Tuesday, 22 February 2011

Remove SharePoint or AD group/user assignments from all sites in a site collection using PowerShell

In my last post, I ran through how to use PowerShell to add SharePoint groups or Active Directory users/groups with a specific permission level to all sites in a site collection. Here, I use the same process to remove the role assignments of a user or group from all sites.

The script steps through each site (SPWeb) in the site collection and, on every site that has unique permissions, removes the role assignment for the account specified. Sites that inherit permissions are left alone, because their assignments come from the parent site and are removed when the parent is processed. I have also included an option to skip the root site, should you wish to remove the account from sub-sites only. Note: Using this script will not delete users and groups from the site collection permanently, even if all their permissions are removed from every site. They will still exist in the site collection (and appear in People and Groups) for future permission assignment, if required.

As before, you will need to run the function definition first in a PowerShell console with the SharePoint cmdlets loaded (e.g., the SharePoint 2010 Management Shell) before anything can be modified. I have annotated portions of the script so that you can hopefully follow what it is doing:

function RemoveAccountFromAllSites ($siteURL, $accountName, [switch]$skipRootSite)
{
    #Get Site Collection
    $site = Get-SPSite $siteURL
   
    #Check if the accountName variable contains a backslash - if so, it is an AD user or group login
    #If not, it is a SharePoint group name
    $rootWeb = $site.RootWeb
    if ($accountName.Contains("\")) { $account = $rootWeb.EnsureUser($accountName) }
    else { $account = $rootWeb.SiteGroups[$accountName] }
    $rootWeb.Dispose()

    #Stop if the account could not be resolved - RoleAssignments.Remove would otherwise throw on a null principal
    if ($account -eq $null) {
        write-host "Account" $accountName "was not found in site collection" $siteURL "- nothing to remove."
        $site.Dispose()
        return
    }
   
    #Step through each site in the site collection
    $site | Get-SPWeb -limit all | ForEach-Object {
       
        #Check if the user has chosen to skip the root site - if so, do not change permissions on it
        if (($skipRootSite) -and ($site.Url -eq $_.Url)) { write-host "Root site" $_.Url "will be bypassed" }
        else {
            #Check if the current site is inheriting permissions from its parent
            #If not, remove the account's role assignment on the current site
            if ($_.HasUniqueRoleAssignments) {
                write-host "Removing account" $accountName "from site" $_.Url
                $_.RoleAssignments.Remove($account)
            }
            else {
                write-host "Site" $_.Url "will not be modified as it inherits permissions from a parent site."
            }
        }
    }
    #Display completion message and dispose of site object
    write-host "Operation Complete."
    $site.Dispose()
}

Then, call the function to remove user and group assignments in the site collection, as shown in the following examples:

  • Remove the Active Directory user "PACDOMAIN\Phil" from all sites except the root site
RemoveAccountFromAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" -skipRootSite
  • Remove the Active Directory user "PACDOMAIN\Phil" from all sites including the root site
RemoveAccountFromAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil"
  • Remove the Active Directory group "PACDOMAIN\Portal Users" from all sites including the root site
RemoveAccountFromAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Portal Users"
  • Remove the SharePoint group "Test Group" from all sites except the root site
RemoveAccountFromAllSites -siteURL "http://portal" -accountName "Test Group" -skipRootSite

Below is example output from the console when running the script:

Root site http://portal will be bypassed
Site http://portal/perminherited will not be modified as it inherits permissions from a parent site.
Site http://portal/perminherited/InheritedSite will not be modified as it inherits permissions from a parent site.
Removing account Test New Group from site http://portal/perminherited/UniqueSite
Removing account Test New Group from site http://portal/permuniquesite
Site http://portal/search will not be modified as it inherits permissions from a parent site.
Operation Complete.
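The script above only touches the sites themselves. Libraries, lists and items with broken inheritance keep their own role assignments, so an account can still reach content after every site-level assignment is gone. The function below is an added example, not part of the original post, that goes one level further and removes the account's direct assignments from every list or library with unique permissions. It also supports -WhatIf, which is the check I would always run first on a change that edits permissions across a whole site collection: it reports each assignment that would be removed, together with its permission levels, and changes nothing. The function name, the "http://portal" URL and the "PACDOMAIN\Phil" account are assumptions; the object model calls (Get-SPSite, Get-SPWeb -Limit All, SPList.HasUniqueRoleAssignments, SPRoleAssignmentCollection.Remove) are the same SharePoint 2010 APIs the post's script uses.

```powershell
#Added example (not from the original post): remove an account's direct role assignments
#from every list and library with broken inheritance in a site collection.
#Supports -WhatIf so the removal can be previewed before anything is changed.
function Remove-AccountFromListsInAllSites
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)] [string] $siteURL,
        [Parameter(Mandatory = $true)] [string] $accountName,
        [switch] $skipRootSite
    )

    $site = Get-SPSite $siteURL
    $rootWeb = $site.RootWeb

    #Same resolution rule as the site-level script: a backslash means an AD login,
    #anything else is taken to be a SharePoint group name
    if ($accountName.Contains("\")) { $account = $rootWeb.EnsureUser($accountName) }
    else { $account = $rootWeb.SiteGroups[$accountName] }

    if ($account -eq $null) {
        $site.Dispose()
        throw "Account '$accountName' was not found in site collection $siteURL"
    }

    #Counters so the caller can see how many direct list assignments exist and how many were removed
    $found = 0
    $removed = 0

    $site | Get-SPWeb -Limit All | ForEach-Object {
        $web = $_
        if ($skipRootSite -and ($web.Url -eq $site.Url)) {
            Write-Host "Root site" $web.Url "will be bypassed"
            return    #inside ForEach-Object, return moves on to the next web
        }

        foreach ($list in $web.Lists) {
            #Lists that inherit permissions carry no assignments of their own; they follow the web
            if (-not $list.HasUniqueRoleAssignments) { continue }

            #Match on the principal ID rather than the display name: SPRoleAssignment.Member is the
            #SPPrincipal, and the same login can be shown under different names
            $assignment = $list.RoleAssignments | Where-Object { $_.Member.ID -eq $account.ID }
            if ($assignment -eq $null) { continue }

            $found++
            $target = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
            $levels = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "

            #ShouldProcess returns $false under -WhatIf and prints what would have been done
            if ($PSCmdlet.ShouldProcess($target, "Remove '$accountName' ($levels)")) {
                $list.RoleAssignments.Remove($account)
                $removed++
            }
        }
    }
    $site.Dispose()

    Write-Host "Direct list assignments found:" $found "removed:" $removed
    return @{ Found = $found; Removed = $removed }
}

#Preview first (assumed URL and account): nothing is changed, every candidate removal is listed
Remove-AccountFromListsInAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" -WhatIf
#Then run it for real
Remove-AccountFromListsInAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil"
```

Run the site-level script first and this one second, so that a list-level removal is not masked by an assignment still present on the parent site. Individual list items and folders with unique permissions are deliberately not covered here: enumerating every item in every list is expensive on a large site collection, and if you need it, do it per list with an SPQuery scoped to that list rather than a blanket pass.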

5 comments:

  1. Would this also delete permissions of the user from libraries, lists and list items in the site, assuming that the permission inheritance is broken in the library, list or list item?

  2. No, but the functionality could be added in

    Replies
    1. Did you ever add the functionality to delete a user from all lists and libraries?

    2. How can I add this functionality?

  3. Thanks Phil!! I was actually looking for this. You saved me a lot of time.