Friday, January 22, 2016

Replace "Edit" Permissions with "Contribute" in SharePoint 2013-2016 using PowerShell

Problem: Prior to SharePoint 2013, the Members group of a site had the "Contribute" permission level. SharePoint 2013 introduced a new permission level, "Edit", with more rights. This brought an additional issue: members can delete lists and libraries!

Solution: Remove the Edit permission and add the Contribute permission for all users and groups of the site! Here is how. Navigate to:

  • Site Settings >> Site permissions
  • Select the person or group with Edit permissions that you want to change >> Click on the "Edit User Permissions" ribbon button
  • On the Edit Permissions page, uncheck the "Edit" permission and select "Contribute"
  • Click "OK" to save changes. Now the Members group has contribute permissions instead of Edit.

Editing the "Edit" permission level and removing the "Add, Edit and Delete Lists" permission from it also solves the problem, but it's not recommended to change OOTB permission levels in SharePoint!

But wait! Who can go to each site of the web application and repeat the above steps? Tedious, isn't it? So, let's use PowerShell to re-assign permissions from Edit to Contribute.

PowerShell to replace Edit permissions of the Members group with Contribute access rights:
This PowerShell script changes the permission level from Edit to Contribute for all users and groups, on every web in the web application that has unique permissions (webs that inherit permissions are skipped).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Web Application URL
$WebAppURL="http://intranet.crescent.com/"

#Get all webs from the web application
$WebsCollection = Get-SPWebApplication $WebAppURL | Get-SPSite -Limit All | Get-SPWeb  -limit All

#Iterate through each web and replace "Edit" to "Contribute"
Foreach ($web in $WebsCollection)
{
    #Get Edit and Contribute permission levels
    $ContributePermission = $web.RoleDefinitions["Contribute"]
    $EditPermission = $web.RoleDefinitions["Edit"]

    Write-host "Processing:" $web.Url

    If (!$web.HasUniquePerm)
    {
        Write-host -f Yellow "Web is inheriting permissions..."
        #Release the web object before moving on to the next one
        $web.Dispose()
        continue
    }

    #Get all users and groups with Edit permissions
    #Contains() is the same membership test used in the loop below
    $RoleAssignmentsColl = $web.RoleAssignments | where {$_.RoleDefinitionBindings.Contains($EditPermission)}
    
    #Loop through each user/group with Edit permission level
    foreach($RoleAssignment in $RoleAssignmentsColl)
    { 
        #Add Contribute Permissions
        if(!$RoleAssignment.RoleDefinitionBindings.Contains($ContributePermission))
        {
            $RoleAssignment.RoleDefinitionBindings.Add($ContributePermission)
            $RoleAssignment.Update()
            Write-host -f Green "Contribute Permission Added to the User/Group:" $RoleAssignment.Member.Name
        }
 
        #Remove Edit permissions
        if($RoleAssignment.RoleDefinitionBindings.Contains($EditPermission))
        {
            $RoleAssignment.RoleDefinitionBindings.Remove($EditPermission)
            $RoleAssignment.Update()
            Write-host -f Green "Edit Permission removed from the User/Group:" $RoleAssignment.Member.Name
        }
    }

    #Release the web object once it has been processed
    $web.Dispose()
}
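
A read-only audit to run before and after the script above, added here as an example and not part of the original post: it reports every user or group holding Edit on webs with unique permissions and also on lists and libraries with unique permissions, which the script above does not change. The helper name Get-EditAssignments and the report path are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Same web application URL as the script above
$WebAppURL = "http://intranet.crescent.com/"
#Hypothetical output path for the report
$ReportPath = "C:\Temp\EditPermissionAudit.csv"

#Hypothetical helper: one row per user/group bound to $Role on a web or list
function Get-EditAssignments($Securable, $Role, $WebUrl, $Scope, $Title)
{
    foreach ($RoleAssignment in $Securable.RoleAssignments)
    {
        if ($RoleAssignment.RoleDefinitionBindings.Contains($Role))
        {
            New-Object PSObject -Property @{
                WebUrl    = $WebUrl
                Scope     = $Scope
                Title     = $Title
                Principal = $RoleAssignment.Member.Name
            }
        }
    }
}

$Report = @()
$WebsCollection = Get-SPWebApplication $WebAppURL | Get-SPSite -Limit All | Get-SPWeb -Limit All

foreach ($web in $WebsCollection)
{
    #Look up "Edit" by name so a web without that level is skipped, not an error
    $EditPermission = $web.RoleDefinitions | Where-Object { $_.Name -eq "Edit" }
    if ($EditPermission -ne $null)
    {
        #Web-level assignments: the scope the replacement script changes
        if ($web.HasUniqueRoleAssignments)
        {
            $Report += @(Get-EditAssignments $web $EditPermission $web.Url "Web" $web.Title)
        }
        #List-level assignments (folders and items are not checked here)
        foreach ($list in $web.Lists)
        {
            if ($list.HasUniqueRoleAssignments)
            {
                $Report += @(Get-EditAssignments $list $EditPermission $web.Url "List" $list.Title)
            }
        }
    }
    $web.Dispose()
}

$Report | Select-Object WebUrl, Scope, Title, Principal | Export-Csv $ReportPath -NoTypeInformation
Write-Host "Edit assignments found:" $Report.Count
```

After the replacement script has run, any remaining rows with Scope "Web" indicate an assignment that was not converted; rows with Scope "List" need to be handled separately.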