Monday, 12 July 2010

Adding SharePoint groups with permission levels to sites using PowerShell

For this PowerShell script I have created a function called AddGroupToSite, allowing you to assign a SharePoint group (must already be created in the site collection) to a site along with a permission level by specifying one line of script. This first section sets up the SPWeb object and the function:

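$web = Get-SPWeb "http://portal"

function AddGroupToSite ($web, $groupName, $permLevel) {
    #Look up the existing site collection group and the permission level
    $account = $web.SiteGroups[$groupName]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $role = $web.RoleDefinitions[$permLevel]
    #Bind the permission level to the group and apply the assignment to the site
    $assignment.RoleDefinitionBindings.Add($role)
    $web.RoleAssignments.Add($assignment)
}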

Functions are very useful in PowerShell because they let you shorten a script by calling the same routine multiple times, passing in parameters of your choosing to vary its behaviour – in the example above, I am passing in the SPWeb object, group name and permission level. You can find more information on using functions by typing get-help about_Functions in PowerShell itself, and there are plenty of tutorials on the subject around the Web or in books. Once we have our function set up, we can call it and pass the relevant parameters as follows:

AddGroupToSite -web $web -groupName "Site Admins" -permLevel "Full Control"
AddGroupToSite -web $web -groupName "Site Readers" -permLevel "Read"

These lines add two SharePoint groups – Site Admins and Site Readers – to the site http://portal and assign them Full Control and Read permissions respectively. You could also feed values from a CSV or XML file into your function to automate this for a number of sites as a bulk operation. If you need to break permission inheritance on the site before adding the groups, add one of the following lines just after the $web = Get-SPWeb http://portal line at the top of the script:

#Break permissions inheritance and copy the groups from parent site into this site
$web.BreakRoleInheritance($true)

#Break permissions inheritance and assign the current user as the only member of this site
$web.BreakRoleInheritance($false)
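
The CSV-driven bulk operation mentioned above could look like the following; this is an added example, not part of the original script. The CSV column names, the http://portal/hr site and the $dryRun switch are assumptions made for illustration.

```powershell
# Added example (not the original author's script). The CSV column names and
# the site URL below the root are constructed for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed sample input; for a real run use: $rows = Import-Csv <path to file>
$rows = @"
SiteUrl,GroupName,PermLevel
http://portal,Site Admins,Full Control
http://portal/hr,Site Readers,Read
"@ | ConvertFrom-Csv

$dryRun = $true   # report only; set to $false to apply the assignments

foreach ($row in $rows) {
    $web = Get-SPWeb $row.SiteUrl -ErrorAction SilentlyContinue
    if (-not $web) { Write-Warning "Site not found: $($row.SiteUrl)"; continue }
    try {
        # Where-Object returns nothing for an unknown name instead of throwing
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $row.GroupName }
        $role  = $web.RoleDefinitions | Where-Object { $_.Name -eq $row.PermLevel }
        if (-not $group -or -not $role) {
            Write-Warning "$($row.SiteUrl): unknown group or permission level, row skipped"
            continue
        }
        # A site that inherits permissions rejects direct role assignments;
        # report it rather than breaking inheritance as a side effect
        if (-not $web.HasUniqueRoleAssignments) {
            Write-Warning "$($row.SiteUrl): inherits permissions, row skipped"
            continue
        }
        # Skip rows that are already in place so the script can be re-run safely
        $held = $web.RoleAssignments | Where-Object { $_.Member.ID -eq $group.ID } |
            ForEach-Object { $_.RoleDefinitionBindings } | Where-Object { $_.Id -eq $role.Id }
        if ($held) { Write-Output "$($row.SiteUrl): '$($group.Name)' already has '$($role.Name)'"; continue }

        if ($dryRun) { Write-Output "$($row.SiteUrl): would grant '$($role.Name)' to '$($group.Name)'"; continue }

        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($role)
        $web.RoleAssignments.Add($assignment)
        Write-Output "$($row.SiteUrl): granted '$($role.Name)' to '$($group.Name)'"
    }
    finally {
        $web.Dispose()   # release the SPWeb object once the row is processed
    }
}
```

Running it once with $dryRun left at $true gives a list of intended grants to review before any permissions change.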

UPDATE - 17th February 2011: I have written an article expanding on the subject of this post describing how to use PowerShell to assign SharePoint and AD group/user permissions for all sites in a site collection. Please click here for details.


  1. Is there a way to assign the permission of the group throughout the site collection? I would like to give a specific group read access throughout the site collection for all content. Note: some sites have unique permission settings. Thanks for your feedback on this.

  2. This can be done and I hope to get something together for a new blog post soon.

  3. Wonderful, I look forward to seeing it. I have limited programming skills, but do plan to study up on PowerShell. As a SharePoint admin I can see this would be a very useful skill to have.

  4. Is there a way to change the default member group to another SharePoint group using PowerShell?

  5. Hi, you could try this:

    $web = Get-SPWeb http://portal

    #Find ID for the group you wish to assign as member
    $web.Groups["GROUP NAME"].ID

    #Set it to be the new member group for the site
    $web.Properties["vti_associatemembergroup"] = "INSERT ID HERE"
    #Save the property bag change back to the site
    $web.Properties.Update()

  6. Hi Phil,
    Discovered this blog today, very useful stuff!
    I'm trying to add an AD group to an SP group (without iterating over the users inside, just the whole group in one go).
    Do you think this is possible? Any pointers?

  7. This is one of the best articles I have read online so far. No crap, just useful information. Very well presented. It's really helpful for beginners as well as developers. This link is also helpful, check it out.

    It also helped me a lot in completing my task.


  8. If you're going to use BreakRoleInheritance, check out this article

  9. Is it possible at all to modify this so that you can remove a specified permission level from a group? I stuck it in a script with a foreach to add a group with permissions to a bunch of subsites. What I really need is something that can look for groups with "contribute" permission then remove that and add "Read" permissions. Possible?

  10. Hi... thanks for sharing the code with us... but it did not work for me... I got the error "new object : constructor not found"... Please help me on this...

  11. This just saved me a couple of hours ;) Much thanks!

  12. Any way to modify this to add a user and copy the $role from another user? I have the below, but not working.. getting an error on line: $role = $web.RoleDefinitions.[$newRoleDef]

    foreach($Web in $Site.AllWebs)

    if($Web.HasUniqueRoleAssignments -eq $True)
    foreach($WebRoleAssignment in $Web.RoleAssignments )
    if($WebRoleAssignment.Member.LoginName -eq $SearchUser)

    foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)

    $newRoleDef = $RoleDefinition.Name
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $role = $web.RoleDefinitions.[$newRoleDef]

  13. Can you please help on this, Phil?
    I need to add one user with Read permission to all the site collections in the web application.

    I saw your article. Using it, I am adding the user to only one site collection, but I need to add the user to all site collections in the web application.

    Please help on this Phil.

    Thanks ,