Identifying All Artefacts that Use Active Directory Groups in SharePoint using PowerShell

Background Information:

We wish to identify every web and list in a given SharePoint Web Application where Active Directory (AD) groups are used to grant permissions. The PowerShell script below loops through all site collections in the Web Application and then through all webs in each site collection. For each web it examines the role assignments and determines whether permissions are granted to an AD group (the member's IsDomainGroup property; SharePoint groups do not have it and are skipped). If so, it records the URL of the web and the name of the AD group in a string variable. It then looks at every list in the web. If a list has broken permission inheritance (it does not inherit from its web), the script examines the list's own role assignments and, for every AD group found, records the URL of the web, the title of the list and the name of the AD group.

Once all site collections, webs and lists have been analysed, the script writes the result to a tab-separated text file. The script prompts the user for the URL of the Web Application to scan.

Script:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Report accumulator: one tab-separated line (web URL, list title, AD group) per grant found.
$script:report = ""

function Dig($url)
{
    $web = $null
    try
    {
        $web = Get-SPWeb $url
        Write-Host $url -BackgroundColor "green"

        # Lists that break inheritance: check their own role assignments.
        foreach ($list in $web.Lists)
        {
            if ($list.HasUniqueRoleAssignments)
            {
                foreach ($assign in $list.RoleAssignments)
                {
                    # IsDomainGroup is $true only for an SPUser that represents an AD group;
                    # SharePoint groups (SPGroup) have no such property and evaluate to $false.
                    if ($assign.Member.IsDomainGroup)
                    {
                        $script:report += $web.Url + "`t" + $list.Title + "`t" + $assign.Member.DisplayName + "`r`n"
                    }
                }
            }
        }

        # The web itself. Because Dig analyses the web it is given before recursing,
        # the root web of each site collection is covered as well.
        foreach ($assign in $web.RoleAssignments)
        {
            if ($assign.Member.IsDomainGroup)
            {
                $script:report += $web.Url + "`t`t" + $assign.Member.DisplayName + "`r`n"
            }
        }

        # Recurse into the direct sub-webs; each web is analysed exactly once, by its own Dig call.
        foreach ($subWeb in $web.Webs)
        {
            Dig $subWeb.Url
            $subWeb.Dispose()
        }
    }
    catch { Write-Host $url -BackgroundColor "Yellow" }
    finally { if ($web) { $web.Dispose() } }
}

$url = Read-Host "Web Application URL"
$webApp = Get-SPWebApplication $url

foreach ($site in $webApp.Sites)
{
    Dig $site.RootWeb.Url
    $site.Dispose()
}

$script:report | Out-File "C:\temp\ADGroupsReport.txt"
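The same walk, extended with the information a reviewer needs to judge each row. This is an added example, not the post's script: the function names Get-ADGroupGrants and ConvertTo-GrantRows, the switch IncludeLimitedAccess and the output path C:\temp\ADGroupsReport.tsv are my own choices. It records the permission levels bound to every assignment (the RoleDefinitionBindings of the SPRoleAssignment) and drops rows whose only level is "Limited Access", the SPRoleType.Guest definition that SharePoint adds automatically on a parent web or list when the principal has rights on a child and that the permissions page does not show. It also skips webs that merely inherit their parent's assignments, enumerates the root web through SPSite.AllWebs instead of recursing, and keeps the LoginName so that built-in principals such as NT AUTHORITY\authenticated users, which the object model also reports as domain groups, can be told apart from real AD groups.

```powershell
# Added example (not the original post's script). Assumes a SharePoint 2010/2013 farm
# and the SharePoint management shell; names marked below are my own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function ConvertTo-GrantRows
{
    # Turns the role assignments of one securable object (a web or a list) into report rows.
    param($WebUrl, $ListTitle, $RoleAssignments, [switch]$IncludeLimitedAccess)

    foreach ($assign in $RoleAssignments)
    {
        $member = $assign.Member
        if (-not $member.IsDomainGroup) { continue }   # SPGroup has no IsDomainGroup: skipped

        # Names of the permission levels bound to this principal, e.g. Read, Contribute.
        $levels = @($assign.RoleDefinitionBindings | ForEach-Object { $_.Name })

        # "Limited Access" is the SPRoleType.Guest definition; SharePoint grants it on the
        # parent automatically when the principal has rights further down, and hides it in
        # the UI. Rows with nothing else bound are noise unless explicitly requested.
        $realLevels = @($assign.RoleDefinitionBindings | Where-Object { $_.Type -ne 'Guest' })
        if ($realLevels.Count -eq 0 -and -not $IncludeLimitedAccess) { continue }

        New-Object PSObject -Property @{
            WebUrl            = $WebUrl
            List              = $ListTitle
            Principal         = $member.DisplayName
            LoginName         = $member.LoginName     # e.g. DOMAIN\group vs NT AUTHORITY\authenticated users
            PermissionLevels  = ($levels -join ';')
            LimitedAccessOnly = ($realLevels.Count -eq 0)
        }
    }
}

function Get-ADGroupGrants
{
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
        [switch]$IncludeLimitedAccess
    )

    $webApp = Get-SPWebApplication $WebApplicationUrl
    foreach ($site in $webApp.Sites)
    {
        try
        {
            # AllWebs enumerates the root web and every sub-web, so no recursion is needed.
            foreach ($web in $site.AllWebs)
            {
                try
                {
                    # A web that inherits would only repeat its parent's rows; the root web
                    # has nothing to inherit from and is always reported.
                    if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments)
                    {
                        ConvertTo-GrantRows $web.Url "" $web.RoleAssignments -IncludeLimitedAccess:$IncludeLimitedAccess
                    }
                    foreach ($list in $web.Lists)
                    {
                        if ($list.HasUniqueRoleAssignments)
                        {
                            ConvertTo-GrantRows $web.Url $list.Title $list.RoleAssignments -IncludeLimitedAccess:$IncludeLimitedAccess
                        }
                    }
                }
                catch { Write-Warning ("Skipping " + $web.Url + ": " + $_.Exception.Message) }
                finally { $web.Dispose() }
            }
        }
        finally { $site.Dispose() }
    }
}

# Usage: one row per grant, tab-separated with a header row, Limited Access-only rows dropped.
# Add -IncludeLimitedAccess to see every assignment the object model returns.
$url = Read-Host "Web Application URL"
Get-ADGroupGrants -WebApplicationUrl $url |
    Select-Object WebUrl, List, Principal, LoginName, PermissionLevels, LimitedAccessOnly |
    Export-Csv -Path "C:\temp\ADGroupsReport.tsv" -Delimiter "`t" -NoTypeInformation -Encoding UTF8
```

Running it once with and once without -IncludeLimitedAccess on the same Web Application is a quick way to see how many of the rows the plain IsDomainGroup check produces are Limited Access entries rather than grants an administrator actually made.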

Comment:

The script ran beautifully and output a list of all the lists/libraries/sites with unique Active Directory permissions; however, it is including a lot of extra results that don't match up with what I see when I check the permissions directly.
Is there a reason for this? Are there some kind of hidden permissions or perhaps 'limited permissions' that the script is picking up? How hard would it be to add a column in the text file to track the type of permission given?
