Thursday, September 26, 2013

How To Generate SharePoint Security Report for All Users using Powershell and Export that to Excel

Step 1: Create The Function

==========================================
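<#
.SYNOPSIS
    Reports the effective role assignments of one or more users on a
    SharePoint securable object (SPWeb, SPList or SPListItem).
.PARAMETER users
    Login names, SPUser objects, or objects exposing a LoginName property
    (for example the output of "Select-Object LoginName").
.PARAMETER InputObject
    The securable object to evaluate. When omitted, the current pipeline
    item ($_) is used instead.
.OUTPUTS
    One PSObject per role assignment, with the properties Resource,
    "Resource Type", User, Permission and "Granted By".
.NOTES
    A user for whom no role assignments are returned produces no output row,
    so a missing row means "no assignment found", not "not evaluated".
    Resource stays $null for securable types other than SPWeb, SPList and
    SPListItem.
    Group and login names are emitted unchanged. Treat them as untrusted
    text if the output is later opened in a spreadsheet.
#>
function Get-SPUserEffectivePermissions(
    [object[]]$users,
    [Microsoft.SharePoint.SPSecurableObject]$InputObject) {

    begin { }
    process {
        # Prefer the explicit argument; fall back to the pipeline item.
        $so = $InputObject
        if ($null -eq $so) { $so = $_ }

        if ($so -isnot [Microsoft.SharePoint.SPSecurableObject]) {
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }

        # The URL depends only on the securable object, so resolve it once
        # instead of once per user.
        $resource = $null
        if ($so -is [Microsoft.SharePoint.SPWeb]) {
            $resource = $so.Url
        } elseif ($so -is [Microsoft.SharePoint.SPList]) {
            $resource = $so.ParentWeb.Site.MakeFullUrl($so.RootFolder.ServerRelativeUrl)
        } elseif ($so -is [Microsoft.SharePoint.SPListItem]) {
            $resource = $so.ParentList.ParentWeb.Site.MakeFullUrl($so.Url)
        }
        $resourceType = $so.GetType().Name

        foreach ($user in $users) {
            # Accept either a bare login name or an object carrying LoginName.
            $loginName = $user
            if ($user -is [Microsoft.SharePoint.SPUser] -or $user -is [PSCustomObject]) {
                $loginName = $user.LoginName
            }
            # The message promises "null or empty", so reject both here
            # rather than passing an empty name on to SharePoint.
            if ([string]::IsNullOrEmpty($loginName)) {
                throw "The provided user is null or empty. Specify a valid SPUser object or login name."
            }

            # Ask SharePoint for the user's effective permission details.
            $permInfo = $so.GetUserEffectivePermissionInfo($loginName)

            $roleAssignments = $permInfo.RoleAssignments
            if ($roleAssignments.Count -gt 0) {
                foreach ($roleAssignment in $roleAssignments) {
                    $member = $roleAssignment.Member

                    # Collect the permission level names bound to this assignment.
                    $permNames = foreach ($definition in $roleAssignment.RoleDefinitionBindings) {
                        $definition.Name
                    }

                    # Work out how the permission reached the user: through a
                    # SharePoint group, through a domain group, or directly.
                    $assignment = "Direct Assignment"
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $assignment = $member.Name
                    } elseif ($member.IsDomainGroup -and ($member.LoginName -ne $loginName)) {
                        $assignment = $member.LoginName
                    }

                    # Emit one report row to the pipeline.
                    New-Object PSObject -Property @{
                        Resource        = $resource
                        "Resource Type" = $resourceType
                        User            = $loginName
                        Permission      = @($permNames) -join ", "
                        "Granted By"    = $assignment
                    }
                }
            }
        }
    }
    end {}
}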

==========================================

Step 2: Call the Function to generate the Report

To Get Site Collection Permission

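# Web-level permission report for every web in the site collection.
# NOTE(review): only principals present in RootWeb.SiteUsers are evaluated;
# accounts that reach the site solely through a domain group may not be
# listed individually. Confirm before treating the report as complete.
# The CSV shows who can access what, so keep it in an access-restricted
# folder. Export-Csv does not neutralise values starting with = + - or @.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite http://mysite/sites/demant
    $siteUsers = $site.RootWeb.SiteUsers | Select-Object LoginName
    $webPermissions = $site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions $siteUsers
    #$listPermissions = $site | Get-SPWeb -Limit All | %{$_.Lists |? {$_.GetType().Name -ne "SPDocumentLibrary" -and -not $_.hidden} | Get-SPUserEffectivePermissions ($site.RootWeb.SiteUsers | select LoginName)}
    $webPermissions | Export-Csv -NoTypeInformation -Path c:\perms_Site.csv
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}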

To Get List Permission

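# Permission report for every visible list that is not a document library.
# The CSV shows who can access what, so keep it in an access-restricted
# folder. Export-Csv does not neutralise values starting with = + - or @.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite http://mysite/sites/demant
    $siteUsers = $site.RootWeb.SiteUsers | Select-Object LoginName
    #$webPermissions = $site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions ($site.RootWeb.SiteUsers | select LoginName)
    $listPermissions = $site | Get-SPWeb -Limit All | ForEach-Object {
        $_.Lists |
            Where-Object { $_.GetType().Name -ne "SPDocumentLibrary" -and -not $_.hidden } |
            Get-SPUserEffectivePermissions $siteUsers
    }
    $listPermissions | Export-Csv -NoTypeInformation -Path c:\perms_List.csv
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}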


To Get Doc Lib Permission

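# Permission report for visible document libraries.
# The original filter embedded "$SystemLists = @(...)" inside the -and chain,
# which is not a valid condition. The list is now defined up front and used
# to skip the built-in libraries by title.
# NOTE(review): excluding these titles is the presumed intent; confirm.
# This writes to the same file as the list report above and overwrites it.
# Keep the CSV in an access-restricted folder; it shows who can access what.
$SystemLists = @("Pages", "Converted Forms", "Master Page Gallery", "Customized Reports", "Documents", "Form Templates", "Images", "List Template Gallery", "Theme Gallery", "Reporting Templates", "Site Collection Documents", "Site Collection Images", "Site Pages", "Solution Gallery", "Style Library", "Web Part Gallery", "Site Assets", "wfpub")

$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite http://mysite/sites/demant
    $siteUsers = $site.RootWeb.SiteUsers | Select-Object LoginName
    #$webPermissions = $site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions ($site.RootWeb.SiteUsers | select LoginName)
    $listPermissions = $site | Get-SPWeb -Limit All | ForEach-Object {
        $_.Lists |
            Where-Object {
                ($_.GetType().Name -eq "SPDocumentLibrary") -and
                (-not $_.Hidden) -and
                ($SystemLists -notcontains $_.Title)
            } |
            Get-SPUserEffectivePermissions $siteUsers
    }
    $listPermissions | Export-Csv -NoTypeInformation -Path c:\perms_List.csv
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}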


To Get All Sites, List & Document Library Permission (Without Hidden Doc Lib & Lists)

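# Combined report: webs, visible document libraries and visible lists.
# NOTE(review): only principals present in RootWeb.SiteUsers are evaluated;
# accounts that reach the site solely through a domain group may not be
# listed individually. Confirm before treating the report as complete.
# Item- and folder-level permissions are not collected (see the commented
# lines), so uniquely secured items and folders are outside this report.
# Keep the CSV in an access-restricted folder; Export-Csv does not
# neutralise values starting with = + - or @.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite http://mysite/sites/demant
    $siteUsers = $site.RootWeb.SiteUsers | Select-Object LoginName

    $webPermissions = $site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions $siteUsers
    $listDocLibPermissions = $site | Get-SPWeb -Limit All | ForEach-Object {
        $_.Lists |
            Where-Object { $_.GetType().Name -eq "SPDocumentLibrary" -and -not $_.hidden } |
            Get-SPUserEffectivePermissions $siteUsers
    }
    $listPermissions = $site | Get-SPWeb -Limit All | ForEach-Object {
        $_.Lists |
            Where-Object { $_.GetType().Name -ne "SPDocumentLibrary" -and -not $_.hidden } |
            Get-SPUserEffectivePermissions $siteUsers
    }
    #$ItemPermissions = $site | Get-SPWeb -Limit All | %{$_.Lists | %{$_.Items | Get-SPUserEffectivePermissions ($site.RootWeb.SiteUsers | select LoginName)}}
    #$folderPermissions = $site | Get-SPWeb -Limit All | %{$_.Lists | %{$_.Folders | Get-SPUserEffectivePermissions ($site.RootWeb.SiteUsers | select LoginName)}}

    # Wrap each result in @() so the concatenation also works when a query
    # returns a single row (a lone PSObject has no "+" operator) or nothing.
    $allPermissions = @($webPermissions) + @($listDocLibPermissions) + @($listPermissions)
    $allPermissions | Export-Csv -NoTypeInformation -Path c:\perms_ab_Final.csv
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}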


