Downscale permissions of Owners groups across a site collection (PowerShell script)


A common mistake is to follow the out-of-the-box (OOTB) permission set-up of each site and add everyone to the Owners group, which gives them Full Control. Often you later want to downscale the Owners groups littered throughout your site collection from Full Control to Contribute or even Read (at least until the Owners have had their SharePoint training). The PowerShell script below does exactly this: it walks every site (SPWeb) in the site collection recursively, finds the groups whose name contains "Owner", and replaces the "Full Control" role definition bound to each of those groups with "Read" (in this example of the method call).

Before running it, be clear about what it does and does not touch. It only changes webs that have unique role assignments (HasUniqueRoleAssignments); webs that inherit permissions are covered when their parent is changed. It only walks SPWeb objects, so lists, folders and items that break inheritance keep whatever role assignments they have, and an Owners group holding Full Control on a document library is not downscaled. It only changes SPGroup principals; users or domain groups granted Full Control directly on a web are left as they are. Site collection administrators keep full rights regardless of group role assignments, so this is not a way to lock them out. The script uses the SharePoint 2007 object model from the 12 hive, so it has to run on a server in the farm under an account with rights to the site collection; try it on a test site collection first, because the changes are applied immediately and there is no undo.

$webappUrl = "http://sitecollectionurl"

Clear-Host
# Standard location of the SharePoint 2007 "12 hive"; adjust if your installation differs
$12HivesDir = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\"
[System.Reflection.Assembly]::LoadFrom("$12HivesDir\ISAPI\Microsoft.SharePoint.dll") | Out-Null

# Open the site collection and return its root web (the caller disposes the SPWeb)
function get-spweb ([String]$webUrl=$(throw 'Parameter -webUrl is missing!'))
{
    $site = New-Object -TypeName "Microsoft.SharePoint.SPSite" -ArgumentList "$webUrl"
    return $site.OpenWeb()
}

# On $web and every sub web below it, replace the $existingRole binding with $newRole
# for every SPGroup whose name contains $groupNameWildcard
function change-permission([Microsoft.SharePoint.SPWeb]$web, [string]$existingRole, [string]$newRole, [string]$groupNameWildcard)
{
    Write-Host $web.Title
    Write-Host $web.Url

    # Webs that inherit permissions are covered by their parent's role assignments
    if ($web.HasUniqueRoleAssignments)
    {
        # Iterate through all SPRoleAssignments on the web
        foreach ($roleAssignment in $web.RoleAssignments)
        {
            # Pull out the principal
            $principal = $roleAssignment.Member

            # Only groups are touched; users granted the role directly are left alone
            if ($principal.GetType() -eq [Microsoft.SharePoint.SPGroup])
            {
                $roleGroup = [Microsoft.SharePoint.SPGroup]$principal
                # if owner group
                if ($roleGroup.Name.Contains($groupNameWildcard))
                {
                    # Copy the bindings into an array first: removing from a collection
                    # while enumerating it is not safe
                    foreach ($roleDef in @($roleAssignment.RoleDefinitionBindings))
                    {
                        if ($roleDef.Name -eq $existingRole)
                        {
                            Write-Host "Replacing" $existingRole "with" $newRole "for" $principal.Name
                            $roleAssignment.RoleDefinitionBindings.Remove($roleDef)
                            $roleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$newRole])
                            $roleAssignment.Update()
                        }
                    }
                }
            }
        }
        $web.Update()
    }

    if ($web.Webs.Count -ne 0)
    {
        Write-Host "Sub webs of " $web.Title
        foreach ($subweb in $web.Webs)
        {
            # Recurse into each sub web and release it afterwards
            change-permission $subweb $existingRole $newRole $groupNameWildcard
            $subweb.Dispose()
        }
    }
}

# True if a role definition with the given name exists on the web
function sproledefinition-exists ([Microsoft.SharePoint.SPWeb]$web, [string]$roleName)
{
    $exists = $false
    foreach ($roleDef in $web.RoleDefinitions)
    {
        if ($roleDef.Name -eq $roleName)
        {
            $exists = $true
        }
    }
    return $exists
}

$existingRole = "Full Control"
$newRole = "Read"
$groupNameWildcard = "Owners"

$devWeb = get-spweb $webappUrl
if ((sproledefinition-exists $devWeb $existingRole) -eq $false)
{
    Write-Host "ERROR: Existing Role does not exist!"
    $devWeb.Dispose()
    return
}
if ((sproledefinition-exists $devWeb $newRole) -eq $false)
{
    Write-Host "ERROR: New Role does not exist!"
    $devWeb.Dispose()
    return
}

change-permission $devWeb $existingRole $newRole $groupNameWildcard
$devWeb.Dispose()
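Before running the script above you will usually want a list of exactly which role assignments it is going to change, and which it is going to leave alone. The audit script below is an added example and not part of the original page; it assumes the same 12-hive DLL, a placeholder site collection URL, and that it runs on a SharePoint 2007 front-end under an account that can open the site collection. It reports, without modifying anything, every group whose name contains "Owner" together with the role definitions bound to it, on each web and, unlike the script above, on each list with unique permissions, so the libraries the downscale script would miss show up in the output.

```powershell
# Added audit example, not code from the original page. Reports every group whose name
# contains "Owner" and the role definitions bound to it, on each web and on each list
# with unique permissions, without changing anything.
# Assumptions: SharePoint 2007 (12 hive) on this server; $siteUrl is a placeholder.
$siteUrl = "http://sitecollectionurl"
$groupNameWildcard = "Owner"

$dll = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\ISAPI\Microsoft.SharePoint.dll"
[System.Reflection.Assembly]::LoadFrom($dll) | Out-Null

# For one securable object (an SPWeb or SPList), return one entry per matching group:
# the group name and the names of the role definitions bound to it.
# Objects that inherit permissions are skipped; their assignments live on the parent.
function Get-OwnerGroupBindings($securable, [string]$wildcard)
{
    $result = @()
    if (-not $securable.HasUniqueRoleAssignments) { return $result }
    foreach ($ra in $securable.RoleAssignments)
    {
        if (-not ($ra.Member -is [Microsoft.SharePoint.SPGroup])) { continue }
        if ($ra.Member.Name -notlike "*$wildcard*") { continue }
        $roleNames = @()
        foreach ($rd in $ra.RoleDefinitionBindings) { $roleNames += $rd.Name }
        $result += @{ Group = $ra.Member.Name; Roles = [string]::Join(", ", [string[]]$roleNames) }
    }
    return $result
}

# Walk a web, its lists and its sub webs, writing one tab-separated line per finding.
function Audit-Web([Microsoft.SharePoint.SPWeb]$web, [string]$wildcard)
{
    foreach ($b in Get-OwnerGroupBindings $web $wildcard)
    {
        "{0}`t[web]`t{1}`t{2}" -f $web.Url, $b.Group, $b.Roles
    }
    # Lists that break inheritance carry their own assignments. The downscale script
    # above never visits them, so these lines are the ones to review by hand.
    foreach ($list in $web.Lists)
    {
        foreach ($b in Get-OwnerGroupBindings $list $wildcard)
        {
            "{0}`t[list: {1}]`t{2}`t{3}" -f $web.Url, $list.Title, $b.Group, $b.Roles
        }
    }
    foreach ($subweb in $web.Webs)
    {
        Audit-Web $subweb $wildcard
        $subweb.Dispose()
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$rootWeb = $site.OpenWeb()
Audit-Web $rootWeb $groupNameWildcard
$rootWeb.Dispose()
$site.Dispose()
```

Redirect the output to a file and keep it: it is the record of what the permissions looked like before the downscale, which is the closest thing to an undo you will have.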

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.