
[SPS] Dump all permissions for a specific user
Script for discovering SharePoint permissions for a given user. It can get the permissions at all levels that are granted to the user directly or inherited […]
Script for discovering SharePoint permissions for a given user. It can get the permissions at all levels that are granted to the user directly or inherited […]
Here goes:
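# Small WinForms front end that lists the SharePoint apps installed in a host web.
# The operator types a web URL into the text box and clicks "Get Apps"; the app
# titles and app-web URLs are shown in a data grid.
# Requires the SharePoint PowerShell snap-in (run on a SharePoint server).

# Load assemblies and the SharePoint snap-in.
# Add-Type replaces the deprecated Assembly.LoadWithPartialName calls.
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$form = New-Object System.Windows.Forms.Form
$form.Text = "Installed Apps in Host web"

# Text box for the host web URL
$txtHostWebUrl = New-Object System.Windows.Forms.TextBox
$txtHostWebUrl.Location = New-Object System.Drawing.Size(20,19)
$txtHostWebUrl.Size = New-Object System.Drawing.Size(150,23)
$form.Controls.Add($txtHostWebUrl)

# Button that runs the lookup
$GetApps = New-Object System.Windows.Forms.Button
$GetApps.Location = New-Object System.Drawing.Size(170,19)
$GetApps.Size = New-Object System.Drawing.Size(75,23)
$GetApps.Text = "Get Apps"
$GetApps.Add_Click({Populatetable})
$form.Controls.Add($GetApps)

# Data table that backs the grid; [void] keeps the returned column objects
# out of the console output.
$GetAppsTable = New-Object System.Data.DataTable
$GetAppsTable.TableName = "GetApps"
[void]$GetAppsTable.Columns.Add("Title")
[void]$GetAppsTable.Columns.Add("Appwebfullurl")

# Data grid control
$dgDataGrid_Apps = New-Object System.Windows.Forms.DataGrid
$dgDataGrid_Apps.AllowSorting = $True
$dgDataGrid_Apps.Location = New-Object System.Drawing.Size(50,50)
$dgDataGrid_Apps.Size = New-Object System.Drawing.Size(500,350)
$form.Controls.Add($dgDataGrid_Apps)

# Click handler: reads the URL from the text box and fills the grid with the
# apps installed in that web.
function Populatetable
{
    $SiteUrl = $txtHostWebUrl.Text.Trim()
    if ([string]::IsNullOrEmpty($SiteUrl)) { return }

    # Start from an empty table so repeated clicks do not pile up duplicate rows.
    $GetAppsTable.Rows.Clear()

    try
    {
        # The URL is passed as a parameter value. The earlier version built a
        # command string and ran it through Invoke-Expression, which parsed the
        # text box content as PowerShell code (for example anything after a ';')
        # in this elevated SharePoint session.
        $Appdetails = Get-SPAppInstance -Web $SiteUrl -ErrorAction Stop | Select-Object Title, AppWebFullUrl
    }
    catch
    {
        [void][System.Windows.Forms.MessageBox]::Show($form, $_.Exception.Message, "Get Apps")
        return
    }

    foreach ($item in $Appdetails)
    {
        [void]$GetAppsTable.Rows.Add($item.Title, $item.AppWebFullUrl)
    }
    $dgDataGrid_Apps.DataSource = $GetAppsTable
}

$form.TopMost = $true
$form.Add_Shown({$form.Activate()})
[void]$form.ShowDialog()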
Original code from: https://gist.github.com/devendrasv/6bfb2416864c7cacc937#file-installed-apps-in-host-web-ps1
So… here goes:
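Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Writes a tab-separated report of where $SearchUser holds permissions in the
# web application at $WebAppURL. It checks, in order: the Central Administration
# owners group (farm administrators), web application policies, site collection
# administrators, webs with unique permissions and non-hidden lists with unique
# permissions.
#
# Parameters:
#   $WebAppURL    - URL of the web application to scan.
#   $SearchUser   - login name to look for, in the form SharePoint stores it
#                   (for example a claims-encoded login).
#   $OutputReport - report file path; defaults to the location the script has
#                   always used. An existing file is overwritten.
#
# Coverage limits to keep in mind when the report is used for an access review:
#   * Matching is an exact LoginName comparison against direct assignments and
#     SharePoint group members. Access that reaches the user through a directory
#     security group or another principal is not resolved, so an empty report
#     does not prove the user has no access.
#   * Only webs and non-hidden lists with unique role assignments are scanned;
#     folders and items with their own permissions are not.
#   * The report is a map of one account's access, and titles and group names in
#     it are set by site owners. Keep the file in a restricted location and treat
#     its cells as untrusted text when opening it in a spreadsheet.
Function GetUserAccessReport($WebAppURL, $SearchUser, $OutputReport = "C:\Scripts\UserAccessReport.csv")
{
    # Joins permission-level names as "Name; Name;" (the text the report has always used).
    function Join-RoleNames($Roles)
    {
        $Names = @()
        foreach ($Role in $Roles) { $Names += $Role.Name + ";" }
        return ($Names -join " ")
    }

    # Appends one tab-separated row to the report file.
    function Add-ReportRow($Url, $Scope, $Title, $PermissionType, $Permissions)
    {
        "$($Url) `t $($Scope) `t $($Title)`t $($PermissionType) `t $($Permissions)" | Out-File $OutputReport -Append
    }

    # Walks one securable object's role assignments and reports every assignment
    # that names the search user directly or through a SharePoint group.
    function Add-MatchingAssignments($RoleAssignments, $Url, $Scope, $Title, $DirectLabel)
    {
        foreach ($Assignment in $RoleAssignments)
        {
            # A member with a UserLogin is a user entry; anything else is treated as a SharePoint group.
            if ($Assignment.Member.UserLogin)
            {
                if ($Assignment.Member.LoginName -eq $SearchUser)
                {
                    Add-ReportRow -Url $Url -Scope $Scope -Title $Title -PermissionType $DirectLabel -Permissions (Join-RoleNames $Assignment.RoleDefinitionBindings)
                }
            }
            else
            {
                foreach ($user in $Assignment.Member.Users)
                {
                    if ($user.LoginName -eq $SearchUser)
                    {
                        Add-ReportRow -Url $Url -Scope $Scope -Title $Title -PermissionType "Member of $($Assignment.Member.Name) Group" -Permissions (Join-RoleNames $Assignment.RoleDefinitionBindings)
                    }
                }
            }
        }
    }

    if ([string]::IsNullOrEmpty($WebAppURL) -or [string]::IsNullOrEmpty($SearchUser))
    {
        Write-Error "GetUserAccessReport: a web application URL and a user login name are both required."
        return
    }

    # Resolve the web application before writing anything: a mistyped URL would
    # otherwise leave a near-empty report that reads like "no access found".
    $WebApp = Get-SPWebApplication $WebAppURL -ErrorAction SilentlyContinue
    if (-not $WebApp)
    {
        Write-Error "GetUserAccessReport: web application '$WebAppURL' was not found."
        return
    }

    Write-Host "Scanning Farm Administrator Group..."

    # Header row of the tab-separated file. Out-File without -Append replaces any
    # earlier report, so no separate delete step is needed.
    "URL `t Site/List `t Title `t PermissionType `t Permissions" | Out-File $OutputReport

    #### Is the search user a farm administrator? ####
    # The owners group of the Central Administration site is used as the farm administrators group.
    $AdminWebApp = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $AdminSite = Get-SPWeb $AdminWebApp.Url
    try
    {
        $AdminGroupName = $AdminSite.AssociatedOwnerGroup
        $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]

        foreach ($user in $FarmAdminGroup.Users)
        {
            if ($user.LoginName -eq $SearchUser)
            {
                Add-ReportRow -Url $AdminWebApp.Url -Scope "Farm" -Title $AdminSite.Title -PermissionType "Farm Administrator" -Permissions "Farm Administrator"
            }
        }
    }
    finally
    {
        # SPWeb objects hold unmanaged resources and must be disposed explicitly.
        if ($AdminSite) { $AdminSite.Dispose() }
    }

    Write-Host "Scanning Web Application Policies..."

    #### Web application policies ####
    foreach ($Policy in $WebApp.Policies)
    {
        if ($Policy.UserName -eq $SearchUser)
        {
            # Report the scanned web application itself. The row used to carry the
            # Central Administration URL and title, which pointed at the wrong place.
            Add-ReportRow -Url $WebApp.Url -Scope "Web Application" -Title $WebApp.DisplayName -PermissionType "Web Application Policy" -Permissions (Join-RoleNames $Policy.PolicyRoleBindings)
        }
    }

    Write-Host "Scanning Site Collections..."

    #### Site collections, webs and lists ####
    $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

    foreach ($Site in $SiteCollections)
    {
        try
        {
            Write-Host "Scanning Site Collection:" $Site.Url

            # Site collection administrators
            foreach ($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
            {
                if ($SiteCollAdmin.LoginName -eq $SearchUser)
                {
                    Add-ReportRow -Url $Site.RootWeb.Url -Scope "Site" -Title $Site.RootWeb.Title -PermissionType "Site Collection Administrator" -Permissions "Site Collection Administrator"
                }
            }

            foreach ($Web in $Site.AllWebs)
            {
                try
                {
                    # Webs that inherit permissions repeat their parent's assignments, so only
                    # webs with unique role assignments are examined.
                    if ($Web.HasUniqueRoleAssignments -eq $True)
                    {
                        Write-Host "Scanning Site:" $Web.Url
                        Add-MatchingAssignments -RoleAssignments $Web.RoleAssignments -Url $Web.Url -Scope "Site" -Title $Web.Title -DirectLabel "Direct Permission"
                    }

                    # Lists with unique permissions (hidden lists are skipped)
                    foreach ($List in $Web.Lists)
                    {
                        if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                        {
                            Write-Host "Scanning List:" $List.RootFolder.Url

                            # Group-membership rows now carry the list URL and the "List" scope,
                            # like the direct-permission rows; they used to be written with the
                            # web URL and the "Site" scope.
                            Add-MatchingAssignments -RoleAssignments $List.RoleAssignments -Url "$($List.ParentWeb.Url)/$($List.RootFolder.Url)" -Scope "List" -Title $List.Title -DirectLabel "Direct Permissions"
                        }
                    }
                }
                finally
                {
                    # Each SPWeb handed out by AllWebs has to be disposed by the caller.
                    $Web.Dispose()
                }
            }
        }
        finally
        {
            $Site.Dispose()
        }
    }

    Write-Host "`n Access Rights Report Generated!"
}

#Call the function to Check User Access
#GetUserAccessReport "http://2013.pbnet.pbnet.local" "i:0#.w|pbnet\user1"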
OK, so we need to verify when a site was created in SharePoint Online using CSOM and modern authentication. Please see my previous post for […]
OK, so we need to disable the SharePoint Designer functionality for a given list of SPOSites. We will be using CSOM and modern authentication. […]
Copyright © 2025 | PhoeNIXBird Networks