SharePoint 2010 Permission Report: Check Access Rights for a Specific User

Update: This script has been updated to scan Folders and List Items with Claims support at: SharePoint User Permission Analysis & Reporting using PowerShell

Requirement: To ensure security, generate a permissions report covering every location (sites, lists, and so on) where a specific user has been granted permissions.

When people move from one role to another, it is necessary to audit their permissions on the sites and lists where they have access rights. Unfortunately, SharePoint offers no out-of-the-box way to find every site and list where a particular user has been granted access without using third-party tools. Luckily, we have PowerShell! Let’s find all SharePoint sites and lists where a particular user has access rights.

PowerShell Script to Check and Generate Report on Access Rights for a Specific User:

With this script, you can analyze and track security effectively by checking what permissions an account has been granted everywhere in SharePoint. The script scans these areas to retrieve a specific user’s access rights:

  • Farm Administrators group
  • Central Administration web application policies
  • Site Collection Administrators
  • All site collections and sub-sites with unique permissions
  • All lists and libraries with unique permissions
  • All SharePoint groups that have permissions on those sites and lists

After executing the script, it generates a CSV file (tab-separated, in fact!) with the columns URL, Site/List, Title, Permission Type and Permissions, as in the screenshot below.

[Screenshot: SharePoint Permission Report: Check Access Rights for a Specific User]

Depending on business needs, we want to track how many sites the user has permissions on, how many lists or libraries the user has been explicitly added to, and so on. PowerShell script to retrieve a user’s access rights across a web application:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
  
Function GetUserAccessReport($WebAppURL, $SearchUser)
{ 
	#Output Report location
	$OutputReport = "C:\Scripts\UserAccessReport.csv"
	#delete the file, If already exist!
	if (Test-Path $OutputReport)
	{
		Remove-Item $OutputReport
	}
 
	Write-host "Scanning Farm Administrator Group..."

	#Write CSV- TAB Separated File) Header
	"URL `t Site/List `t Title `t PermissionType `t Permissions" | out-file $OutputReport

	### Check whether the search user is a Farm Administrator ###
	#Get the SharePoint Central Administration site
	$AdminWebApp= Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
	$AdminSite = Get-SPweb($AdminWebApp.Url)
	$AdminGroupName = $AdminSite.AssociatedOwnerGroup
	$FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]

	#Enumerate the members of the Farm Administrators group
	foreach ($user in $FarmAdminGroup.users)
	{
		if($user.LoginName -eq $SearchUser)
		{
		   "$($AdminWebApp.URL) `t Farm `t $($AdminSite.Title)`t Farm Administrator `t Farm Administrator" | Out-File $OutputReport -Append
		}     
	}

	Write-host "Scanning Web Application Policies..."

	### Check Web Application Policies ###
	$WebApp= Get-SPWebApplication $WebAppURL

	foreach ($Policy in $WebApp.Policies)
	{
		#Check whether the policy applies to the search user
		if($Policy.UserName -eq $SearchUser)
		{
			#Collect the policy roles (e.g. Full Control, Full Read)
			$PolicyRoles=@()
			foreach($Role in $Policy.PolicyRoleBindings)
			{
				$PolicyRoles+= $Role.Name +";"
			}
			#Report against the web application being scanned (not the Central Administration site)
			"$($WebApp.Url) `t Web Application `t $($WebApp.DisplayName)`t Web Application Policy `t $($PolicyRoles)" | Out-File $OutputReport -Append
		}
	}

	Write-host "Scanning Site Collections..."
	#Get All Site Collections of the WebApp
	$SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
	 
	#Loop through all site collections
	foreach($Site in $SiteCollections)
	{
		Write-host "Scanning Site Collection:" $site.Url
		#Check Whether the Search User is a Site Collection Administrator
		foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
		{
			if($SiteCollAdmin.LoginName -eq $SearchUser)
			{
				"$($Site.RootWeb.Url) `t Site `t $($Site.RootWeb.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $OutputReport -Append
			}     
		}

		#Loop through all sub-sites (AllWebs includes the root web)
		foreach($Web in $Site.AllWebs)
		{
			if($Web.HasUniqueRoleAssignments -eq $True)
			{
				Write-host "Scanning Site:" $Web.Url

				#Get all the users and groups granted permissions to the site
				foreach($WebRoleAssignment in $Web.RoleAssignments )
				{
					#Is it a user account? (a role assignment member is either an SPUser or an SPGroup)
					if($WebRoleAssignment.Member -is [Microsoft.SharePoint.SPUser])
					{
						#Is the current user the user we search for?
						if($WebRoleAssignment.Member.LoginName -eq $SearchUser)
						{
							#Write-Host  $SearchUser has direct permissions to site $Web.Url
							#Get the permissions assigned to the user
							$WebUserPermissions=@()
							foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
							{
								$WebUserPermissions += $RoleDefinition.Name +";"
							}
							#write-host "with these permissions: " $WebUserPermissions

							#Send the Data to Log file
							"$($Web.Url) `t Site `t $($Web.Title)`t Direct Permission `t $($WebUserPermissions)" | Out-File $OutputReport -Append
						}
					}
					#It's a SharePoint group, so search inside the group and check whether the user is a member
					else
					{
						foreach($user in $WebRoleAssignment.member.users)
						{
							#Check whether the search user is a member of the group
							if($user.LoginName -eq $SearchUser)
							{
								#Write-Host  "$SearchUser is Member of " $WebRoleAssignment.Member.Name "Group"
								#Get the group's permissions on the site
								$WebGroupPermissions=@()
								foreach ($RoleDefinition  in $WebRoleAssignment.RoleDefinitionBindings)
								{
									$WebGroupPermissions += $RoleDefinition.Name +";"
								}
								#write-host "Group has these permissions: " $WebGroupPermissions

								#Send the Data to Log file
								"$($Web.Url) `t Site `t $($Web.Title)`t Member of $($WebRoleAssignment.Member.Name) Group `t $($WebGroupPermissions)" | Out-File $OutputReport -Append
							}
						}
					}
				}
			} 
		  
			###*****  Check Lists with Unique Permissions *******###
			foreach($List in $Web.lists)
			{
				if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
				{
					Write-host "Scanning List:" $List.RootFolder.Url
					#Get all the users and groups granted permissions to the list
					foreach($ListRoleAssignment in $List.RoleAssignments )
					{
						#Is it a user account?
						if($ListRoleAssignment.Member -is [Microsoft.SharePoint.SPUser])
						{
							#Is the current user the user we search for?
							if($ListRoleAssignment.Member.LoginName -eq $SearchUser)
							{
								#Write-Host  $SearchUser has direct permissions to List ($List.ParentWeb.Url)/($List.RootFolder.Url)
								#Get the permissions assigned to the user
								$ListUserPermissions=@()
								foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
								{
									$ListUserPermissions += $RoleDefinition.Name +";"
								}
								#write-host "with these permissions: " $ListUserPermissions

								#Send the Data to Log file
								"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Direct Permissions `t $($ListUserPermissions)" | Out-File $OutputReport -Append
							}
						}
						#It's a SharePoint group, so search inside the group and check whether the user is a member
						else
						{
							foreach($user in $ListRoleAssignment.member.users)
							{
								if($user.LoginName -eq $SearchUser)
								{
									#Write-Host  "$SearchUser is Member of " $ListRoleAssignment.Member.Name "Group"
									#Get the group's permissions on the list
									$ListGroupPermissions=@()
									foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings)
									{
										$ListGroupPermissions += $RoleDefinition.Name +";"
									}
									#write-host "Group has these permissions: " $ListGroupPermissions

									#Send the data to the log file (list URL and "List" scope, matching the direct-permission row)
									"$($List.ParentWeb.Url)/$($List.RootFolder.Url) `t List `t $($List.Title)`t Member of $($ListRoleAssignment.Member.Name) Group `t $($ListGroupPermissions)" | Out-File $OutputReport -Append
								}
							}
						}
					}
				}
			}
			#Release the SPWeb object before moving to the next sub-site
			$Web.Dispose()
		}
		#Release the SPSite object before moving to the next site collection
		$Site.Dispose()
	}
	  
	Write-host "`n Access Rights Report Generated!"
}
 
#Call the function to Check User Access
GetUserAccessReport "http://sharepoint.crescent.com" "i:0#.w|Global\Salaudeen"
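To answer the tracking questions raised above (how many sites, how many lists, and where the user ends up with Full Control), here is an added example that reads the tab-separated report back and summarizes it. This is example code written for this page, not part of the original script; it assumes only the column layout the script writes (URL, Site/List, Title, PermissionType, Permissions) and targets the PowerShell 2.0 that ships with SharePoint 2010. The sample report rows are constructed, not real farm data.

```powershell
# Added example (not part of the original script): summarize the report written by GetUserAccessReport.
function Get-UserAccessSummary
{
    param([Parameter(Mandatory=$true)][string]$ReportPath)

    # The script pads every tab with spaces ("URL `t Site/List `t ..."), so header names and
    # values carry stray whitespace. Skip the header row, assign clean column names and trim
    # each field before using it.
    $Rows = Get-Content $ReportPath | Select-Object -Skip 1 |
        ConvertFrom-Csv -Delimiter "`t" -Header 'URL','Scope','Title','PermissionType','Permissions' |
        ForEach-Object {
            New-Object PSObject -Property @{
                URL            = $_.URL.Trim()
                Scope          = $_.Scope.Trim()           # Farm, Web Application, Site or List
                Title          = $_.Title.Trim()
                PermissionType = $_.PermissionType.Trim()  # e.g. "Direct Permission", "Member of Owners Group"
                # Role names are ";"-joined with a trailing ";" (e.g. "Full Control; Contribute;")
                Permissions    = @($_.Permissions -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
            }
        }

    $Sites       = @($Rows | Where-Object { $_.Scope -eq 'Site' } | ForEach-Object { $_.URL } | Select-Object -Unique)
    $Lists       = @($Rows | Where-Object { $_.Scope -eq 'List' } | ForEach-Object { $_.URL } | Select-Object -Unique)
    $FullControl = @($Rows | Where-Object { $_.Permissions -contains 'Full Control' } | ForEach-Object { $_.URL } | Select-Object -Unique)

    New-Object PSObject -Property @{
        TotalEntries      = @($Rows).Count
        SiteCount         = $Sites.Count
        ListCount         = $Lists.Count
        DirectGrants      = @($Rows | Where-Object { $_.PermissionType -like 'Direct Permission*' }).Count
        GrantsViaGroups   = @($Rows | Where-Object { $_.PermissionType -like 'Member of *' }).Count
        FullControlPlaces = $FullControl
        # Farm Administrator and Web Application Policy rows are the high-privilege findings to review first
        FarmLevelRights   = @($Rows | Where-Object { $_.Scope -eq 'Farm' -or $_.Scope -eq 'Web Application' } | ForEach-Object { $_.PermissionType })
    }
}

# Constructed sample report in the exact layout the script writes (not real farm data)
$SampleReport = Join-Path $env:TEMP 'UserAccessReport.sample.csv'
@(
    "URL `t Site/List `t Title `t PermissionType `t Permissions",
    "http://sharepoint.crescent.com/ `t Site `t Home`t Direct Permission `t Full Control;",
    "http://sharepoint.crescent.com/hr `t Site `t HR`t Member of HR Members Group `t Contribute;",
    "http://sharepoint.crescent.com/hr/Lists/Reviews `t List `t Reviews`t Direct Permissions `t Read;",
    "http://sharepoint.crescent.com/hr/Lists/Reviews `t List `t Reviews`t Member of HR Owners Group `t Full Control;"
) | Out-File $SampleReport

# For the constructed rows above: 4 entries, 2 sites, 1 list, 2 direct grants, 2 via groups,
# and Full Control on two distinct URLs (the root site and the Reviews list)
Get-UserAccessSummary $SampleReport | Format-List
```

Because a list can appear twice (once for a direct grant and once through a group), the counts are taken over unique URLs; the raw entry count still tells you how many grants need review.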

You can download the complete PowerShell Script from MSDN Code Gallery: SharePoint Permission Report: Check Access Rights for a Specific User

Limitation: Currently, the script does not account for Active Directory groups. For example, an Active Directory security group may include the user you are searching for, and that group may have been granted access rights; such grants are not reported. Also, it does not go down to the folder or list item level; it stops at the list.
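One way to close the Active Directory group gap, as an added example that is not part of the original script: resolve the searched user’s AD group membership once (through .NET’s System.DirectoryServices.AccountManagement, assumed to be available on the domain-joined SharePoint 2010 server, PowerShell 2.0) and match it against role assignments whose member is a domain group. The helper names, the sample account name and the “Member of AD group” row label are assumptions of this example, not part of the original.

```powershell
# Added example (not part of the original script): match role assignments granted to AD groups
# that the searched user belongs to. Assumes a domain-joined server; account names are constructed.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-UserDomainGroupKeys
{
    # Returns a lookup (hashtable keys) of every security group the user belongs to, including
    # nested groups, in both SID and DOMAIN\Name form, upper-cased for case-insensitive matching.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)   # e.g. "Salaudeen" (constructed)

    $Context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context, $SamAccountName)
    if ($User -eq $null) { throw "User '$SamAccountName' was not found in the domain." }

    $Keys = @{}
    foreach ($Group in $User.GetAuthorizationGroups())
    {
        if ($Group.Sid -eq $null) { continue }
        $Keys[$Group.Sid.Value.ToUpper()] = $true
        try
        {
            # Classic-mode SharePoint stores domain groups as DOMAIN\Name
            $NTAccount = $Group.Sid.Translate([System.Security.Principal.NTAccount]).Value
            $Keys[$NTAccount.ToUpper()] = $true
        }
        catch { }   # some built-in SIDs have no DOMAIN\Name translation; the SID key still matches
    }
    return $Keys
}

function Test-DomainGroupContainsUser
{
    # $Member is the principal behind a role assignment ($RoleAssignment.Member).
    # Windows claims encode an AD group as "c:0+.w|<SID>"; classic mode uses "DOMAIN\Group".
    param($Member, [hashtable]$UserGroupKeys)
    if (-not $Member.IsDomainGroup) { return $false }   # SPGroup objects and plain users fall out here
    $Login = $Member.LoginName
    if ($Login -match '^c:0\+\.w\|(.+)$') { $Login = $Matches[1] }   # strip the claims prefix
    return $UserGroupKeys.ContainsKey($Login.ToUpper())
}

function Get-DomainGroupGrants
{
    # Scans one securable object's (SPWeb or SPList) role assignments and returns report rows in the
    # same tab-separated layout as the script above, one per AD group that grants the user rights.
    param($SecurableObject, [string]$Url, [string]$Scope, [string]$Title, [hashtable]$UserGroupKeys)
    foreach ($RoleAssignment in $SecurableObject.RoleAssignments)
    {
        if (Test-DomainGroupContainsUser $RoleAssignment.Member $UserGroupKeys)
        {
            $Roles = ''
            foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings) { $Roles += $RoleDefinition.Name + ';' }
            "$Url `t $Scope `t $Title`t Member of AD group $($RoleAssignment.Member.Name) `t $Roles"
        }
    }
}

# Usage inside the script's site and list loops (constructed account; run on the farm):
# $GroupKeys = Get-UserDomainGroupKeys 'Salaudeen'        # build once, before the site collection loop
# Get-DomainGroupGrants $Web  $Web.Url 'Site' $Web.Title $GroupKeys | Out-File $OutputReport -Append
# Get-DomainGroupGrants $List "$($List.ParentWeb.Url)/$($List.RootFolder.Url)" 'List' $List.Title $GroupKeys | Out-File $OutputReport -Append
```

Building the group lookup once matters: GetAuthorizationGroups is a directory round-trip, and the script visits every web and list in the web application. The rows use the same “Member of …” wording as the script, so a summary that counts grants via groups picks them up unchanged.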

Huh, another nifty script under the SharePoint Admin tool belt!

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

30 thoughts on “SharePoint 2010 Permission Report: Check Access Rights for a Specific User”

  • March 17, 2021 at 7:17 AM

    Do you have the same script for SharePoint Online?

  • August 23, 2020 at 7:42 AM

    Hello

    Is there any way to check who provided the permission using PowerShell? For example, I have one admin group with full permission. This admin group has 4 users, who can add/remove/change permissions. I want to track the activities: which owner added/removed/changed the user, and how many times a user was added/removed by a particular owner.

    I want to do it using PowerShell for SP16 and SPO.

    Regards
    Avian

  • October 8, 2019 at 11:16 AM

    Just what I was looking for… except I need the same for SharePoint Online

  • January 11, 2019 at 9:38 AM

    Salaudeen, it seems the script runs on AD groups for me?

  • January 11, 2019 at 9:38 AM

    Hi kvimod, maybe no match for the search or an error in the search syntax – the script runs anyway. e.g. “i:0#.w|domainname” vs “i:0#.w|name”, the latter will not work. Just a thought.

  • January 11, 2019 at 9:35 AM

    Hi, I had the same issue due to no match for the search criteria. Look at the syntax you use for the name e.g. “i:0#.w|domainname” vs “i:0#.w|name”
  • December 20, 2018 at 8:19 PM

    Hi Salaudeen, my script ran without any issues but I am not getting anything in the file, it’s just a 1kb file and empty. Any thoughts

  • December 6, 2018 at 7:59 PM

    Thank you Sal
    I tried this and extracted the required report.

  • March 8, 2017 at 2:53 PM

    Hi Salaudeen,
    Thanks for your wonderful posts on PS scripts.
    For me the “GetUserEffectivePermissionInfo($userid)” method is throwing the below error, because I was trying to get the info of a trusted domain.
    Exception calling “GetUserEffectivePermissionInfo” with “1” argument(s): “The trust relationship between the primary domain and the trusted domain failed.”
    Is there any way to avoid this? Please suggest..
    The method is working fine for the primary domain.

    Thanks
    Ganesh

  • January 5, 2017 at 4:42 PM

    Salaudeen —

    First off, thanks for a great script. I have one problem with it, and it may be my lack of expertise with SharePoint. I’m able to find all of a user’s groups (all local) and permissions, but when I use this to remove them from groups they no longer should have access to, when I rerun the script they still show up in the report. If I check the group’s membership, the user is no longer there. I’ve gone so far as trying an iisreset, nothing seems to clear out the old information. Any ideas?
  • October 21, 2016 at 3:12 PM

    Hi Salaudeen,

    I get the below error. Can you please help me.

    Get-SPWebApplication : Cannot find an SPWebApplication object with Name, Id, or
    Url:

    • October 25, 2016 at 9:26 AM

      Try changing the Web Application URL and User ID in Line#187
  • February 25, 2016 at 2:50 PM

    Getting errors:
    You cannot call a method on a null-valued expression. for line 11 char 27

    Export-Csv : A parameter cannot be found that matches parameter name ‘Append’. line 179 char: 78

    These errors are from the start….

  • February 12, 2016 at 9:37 AM

    Hi,
    Could you please help me with the script to get all users from all the web applications, to get the entire SharePoint permission report.

    Thanks

  • February 3, 2016 at 3:28 PM

    Hi, looks like a great job, your script. I need something like that but for all the users in my site, and obviously I don’t know all the user ids or names :(, what can I do?

    Regards

  • December 21, 2015 at 5:18 AM

    Hi, I need a script for a single user: which sites he is accessing, his level of access on those sites, and the primary and secondary admin contact

  • December 4, 2015 at 6:10 PM

    Is there a script that does this for SharePoint 2010?

  • December 1, 2015 at 11:13 PM

    Hi,
    As this script is for a particular user, can I get such a report for all users in one report?
  • December 15, 2014 at 9:29 PM

    Hello, this works great! but I’m trying to modify it a tiny bit.. to have it add a new user where it found the $searchuser, and copy the role from the search user. I have the below added in, but I can’t get it to copy the ‘role name’ correctly into the below, for $permlevel:

    $WebUserPermissions=@()
    foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
    {
        $WebUserPermissions += $RoleDefinition.Name + ";"
        $permlevel = $RoleDefinition.Name
        # $account must be an SPUser of this web, e.g. $account = $Web.EnsureUser("i:0#.w|domain\newuser")
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        # Look the role definition up by name on the current web ($Web); $_ is not set inside a foreach statement
        $role = $Web.RoleDefinitions[$permlevel]
        $assignment.RoleDefinitionBindings.Add($role)
        $Web.RoleAssignments.Add($assignment)
    }
  • December 10, 2014 at 10:17 AM

    Hi, but where did this generate the file?
    I have run the script with no error and went to the log file, but no luck, didn’t find the file.
    Please let me know where to find the location.

    Thanks and Regards,

    Sabby

    • December 10, 2014 at 11:19 AM

      Sabby, it should be generated as “UserAccessReport.csv” in the same location where you saved this PowerShell script.
  • August 14, 2014 at 4:26 PM

    I am getting the following error while running this.
    PS C:\Scripts> & '.\User Access Report.ps1'
    The following exception occurred while trying to enumerate the collection:
    "0x80070003".
    At C:\Scripts\User Access Report.ps1:58 char:24
    + foreach($Web in $Site.AllWebs)
    + ~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : ExceptionInGetEnumerator

    • August 18, 2014 at 12:06 PM

      The account you are running this script under must have access to the site! It must also have DBO permissions on the databases used by SharePoint. Another case: the site may be locked!
  • February 7, 2014 at 7:44 PM

    Greg,
    Make sure you do not have any site collection set to No Access.
    Joseph Pullakudy

  • December 3, 2013 at 11:53 PM

    Hi Salaudeen – Thanks for sharing your work. This looks like a great tool, however I receive errors when running it. All I did was change ” GetUserAccessReport “http://sharepoint.crescent.com” “Global\Salaudeen” ” to the URL of my SharePoint site and one of my users. The error is:

    GetUserAccessReport : Exception has been thrown by the target of an invocation.
    At D:\Scripts\scratch\UserAccessReport1.ps1:165 char:20
    + GetUserAccessReport <<<< "https://sharepoint.domain.edu" "domain\fwhite"
    + CategoryInfo : NotSpecified: (:) [GetUserAccessReport], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,GetUserAccessReport

    Do you have any suggestions on working through this? Thanks - Greg

    • December 4, 2013 at 11:56 AM

      Greg,
      Sounds like it’s a permissions issue! You must have permission on the site collection(s) in question! Try creating a new Web Application User Policy in Central Admin on the target web application.
