Project Description
With this PowerShell script you can retrieve all permissions that a specific user has in a site collection, across all webs and subwebs, lists, and items.
For each resource you get the user's roles and groups along with the URL.
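<#
.SYNOPSIS
Lists the role assignments that give one or more users access to a SharePoint
securable object.

.DESCRIPTION
For every user and every securable object received, calls
GetUserEffectivePermissionInfo on the object and writes one PSObject per role
assignment to the pipeline. Each object has the properties Resource,
"Resource Type", User, Permission and "Granted By".

Nothing is written for a user whose permission info holds no role assignments.
NOTE(review): only entries in RoleAssignments are reported. Access that does not
come from a role assignment (for example site collection administrator status or
a web application policy) may not appear here - confirm before reading an empty
result as "no access".
NOTE(review): the account running the report presumably needs the right to
enumerate permissions on each object - verify for your farm.

.PARAMETER users
One or more users, given as login-name strings, SPUser objects, or custom objects
that expose a LoginName property.

.PARAMETER InputObject
The SPWeb, SPList or SPListItem to evaluate. When omitted, the current pipeline
object ($_) is used.
#>
function Get-SPUserEffectivePermissions(
    [object[]]$users,
    [Microsoft.SharePoint.SPSecurableObject]$InputObject) {

    begin { }
    process {
        # Fall back to the pipeline object when -InputObject was not bound.
        $so = $InputObject
        if ($null -eq $so) { $so = $_ }

        if ($so -isnot [Microsoft.SharePoint.SPSecurableObject]) {
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }

        foreach ($user in $users) {
            # Resolve the login name: objects carry it in LoginName, anything
            # else is treated as the login name itself.
            $loginName = $user
            if ($user -is [Microsoft.SharePoint.SPUser] -or $user -is [PSCustomObject]) {
                $loginName = $user.LoginName
            }
            # Reject an empty login name as well as a null one, as the message
            # promises, so a blank value never reaches the permission lookup.
            if ([string]::IsNullOrEmpty($loginName)) {
                throw "The provided user is null or empty. Specify a valid SPUser object or login name."
            }

            # Get the user's permission details for this object.
            $permInfo = $so.GetUserEffectivePermissionInfo($loginName)

            # Determine the URL of the securable object being evaluated.
            # It stays $null for any type other than the three handled below.
            $resource = $null
            if ($so -is [Microsoft.SharePoint.SPWeb]) {
                $resource = $so.Url
            } elseif ($so -is [Microsoft.SharePoint.SPList]) {
                $resource = $so.ParentWeb.Site.MakeFullUrl($so.RootFolder.ServerRelativeUrl)
            } elseif ($so -is [Microsoft.SharePoint.SPListItem]) {
                $resource = $so.ParentList.ParentWeb.Site.MakeFullUrl($so.Url)
            }

            # Emit one row per role assignment.
            $roleAssignments = $permInfo.RoleAssignments
            if ($roleAssignments.Count -gt 0) {
                foreach ($roleAssignment in $roleAssignments) {
                    $member = $roleAssignment.Member

                    # Collect the names of all permission levels bound to this assignment.
                    $permName = @(foreach ($definition in $roleAssignment.RoleDefinitionBindings) {
                        $definition.Name
                    })

                    # Record how the permission reaches the user: through a
                    # SharePoint group, through a domain group, or directly.
                    $assignment = "Direct Assignment"
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $assignment = $member.Name
                    } elseif ($member.IsDomainGroup -and ($member.LoginName -ne $loginName)) {
                        $assignment = $member.LoginName
                    }

                    # Build the report row.
                    $hash = @{
                        Resource = $resource
                        "Resource Type" = $so.GetType().Name
                        User = $loginName
                        Permission = $permName -join ", "
                        "Granted By" = $assignment
                    }

                    # Convert the hash to an object and write it to the pipeline.
                    New-Object PSObject -Property $hash
                }
            }
        }
    }
    end { }
}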
INFORMATION: You can use the commands below to call the function above.
Retrieve a permission report for a single user on a single site:
# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# Evaluate one web and show the resulting rows in an interactive grid.
Get-SPWeb -Identity YOURURL |
    Get-SPUserEffectivePermissions -users $user |
    Out-GridView -Title "Web Permissions for $user"
Save the report to a CSV file (which can be opened in Excel):
# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# The CSV records who can reach which resource; keep it somewhere with
# restricted access and delete it once the review is finished.
Get-SPWeb -Identity YOURURL |
    Get-SPUserEffectivePermissions -users $user |
    Export-Csv -NoTypeInformation -Path c:\perms.csv
retrieve a permission report for a single user in all webs on a specific site collection
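# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# $gc must exist before it is piped to Get-SPSite; the assignment collection
# tracks the SPSite so it can be disposed when the report is done.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite YOURSITECOLLECTIONURL
    # Evaluate every web in the site collection.
    $site | Get-SPWeb -Limit All |
        Get-SPUserEffectivePermissions $user |
        Out-GridView -Title "Web Permissions for $user"
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}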
retrieve a permission report for a single user on all lists in specific site collection
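# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# $gc must exist before it is piped to Get-SPSite; the assignment collection
# tracks the SPSite so it can be disposed when the report is done.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite YOURSITECOLLECTIONURL
    # Evaluate every list of every web in the site collection.
    $site | Get-SPWeb -Limit All |
        ForEach-Object { $_.Lists | Get-SPUserEffectivePermissions $user } |
        Out-GridView -Title "List Permissions for $user"
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}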
retrieve a permission report for a single user on all list items in specific site collection
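# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# $gc must exist before it is piped to Get-SPSite; the assignment collection
# tracks the SPSite so it can be disposed when the report is done.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite YOURSITECOLLECTIONURL
    # Evaluate every item of every list in the site collection. This walks the
    # full content of each list, so expect a long run on large site collections.
    $site | Get-SPWeb -Limit All |
        ForEach-Object {
            $_.Lists | ForEach-Object { $_.Items | Get-SPUserEffectivePermissions $user }
        } |
        Out-GridView -Title "List Item Permissions for $user"
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}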
retrieve a permission report for a single user on all webs/subwebs and lists/libraries in a site collection
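# Login name of the account to report on, in DOMAIN\user form.
$user = "YOUR DOMAIN\YOUR USER"
# $gc must exist before it is piped to Get-SPSite; the assignment collection
# tracks the SPSite so it can be disposed when the report is done.
$gc = Start-SPAssignment
try {
    $site = $gc | Get-SPSite YOURSITECOLLECTIONURL
    # Parameter dashes are plain ASCII hyphens so the lines survive copy and paste.
    $webPermissions = $site | Get-SPWeb -Limit All | Get-SPUserEffectivePermissions $user
    $listPermissions = $site | Get-SPWeb -Limit All |
        ForEach-Object { $_.Lists | Get-SPUserEffectivePermissions $user }
    # @() keeps the concatenation valid when either side is empty or a single row.
    # The title names only webs and lists because list items are not collected here.
    @($webPermissions) + @($listPermissions) |
        Out-GridView -Title "Web and List Permissions for $user in $($site.Url)"
}
finally {
    # Release the SharePoint objects even if the report fails part-way.
    $gc | Stop-SPAssignment
}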