Eritrea Finance

Jan 31 2018

SharePoint 2013 User Permission Analysis & Reporting using PowerShell


Analysing SharePoint permissions for a particular user is a common task in SharePoint administration. How do we usually check what permissions a user has on SharePoint content? By opening the site or list settings page and checking permissions for that user. But you may want to analyze a particular user's permissions across your entire SharePoint environment. Every SharePoint site, list, library, folder and list item may have unique permissions, and it gets even more challenging when you have multiple SharePoint farms.

Well, PowerShell is the life saver! Here is my permission reporting solution, which scans a SharePoint web application and reports a user's permissions on it. With this script you can analyze and track security effectively: check which permissions an account has been granted everywhere in SharePoint. This PowerShell script scans the areas below to retrieve a specific user's access rights:

  • Farm administrators group
  • Central Administration web application policies
  • Site collection administrators
  • All site collections and sub-sites with unique permissions to which the user has access
  • All lists and libraries with unique permissions to which the user has access
  • All folders and list items with unique permissions in the site to which the user has access

Just change the Input variables section and provide parameters for User Id, Web Application and Report path variables and run the script in PowerShell.

After scanning, this script generates a CSV file, which can be exported as an Excel file for further research and analysis outside the SharePoint environment. It captures data such as Object, Title, URL, Permission Type and Permissions, as in the screenshot below.

PowerShell Script to Generate User Permission Report in SharePoint 2010/2013

This script is broken into two functions, so that you can use the first function, Get-PermissionInfo, to get permissions data scoped to a site collection or site. The script above is scoped to a particular web application. You can call the same function on all your web applications to get permission reports for the entire SharePoint environment.
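A reduced sketch of the per-object check described above, added here as an example and not the original script: it covers only the webs and lists of one site collection, records whether access comes from a SharePoint group, a domain group or a direct grant, and writes the CSV in a single pass. The function name Get-UserAccessRow and the values of $UserID, $SiteUrl and $ReportPath are hypothetical.

```powershell
# Added example, not the original script. Run on a farm server with an account that can read the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emits one row per role assignment through which $UserID has access to $Object.
Function Get-UserAccessRow([String]$UserID, [Microsoft.SharePoint.SPSecurableObject]$Object, [String]$Title, [String]$Url)
{
    Try { $Info = $Object.GetUserEffectivePermissionInfo($UserID) }
    Catch { Write-Warning "Skipped $Url - $($_.Exception.Message)"; Return }

    ForEach ($Assignment in $Info.RoleAssignments)
    {
        # "Limited Access" only lets the user traverse to a child object, so leave it out.
        $Levels = @($Assignment.RoleDefinitionBindings | Where-Object { $_.Name -ne "Limited Access" } | ForEach-Object { $_.Name })
        If ($Levels.Count -eq 0) { Continue }

        # Show how access was granted: SharePoint group, domain group, or the account itself.
        If ($Assignment.Member -is [Microsoft.SharePoint.SPGroup]) { $Via = "SharePoint group: $($Assignment.Member.Name)" }
        ElseIf ($Assignment.Member.IsDomainGroup) { $Via = "Domain group: $($Assignment.Member.LoginName)" }
        Else { $Via = "Direct permission" }

        New-Object PSObject -Property @{
            Object = $Object.GetType().Name; Title = $Title; URL = $Url
            PermissionType = $Via; Permissions = ($Levels -join ", ")
        }
    }
}

# Hypothetical inputs: replace with your own values.
$UserID     = "CONTOSO\jdoe"
$SiteUrl    = "http://sharepoint.example.com/sites/team"
$ReportPath = "C:\Temp\UserAccessReport.csv"

$Site = Get-SPSite $SiteUrl
$Rows = @(ForEach ($Web in $Site.AllWebs)
{
    If ($Web.HasUniqueRoleAssignments) { Get-UserAccessRow $UserID $Web $Web.Title $Web.Url }
    ForEach ($List in $Web.Lists)
    {
        If ($List.HasUniqueRoleAssignments)
        {
            Get-UserAccessRow $UserID $List $List.Title "$($Web.Url)/$($List.RootFolder.Url)"
        }
    }
    $Web.Dispose()
})
$Site.Dispose()

# Export once at the end: Export-Csv has no -Append parameter before PowerShell 3.0.
$Rows | Select-Object Object, Title, URL, PermissionType, Permissions | Export-Csv $ReportPath -NoTypeInformation
```

The resulting CSV maps where an account has access, so write it to a location with restricted file permissions.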


You have written a great script for SharePoint admins. I have exactly the same requirements, but it's for all users, including folder permissions if it's unique folder permissions.

I have seen comments that other users are looking for the same, i.e. for all users.
Function Get-PermissionInfo([String]$UserID, [Microsoft.SharePoint.SPSecurableObject]$Object)

requires userID, and I tried to use this function so that it accepts only the $Object, but was not able to manage all users using your script.

Any pointer would be greatly appreciated.

I am unable to get this script to work on my 2010 SP farm. I am running Classic/NTLM authentication. I am not using claims.

Can you please help me?

All I do is change the parameters at the very bottom, the URL and the User ID, and the location of the CSV file.

I get the following errors (it states the user does not exist, but I know 10000% my own ID does exist):

GetUserEffectivePermissionInfo. Exception calling GetUserEffectivePermissionI
nfo with 1 argument(s): The user does not exist or is not unique.
At line:24 char:62
+ $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo ($UserID)
+ CategoryInfo. NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId. DotNetMethodException

Export-csv. A parameter cannot be found that matches parameter name Append .
At line:73 char:75
+ $WebPermissions | Export-csv $ReportPath -notypeinformation -Append

+ CategoryInfo. InvalidArgument: (:) [Export-Csv], ParameterBind
ingException
+ FullyQualifiedErrorId. NamedParameterNotFound,Microsoft.PowerShell.Comm
ands.ExportCsvCommand

Scanning Lists on http://portal10a:31437.
GetUserEffectivePermissionInfo. Exception calling GetUserEffectivePermissionI
nfo with 1 argument(s): The user does not exist or is not unique.
At line:24 char:62
+ $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo ($UserID)
+ CategoryInfo. NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId. DotNetMethodException

Export-csv. A parameter cannot be found that matches parameter name Append .
At line:84 char:76
+ $ListPermissions | Export-csv $ReportPath -notypeinformation -Append

+ CategoryInfo. InvalidArgument: (:) [Export-Csv], ParameterBind
ingException
+ FullyQualifiedErrorId. NamedParameterNotFound,Microsoft.PowerShell.Comm
ands.ExportCsvCommand

GetType. You cannot call a method on a null-valued expression.
At line:6 char:27
+ switch($Object.GetType ().FullName)
+ CategoryInfo. InvalidOperation: (GetType:String) [], RuntimeEx
ception
+ FullyQualifiedErrorId. InvokeMethodOnNull

GetUserEffectivePermissionInfo. You cannot call a method on a null-valued expr
ession.
At line:24 char:62
+ $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo ($UserID)
+ CategoryInfo. InvalidOperation: (GetUserEffectivePermissionInf
o:String) [], RuntimeException
+ FullyQualifiedErrorId. InvokeMethodOnNull

Is there a way to determine if an Active Directory user account was used versus an Active Directory group? Is there an attribute to check to see if it's one or the other? I'm trying to create a report that shows me where individual user accounts are set instead of using their AD role group.


Written by admin

