How to Make a Subsite Read-Only using PowerShell?
Requirement: Make a SharePoint Subsite read-only.
How to make a Subsite Read-only by Resetting Permissions?
At times, You may need to make a SharePoint subsite read-only, so that users cannot modify its contents. I’ll show you how to make a subsite Read-Only in SharePoint in this article.
We can make a SharePoint subsite read-only by replacing all user and group permissions to the “Read” permission level.
- Navigate to the subsite >> Click on Site Settings >> Site Permissions
- In the site permissions page, Leave all users and groups with “Read”, “View Only” or “Limited Access” rights and select the rest.
- Click on the “Edit User Permissions” button from the ribbon to bulk edit permission levels of the selected users and groups.
- Select “Read” permission level and Click on “OK” to save!
This sets the subsite read only.
PowerShell to Reset Subsite Permissions to Read-Only:
Here is the SharePoint PowerShell to make subsite read only:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Parameters
$SubsiteURL = "https://intranet.crescent.com/legal"
#Get the Subsite
$Web = Get-SPWeb $SubsiteURL
#Break Permission Inheritance, if not already
If(!$Web.HasUniqueRoleAssignments)
{
$Web.BreakRoleInheritance($true)
}
#Get Required Permission Levels
$ReadPermission = $web.RoleDefinitions["Read"]
$ViewOnlyPermission = $web.RoleDefinitions["View Only"]
$LimitedAccessPermission = $web.RoleDefinitions["Limited Access"]
#Add Read Permission to Role Assignment, if not added already
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
$RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
If(!($RoleDefinitionBindings.Contains($ReadPermission) -or $RoleDefinitionBindings.Contains($ViewOnlyPermission) -or $RoleDefinitionBindings.Contains($LimitedAccessPermission)))
{
$RoleAssignment.RoleDefinitionBindings.Add($ReadPermission)
$RoleAssignment.Update()
Write-host "Added Read Permissions to '$($RoleAssignment.Member.Name)'" -ForegroundColor Green
}
}
#Remove All permissions other than Read or Similar
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
$RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
For($i=$RoleAssignment.RoleDefinitionBindings.Count-1; $i -ge 0; $i--)
{
$RoleDefBinding = $RoleAssignment.RoleDefinitionBindings[$i]
If( ($RoleDefBinding.Name -eq "Read") -or ($RoleDefBinding.Name -eq "View Only") -or ($RoleDefBinding.Name -eq "Limited Access") )
{
Continue;
}
Else
{
$RoleAssignment.RoleDefinitionBindings.Remove($RoleAssignment.RoleDefinitionBindings[$i])
$RoleAssignment.Update()
Write-host "Removed '$($RoleDefBinding.Name)' Permissions from '$($RoleAssignment.Member.Name)'" -ForegroundColor Yellow
}
}
}
Wait, What if the lists, libraries, folders, or files in the subsite have unique permission (broken inheritance!)? Let’s extend the script to reset permissions on all underlying objects.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Function to replace all permission levels granted with "Read"
Function Reset-Permissions([Microsoft.SharePoint.SPSecurableObject]$Object)
{
#Add Read Permission to Role Assignment, if not added already
ForEach ($RoleAssignment in $Object.RoleAssignments)
{
$RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
If(!($RoleDefinitionBindings.Contains($ReadPermission) -or $RoleDefinitionBindings.Contains($ViewOnlyPermission) -or $RoleDefinitionBindings.Contains($LimitedAccessPermission)))
{
$RoleAssignment.RoleDefinitionBindings.Add($ReadPermission)
$RoleAssignment.Update()
Write-host "`tAdded Read Permission to '$($RoleAssignment.Member.Name)'" -ForegroundColor Green
}
}
#Remove All permissions other than Read or Similar
ForEach ($RoleAssignment in $Object.RoleAssignments)
{
$RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
For($i=$RoleAssignment.RoleDefinitionBindings.Count-1; $i -ge 0; $i--)
{
$RoleDefBinding = $RoleAssignment.RoleDefinitionBindings[$i]
If( ($RoleDefBinding.Name -eq "Read") -or ($RoleDefBinding.Name -eq "View Only") -or ($RoleDefBinding.Name -eq "Limited Access") )
{
Continue;
}
Else
{
$RoleAssignment.RoleDefinitionBindings.Remove($RoleAssignment.RoleDefinitionBindings[$i])
$RoleAssignment.Update()
Write-host "`tRemoved '$($RoleDefBinding.Name)' Permission from '$($RoleAssignment.Member.Name)'" -ForegroundColor Yellow
}
}
}
}
#Parameters
$SubsiteURL = "https://intranet.sharepoint.com/2010"
#Get the Subsite
$Web = Get-SPWeb $SubsiteURL
#Break Permission Inheritance of the subsite, if not already
If(!$Web.HasUniqueRoleAssignments)
{
$Web.BreakRoleInheritance($true)
}
#Get Required Permission Levels
$ReadPermission = $web.RoleDefinitions["Read"]
$ViewOnlyPermission = $web.RoleDefinitions["View Only"]
$LimitedAccessPermission = $web.RoleDefinitions["Limited Access"]
#Call the function to Reset Web permissions
Write-host "Resetting Permissions on Web..."-NoNewline
Reset-Permissions $Web
Write-host "Done!" -f Green
#Array to Skip System Lists and Libraries
$SystemLists [email protected]("Converted Forms", "Master Page Gallery", "Customized Reports", "Form Templates", "List Template Gallery", "Theme Gallery",
"Reporting Templates", "Solution Gallery", "Style Library", "Web Part Gallery","Site Assets", "wfpub")
#Loop through each list in the web
Foreach ($List in $Web.Lists)
{
#Get only lists with unique permissions & Exclude Hidden System libraries
If (($List.Hidden -eq $false) -and ($SystemLists -notcontains $List.Title) -and ($List.HasUniqueRoleAssignments) )
{
#Call the function to Reset List permissions
Write-host -NoNewline "Resetting Permissions on List '$($List.title)'..."
Reset-Permissions $List
Write-host "Done!" -f Green
}
}
#Check List items with unique permissions
Foreach ($List in $Web.Lists)
{
#Get only lists with unique permissions & Exclude Hidden System libraries
If (($List.Hidden -eq $false) -and ($SystemLists -notcontains $List.Title))
{
#Get All list items with unique permissions
$UniqueItems = $List.GetItemsWithUniquePermissions()
If($UniqueItems.count -gt 0)
{
#Call the function to Reset List Item permissions
Write-host "Resetting Permissions on List Items of '$($List.title)'"
$UniqueItems | ForEach-Object {
Reset-Permissions $List.GetItemById($_.ID)
}
}
}
}
Here is another post on setting the SharePoint list to read-only: How to Make a SharePoint List or Library to Read Only Mode using PowerShell?
Thanks. This is very useful