fuente: http://mstechtalk.com/sharepoint-user-permissions-detail-report-for-a-web-application/
Overview:
A site administrator can easily verify and check user permissions from site settings page, steps are quite simple:
Go to Site Settings –> Site Permissions –> Click on Check Permissions Button and enter user name, this will list the user rights for a single user. But what if it is required to list access permission details for all the users in a SharePoint site, this is not possible Out of the Box.
The below listed script methods are helpful is this scenario, it will list all users with their permissions and security group detail. The script will generate a detail drill down report for a Web Application which include all sites, sub sites, lists/libraries and items (if inheritance is break).
PowerShell
#Script written and modified by Adnan Amin #Blog: http://mstechtalk.com #twitter: @adnan_amin #facebook: https://www.facebook.com/groups/SharePoint.Pakistan/ #facebook: https://www.facebook.com/MSTechTalk #The initial idea was taken from another technet gallery script by Salaudeen Rajack at https://gallery.technet.microsoft.com/office/SharePoint-Permission-2840f327 #Script written by Salaudeen only genrate report for a single person, where as below script generates acceess permissions details for all users. Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue Function GetUserAccessReport($WebAppURL, $FileUrl) { #Get All Site Collections of the WebApp $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All #Write CSV- TAB Separated File) Header "URL `t Site/List `t Title `t PermissionType `t Permissions `t LoginName" | out-file $FileUrl #Check Web Application Policies $WebApp= Get-SPWebApplication $WebAppURL foreach ($Policy in $WebApp.Policies) { #Check if the search users is member of the group #if($Policy.UserName -eq $SearchUser) # { #Write-Host $Policy.UserName $PolicyRoles=@() foreach($Role in $Policy.PolicyRoleBindings) { $PolicyRoles+= $Role.Name +";" } #Write-Host "Permissions: " $PolicyRoles "$($AdminWebApp.URL) `t Web Application `t $($AdminSite.Title)`t Web Application Policy `t $($PolicyRoles) `t $($Policy.UserName)" | Out-File $FileUrl -Append #} } #Loop through all site collections foreach($Site in $SiteCollections) { #Check Whether the Search User is a Site Collection Administrator foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators) { "$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator `t $($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append } #Loop throuh all Sub Sites foreach($Web in $Site.AllWebs) { if($Web.HasUniqueRoleAssignments -eq $True) { #Get all the users granted permissions to the list foreach($WebRoleAssignment in $Web.RoleAssignments ) { #Is it a User Account? if($WebRoleAssignment.Member.userlogin) { #Get the Permissions assigned to user $WebUserPermissions=@() foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings) { $WebUserPermissions += $RoleDefinition.Name +";" } #write-host "with these permissions: " $WebUserPermissions #Send the Data to Log file "$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions) `t $($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append } #Its a SharePoint Group, So search inside the group and check if the user is member of that group else { foreach($user in $WebRoleAssignment.member.users) { #Get the Group's Permissions on site $WebGroupPermissions=@() foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings) { $WebGroupPermissions += $RoleDefinition.Name +";" } #write-host "Group has these permissions: " $WebGroupPermissions #Send the Data to Log file "$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions) `t $($user.LoginName)" | Out-File $FileUrl -Append } } } } #******** Check Lists with Unique Permissions ********/ foreach($List in $Web.lists) { if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false)) { #Get all the users granted permissions to the list foreach($ListRoleAssignment in $List.RoleAssignments ) { #Is it a User Account? if($ListRoleAssignment.Member.userlogin) { #Get the Permissions assigned to user $ListUserPermissions=@() foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings) { $ListUserPermissions += $RoleDefinition.Name +";" } #write-host "with these permissions: " $ListUserPermissions #Send the Data to Log file "$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permission1 `t $($ListUserPermissions) `t $($ListRoleAssignment.Member)" | Out-File $FileUrl -Append } #Its a SharePoint Group, So search inside the group and check if the user is member of that group else { foreach($user in $ListRoleAssignment.member.users) { #Get the Group's Permissions on site $ListGroupPermissions=@() foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings) { $ListGroupPermissions += $RoleDefinition.Name +";" } #write-host "Group has these permissions: " $ListGroupPermissions #Send the Data to Log file "$($Web.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($user.LoginName) `t $($user.LoginName)" | Out-File $FileUrl -Append } } } } } } } } #Call the function to Check User Access #GetUserAccessReport "http://sp2013" "c:\users_PermisionReport.csv"
Comentarios