Remove access to 200 site collections

  • Question

  • Hi All,

    Looking for expert opinions on this script I have written. The intention is to deny access to sites identified as not being used, in preparation for a migration from SharePoint 2010 to SharePoint Online. Have I missed anything?

    #Custom script to remove all user access to a SharePoint site
    #Create Data table
    $SPSitePermissions = New-Object System.Data.DataTable "SPSitePermissions"
    $SPSitePermissions.Columns.Add("Row_ID",[String]) | Out-Null
    $SPSitePermissions.PrimaryKey = $SPSitePermissions.Columns["Row_ID"]
    $SPSitePermissions.Columns.Add("Site_ID",[String]) | Out-Null
    $SPSitePermissions.Columns.Add("Web_ServerRelativeURL",[String]) | Out-Null
    $SPSitePermissions.Columns.Add("Web_GroupName",[String]) | Out-Null
    $SPSitePermissions.Columns.Add("Web_BoundDefinition",[String]) | Out-Null
    #Create output file
    $filename = (get-date -format "dd_MMM_yyyy_HH_mm_ss") + "_SPWebPermissions"
    $columns = "Row ID", "Site ID", "Server Relative URL","Group Name","Bound Definition"
    $columns -join ";" >> c:\SPAudit\$filename.csv
    $rowCount = 0

    $siteList = Import-csv -Path C:\SPAudit\SiteList.csv

    $ErrorActionPreference = 'SilentlyContinue'
    Add-PSSnapin Microsoft.SharePoint.PowerShell >$null
    $ErrorActionPreference = 'Continue'

    #New SharePoint assignment store
    Start-SPAssignment -Global

    foreach($address in $siteList){
        $target = "http://mysite" + $address.Address
        $spsite = get-spsite $target
        $spweb = get-spweb $target
        #Create the No Access role definition
        $spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition;
        $spRoleDefinition.Name = "No Access";
        $spRoleDefinition.Description = "No Access";
        $spRoleDefinition.BasePermissions = "EmptyMask";
        $spweb.RoleDefinitions.Add($spRoleDefinition);
        $spweb.update()
        #Find the No Access role definition and store for later use
        foreach($roleDefinition in $spweb.RoleDefinitions){
            if($roleDefinition.Name -eq "No Access"){
                $noAccessRole = $roleDefinition
                $noAccessRole.Name
            }
        }
        $spweb.dispose()
        foreach($spweb in $spsite.allwebs){
            #Check if the subweb has unique permissions, if it does, remove all permissions and replace with an empty mask.
            if($spweb.hasuniqueroleassignments -eq "True"){
                #Process each SharePoint permission group 
                foreach($roleAssignment in $spweb.RoleAssignments){
                    #Skip the system account group if present
                    if($roleAssignment.Member.Name -eq "System Account"){
                    
                    }else{
                        #Add the No Access role to the groups defined permissions and commit
                        write-host -foregroundcolor green "Adding No Access permission to Group Name: "$roleAssignment.Member.Name "..."
                        $roleAssignment.RoleDefinitionBindings.Add($noAccessRole);
                        $roleAssignment.Update();
                    }
                }
                #Process each SharePoint permission group again
                foreach($roleAssignment in $spweb.RoleAssignments){
                    #Skip the system account group if present
                    if($roleAssignment.Member.Name -eq "System Account"){
                    
                    }else{
                        #Process each role assigned to this group and remove it if it is not either 'Limited Access' or 'No Access'
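                        #Enumerate a snapshot (@(...)) so that removing a binding below does not modify the collection being iterated
                        foreach($roleDefinition in @($roleAssignment.RoleDefinitionBindings)){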
                            if($roleDefinition.Name -eq "Limited Access"){
                                write-host -foregroundcolor blue "Skipping Limited access permission assignment"
                            }elseif($roleDefinition.Name -eq "No Access"){
                                
                            }else{
                                write-host -foregroundcolor red "Removing Permission Name: "$roleDefinition.Name "From Group: "$roleAssignment.Member.Name
                                $rowCount++
                                #Log current permission settings
                                $Row = $SPSitePermissions.NewRow()
                                $Row.Row_ID = $rowCount
                                $Row.Site_ID = $spsite.ID.ToString()
                                $Row.Web_ServerRelativeURL = $spweb.serverrelativeurl
                                $Row.Web_GroupName = $roleAssignment.Member.Name
                                $Row.Web_BoundDefinition = $roleDefinition.Name
                                $SPSitePermissions.Rows.Add($Row)
                                $RowNo = $SPSitePermissions.Rows.Find($rowCount)
                                $output = $RowNo.Row_ID, $RowNo.Site_ID, $RowNo.Web_ServerRelativeURL, $RowNo.Web_GroupName, $RowNo.Web_BoundDefinition
                                #output   
                                $output -join ";" >> c:\SPAudit\$filename.csv
                                #Remove the role definition                        
                                $roleAssignment.RoleDefinitionBindings.Remove($roleDefinition);
                                $roleAssignment.Update();                        
                            }
                        }
                    }
                }
            }    
            $spweb.Dispose();
        }
        $spsite.Dispose();
    }
    Stop-SPAssignment -Global


    Tuesday, July 21, 2020 5:54 PM

All replies

  • I am a bit concerned about this line:
    $spweb.hasuniqueroleassignments -eq "True"
    should it actually be:
    $spweb.hasuniqueroleassignments -eq $True
    Tuesday, July 21, 2020 6:02 PM
  • Also, I have skipped removing the limited access permissions, because I am not really sure what they are there for... Are they required system permissions?

    Tuesday, July 21, 2020 6:05 PM
  • Hi, Alister,

    I am not sure why you plan to remove the permissions of all users, which will cost you a great deal of time to rebuild the permission system. Do you know that in SharePoint 2010 you can set the site to read-only mode? That shall be enough for you to do the migration to SharePoint Online.

    Set-SPSite -Identity "<siteURl>" -LockState "ReadOnly"

    Reference: https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/set-spsite?view=sharepoint-ps

    This “SharePoint 2010 - General Discussions and Questions” Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Best Regards

    Jerry


    "SharePoint" forums will be migrating to a new home on Microsoft Q&A !
    We invite you to post new questions in the "SharePoint" forums' new home on Microsoft Q&A !

    Wednesday, July 22, 2020 2:17 AM
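
The read-only lock suggested in the reply above, applied across the whole site list with the prior lock flags logged for rollback. This is an added example, not code from any poster in the thread; it assumes the `C:\SPAudit\SiteList.csv` layout (an `Address` column) and the `http://mysite` prefix from the question's script, and the `-Apply` switch and output file name are hypothetical.

```powershell
# Added example: lock every site collection listed in SiteList.csv and
# record its previous lock flags so the change can be reversed later.
# Assumes the SharePoint 2010 snap-in and the CSV layout used in the question.
param(
    [string]$SiteListPath = 'C:\SPAudit\SiteList.csv',
    [string]$WebAppUrl    = 'http://mysite',
    [ValidateSet('Unlock','NoAdditions','ReadOnly','NoAccess')]
    [string]$LockState    = 'ReadOnly',
    [switch]$Apply        # hypothetical switch: without it, nothing is changed
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stamp   = Get-Date -Format 'dd_MMM_yyyy_HH_mm_ss'
$logPath = Join-Path (Split-Path $SiteListPath) "${stamp}_SPSiteLocks.csv"

$results = foreach ($entry in Import-Csv -Path $SiteListPath) {
    $url  = $WebAppUrl + $entry.Address
    $row  = $null
    $site = Get-SPSite -Identity $url -ErrorAction SilentlyContinue
    if (-not $site) {
        Write-Warning "Site collection not found: $url"
        continue
    }
    try {
        # Capture the lock flags before changing anything
        $row = New-Object PSObject -Property @{
            Url = $url; SiteId = $site.ID; Requested = $LockState; Applied = $false
            WasReadOnly = $site.ReadOnly; WasReadLocked = $site.ReadLocked
            WasWriteLocked = $site.WriteLocked
        }
        if ($Apply) {
            Set-SPSite -Identity $url -LockState $LockState -ErrorAction Stop
            $row.Applied = $true
        }
    }
    catch   { Write-Warning "Failed to lock ${url}: $_" }
    finally { $site.Dispose() }
    if ($row) { $row }
}

# One row per site: what was requested, whether it was applied, and the old flags
$results | Export-Csv -Path $logPath -NoTypeInformation
```

Running it without `-Apply` first produces the same CSV with `Applied` set to False, which can be reviewed against the site list before any lock is set.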
  • Hi, Alister,

    Have you tried the cmdlet? Is there any further question on your task?

    Best Regards

    Jerry


    Tuesday, July 28, 2020 6:20 AM
  • Hi,

    This forum will be locked down. If you still have issues with this question, you can continue to post here before 8/10/2020. Or you can create a new question on Microsoft Q&A; we will continue to support you in the new home.


    Best Regards

    Jerry


    Monday, August 3, 2020 7:26 AM
  • Hi, Alister,

    Is there any update about your task?

    Best Regards

    Jerry


    Friday, August 7, 2020 1:20 AM