This is a real life scenario that happened to me this week at work. We are in the business of hosting several big departments within my organization. For each of these department, we create a unique site collection and give them full access to it. They are responsible for managing permissions to this site collection, and to create lists and libraries. However, as administrators, we want to make sure we prevent them from creating subsites within their site collection. I knew off-hand that this was going to be doable and that it also was going to be a simple operation, given the fact that this is how Office 365 Public sites had been working for the past year and a half now, and that it must mean that this setting was built into the product somehow.
Since as far as I can remember, SharePoint has always had a feature called Self Site Creation, which once enabled, allows users to create site collection themselves, without requiring them to go through or to have access to the Central Administration. However this is not what I was after here. My scenario is that users are given a site collection with a Root Web, and that I don’t want them to create a subsite (SPWeb) under that Root Web. So I had to go dig somewhere else. My first guts feeling was to go and browse the list of Web Applications in Central Administration. This is exactly where I managed to find the setting I was looking for, under Manage Web Applications > Select Web App > User Permission. As shown in the following screenshot, there is a setting called “Create Subsite” which determines if a user should be given the option to go and create subsites for webs to which they have access to.
So easy enough, all I had to do was to uncheck this setting and off I go….but what if I wanted to do it using PowerShell? Well, this requires some digging around. Basically, what you new to do in this case is to modify the RightsMask property on the SPWebApplication instance. In my case, my WebApplication is located on port 80, so the following lines of PowerShell code will do just the trick:
$webApp = Get-SPWebApplication http://localhost
$newPermissions=[Microsoft.SharePoint.SPBasePermissions]($webApp.RightsMask -band [System.Int64](-bnot ([Microsoft.SharePoint.SPBasePermissions]::EmptyMask -bor [Microsoft.SharePoint.SPBasePermissions]::ManageSubWebs)))
$webApp.RightsMask = $newPermissions
Executing these lines will automatically remove the “Create Subsite” permission from your web application, thus prevent any users from ever creating subsite.
Available options with Subsite creation enabled:
Available options without Subsite Creation enabled: