Tuesday, October 30, 2012

Enumerating SharePoint 2007 user permissions

As part of another project, I recently needed to enumerate all the sites, sub-webs, lists and items to determine which users had been assigned which rights.

Originally I came across this post by Roger Cormier, which provided a great base, but had a few issues:
  1. It was SP2010 based (SP2007 doesn't have Get-SPWeb)
  2. It didn't handle Items
  3. It didn't handle sub-sites/webs/lists/items whose parent site/web/list did not have unique permissions.
  4. It didn't handle membership providers
So after some mangling, I submitted this back to Roger.

I then distilled it down to the following script, which is cruder but outputs a CSV that I can use for various automated tasks.

Feel free to do what you like with it.

# Load the SharePoint object model; the result is discarded because only the side effect matters.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
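# Returns the account part of a SharePoint login name: what follows the first
# "\" (Windows "DOMAIN\user") or, failing that, the first ":" (membership
# provider "provider:user").  A name with neither separator is returned as is.
# Only the first separator is honoured, so any later "\" or ":" in the name
# stays in the result instead of being truncated.
function stripProvider([string]$userName)
{
    # [char] forces the ordinal IndexOf overload (IndexOf(string) is culture-sensitive).
    $separator = $userName.IndexOf([char]'\')
    if ($separator -lt 0)
    {
        $separator = $userName.IndexOf([char]':')
    }

    if ($separator -ge 0)
    {
        $userName.Substring($separator + 1)
    }
    else
    {
        $userName
    }
}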

# Returns the source of a login name: the domain of a Windows account
# ("DOMAIN\user" -> "DOMAIN") or the membership provider of a forms account
# ("provider:user" -> "provider").  A name with neither separator yields "",
# which the main script uses to tell SharePoint groups from users.
Function UserSource([string]$userName)
{
    $parts = $userName.Split("\")
    if ($parts.Length -le 1)
    {
        # No backslash, so try the membership-provider separator instead.
        $parts = $userName.Split(":")
    }

    # A single segment means neither separator was present.
    if ($parts.Length -gt 1) { $parts[0] } else { "" }
}


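# Emits one CSV row per principal holding rights on a securable object
# (an SPWeb, SPList or SPListItem) with its own role assignments.
# Columns: scope, kind, account, source, url, roles.  "direct" rows list the
# role definitions bound to the user; "role" rows list the members of a
# SharePoint group and name that group in the last column.
function Write-RoleAssignmentRows([string]$scope, $securable, [string]$url)
{
    foreach ($roleAssignment in $securable.RoleAssignments)
    {
        $member = $roleAssignment.Member
        if ($member -is [Microsoft.SharePoint.SPGroup])
        {
            # SharePoint group: expand it to its members.
            foreach ($user in $member.Users)
            {
                $scope + ",role," + (stripProvider $user.LoginName) + "," + (UserSource $user.LoginName) + "," + $url + "," + $member.Name
            }
        }
        else
        {
            # User (AD, local NT or membership provider) assigned directly.
            # Several role definitions can be bound at once; join them
            # explicitly so the column is never left empty.
            $roleNames = @($roleAssignment.RoleDefinitionBindings | foreach { $_.Name })
            $scope + ",direct," + (stripProvider $member.LoginName) + "," + (UserSource $member.LoginName) + "," + $url + "," + [string]::Join(";", [string[]]$roleNames)
        }
    }
}

$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
$farmWebServices = $farm.Services | where -FilterScript {$_.GetType() -eq [Microsoft.SharePoint.Administration.SPWebService]}
foreach ($farmWebService in $farmWebServices)
{
    foreach ($webApplication in $farmWebService.WebApplications)
    {
        foreach ($site in $webApplication.Sites)
        {
            foreach ($web in $site.AllWebs)
            {
                # A web that inherits permissions was already covered by its parent.
                if ($web.HasUniqueRoleAssignments)
                {
                    Write-RoleAssignmentRows "web" $web $web.Url
                }

                foreach ($aList in $web.Lists)
                {
                    if ($aList.HasUniqueRoleAssignments)
                    {
                        # DefaultViewUrl is server-relative, so resolve it
                        # through the site instead of appending it to the web URL.
                        Write-RoleAssignmentRows "list" $aList ($site.MakeFullUrl($aList.DefaultViewUrl))
                    }

                    # Items are checked even when the list inherits, because
                    # an item can break inheritance on its own.  Walks every
                    # item of every list, so this is slow on large lists.
                    foreach ($anItem in $aList.Items)
                    {
                        if ($anItem.HasUniqueRoleAssignments)
                        {
                            Write-RoleAssignmentRows "item" $anItem ($web.Url + "/" + $anItem.Url)
                        }
                    }
                }

                # Every SPWeb handed out by AllWebs must be released by the caller.
                $web.Dispose()
            }
            $site.Dispose()
        }
    }
}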

1 comment:

Andrew Adamich said...

Thanks a lot for the script. You saved us lots of time.

Andrew