Recently our user domains were changed from xyz\test to abc\test, which resulted in various issues; one of them was that users lost all their permissions on the sites after the domain change.
To overcome that issue, I wrote a PowerShell script that lists each site/list/library the user had access to and the permission level held there. It also identifies whether the permission was granted directly or through a SharePoint group (and which group), and finally adds the new domain account to all of those, which resolved the issue.
Script:
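# Load the SharePoint snap-in once, and fail loudly if it cannot be loaded:
# with -ErrorAction SilentlyContinue a missing snap-in only surfaces later as an
# unrelated "type not found" error on New-Object Microsoft.SharePoint.SPSite.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}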
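Function Get-RoleDefinitionNames($RoleAssignment)
{
    # Names of the permission levels bound to one role assignment,
    # e.g. "Full Control", "Read". Returned as an array even for a single name.
    $names = @()
    foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
    {
        $names += $RoleDefinition.Name
    }
    return ,$names
}

Function Write-AccessReportLine($ReportPath, $Url, $Type, $Title, $GrantedVia, $Levels)
{
    # Appends one tab-separated row: URL, Site/List, title, how access is granted,
    # and the permission levels joined with ";" (same column order as the original report).
    "$Url`t$Type`t$Title`t$GrantedVia`t$($Levels -join ';')" | Out-File $ReportPath -Append
}

Function Find-UserAccess($Securable, $Web, $SearchUser, $ReplaceUser, $Url, $Type, $Title, $ReportPath)
{
    # Walks the role assignments of one securable (an SPWeb or SPList), logs every path
    # through which $SearchUser has access, adds $ReplaceUser to each SharePoint group that
    # grants it, and returns the permission level names $SearchUser holds directly
    # (an empty array when there is no direct assignment).
    $directLevels = @()
    foreach ($RoleAssignment in $Securable.RoleAssignments)
    {
        $member = $RoleAssignment.Member
        if ($member -is [Microsoft.SharePoint.SPGroup])
        {
            # SharePoint group: is the search user a member of it?
            foreach ($user in $member.Users)
            {
                if ($user.LoginName -ne $SearchUser) { continue }
                try
                {
                    # -ErrorAction Stop turns the cmdlet's non-terminating error into one the catch sees
                    Set-SPUser -Identity $ReplaceUser -Web $Web.Url -Group $member.Name -ErrorAction Stop
                }
                catch [Exception]
                {
                    Write-Host "Could not add $ReplaceUser to group '$($member.Name)' on $($Web.Url): $($_.Exception.Message)"
                }
                $levels = Get-RoleDefinitionNames $RoleAssignment
                Write-AccessReportLine $ReportPath $Url $Type $Title "$($member.Name) Group" $levels
                break   # one membership hit per group is enough
            }
        }
        elseif ($member.LoginName -eq $SearchUser)
        {
            # User account assigned directly on the securable
            $directLevels = Get-RoleDefinitionNames $RoleAssignment
            Write-AccessReportLine $ReportPath $Url $Type $Title "Direct Permission" $directLevels
        }
    }
    return ,$directLevels
}

Function Grant-DirectPermissions($Securable, $Web, $ReplaceUser, $PermissionLevels)
{
    # Re-creates $PermissionLevels as a direct role assignment for $ReplaceUser on $Securable.
    # Does nothing when there are no levels; skips (and reports) levels that do not exist on the web.
    if ($PermissionLevels.Count -eq 0) { return }
    $userobj = $Web.EnsureUser($ReplaceUser)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($userobj)
    foreach ($rawLevel in $PermissionLevels)
    {
        # Trim every level, not only the "Limited Access" one: a leading space makes the
        # RoleDefinitions lookup below fail.
        $level = "$rawLevel".Trim()
        if ($level -eq "") { continue }
        if ($level -eq "Limited Access")
        {
            # NOTE(review): the original script substitutes "Read" for "Limited Access".
            # "Limited Access" is the marker SharePoint itself adds when a user has rights
            # only on a child object, so granting "Read" here gives the new account more
            # than the old one had on this securable. Kept for compatibility, but made visible.
            Write-Host "Mapping 'Limited Access' to 'Read' for $ReplaceUser on $($Web.Url) -- this is broader than the original grant"
            $level = "Read"
        }
        $role = $null
        try
        {
            $role = $Web.RoleDefinitions[$level]
        }
        catch [Exception]
        {
            $role = $null
        }
        if ($role -eq $null)
        {
            # Adding a $null binding would throw and abort the whole run
            Write-Host "Permission level '$level' not found on $($Web.Url); skipped"
            continue
        }
        $assignment.RoleDefinitionBindings.Add($role)
    }
    if ($assignment.RoleDefinitionBindings.Count -gt 0)
    {
        $Securable.RoleAssignments.Add($assignment)
    }
}

Function GetUserAccessReport($WebAppURL, $SearchUser, $ReplaceUser, $ReportPath = 'c:\UserAccessReport.csv')
{
    <#
    .SYNOPSIS
        Reports where $SearchUser has access in a site collection and grants the same access to $ReplaceUser.
    .DESCRIPTION
        Walks every web of the site collection and every non-hidden list with unique permissions in it.
        For each securable with unique role assignments it records, in a tab-separated report, whether
        $SearchUser has access directly or through a SharePoint group and with which permission levels.
        $ReplaceUser is then added to each such group (Set-SPUser) and given the same direct permission
        levels (SPRoleAssignment). Folder- and item-level permissions are not visited.
    .PARAMETER WebAppURL
        URL of the site collection to scan; an SPSite is opened on it.
    .PARAMETER SearchUser
        Claims-encoded login of the old account, e.g. i:0#.w|xyz\test.
    .PARAMETER ReplaceUser
        Claims-encoded login of the new account that receives the access.
    .PARAMETER ReportPath
        Report file, overwritten on each run. Defaults to the path the original script hard-coded.
    .OUTPUTS
        None. Writes $ReportPath; errors and privilege-widening substitutions go to the console.
    #>
    New-Item $ReportPath -ItemType "file" -Force | Out-Null
    "URL`tType`tTitle`tGrantedVia`tPermissionLevels" | Out-File $ReportPath -Append

    $site = $null
    try
    {
        $site = New-Object Microsoft.SharePoint.SPSite $WebAppURL
        # Loop through all sub sites
        foreach ($Web in $site.AllWebs)
        {
            try
            {
                if ($Web.HasUniqueRoleAssignments -eq $True)
                {
                    $webLevels = @(Find-UserAccess $Web $Web $SearchUser $ReplaceUser $Web.Url "Site" $Web.Title $ReportPath)
                    Grant-DirectPermissions $Web $Web $ReplaceUser $webLevels
                }
                #******** Check Lists with Unique Permissions ********/
                foreach ($List in $Web.Lists)
                {
                    if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                    {
                        $listUrl = "$($Web.Url)/$($List.RootFolder.Url)"
                        $listLevels = @(Find-UserAccess $List $Web $SearchUser $ReplaceUser $listUrl "List" $List.Title $ReportPath)
                        Grant-DirectPermissions $List $Web $ReplaceUser $listLevels
                    }
                }
            }
            finally
            {
                # Every SPWeb handed out by AllWebs must be disposed by the caller
                $Web.Dispose()
            }
        }
    }
    finally
    {
        if ($site -ne $null) { $site.Dispose() }
    }
}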
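# Windows claims encoding prefix used for SharePoint claims logins
$ClaimsPrefix = "i:0#.w|"

$SiteCollURL = (read-host "Enter Site Collection URL to get User Access Report").Trim()
$AccountName = (read-host "Enter Existing User Account for ex:xyz\test").Trim()
$NewAccountName = (read-host "Enter New User Account to update sharepoint groups").Trim()

# Refuse to run with a blank value: an empty login would match nothing or, worse,
# an empty replacement would be passed to EnsureUser/Set-SPUser on every securable.
if ($SiteCollURL -eq "" -or $AccountName -eq "" -or $NewAccountName -eq "")
{
    Write-Host "Site collection URL, existing account and new account are all required; nothing was changed."
    return
}

# Accept both plain (xyz\test) and already claims-encoded input without double-prefixing
if (-not $AccountName.StartsWith($ClaimsPrefix)) { $AccountName = $ClaimsPrefix + $AccountName }
if (-not $NewAccountName.StartsWith($ClaimsPrefix)) { $NewAccountName = $ClaimsPrefix + $NewAccountName }

Write-Host "Granting $NewAccountName the access currently held by $AccountName in $SiteCollURL"
GetUserAccessReport $SiteCollURL $AccountName $NewAccountName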
To overcome that issue, I wrote a PowerShell script that lists each site/list/library the user had access to and the permission level held there. It also identifies whether the permission was granted directly or through a SharePoint group (and which group), and finally adds the new domain account to all of those, which resolved the issue.
Script:
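# Load the SharePoint snap-in once, and fail loudly if it cannot be loaded:
# with -ErrorAction SilentlyContinue a missing snap-in only surfaces later as an
# unrelated "type not found" error on New-Object Microsoft.SharePoint.SPSite.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}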
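Function Get-RoleDefinitionNames($RoleAssignment)
{
    # Names of the permission levels bound to one role assignment,
    # e.g. "Full Control", "Read". Returned as an array even for a single name.
    $names = @()
    foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
    {
        $names += $RoleDefinition.Name
    }
    return ,$names
}

Function Write-AccessReportLine($ReportPath, $Url, $Type, $Title, $GrantedVia, $Levels)
{
    # Appends one tab-separated row: URL, Site/List, title, how access is granted,
    # and the permission levels joined with ";" (same column order as the original report).
    "$Url`t$Type`t$Title`t$GrantedVia`t$($Levels -join ';')" | Out-File $ReportPath -Append
}

Function Find-UserAccess($Securable, $Web, $SearchUser, $ReplaceUser, $Url, $Type, $Title, $ReportPath)
{
    # Walks the role assignments of one securable (an SPWeb or SPList), logs every path
    # through which $SearchUser has access, adds $ReplaceUser to each SharePoint group that
    # grants it, and returns the permission level names $SearchUser holds directly
    # (an empty array when there is no direct assignment).
    $directLevels = @()
    foreach ($RoleAssignment in $Securable.RoleAssignments)
    {
        $member = $RoleAssignment.Member
        if ($member -is [Microsoft.SharePoint.SPGroup])
        {
            # SharePoint group: is the search user a member of it?
            foreach ($user in $member.Users)
            {
                if ($user.LoginName -ne $SearchUser) { continue }
                try
                {
                    # -ErrorAction Stop turns the cmdlet's non-terminating error into one the catch sees
                    Set-SPUser -Identity $ReplaceUser -Web $Web.Url -Group $member.Name -ErrorAction Stop
                }
                catch [Exception]
                {
                    Write-Host "Could not add $ReplaceUser to group '$($member.Name)' on $($Web.Url): $($_.Exception.Message)"
                }
                $levels = Get-RoleDefinitionNames $RoleAssignment
                Write-AccessReportLine $ReportPath $Url $Type $Title "$($member.Name) Group" $levels
                break   # one membership hit per group is enough
            }
        }
        elseif ($member.LoginName -eq $SearchUser)
        {
            # User account assigned directly on the securable
            $directLevels = Get-RoleDefinitionNames $RoleAssignment
            Write-AccessReportLine $ReportPath $Url $Type $Title "Direct Permission" $directLevels
        }
    }
    return ,$directLevels
}

Function Grant-DirectPermissions($Securable, $Web, $ReplaceUser, $PermissionLevels)
{
    # Re-creates $PermissionLevels as a direct role assignment for $ReplaceUser on $Securable.
    # Does nothing when there are no levels; skips (and reports) levels that do not exist on the web.
    if ($PermissionLevels.Count -eq 0) { return }
    $userobj = $Web.EnsureUser($ReplaceUser)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($userobj)
    foreach ($rawLevel in $PermissionLevels)
    {
        # Trim every level, not only the "Limited Access" one: a leading space makes the
        # RoleDefinitions lookup below fail.
        $level = "$rawLevel".Trim()
        if ($level -eq "") { continue }
        if ($level -eq "Limited Access")
        {
            # NOTE(review): the original script substitutes "Read" for "Limited Access".
            # "Limited Access" is the marker SharePoint itself adds when a user has rights
            # only on a child object, so granting "Read" here gives the new account more
            # than the old one had on this securable. Kept for compatibility, but made visible.
            Write-Host "Mapping 'Limited Access' to 'Read' for $ReplaceUser on $($Web.Url) -- this is broader than the original grant"
            $level = "Read"
        }
        $role = $null
        try
        {
            $role = $Web.RoleDefinitions[$level]
        }
        catch [Exception]
        {
            $role = $null
        }
        if ($role -eq $null)
        {
            # Adding a $null binding would throw and abort the whole run
            Write-Host "Permission level '$level' not found on $($Web.Url); skipped"
            continue
        }
        $assignment.RoleDefinitionBindings.Add($role)
    }
    if ($assignment.RoleDefinitionBindings.Count -gt 0)
    {
        $Securable.RoleAssignments.Add($assignment)
    }
}

Function GetUserAccessReport($WebAppURL, $SearchUser, $ReplaceUser, $ReportPath = 'c:\UserAccessReport.csv')
{
    <#
    .SYNOPSIS
        Reports where $SearchUser has access in a site collection and grants the same access to $ReplaceUser.
    .DESCRIPTION
        Walks every web of the site collection and every non-hidden list with unique permissions in it.
        For each securable with unique role assignments it records, in a tab-separated report, whether
        $SearchUser has access directly or through a SharePoint group and with which permission levels.
        $ReplaceUser is then added to each such group (Set-SPUser) and given the same direct permission
        levels (SPRoleAssignment). Folder- and item-level permissions are not visited.
    .PARAMETER WebAppURL
        URL of the site collection to scan; an SPSite is opened on it.
    .PARAMETER SearchUser
        Claims-encoded login of the old account, e.g. i:0#.w|xyz\test.
    .PARAMETER ReplaceUser
        Claims-encoded login of the new account that receives the access.
    .PARAMETER ReportPath
        Report file, overwritten on each run. Defaults to the path the original script hard-coded.
    .OUTPUTS
        None. Writes $ReportPath; errors and privilege-widening substitutions go to the console.
    #>
    New-Item $ReportPath -ItemType "file" -Force | Out-Null
    "URL`tType`tTitle`tGrantedVia`tPermissionLevels" | Out-File $ReportPath -Append

    $site = $null
    try
    {
        $site = New-Object Microsoft.SharePoint.SPSite $WebAppURL
        # Loop through all sub sites
        foreach ($Web in $site.AllWebs)
        {
            try
            {
                if ($Web.HasUniqueRoleAssignments -eq $True)
                {
                    $webLevels = @(Find-UserAccess $Web $Web $SearchUser $ReplaceUser $Web.Url "Site" $Web.Title $ReportPath)
                    Grant-DirectPermissions $Web $Web $ReplaceUser $webLevels
                }
                #******** Check Lists with Unique Permissions ********/
                foreach ($List in $Web.Lists)
                {
                    if ($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                    {
                        $listUrl = "$($Web.Url)/$($List.RootFolder.Url)"
                        $listLevels = @(Find-UserAccess $List $Web $SearchUser $ReplaceUser $listUrl "List" $List.Title $ReportPath)
                        Grant-DirectPermissions $List $Web $ReplaceUser $listLevels
                    }
                }
            }
            finally
            {
                # Every SPWeb handed out by AllWebs must be disposed by the caller
                $Web.Dispose()
            }
        }
    }
    finally
    {
        if ($site -ne $null) { $site.Dispose() }
    }
}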
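# Windows claims encoding prefix used for SharePoint claims logins
$ClaimsPrefix = "i:0#.w|"

$SiteCollURL = (read-host "Enter Site Collection URL to get User Access Report").Trim()
$AccountName = (read-host "Enter Existing User Account for ex:xyz\test").Trim()
$NewAccountName = (read-host "Enter New User Account to update sharepoint groups").Trim()

# Refuse to run with a blank value: an empty login would match nothing or, worse,
# an empty replacement would be passed to EnsureUser/Set-SPUser on every securable.
if ($SiteCollURL -eq "" -or $AccountName -eq "" -or $NewAccountName -eq "")
{
    Write-Host "Site collection URL, existing account and new account are all required; nothing was changed."
    return
}

# Accept both plain (xyz\test) and already claims-encoded input without double-prefixing
if (-not $AccountName.StartsWith($ClaimsPrefix)) { $AccountName = $ClaimsPrefix + $AccountName }
if (-not $NewAccountName.StartsWith($ClaimsPrefix)) { $NewAccountName = $ClaimsPrefix + $NewAccountName }

Write-Host "Granting $NewAccountName the access currently held by $AccountName in $SiteCollURL"
GetUserAccessReport $SiteCollURL $AccountName $NewAccountName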