How to get the list of users from a SharePoint group with specific permissions (permission level) using PowerShell.

    Question

  • Hi,

    We have a requirement where we need to get the list of users who are part of the "Content Admin" group in each sub-site. This group has a custom permission level mapped to it ("Content-Edit"). All these subsites have unique permissions (broken inheritance). I tried using CSOM and PowerShell to generate the report, but I am unable to get the groups from a specific web. I couldn't find any option like $web.Groups to get the groups specific to the web and could only see $web.SiteGroups, which pulls all the groups in the site collection.

    Can you please guide / help me with achieving the above functionality?

    Thanks,

    Venugopal

    Wednesday, May 11, 2016 6:46 AM

Answers

  • Hi All,

    Able to get the results and below is the script for the same.

    #User input
    $tenantName = "MyDev" # for example: MyDev, MyQA, or MyProd (Provide Appropriate Tenant Name)
    $username = "FirstName.LastName@abc.xyz.com" #Enter appropriate User Name
    $password = Read-Host -Prompt "Enter Password for $username" -AsSecureString
    
    $reportPath = $PSScriptRoot + "\UserDetails_Dev.csv";
    
    #Load the references
    Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    Add-Type -Path "C:\Program Files\SharePoint Client Components\Assemblies\Microsoft.Online.SharePoint.Client.Tenant.dll"
    Import-Module 'C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell'
    
    $AdminUrl = "https://$tenantName-admin.sharepoint.com";
    $O365Credential = New-Object System.Management.Automation.PsCredential($username, $password);
    $results = @();
    
    function Get-OwnerConfiguration($siteURL){
        # Each web gets its own client context, authenticated with the credentials entered above
        $context = New-Object Microsoft.SharePoint.Client.ClientContext($siteURL);
        $context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password);

        $spWeb = $context.Web;
        $subSites = $spWeb.Webs;
        $siteGroup = $context.Web.SiteGroups;
        $spRoleAssignments = $spWeb.RoleAssignments;

        $context.Load($spWeb);
        $context.Load($subSites);
        $context.Load($siteGroup);
        $context.Load($spRoleAssignments);

        try
        {
            $context.ExecuteQuery();

            # Role assignments are per web: they list who holds which permission level on this site
            $spRoleAssignments |%{
                $context.Load($_.Member);
                $context.Load($_.RoleDefinitionBindings);
                $context.ExecuteQuery();

                $permissionGroupName = $_.Member.Title;

                Write-Host "Permission group/individual user name: $permissionGroupName" -ForegroundColor Yellow

                $_.RoleDefinitionBindings |%{

                    Write-Host "Permission level: $($_.Name)" -ForegroundColor Cyan;

                    if($_.Name -eq "Content-Edit"){
                        # Reset on every pass so a group matched for an earlier assignment is never reused
                        $grp = $null;
                        $siteGroup |% {
                            if($_.Title -eq $permissionGroupName){
                                $grp = $_;
                            }
                        }

                        # $grp stays empty when the member is not a SharePoint group (for example a directly assigned user)
                        if($null -ne $grp){
                            $context.Load($grp.Users);
                            $context.ExecuteQuery();

                            $grp.Users |%{
                                $obj = New-Object PSObject;
                                $obj | Add-Member -MemberType NoteProperty -Name "Site URL" $siteURL;
                                $obj | Add-Member -MemberType NoteProperty -Name "Permission Group Name" $permissionGroupName;
                                $obj | Add-Member -MemberType NoteProperty -Name "User Name" $_.Title;

                                # $results is created at script scope; $global: would fill a different variable when this runs as a .ps1 file
                                $script:results += $obj;
                                Write-Host $(Get-Date -format g) $obj -ForegroundColor Green;
                            }
                        }
                    }
                }
            }

            #Recursive function for retrieving sub site information
            $subSites |%{
                Get-OwnerConfiguration $_.Url;
            }
        }
        catch
        {
            Write-Host $(Get-Date -format g) $_.Exception.Message -ForegroundColor Red;
        }
    }
    
    Get-OwnerConfiguration "https://$tenantName.sharepoint.com";
    
    #Export the result to CSV
    $results | Export-CSV "$reportPath" -NoTypeInformation -Force 
    

    Thursday, May 12, 2016 6:39 AM
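
Added example (not part of the original thread or the poster's script): the report above is written as a CSV with the columns "Site URL", "Permission Group Name" and "User Name", so two runs of it can be compared to see who gained or lost the Content-Edit level between reviews. The function name Get-PermissionDrift and both CSV snapshots are constructed for illustration; real runs would pass two saved reports through Import-Csv instead.

```powershell
# Constructed sample snapshots that use the report's column names.
$baselineCsv = @'
"Site URL","Permission Group Name","User Name"
"https://mydev.sharepoint.com/sites/hr","Content Admin","Alice Example"
"https://mydev.sharepoint.com/sites/hr","Content Admin","Bob Example"
"https://mydev.sharepoint.com/sites/finance","Content Admin","Alice Example"
'@
$currentCsv = @'
"Site URL","Permission Group Name","User Name"
"https://mydev.sharepoint.com/sites/hr","Content Admin","Alice Example"
"https://mydev.sharepoint.com/sites/finance","Content Admin","Alice Example"
"https://mydev.sharepoint.com/sites/finance","Content Admin","Carol Example"
'@

function Get-PermissionDrift {
    param([object[]] $Baseline = @(), [object[]] $Current = @())

    # Index a snapshot by site + group + user, so the same user on two sites
    # stays distinct. Hashtable keys compare case-insensitively.
    function ConvertTo-Index([object[]] $Rows) {
        $index = @{}
        foreach ($row in $Rows) {
            $key = '{0}|{1}|{2}' -f $row.'Site URL', $row.'Permission Group Name', $row.'User Name'
            $index[$key] = $row
        }
        return $index
    }
    function New-Change([string] $Change, $Row) {
        [pscustomobject]@{
            Change  = $Change
            SiteUrl = $Row.'Site URL'
            Group   = $Row.'Permission Group Name'
            User    = $Row.'User Name'
        }
    }

    $old = ConvertTo-Index $Baseline
    $new = ConvertTo-Index $Current
    # A key present in only one snapshot is a membership that was granted or revoked.
    $changes = @(
        foreach ($key in $new.Keys) { if (-not $old.ContainsKey($key)) { New-Change 'Added' $new[$key] } }
        foreach ($key in $old.Keys) { if (-not $new.ContainsKey($key)) { New-Change 'Removed' $old[$key] } }
    )
    $changes | Sort-Object Change, SiteUrl, User
}

# Compare the two constructed snapshots and show the membership changes.
Get-PermissionDrift -Baseline ($baselineCsv | ConvertFrom-Csv) -Current ($currentCsv | ConvertFrom-Csv) |
    Format-Table -AutoSize
```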

All replies

  • Hi Venugopal,

    I am getting the below error when the script hits "$_.RoleDefinitionBindings" for individual users. It's working fine for groups. Could you please help me?

    Error: 

    Exception calling "Load" with "1" argument(s): "The object is used in the context different from the one associated with the object."

    Thanks in Advance.

    Friday, March 2, 2018 8:40 PM