The following PowerShell script can be used to get users with Full Control permissions in sites.

<# The below PowerShell script enumerates through all sites with unique permissions and fetches users with Full Control Permission granted directly to the site
or through group membership.
#Load SharePoint PowerShell Snapin
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
#Collection of user permission objects
$SiteOwners =@();
#Define all the properties for the user permission object
$Properties = @{Title='';SiteID='';WebID='';WebSiteUrl='';AccessRequestEmail='';Scope='';Login='';UserID='';User='';Email='';LastItemModified='';};
#Site Url
$WebUrl ="";
#Web Application URL
$WebApplicationURL = "<WebAppUrl>";
#Enumerate through all Site Collections and Sites
Get-SPWebApplication -Identity $WebApplicationURL | Get-SPSite -limit all |%{
#Enumerate through all sites within the site collection
Get-SPWeb -limit all -Site $_|%{
$web = $_;
#Check if the site has unique permissions
if(($web.HasUniqueRoleAssignments -eq "True" -or $web.IsRootWeb -eq "True")){
$WebUrl = $web.Url;
#Full Control Role Definition
$FullControl = $web.RoleDefinitions["Full Control"];
#Collection of Groups with Full Control permissions
#Get all Owner groups with Full Control permission
$web.Groups|?{$_.Name -match "Owners"}|%{
$IsGroupFullControl = $_.Roles|?{$_.Name -eq $FullControl.Name;}
$OwnerGroups += $_;
This represents the collection of users or user objects who have been explicitly assigned permissions in the Web site . This does not return users who have access through a group.
This gives us the collection of user objects who are either members of the site collection or who have atleast navigated to the site as authenticated members of a domain group in the site.
#Enumerate through all Users in the Web
$web.AllUsers|?{$_.LoginName -ne "SHAREPOINT\System" -and $_.Email.Length -gt 0}|%{
#Check User Effective Permissions
#Full Control Permission could have been granted directly or through group membership. Scope will represent these details.
$UserRoleAssignments = $web.RoleAssignments.GetAssignmentByPrincipal($user);
#Check if user has Full Control Permissions
$Scopes += "Site";
#Check for group membership of user in Owners group i.e. groups with Full Control permission
$IsOwnerGroup = $OwnerGroups|?{$_.Name -eq $Group.Name};
$Scopes += $Group.Name;
#Create an object for the user permission record
$Owner = New-Object PSObject -Property $Properties;
$Owner.Title = $web.Title;
$Owner.WebID = $web.ID;
$Owner.SiteID = $siteID;
$Owner.WebSiteURL = $web.URL;
$Owner.Scope = ($Scopes -join ",");
$SiteOwners +=$Owner;
catch [System.Exception]{
Write-Host ($WebUrl + ":" + $_.Exception.Message + ":" + $_.Exception.StackTrace);
#Dispose SPSite
$SiteOwners|Export-CSV "D:\SharePoint Administration\SiteOwners.csv" -NoTypeInformation;

See Also

Other Languages

This article is also available in the following languages: