PowerShell Script to Check and Generate Report on Access Rights for a Specific User:
Requirement: To ensure security, generate a permissions report on all locations (sites, lists, etc.) where a specific user has permissions.
When people move from one role to another, it's necessary to audit their permissions on the sites and lists where they have access rights. Unfortunately, there is no out-of-the-box way to find all sites and lists where a particular user has been granted access in SharePoint without using third-party tools. Luckily, we have PowerShell! Let's find all SharePoint sites and lists where a particular user has access rights.
With this script, you can analyze and track security effectively by checking what permissions an account has been granted in all places in SharePoint. This PowerShell script scans these areas to retrieve a specific user's access rights:
• Farm Administrators group
• Central Administration web application policies
• Site collection administrators
• All site collections and sub-sites with unique permissions
• All lists and libraries with unique permissions
• All groups which have permissions on sites and lists
After executing, the script generates a CSV file (tab-separated, in fact!) with these details: URL, Site/List, Title, Permission Type.
Limitation: Currently, it doesn't account for Active Directory groups! For example, an Active Directory security group may include the user you are searching for, and that group may be granted access rights. Also, it doesn't go down to the list item level; it stops at the list.
Source: http://gallery.technet.microsoft.com/sharepoint/SharePoint-Permission-2840f327
    #Load the SharePoint snap-in when not running inside the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    Function GetUserAccessReport($WebAppURL, $SearchUser)
    {
        #Get All Site Collections of the WebApp
        $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All

        #Write CSV (TAB Separated File) Header
        "URL `t Site/List `t Title `t PermissionType `t Permissions" | Out-File UserAccessReport.csv

        #Check Whether the Search User is a Farm Administrator
        $AdminWebApp = Get-SPWebApplication -IncludeCentralAdministration | Where-Object {$_.IsAdministrationWebApplication}
        $AdminSite = Get-SPWeb $AdminWebApp.Url
        $AdminGroupName = $AdminSite.AssociatedOwnerGroup
        $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]

        foreach ($user in $FarmAdminGroup.Users)
        {
            if($user.LoginName -eq $SearchUser)
            {
                "$($AdminWebApp.Url) `t Farm `t $($AdminSite.Title)`t Farm Administrator `t Farm Administrator" | Out-File UserAccessReport.csv -Append
            }
        }

        #Check Web Application Policies
        $WebApp = Get-SPWebApplication $WebAppURL

        foreach ($Policy in $WebApp.Policies)
        {
            #Check if the policy is assigned to the search user
            if($Policy.UserName -eq $SearchUser)
            {
                #Collect the names of the roles bound to this policy
                $PolicyRoles = @()
                foreach($Role in $Policy.PolicyRoleBindings)
                {
                    $PolicyRoles += $Role.Name + ";"
                }
                #Report the web application that carries the policy, not Central Administration
                "$($WebApp.Url) `t Web Application `t $($WebApp.DisplayName)`t Web Application Policy `t $($PolicyRoles)" | Out-File UserAccessReport.csv -Append
            }
        }

        #Loop through all site collections
        foreach($Site in $SiteCollections)
        {
            #Check Whether the Search User is a Site Collection Administrator
            foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
            {
                if($SiteCollAdmin.LoginName -eq $SearchUser)
                {
                    "$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File UserAccessReport.csv -Append
                }
            }
        }
        #The listing on this page ends here; the sub-site, list and group scans are not shown
    }
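To review the report the script writes, the sketch below parses its tab-separated rows, trims the space padding the script puts around every field, splits the policy roles, and sorts the farm, web application policy and site collection administrator entries to the top. It is an added example, not part of the original script: the function name ConvertFrom-AccessReport, the Elevated flag and the sample rows (including the "Direct Permission" type) are assumptions made for illustration, and it expects PowerShell 3.0 or later.

```powershell
# Added example: parse the tab-separated report written by GetUserAccessReport.
# ConvertFrom-AccessReport and the Elevated flag are hypothetical names.
function ConvertFrom-AccessReport {
    param([Parameter(Mandatory)][string[]]$Line)

    # Permission types written by the listing above; each one sits above the
    # per-site permission checks, so these rows are flagged for review first.
    $elevatedTypes = 'Farm Administrator', 'Web Application Policy', 'Site Collection Administrator'

    foreach ($row in ($Line | Select-Object -Skip 1)) {    # first line is the header
        if ([string]::IsNullOrWhiteSpace($row)) { continue }
        # The script pads fields with spaces around each tab, so trim every field
        $f = @($row -split "`t" | ForEach-Object { $_.Trim() })
        if ($f.Count -lt 5) { Write-Warning "Skipping malformed row: $row"; continue }

        [pscustomobject]@{
            Url            = $f[0]
            Scope          = $f[1]
            Title          = $f[2]
            PermissionType = $f[3]
            # Policy roles are written as "Role1; Role2;" so split and drop empties
            Roles          = @($f[4] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            Elevated       = $elevatedTypes -contains $f[3]
        }
    }
}

# Constructed sample report (URLs, titles and the last row's permission type are
# made up); for a real run pass (Get-Content UserAccessReport.csv) instead.
$sample = @(
    "URL `t Site/List `t Title `t PermissionType `t Permissions"
    "http://central.contoso.local:2010 `t Farm `t Central Administration`t Farm Administrator `t Farm Administrator"
    "http://portal.contoso.local `t Web Application `t Portal`t Web Application Policy `t Full Read; Full Control;"
    "http://portal.contoso.local/sites/hr `t Site `t HR`t Site Collection Administrator `t Site Collection Administrator"
    "http://portal.contoso.local/sites/hr `t List `t Policies`t Direct Permission `t Read"
)

# Elevated entries first, with the role list flattened for display
ConvertFrom-AccessReport -Line $sample |
    Sort-Object -Property Elevated -Descending |
    Format-Table Elevated, PermissionType, Url, @{ n = 'Roles'; e = { $_.Roles -join ', ' } } -AutoSize
```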