Downscale permissions of Owners groups across a site collection (PowerShell script)

A common mistake is to follow the out-of-the-box (OOTB) permission setup on each site and add everyone to the Owners group, which grants them Full Control. Often, after the fact, you want to downscale the Owners groups littered throughout your site collection from Full Control to Contribute, or even Read (until the Owners have had their SharePoint training). The PowerShell script below does exactly this: it walks every site (SPWeb) in the site collection recursively and, on each web that has its own (unique) permissions, finds the groups whose name contains "Owners" and replaces their "Full Control" role binding with "Read". The role names and the group-name fragment are parameters of the method call, so downscaling to Contribute works the same way.

A few things to keep in mind before running it. The script loads Microsoft.SharePoint.dll from the 12 hive, so it must run on a SharePoint 2007 farm server, under an account that is allowed to change permissions on every web in the site collection (a site collection administrator is the simplest choice). Webs that inherit permissions are skipped on purpose: they follow whichever ancestor they inherit from, so they change along with it. The group-name match is a case-sensitive substring match, so "Owners" also matches "Team Site Owners" and "Owners of Project X", while a group called "owners" would not be touched. Site collection administrators keep full control of all content regardless of group membership; this script only rewrites group role bindings, not that setting. Finally, the script changes permissions without asking for confirmation, so try it against a test copy of the site collection first.

$webappUrl = "http://sitecollectionurl";   # root URL of the site collection to process
$existingRole = "Full Control";            # role definition to strip from the matched groups
$newRole = "Read";                         # role definition to grant instead
$groupNameWildcard = "Owners";             # substring matched against SPGroup.Name (case-sensitive)

Clear-Host
$12HivesDir = "${env:CommonProgramFiles}\Microsoft Shared\web server extensions\12\"
[System.Reflection.Assembly]::LoadFrom("$12HivesDir\ISAPI\Microsoft.SharePoint.dll") | Out-Null

function get-spweb ([String]$webUrl=$(throw 'Parameter -webUrl is missing!'))
{
   $site = New-Object -TypeName "Microsoft.SharePoint.SPSite" -ArgumentList "$webUrl";
   return $site.OpenWeb();
}

function change-permission([Microsoft.SharePoint.SPWeb]$web, [string]$existingRole, [string]$newRole, [string]$groupNameWildcard)
{
   Write-Host $web.Title
   Write-Host $web.Url

   # Webs that inherit permissions follow their parent, so only webs with unique role assignments are edited
   if ($web.HasUniqueRoleAssignments)
   {
       #Iterate through all SPRoleAssignments on the web
       foreach ($roleAssignment in $web.RoleAssignments)
       {
           #Pull out the principal
           $principal = $roleAssignment.Member;

           #Only SharePoint groups are of interest; role assignments for individual users are left alone
           if ($principal -is [Microsoft.SharePoint.SPGroup])
           {
               $roleGroup = [Microsoft.SharePoint.SPGroup]$principal;
               #if owner group
               if ($roleGroup.Name.Contains($groupNameWildcard))
               {
                   $changed = $false;
                   #Enumerate a copy of the bindings: removing from the live collection inside foreach breaks the enumeration
                   foreach ($roleDef in @($roleAssignment.RoleDefinitionBindings))
                   {
                       if ($roleDef.Name -eq $existingRole)
                       {
                           Write-Host "Replacing" $existingRole "with" $newRole "for group" $principal.Name;
                           $roleAssignment.RoleDefinitionBindings.Remove($roleDef);
                           $newRoleDef = $web.RoleDefinitions[$newRole];
                           #Don't bind the same role definition twice if the group already had it
                           if (-not $roleAssignment.RoleDefinitionBindings.Contains($newRoleDef))
                           {
                               $roleAssignment.RoleDefinitionBindings.Add($newRoleDef);
                           }
                           $changed = $true;
                       }
                   }
                   if ($changed)
                   {
                       $roleAssignment.Update();
                   }
               }
           }
       }
       $web.Update();
   }

   #Recurse into the sub webs with the same parameters
   if ($web.Webs.Count -ne 0)
   {
       Write-Host "Sub webs of " $web.Title
       foreach ($subweb in $web.Webs)
       {
           change-permission $subweb $existingRole $newRole $groupNameWildcard;
           $subweb.Dispose();
       }
   }
}

#Checks the role definitions visible from the given web (the root web's definitions, unless the web has its own)
function sproledefinition-exists ([Microsoft.SharePoint.SPWeb]$web, [string]$roleName)
{
   $exists = $false;
   foreach ($roleDef in $web.RoleDefinitions)
   {
       if ($roleDef.Name -eq $roleName)
       {
           $exists = $true;
       }
   }
   return $exists;
}

$devWeb = get-spweb $webappUrl
$existingRoleExist = sproledefinition-exists $devWeb $existingRole;
if ($existingRoleExist -eq $false)
{
   Write "ERROR: Existing Role does not exist!";
   $devWeb.Site.Dispose();
   $devWeb.Dispose();
   return;
}
$newRoleExist = sproledefinition-exists $devWeb $newRole;
if ($newRoleExist -eq $false)
{
   Write "ERROR: New Role does not exist!";
   $devWeb.Site.Dispose();
   $devWeb.Dispose();
   return;
}

change-permission $devWeb $existingRole $newRole $groupNameWildcard
$devWeb.Site.Dispose();
$devWeb.Dispose();
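Before letting the script above rewrite anything, it is worth knowing exactly which groups it will touch and which webs merely inherit. The read-only audit below is an added example, not part of the original page or script. It walks every web of the site collection through SPSite.AllWebs (a flat list, so no recursion is needed) and reports each group whose name contains the wildcard together with the role definitions currently bound to it; run it once before the downscale and once afterwards and compare the two reports. It assumes the SharePoint 2007 object model on a farm server, PowerShell 2.0 or later (for New-Object -Property and -join), an account that can read permissions on every web, and placeholder values for $siteCollectionUrl, $groupNameWildcard and $roleToFind; the function name Get-GroupRoleReport is invented for this example.

```powershell
# Added example: read-only audit of group role bindings across a site collection.
# Assumptions: SharePoint 2007 (12 hive) on a farm server, PowerShell 2.0+,
# placeholder URL/names below. Nothing here modifies permissions.
$siteCollectionUrl = "http://sitecollectionurl"   # placeholder
$groupNameWildcard = "Owners"                      # same case-sensitive substring the downscale script uses
$roleToFind        = "Full Control"                # role whose presence we want to flag

$hiveDir = "${env:CommonProgramFiles}\Microsoft Shared\web server extensions\12\"
[System.Reflection.Assembly]::LoadFrom("$hiveDir\ISAPI\Microsoft.SharePoint.dll") | Out-Null

function Get-GroupRoleReport([string]$siteUrl, [string]$nameFragment, [string]$roleName)
{
    $site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
    $report = @()
    try
    {
        # AllWebs enumerates every web in the collection, at any depth
        foreach ($web in $site.AllWebs)
        {
            try
            {
                if (-not $web.HasUniqueRoleAssignments)
                {
                    # Inheriting webs take whatever their parent ends up with; record that fact
                    $report += New-Object PSObject -Property @{
                        Web = $web.Url; Group = "(inherits from parent)"; Roles = ""; HasRole = $false }
                    continue
                }
                foreach ($ra in $web.RoleAssignments)
                {
                    # Only SharePoint groups whose name contains the fragment are reported
                    if (-not ($ra.Member -is [Microsoft.SharePoint.SPGroup])) { continue }
                    if (-not $ra.Member.Name.Contains($nameFragment)) { continue }

                    $roleNames = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                    $report += New-Object PSObject -Property @{
                        Web     = $web.Url
                        Group   = $ra.Member.Name
                        Roles   = ($roleNames -join ", ")
                        HasRole = ($roleNames -contains $roleName)
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
    return $report
}

$rows = Get-GroupRoleReport $siteCollectionUrl $groupNameWildcard $roleToFind
$rows | Sort-Object Web | Format-Table Web, Group, Roles, HasRole -AutoSize
Write-Host ("Groups still holding '{0}': {1}" -f $roleToFind, @($rows | Where-Object { $_.HasRole }).Count)
```

The HasRole column is what to watch: after the downscale it should be false on every row, and any row where it is still true points at a web the script did not reach (for example a web whose Owners group is named differently from the fragment) or a role binding the account running the script was not allowed to change. The "(inherits from parent)" rows are expected and need no action.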

Labels: security, permissions, powershell



Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License. Hosted generously by CustomWare