This script produces a text file report of which items have been uniquely secured and which Active Directory users and groups have been granted access, based on the user domain specified.  The report details whether the user or group has been granted rights directly, or if the user has been granted rights by membership in a SharePoint group.  This script does not identify whether or not a user has been granted rights based on their membership in an Active Directory group which has been granted rights explicitly or through a SharePoint group.  This script is not a replacement for Check Effective Permissions and does not perform any clean-up.

 

More details regarding this script can be found in my recent blog post:
How to Determine Where a User Has Been Granted Access in SharePoint 2010

Download the script for a fully commented version.

 

 

PowerShell
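# Only change the runspace threading option on PowerShell 2.0 and later;
# the v1 host does not expose Runspace.ThreadOptions.
# The original had the closing brace and line break of this 'if' collapsed
# into the next statement, which made the whole script fail to parse.
$ver = $host | select version 
if($Ver.version.major -gt 1) { $Host.Runspace.ThreadOptions = "ReuseThread" } 
# Load the SharePoint snap-in once; -ea 0 silences the error the probe raises
# when the snap-in is not yet loaded.
if(!(Get-PSSnapin Microsoft.SharePoint.PowerShell -ea 0)) 
{ 
Add-PSSnapin Microsoft.SharePoint.PowerShell 
} 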
 
## 
#Set Script Variables 
## 
 
# Script settings: the web application to scan, the domain prefix (the part
# of a login before the backslash) to report on, and where the report is written.
# Single quotes: none of these values contain anything to expand.
$WebApplicationURL = 'http://Contoso.com' 
$UnwantedDomainPrefix = 'OldContoso' 
$LoggingDirectory = 'C:\PermissionReport\' 
 
## 
#Load Functions 
## 
 
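#######################################
# Create the report directory when it does not exist yet.
# Arguments: $LoggingDirectory - directory the report file is written to
# Outputs:   a Write-Host notice when the directory has to be created
# Returns:   nothing (the DirectoryInfo from New-Item is discarded)
# Fixes: the original emitted $LoggingDirectory into the pipeline as a stray
# statement and its Set-Variable line was missing a closing parenthesis
# (a parse error); the $Filename it tried to set is assigned by the caller.
#######################################
Function EnsureLoggingDirectory ($LoggingDirectory) 
{ 
    # -LiteralPath so wildcard characters in the path are not interpreted
    if(!(Test-Path -LiteralPath $LoggingDirectory)) 
    { 
    Write-Host "Path " $LoggingDirectory " does not exist. `r`nCreating Directory" 
    # Out-Null keeps the created DirectoryInfo from being printed by the caller
    New-Item -Path $LoggingDirectory -ItemType Directory | Out-Null 
    } 
} 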
 
#######################################
# Strip a single trailing backslash from the script-scope $LoggingDirectory
# so that "$LoggingDirectory\file" never produces a doubled separator.
# Arguments: $LoggingDirectory - the directory string to inspect
# Globals:   LoggingDirectory (written, script scope) when a backslash is removed
# Returns:   nothing
#######################################
Function TrimDirectory ($LoggingDirectory) 
{ 
    $lastIndex = $LoggingDirectory.Length - 1 
    if($LoggingDirectory.EndsWith("\") -eq $true) 
    { 
        $trimmed = $LoggingDirectory.Substring(0, $lastIndex) 
        Set-Variable -Name LoggingDirectory -Value $trimmed -Scope Script 
    } 
} 
 
## 
#Start Script Execution 
## 
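## 
#Helpers for the report loop 
## 

#######################################
# Decide whether a login belongs to the domain being reported on.
# Arguments: $Login - a "DOMAIN\user" style login name
#            $UnwantedDomainPrefix - the domain part being searched for
# Returns:   $true when the text before the first backslash equals
#            $UnwantedDomainPrefix or "NT Authority" (string -eq is
#            case-insensitive in PowerShell), $false otherwise or for an
#            empty login.
# NOTE(review): this matches classic "DOMAIN\user" logins only; a login
# encoded in claims form (with a prefix before a "|") would not split on
# "\" in the same way - confirm against the web application's auth mode.
#######################################
Function IsUnwantedLogin ($Login, $UnwantedDomainPrefix) 
{ 
    if(!$Login) { return $false } 
    $Domain = $Login.Split("\")[0] 
    return ($Domain -eq $UnwantedDomainPrefix -or $Domain -eq "NT Authority") 
} 

#######################################
# Append one report line per matching principal in a role assignment set.
# A role assignment whose member has a UserLogin is a direct user grant and
# is reported with its role definition names; otherwise the member is a
# SharePoint group and each matching group member is reported.
# Arguments: $RoleAssignments - the RoleAssignments of a web or list
#            $UnwantedDomainPrefix - domain part to report on
#            $Filename - report file to append to
# Returns:   nothing
#######################################
Function ReportRoleAssignments ($RoleAssignments, $UnwantedDomainPrefix, $Filename) 
{ 
    foreach($RoleAssignment in $RoleAssignments) 
    { 
        $Member = $RoleAssignment.Member 
        if($Member.UserLogin) 
        { 
            if(IsUnwantedLogin $Member.UserLogin $UnwantedDomainPrefix) 
            { 
                # Join the names explicitly: on PowerShell 2.0 reading .Name on a
                # collection of bindings yields nothing, so the original printed ''
                $RoleNames = ($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", " 
                "User '" + $Member + "' has been assigned '" + $RoleNames + "'" | Out-File $Filename -Append 
            } 
        } 
        else 
        { 
            # Member is a SharePoint group: report each matching direct member
            foreach($User in $Member.Users) 
            { 
                if(IsUnwantedLogin $User.UserLogin $UnwantedDomainPrefix) 
                { 
                    "User '" + $User.UserLogin + "' has been added to the '" + $Member.Name + "' group" | Out-File $Filename -Append 
                } 
            } 
        } 
    } 
} 

## 
#Start Script Execution 
## 
$StartTime = (Get-Date -UFormat "%Y-%m-%d_%I-%M-%S %p").tostring() 
TrimDirectory $LoggingDirectory 
EnsureLoggingDirectory $LoggingDirectory 
$Filename = "$LoggingDirectory\SecurityReport_" +$StartTime +".txt" 
# -Force overwrites any earlier report written in the same second
"Security Report: $StartTime `r`n" | Out-File $Filename -Force 
"Finding Users Beginning with "  + $UnwantedDomainPrefix + "\ and NTAuthority" | Out-File $Filename -Append 
 
$AllSites = Get-SPSite -WebApplication $WebApplicationURL -Limit All 
foreach($Site in $AllSites) 
{ 
    # SPSite and SPWeb hold unmanaged resources; the original never disposed
    # them, which on a web application with many sites exhausts memory.
    try 
    { 
        "`r`n`r`nSite: " +$Site.URL | Out-File $Filename -Append 
        foreach($Web in $Site.AllWebs) 
        { 
            try 
            { 
                if($Web.HasUniqueRoleAssignments) 
                { 
                    if($Web.IsRootWeb) 
                    { 
                        "`r`nweb '" + $Web.Url + "' is Root Web and has unique permissions" | Out-File $Filename -Append 
                    } 
                    else 
                    { 
                        "`r`nWeb '" + $Web.Url + "' is using unique permissions" | Out-File $Filename -Append 
                    } 
                    ReportRoleAssignments $Web.RoleAssignments $UnwantedDomainPrefix $Filename 
                } 
                # A list can break inheritance even when its web inherits, so the
                # list check is no longer nested under the web's unique-permission
                # branch (the original silently skipped such lists).
                foreach($List in $Web.Lists) 
                { 
                    if($List.HasUniqueRoleAssignments) 
                    { 
                        "`r`nList '" + $List.Title + "' is using unique permissions `r`nURL: " + $WebApplicationURL +$List.DefaultViewUrl | Out-File $Filename -Append 
                        ReportRoleAssignments $List.RoleAssignments $UnwantedDomainPrefix $Filename 
                    } 
                } 
            } 
            finally 
            { 
                $Web.Dispose() 
            } 
        } 
    } 
    finally 
    { 
        $Site.Dispose() 
    } 
}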