $output | out-file -filepath $logfile -append       
                        }
                        else
                       
                        {
                       
                        $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + ";" + $ListRole.Member.UserLogin + ";" + "Domain User" + ";" + $ListRoleBinding.Name
                        $output | out-file -filepath $logfile -append       

                        }
                    }

  
                    }
           
                }

        }

      

        $Uniqueitems = $list.GetItemsWithUniquePermissions()
            foreach($Uniqueitem in $Uniqueitems)
            {

                $item = $list.GetItemById($Uniqueitem.id)
                $itemRoles = $item.RoleAssignments
                foreach($itemRole in $itemroles)
                    {
                    $itemRoleBindings = $itemrole.RoleDefinitionBindings
                    foreach($itemrolebinding in $itemRoleBindings)
                        {
                       

                        if($itemrole.Member.IsDomainGroup -eq $null)
                    {
                   
                    $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + $rooturl+ "/" +$item.Url + ";" + $itemRole.Member.Name + ";" + "SharePoint Group" + ";" + $itemRoleBinding.Name
                        $output | out-file -filepath $logfile -append
                   
                   
                    }
                    else
                    {
                        if($itemrole.Member.IsDomainGroup)
                        {
                       
                    $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + $rooturl+ "/" +$item.Url + ";" + $itemRole.Member.Name + ";" + "Domain Group" + ";" + $itemRoleBinding.Name
                        $output | out-file -filepath $logfile -append

                        }
                        else
                       
                        {
                        $output = $web.url + ";" + $rooturl + $list.DefaultViewUrl + ";" + $list.Title +  ";" + $rooturl+ "/" +$item.Url + ";" + $itemRole.Member.UserLogin + ";" + "Domain User" + ";" + $itemRoleBinding.Name
                        $output | out-file -filepath $logfile -append
                        }
                    }

     }
                    }

            }

    }

    $web.Dispose()

}

$site.Dispose()


This will not work for SharePoint 2007, I have written one for SharePoint 2007 too, if someone needs it then leave a comment and I will share it out.

Comments

  • Anonymous
    May 21, 2015
    Good one Harmeet, very useful when site has number of unique permissions??
  • Anonymous
    January 12, 2016
    Harmeet, can you post the SharePoint 2007 version of this script? It would be very helpful to me. Thanks!
  • Anonymous
    February 06, 2016
    Nice Thanks...
  • Anonymous
    March 09, 2016
    So you have this nice script hear to do what I need to do; however, for the ones of us that are less informed how and where do you use it? is it a stand alone script? added to a webpage, placed on a SharePoint page in your collection???? thank you for this answer.
  • Anonymous
    March 09, 2016
    Disregard Comment figured it out :)