SharePoint 2013 Permission Report: Find Access Rights for Specific User in Farm

Requirement: To ensure security, generate a permissions report on all locations (sites, lists, etc.) where a specific user has permissions. When people move from one role to another, it is necessary to audit their permissions on the sites and lists where the user has access rights.

 
 
 
 
 
SharePoint
9/14/2015


  • Exceptions and no lines in report
    1 Posts | Last post February 17, 2017
    • I'm logged in with the installation account and running SharePoint 2013 Management Shell as administrator. I get a lot of exceptions
      >
      Exception calling "GetUserEffectivePermissionInfo" with "1" argument(s): "The s
      pecified user or domain group was not found."
      At C:\Users\SP_Install\Downloads\User Access Report.ps1:30 char:2
      +  $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo($UserID)
      +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : SPException
      
      Export-csv : Illegal characters in path.
      At C:\Users\SP_Install\Downloads\User Access Report.ps1:155 char:25
      +      $WebPermissions |  Export-csv $ReportPath  -notypeinformation -Append
      +                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OpenError: (:) [Export-Csv], ArgumentException
          + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.Ex
      <
      
      The report file is created but contains only the header line even if I know for sure that the specified user exists. If it matters, I've written the user name in the modern form "Joe.Smith@contoso.com".
  • AD Groups only returning top level?
    2 Posts | Last post October 07, 2016
    • Hey Salaudeen,
      
      We are trying to use the script to determine where a specific group has permissions.  When I plug in a user, it works perfectly; it scans all the sub-sites and returns all the permissions. When I plug in a group, it returns only the permissions to the top-level site when I know that the group has permissions to sites/libraries/lists below that.  Any ideas?
    • Use my script here, then filter out the group you are interested in: 
      
      https://gallery.technet.microsoft.com/SharePoint-Permissions-f42ea9db
  • getting access denied
    1 Posts | Last post September 23, 2016
    • Hi Salaudeen: Thanks for the script. I am running this to find what permissions a specific user has on SharePoint 2013. When I run it, I am getting access denied. I am logged on to the server with my domain admin credentials and have access to CAS as well. Can you please suggest?
      
  • Errors when running script
    6 Posts | Last post June 30, 2016
    • SharePoint 2010
      Powershell 2
      
      I am running the script with admin account which has access to everything.
      
      The first error I get is:
      
      Exception calling "GetUserEffectivePermissionInfo" with "1" argument(s): "The user does not exist or is not unique."
      At C:\scripts\User Access Report.ps1:30 char:62
      +  $UserPermissionInfo = $Object.GetUserEffectivePermissionInfo <<<< ($UserID)
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : DotNetMethodException
      
      If I manually replace the $UserID with the domain\login name then the next error in line is:
      Export-Csv : A parameter cannot be found that matches parameter name 'Append'.
      At C:\scripts\User Access Report.ps1:155 char:75
      +      $WebPermissions |  Export-csv $ReportPath  -notypeinformation -Append <<<<
          + CategoryInfo          : InvalidArgument: (:) [Export-Csv], ParameterBindingException
          + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ExportCsvCommand
      
      I've read that the -Append is a powershell 3 and up command.  Is powershell 3 needed to run this script?  I've also seen that SP2010 doesn't support powershell 3?
      
      Thanks!
      
    • I am having the same issue on Win2k8 R2 server with SharePoint 2010 :(
    • Try this code for SharePoint 2010 version: http://www.sharepointdiary.com/2013/01/permission-report-for-specific-user.html
    • That other powershell worked perfectly on my farm.
      Thanks Salaudeen! 
    • Issue with permission levels: am I supposed to give Full Control access?
    • Found an error in the script, line 120
      *********************
       #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
          if($WebApp.UseClaimsAuthentication)
          {
              $ClaimsUserID = (New-SPClaimsPrincipal -identity $UserID -identitytype 1).ToEncodedString()
          }
      *****************************
      If not Claims, then $ClaimsUserID is empty, but it is used later in the function.
      I added  $ClaimsUserID = $Userid before the condition and everything works fine now
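The two failures reported in this thread (an empty `$ClaimsUserID` on a non-claims web application, and `Export-Csv -Append` being unavailable in PowerShell 2) can be handled as in the following added example, which is not the gallery script's own code. The function names, web application URL, sample login and report path are assumptions.

```powershell
# Added example; Resolve-AuditLogin and Get-AuditPermission are hypothetical helper names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Resolve-AuditLogin($WebApp, [string]$UserID) {
    # Start from the login as typed so classic-mode web apps never get an empty value.
    $login = $UserID
    if ($WebApp.UseClaimsAuthentication) {
        # Domain\User -> i:0#.w|Domain\User (same call as the snippet posted above)
        $login = (New-SPClaimsPrincipal -Identity $UserID -IdentityType 1).ToEncodedString()
    }
    return $login
}

function Get-AuditPermission($Object, [string]$Login, [string]$Url, [string]$Type) {
    try {
        $info = $Object.GetUserEffectivePermissionInfo($Login)
    } catch {
        # Record lookup failures in the report so an empty CSV is never mistaken for "no access".
        return New-Object PSObject -Property @{
            URL = $Url; Type = $Type; Permissions = "ERROR: $($_.Exception.Message)" }
    }
    foreach ($ra in $info.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        New-Object PSObject -Property @{ URL = $Url; Type = $Type; Permissions = $levels }
    }
}

$UserID     = 'CONTOSO\joe.smith'              # constructed sample login
$WebAppURL  = 'http://sharepoint.example'      # placeholder URL
$ReportPath = 'C:\Temp\UserAccessReport.csv'   # placeholder path

$WebApp = Get-SPWebApplication $WebAppURL
$Login  = Resolve-AuditLogin $WebApp $UserID

# Collect every row first, then write the file once: no -Append needed, so this runs on PowerShell 2.
$rows = foreach ($Site in $WebApp.Sites) {
    foreach ($Web in $Site.AllWebs) {
        Get-AuditPermission $Web $Login $Web.Url 'Site'
        $Web.Dispose()
    }
    $Site.Dispose()
}
$rows | Select-Object URL, Type, Permissions | Export-Csv $ReportPath -NoTypeInformation
```

Rows whose Permissions column starts with `ERROR:` mark objects where the identity could not be resolved and should be reviewed before the audit is treated as complete.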
        
      
  • what if we want to do the same but for SharePoint Online
    1 Posts | Last post April 27, 2016
    • hello Salaudeen,
      Thank you for your code. You did a great job. I was wondering if you know how to do the same but with SharePoint Online. I will wait for your answer, thanks a lot,
      have a nice day.
      
  • All Users
    1 Posts | Last post April 06, 2016
    • I need to get the permissions for all FBA users.  Is there any way I can get this to run for all users? 
  • Will this work for an AD group?
    2 Posts | Last post September 14, 2015
    • We use AD groups, we create them in AD, populate them and then assign them to a permission level in SharePoint - is it possible to use this script to check the permissions (across the web app) for a given AD group?
    • Yes! This script works when you search for an AD Group Permissions. However it doesn't scan & expand inside AD groups for given user account!!
  • received error
    1 Posts | Last post May 10, 2015
    • The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.
      I got no results when I ran the ps1 script in powershell. Please advise. thanks.
  • Error
    2 Posts | Last post March 18, 2015
    • Thanks for this very useful script. 
      I get an error when trying to run with a domain admin or SP farm admin account:
      
      Scanning Farm Administrators...
      Scanning Web Application Policies...
      Scanning Site Collection: https://myurl.com
      The following exception occurred while trying to enumerate the collection: "Acces is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))".
      
      It does not have a problem writing to the file.
      Any help would be appreciated, thanks!
    • @sidtyson: try running the script with the Installation account. It seems to me the account you used may not have proper access to that site collection.
  • Permission Levels
    1 Posts | Last post March 11, 2015
    • Which permission to mention.