Permission PowerShell SharePoint 2010 SharePoint 2013 SharePoint 2016 Subsite 

How to Make a Subsite Read-Only in SharePoint using PowerShell?

Salaudeen Rajack 2 Comments ,

Requirement: Make a SharePoint Subsite read-only.

This method replaces all other permissions applied on the subsite with “Read” and can’t be reverted! Make sure you are proceeding only in scenarios where you don’t need to revert the read-only (E.g. Post migration)! You can take backup of the existing permissions though. If you want to set the site collection read only, refer: How to set a SharePoint Online site collection in Read-Only Mode?

How to make a Subsite Read-only by Resetting Permissions?

At times, You may need to make a SharePoint subsite read-only, so that users cannot modify its contents. I’ll show you how to make a subsite Read-Only in SharePoint in this article.

We can make a SharePoint subsite read-only by replacing all user and group permissions with the “Read” permission level.

  1. Navigate to the subsite >> Click on Site Settings >> Site Permissions.
  2. In the site permissions page, Leave all users and groups with “Read”, “View Only” or “Limited Access” rights and select the rest.
  3. Click on the “Edit User Permissions” button from the ribbon to bulk edit permission levels of the selected users and groups.make a sharepoint subsite read-only
  4. Select the “Read” permission level and  Click on “OK” to save! how to make sharepoint subsite read only

This sets the subsite read only.

These methods don’t control Farm Administrators, Site Collection Administrators!

PowerShell to Reset Subsite Permissions to Read-Only:

Here is the SharePoint PowerShell to make subsite read only:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Parameters
$SubsiteURL = "https://intranet.crescent.com/legal"

#Get the Subsite
$Web = Get-SPWeb $SubsiteURL

#Break Permission Inheritance, if not already
If(!$Web.HasUniqueRoleAssignments)
{
    $Web.BreakRoleInheritance($true)
}

#Get Required Permission Levels
$ReadPermission = $web.RoleDefinitions["Read"]
$ViewOnlyPermission = $web.RoleDefinitions["View Only"]
$LimitedAccessPermission = $web.RoleDefinitions["Limited Access"]

#Add Read Permission to Role Assignment, if not added already
ForEach ($RoleAssignment in $Web.RoleAssignments) 
{
    $RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
    If(!($RoleDefinitionBindings.Contains($ReadPermission) -or $RoleDefinitionBindings.Contains($ViewOnlyPermission) -or $RoleDefinitionBindings.Contains($LimitedAccessPermission)))
    {
        $RoleAssignment.RoleDefinitionBindings.Add($ReadPermission)
        $RoleAssignment.Update()
        Write-host "Added Read Permissions to '$($RoleAssignment.Member.Name)'" -ForegroundColor Green
    }
}

#Remove All permissions other than Read or Similar
ForEach ($RoleAssignment in $Web.RoleAssignments) 
{ 
    $RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
    For($i=$RoleAssignment.RoleDefinitionBindings.Count-1; $i -ge 0; $i--)
    {
        $RoleDefBinding = $RoleAssignment.RoleDefinitionBindings[$i] 
        If( ($RoleDefBinding.Name -eq "Read") -or ($RoleDefBinding.Name -eq "View Only") -or ($RoleDefBinding.Name -eq "Limited Access") )
        {
            Continue;
        }
        Else
        {
            $RoleAssignment.RoleDefinitionBindings.Remove($RoleAssignment.RoleDefinitionBindings[$i])
            $RoleAssignment.Update()
            Write-host "Removed '$($RoleDefBinding.Name)' Permissions from '$($RoleAssignment.Member.Name)'" -ForegroundColor Yellow
        }
    }
}

Wait, What if the lists, libraries, folders, or files in the subsite have unique permission (broken inheritance!)? Let’s extend the script to reset permissions on all underlying objects.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Function to replace all permission levels granted with "Read"
Function Reset-Permissions([Microsoft.SharePoint.SPSecurableObject]$Object)
{
    #Add Read Permission to Role Assignment, if not added already
    ForEach ($RoleAssignment in $Object.RoleAssignments) 
    {
        $RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
        If(!($RoleDefinitionBindings.Contains($ReadPermission) -or $RoleDefinitionBindings.Contains($ViewOnlyPermission) -or $RoleDefinitionBindings.Contains($LimitedAccessPermission)))
        {
            $RoleAssignment.RoleDefinitionBindings.Add($ReadPermission)
            $RoleAssignment.Update()
            Write-host "`tAdded Read Permission to '$($RoleAssignment.Member.Name)'" -ForegroundColor Green
        }
    }

    #Remove All permissions other than Read or Similar
    ForEach ($RoleAssignment in $Object.RoleAssignments) 
    { 
        $RoleDefinitionBindings = $RoleAssignment.RoleDefinitionBindings
        For($i=$RoleAssignment.RoleDefinitionBindings.Count-1; $i -ge 0; $i--)
        {
            $RoleDefBinding = $RoleAssignment.RoleDefinitionBindings[$i] 
            If( ($RoleDefBinding.Name -eq "Read") -or ($RoleDefBinding.Name -eq "View Only") -or ($RoleDefBinding.Name -eq "Limited Access") )
            {
                Continue;
            }
            Else
            {
                $RoleAssignment.RoleDefinitionBindings.Remove($RoleAssignment.RoleDefinitionBindings[$i])
                $RoleAssignment.Update()
                Write-host "`tRemoved '$($RoleDefBinding.Name)' Permission from '$($RoleAssignment.Member.Name)'" -ForegroundColor Yellow
            }
        }
    }
}

#Parameters
$SubsiteURL = "https://intranet.sharepoint.com/2010"

#Get the Subsite
$Web = Get-SPWeb $SubsiteURL

#Break Permission Inheritance of the subsite, if not already
If(!$Web.HasUniqueRoleAssignments)
{
    $Web.BreakRoleInheritance($true)
}

#Get Required Permission Levels
$ReadPermission = $web.RoleDefinitions["Read"]
$ViewOnlyPermission = $web.RoleDefinitions["View Only"]
$LimitedAccessPermission = $web.RoleDefinitions["Limited Access"]

#Call the function to Reset Web permissions
Write-host "Resetting Permissions on Web..."-NoNewline
Reset-Permissions $Web
Write-host "Done!" -f Green

#Array to Skip System Lists and Libraries
$SystemLists =@("Converted Forms", "Master Page Gallery", "Customized Reports", "Form Templates", "List Template Gallery", "Theme Gallery", 
           "Reporting Templates", "Solution Gallery", "Style Library", "Web Part Gallery","Site Assets", "wfpub")
  
#Loop through each list in the web
Foreach ($List in $Web.Lists)
{
    #Get only lists with unique permissions & Exclude Hidden System libraries
    If (($List.Hidden -eq $false) -and ($SystemLists -notcontains $List.Title) -and ($List.HasUniqueRoleAssignments) )
    {
        #Call the function to Reset List permissions
        Write-host -NoNewline "Resetting Permissions on List '$($List.title)'..."
        Reset-Permissions $List
        Write-host "Done!" -f Green
    }
}

#Check List items with unique permissions
Foreach ($List in $Web.Lists)
{
    #Get only lists with unique permissions & Exclude Hidden System libraries
    If (($List.Hidden -eq $false) -and ($SystemLists -notcontains $List.Title))
    {
        #Get All list items with unique permissions
        $UniqueItems = $List.GetItemsWithUniquePermissions()
        If($UniqueItems.count -gt 0)
        {
            #Call the function to Reset List Item permissions
            Write-host "Resetting Permissions on List Items of '$($List.title)'"
            $UniqueItems | ForEach-Object {
                Reset-Permissions $List.GetItemById($_.ID)
            }            
        }
    }
}

Here is another post on setting the SharePoint list to read-only: How to Make a SharePoint List or Library to Read Only Mode using PowerShell?

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

2 thoughts on “How to Make a Subsite Read-Only in SharePoint using PowerShell?

  • Can we do it for all subsite with in sub site? If yes, so please guide me.

    Reply

  • Thanks. This is very useful

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *