Posted on:
Categories: SharePoint
Description: A useful PowerShell tool for getting the unique permission levels of all users down to the item level in SharePoint 2010/2013.
In Microsoft's TechNet Gallery, 2 of the top 10 most popular SharePoint resources are PowerShell scripts that help administrators get a permissions report for users in SharePoint 2010/2013:

1) Salaudeen Rajack - SharePoint 2013 Permission Report: Find Access Rights for Specific User in Farm
2) Amin, Adnan - SharePoint User Permissions detail report for a Web Application

The first script gets permissions for a single user, while the second script gets them for all users, but only down to the list/library level. Both scripts also have a couple of bugs and formatting issues in their output files.

I had a client that was doing some unique permissions at the folder level. They also had some items that were uniquely secured. Therefore, there was a need for a script that could drill down to the folder/item level for all users and have all the bugs fixed. My version of the script is below.

    # Credits to Adnan Amin and Salaudeen Rajack for their original ideas
    # This script gets permissions for all users in a web application on all objects (web application > site collection > web > list/library > item)
    # Note that unlike Salaudeen's original script, this script shows Limited Access permissions.
    # Note that AD groups and users in AD groups are not included

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    Function GetUserAccessReport($WebAppURL, $FileUrl) {
        Write-Host "Generating permission report..."

        #Get All Site Collections of the WebApp
        $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

        #Write CSV (TAB Separated File) Header
        "URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions `tLoginName" | Out-File $FileUrl

        #Check Web Application Policies
        $WebApp = Get-SPWebApplication $WebAppURL
        foreach ($Policy in $WebApp.Policies) {
            $PolicyRoles = @()
            foreach ($Role in $Policy.PolicyRoleBindings) {
                $PolicyRoles += $Role.Name + ";"
            }
            "$($WebApp.Url)`tWeb Application`t$($WebApp.Name)`tWeb Application Policy`t$($PolicyRoles)`t$($Policy.UserName)" | Out-File $FileUrl -Append
        }

        #Loop through all site collections
        foreach ($Site in $SiteCollections) {
            #List the Site Collection Administrators
            foreach ($SiteCollAdmin in $Site.RootWeb.SiteAdministrators) {
                "$($Site.RootWeb.Url)`tSite`t$($Site.RootWeb.Title)`tSite Collection Administrator`tSite Collection Administrator`t$($SiteCollAdmin.LoginName)" | Out-File $FileUrl -Append
            }

            #Loop through all Sub Sites
            foreach ($Web in $Site.AllWebs) {
                if ($Web.HasUniqueRoleAssignments -eq $True) {
                    #Get all the users granted permissions to the site
                    foreach ($WebRoleAssignment in $Web.RoleAssignments) {
                        #Is it a User Account?
                        if ($WebRoleAssignment.Member.userlogin) {
                            #Get the Permissions assigned to user
                            $WebUserPermissions = @()
                            foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings) {
                                $WebUserPermissions += $RoleDefinition.Name + ";"
                            }
                            #Send the Data to Log file
                            "$($Web.Url)`tSite`t$($Web.Title)`tDirect Permission`t$($WebUserPermissions) `t$($WebRoleAssignment.Member.LoginName)" | Out-File $FileUrl -Append
                        }
                        #It's a SharePoint Group, so report every member of the group
                        else {
                            foreach ($user in $WebRoleAssignment.member.users) {
                                #Get the Group's Permissions on site
                                $WebGroupPermissions = @()
                                foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings) {
                                    $WebGroupPermissions += $RoleDefinition.Name + ";"
                                }
                                #Send the Data to Log file
                                "$($Web.Url)`tSite`t$($Web.Title)`tMember of $($WebRoleAssignment.Member.Name) Group`t$($WebGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
                            }
                        }
                    }
                }

                #******** Check Lists, Folders, and Items with Unique Permissions ********/
                foreach ($List in $Web.lists) {
                    if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false)) {
                        #Get all the users granted permissions to the list
                        foreach ($ListRoleAssignment in $List.RoleAssignments) {
                            #Is it a User Account?
                            if ($ListRoleAssignment.Member.userlogin) {
                                #Get the Permissions assigned to user
                                $ListUserPermissions = @()
                                foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings) {
                                    $ListUserPermissions += $RoleDefinition.Name + ";"
                                }
                                #Send the Data to Log file
                                "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member)" | Out-File $FileUrl -Append
                            }
                            #It's a SharePoint Group, so report every member of the group
                            else {
                                foreach ($user in $ListRoleAssignment.member.users) {
                                    #Get the Group's Permissions on the list
                                    $ListGroupPermissions = @()
                                    foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings) {
                                        $ListGroupPermissions += $RoleDefinition.Name + ";"
                                    }
                                    #Send the Data to Log file
                                    "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
                                }
                            }
                        }
                    }

                    #Get Folder level permissions
                    foreach ($Folder in $List.folders) {
                        if ($Folder.HasUniqueRoleAssignments -eq $True) {
                            #Get all the users granted permissions to the folder
                            foreach ($FolderRoleAssignment in $Folder.RoleAssignments) {
                                #Is it a User Account?
                                if ($FolderRoleAssignment.Member.userlogin) {
                                    #Get the Permissions assigned to user
                                    $FolderUserPermissions = @()
                                    foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings) {
                                        $FolderUserPermissions += $RoleDefinition.Name + ";"
                                    }
                                    #Send the Data to Log file
                                    "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member)" | Out-File $FileUrl -Append
                                }
                                #It's a SharePoint Group, so report every member of the group
                                else {
                                    foreach ($user in $FolderRoleAssignment.member.users) {
                                        #Get the Group's Permissions on the folder
                                        $FolderGroupPermissions = @()
                                        foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings) {
                                            $FolderGroupPermissions += $RoleDefinition.Name + ";"
                                        }
                                        #Send the Data to Log file
                                        "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
                                    }
                                }
                            }
                        }
                    }

                    #Get Item level permissions
                    foreach ($Item in $List.items) {
                        if ($Item.HasUniqueRoleAssignments -eq $True) {
                            #Get all the users granted permissions to the item
                            foreach ($ItemRoleAssignment in $Item.RoleAssignments) {
                                #Is it a User Account?
                                if ($ItemRoleAssignment.Member.userlogin) {
                                    #Get the Permissions assigned to user
                                    $ItemUserPermissions = @()
                                    foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings) {
                                        $ItemUserPermissions += $RoleDefinition.Name + ";"
                                    }
                                    #Prepare item's absolute Url and Name
                                    $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
                                    if ($ItemDispForm.Url) {
                                        $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
                                    }
                                    else {
                                        $ItemUrl = "$($Item.Url)"
                                    }
                                    if ($Item.Name) {
                                        $ItemTitle = $Item.Name
                                    }
                                    else {
                                        $ItemTitle = $Item.Title
                                    }
                                    #Send the Data to Log file
                                    "$($ItemUrl)`tItem`t$($ItemTitle)`tDirect Permission`t$($ItemUserPermissions) `t$($ItemRoleAssignment.Member)" | Out-File $FileUrl -Append
                                }
                                #It's a SharePoint Group, so report every member of the group
                                else {
                                    foreach ($user in $ItemRoleAssignment.member.users) {
                                        #Get the Group's Permissions on the item
                                        $ItemGroupPermissions = @()
                                        foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings) {
                                            $ItemGroupPermissions += $RoleDefinition.Name + ";"
                                        }
                                        #Prepare item's absolute Url and Name
                                        $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
                                        if ($ItemDispForm.Url) {
                                            $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
                                        }
                                        else {
                                            $ItemUrl = "$($Item.Url)"
                                        }
                                        if ($Item.Name) {
                                            $ItemTitle = $Item.Name
                                        }
                                        else {
                                            $ItemTitle = $Item.Title
                                        }
                                        #Send the Data to Log file
                                        "$($ItemUrl)`tItem`t$($ItemTitle)`tMember of $($ItemRoleAssignment.Member.Name) Group`t$($ItemGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    #Call the function to generate the access report
    GetUserAccessReport "http://mysite" "C:\SharePoint_Permission_Report.csv"
    Write-Host "Complete"

Here is the output of the script: [image]

Download and rate my script on TechNet - https://gallery.technet.microsoft.com/SharePoint-Permissions-f42ea9db

Note that AD groups and users in AD groups are not included in the report. I might work on it if there is enough demand for this :)
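
As an added example (not part of the original post or the TechNet script), the following PowerShell reads the tab-separated report that the script writes and lists the rows a permissions review would look at first: direct grants on folders or items, and Full Control on any object below site level. The sample rows, the CONTOSO accounts, the function name Get-PermissionFinding and the two review criteria are assumptions made for illustration.

```powershell
# Added example: triage the tab-separated report written by GetUserAccessReport.
# Column names are our own; the report's header row is skipped (see below).
$columns = 'Url','Scope','Title','PermissionType','Permissions','LoginName'

$sampleReport = @(   # constructed sample data, including the header row
    "URL`tSite/List/Folder/Item`tTitle/Name`tPermissionType`tPermissions `tLoginName"
    "http://mysite`tSite`tHome`tSite Collection Administrator`tSite Collection Administrator`tCONTOSO\spadmin"
    "http://mysite`tSite`tHome`tMember of Home Visitors Group`tRead;`tCONTOSO\alice"
    "http://mysite/Shared Documents/HR`tFolder`tHR`tDirect Permission`tFull Control; `tCONTOSO\bob"
    "http://mysite/Lists/Contracts/DispForm.aspx?ID=7`tItem`tcontract.docx`tDirect Permission`tContribute; Limited Access; `tCONTOSO\alice"
    "http://mysite/Lists/Contracts/DispForm.aspx?ID=7`tItem`tcontract.docx`tMember of Legal Group`tRead;`tCONTOSO\carol"
)

function Get-PermissionFinding {
    param([string[]]$ReportLines)

    # The header row contains slashes and a trailing space, so it is skipped
    # and replaced by the explicit column names defined above.
    $rows = $ReportLines | Select-Object -Skip 1 |
        ConvertFrom-Csv -Delimiter "`t" -Header $columns

    foreach ($row in $rows) {
        # Permission levels are written as "Name; Name; " - split and trim them
        $levels = ([string]$row.Permissions).Split(';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $reasons = @()
        if ($row.PermissionType -eq 'Direct Permission' -and $row.Scope -in 'Folder','Item') {
            $reasons += 'direct grant below list level'      # assumed review criterion
        }
        if ($levels -contains 'Full Control' -and $row.Scope -ne 'Site') {
            $reasons += 'Full Control on a uniquely secured object'   # assumed review criterion
        }
        if ($reasons) {
            [pscustomobject]@{
                LoginName = $row.LoginName
                Scope     = $row.Scope
                Url       = $row.Url
                Levels    = $levels -join ', '
                Reason    = $reasons -join '; '
            }
        }
    }
}

Get-PermissionFinding -ReportLines $sampleReport | Format-Table -AutoSize -Wrap
```

For a real report, pass the output of Get-Content on the report file as -ReportLines; the -in operator requires PowerShell 3.0 or later.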




Posted on:
Categories: Office 365;PowerShell;SharePoint
Description: How to activate a hidden feature in SharePoint online
Recently I was faced with an error message in our SharePoint Online tenant when trying to activate the Community Site feature. The error message looked like this:

    Site The Site scoped feature being activated has a dependency on hidden Site Collection scoped feature 'FeatureDefinition/15/4326e7fc-f35a-4b0f-927c-36264b0a4cf0' (ID '4326e7fc-f35a-4b0f-927c-36264b0a4cf0'). Hidden features cannot be auto-activated across scopes. There may be one or more visible Site Collection scoped features that auto-activate the dependent hidden feature.

Obviously, a feature was missing, but the error message did not say exactly which feature was missing. Only the GUID of the feature was displayed.

To solve this problem, the SharePoint Online Management Shell can be used. If this helpful shell has not been installed, you can download the installer from this site: https://www.microsoft.com/en-ca/download/details.aspx?id=35588

After the shell has been installed, be sure to run it as an Administrator! To activate a feature by its feature ID, you can use this script:

    # Load the SharePoint client (CSOM) assembly installed with the SharePoint Online Management Shell
    $programFilesDirectory = [environment]::getfolderpath("programfiles")
    Add-Type -Path (Join-Path $programFilesDirectory 'SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll')

    Write-Host 'Enter credentials and site URL'
    $siteurl = Read-Host "Site Url"
    $featureGUID = Read-Host "GUID of feature"
    $username = Read-Host "User Name"
    # The password is read as a SecureString and is not echoed to the console
    $password = Read-Host -AsSecureString "Password"

    # Connect to the site collection with the supplied credentials
    [Microsoft.SharePoint.Client.ClientContext]$ClientContext = New-Object Microsoft.SharePoint.Client.ClientContext($siteurl)
    $ClientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)

    # Activate the feature on the site collection by its GUID
    $site = $ClientContext.Site
    $feature = New-Object System.Guid $featureGUID
    $site.Features.Add($feature, $true, [Microsoft.SharePoint.Client.FeatureDefinitionScope]::None)
    $ClientContext.ExecuteQuery()

    Write-Host 'Feature enabled'

Simply copy and paste this script to the SharePoint Online Management Shell and run it. Be sure to enter the site URL, the GUID of the feature and proper credentials. Usually it will take a little time (about 10-15 seconds) for SharePoint Online to activate the feature. If you do not get an error message (and see 'Feature enabled'), the feature should have been activated.