Getting Current List of Users Who Have Permissions to a Site/Web
I ventured out on the task this week of trying to generate a list of users who currently have some level of permissions to a SharePoint site collection or sub site. This turned out to be a more challenging task than one would think. At the site collection level, there is the User Info table. You can find this by browsing to www.YourSiteCollectionUrl/_catalogs/users/simple.aspx. You are able to traverse this list in PowerShell as well. The problem is that this list contains any user who browsed to the site or was given direct permissions to the site at some point in the past. If all permissions are removed for that user, he will still remain in this list.
At the web level, there are 3 properties that exist that should be able to provide some assistance: Users, AllUsers, and SiteUsers
- Users
- MSDN Description: Gets the collection of user objects that are explicitly assigned permissions in the website.
- Issue: Take an example where you break inheritance on a list, and permission a user directly to that list. That list is the only thing the user has permissions to on the site. The user will show up under this property. The problem is when that list is deleted, the user still shows up here. The reason is because that user still shows up under site actions - site settings - site permissions as 'Limited Access' even though they have no current permissions to anything. Manually deleting them from here will get them to stop showing up under this property
- AllUsers
- MSDN Description: Gets the collection of user objects that represents all users who are either members of the site or who have browsed to the site as authenticated members of a domain group in the site.
- Issue: The MSDN description is accurate. It shows you users who have browsed to the site through a domain group that has access. Once that group is removed and the user no longer has permissions, he continues to show up here.
- SiteUsers
- MSDN Description: Gets the collection of all users that belong to the site collection.
- Issue: From what I can tell, this property just mimics what is found in the User Info table, which is not what we want.
Conclusion: All methods of finding users have some flaw when only looking for users who currently have permissions to something on the site. If you know of a way to do this, please share in the comments section!