Tuesday, 22 February 2011

Remove SharePoint or AD group/user assignments from all sites in a site collection using PowerShell

In my last post, I ran through how to use PowerShell for adding SharePoint groups or Active Directory users/groups with a specific permission level to all sites in a site collection. Here, I am going to use the same process for removing assignments on users and groups from all sites.

The script steps through each site and removes the account specified. I have also included an option to skip the root site, should you wish to remove the account from sub-sites only. Note: Using this script will not delete users and groups from the site collection permanently – even if all their permissions are removed from every site. They will still exist in the site collection for future permission assignment, if required.

As before, you will need to run the function first in a PowerShell console with the SharePoint cmdlets loaded (e.g., the SharePoint 2010 Management Shell) before anything can be modified. I have annotated portions of the script so that you can hopefully follow what it is doing:

function RemoveAccountFromAllSites ($siteURL, $accountName, [switch]$skipRootSite)
    #Get Site Collection
    $site = Get-SPSite $siteURL
    #Check if the accountName variable contains a slash - if so, it is an AD account
    #If not, it is a SharePoint Group
    $rootWeb = $site.RootWeb
    if ($accountName.Contains("\")) { $account = $rootWeb.EnsureUser($accountName) }
    else { $account = $rootWeb.SiteGroups[$accountName] }
    #Step through each site in the site collection
    $site | Get-SPWeb -limit all | ForEach-Object {
        #Check if the user has chosen to skip the root site - if so, do not change permissions on it
        if (($skipRootSite) -and ($site.Url -eq $_.Url)) { write-host "Root site" $_.Url "will be bypassed" }
        else {
            #Check if the current site is inheriting permissions from its parent
            #If not, remove permissions on current site
            if ($_.HasUniqueRoleAssignments) {
                write-host "Removing account" $accountName "from site" $_.Url
            else {
                write-host "Site" $_.Url "will not be modified as it inherits permissions from a parent site."
    #Display completion message and dispose of site object
    write-host "Operation Complete."

Then, use the function to remove users and group assignments in the site collection, as shown in the following examples:

  • Remove the Active Directory user “PACDOMAIN\Phil” from all sites except the root site
RemoveAccountFromAllSites –siteURL “http://portal” -accountName "PACDOMAIN\Phil" -skipRootSite
  • Remove the Active Directory user “PACDOMAIN\Phil” from all sites including the root site
RemoveAccountFromAllSites –siteURL “http://portal” -accountName "PACDOMAIN\Phil"
  • Remove the Active Directory group “PACDOMAIN\Portal Users” from all sites including the root site
RemoveAccountFromAllSites –siteURL “http://portal” -accountName "PACDOMAIN\Portal Users"
  • Remove the SharePoint group “Test Group” from all sites except the root site

RemoveAccountFromAllSites –siteURL “http://portal” -accountName "Test Group" –skipRootSite

Below is an example output you receive in the console when running the script:

Root site http://portal will be bypassed
Site http://portal/perminherited will not be modified as it inherits permissions from a parent site.
Site http://portal/perminherited/InheritedSite will not be modified as it inherits permissions from a parent site.
Removing account Test New Group from site http://portal/perminherited/UniqueSite
Removing account Test New Group from site http://portal/permuniquesite
Site http://portal/search will not be modified as it inherits permissions from a parent site.
Operation Complete.


  1. Would this also delete permissions of the user from libraries, lists and listitems in the site, assuming that the permission inheritance is broken in the library, list or listitem?

  2. No, but the functionality could be added in

    1. Did you ever add the functionality to delete a user from all lists and libraries?

    2. How can I add this functionalty?

  3. Thanks Phil!! I was actually looking for this. You saved me a lot of time.

  4. I like what you guys are up too.Such intelligent work and reporting!Keep up the excellent works guys I have incorporated.
    SharePoint Online Training

  5. Hey Thanks for your script, it helped me to get part of my requirement. But I also looking for a functionality where I am able to delete a group only for particular sub-site.
    If there are 3 sub-sites and I am deleting a group(which is present in all 3 sub-site) from one sub-site,I should be able to delete it using powershell.

  6. Basically uploading the offer, You are investing buy this kind of article from owner if you're the obtaining victory in prospective buyer. You read and sign the worldwide supply support fine print breaks in the right windows nicely bill. Importance fees once estimated become short sale change even ought to growth you top say amount of money..

    Times distributing your own offer, You are Camisetas De Futbol Baratas investing buy which solution from the owner if you are the profiting prospective resultados de futbol buyer. You read and agree equipement foot with the worldwide supply system fine print frees in a unique window case or a bill. Signific allegations already offered tend to be be maillot foot 2018 more responsive to change if you amazon müller trikot decide to accelerate you optimal put money on cash..

    In my amount of money usually comes maillot de foot pas cher with pertinent traditions tasks, dfb trikot müller Income income tax, Brokerage Maglie Poco Prezzo house and various Maglie Da Calcio a Poco Prezzo service expenses. Doing this important quantity is short sale change before you make payment amount. The local surf forecast in an european union male call express in any case uk, leeds, Transfer cask on our choose manuel neuer trikot rot certainly not recoverable.

  7. So what's a check getting the money for framework? Fundamentally, it is a sort of exchange in which clients can approach the administrations offered by the bank as a check issued and approved by the bank itself. Check Cashing chicago