Managing SharePoint Groups in PowerShell
SharePoint Groups are a great mechanism for managing user permissions; however, each group exists within a single site collection. What if you have hundreds of site collections? We can easily script a range of common operations.
I prefer to use a CSV-fed approach to manage groups and users. I create a CSV with the name of the group and the users, which I list in pipe-separated format (commas are already being used for the CSV). To read in the CSV use:
$ADMap = Import-Csv "L:\PowerShell\AD and SP group mapping.csv"
Let's get the Site and Root Web, as well as an SPUser for the group owner, and then get the groups collection:
$Site = New-Object Microsoft.SharePoint.SPSite($SiteName)
Write-Host $Site.Url
$RootWeb = $Site.RootWeb
$Owner = $RootWeb.EnsureUser($OwnerName)
$Groups = $RootWeb.SiteGroups
Here’s how to add a Group:
# Add(name, owner, defaultUser, description); the site collection owner is used as the default user
$Groups.Add($SPGroupName, $Owner, $Site.Owner, "SharePoint Group to hold AD group for Members")
Here’s how to give the group Read access, for example:
$GroupToAddRoleTo = $Groups[$SPGroupName]
if ($GroupToAddRoleTo) { # if group exists
    $MyAcctassignment = New-Object Microsoft.SharePoint.SPRoleAssignment($GroupToAddRoleTo)
    $MyAcctrole = $RootWeb.RoleDefinitions["Read"]
    $MyAcctassignment.RoleDefinitionBindings.Add($MyAcctrole)
    $RootWeb.RoleAssignments.Add($MyAcctassignment)
}
Here’s how to add a Member to a Group:
$UserObj = $RootWeb.EnsureUser($userName)
if ($UserObj) { # if it exists
    $GroupToAddTo.AddUser($UserObj)
}
Note that a duplicate addition of a member is a null-op, throwing no errors.
Here’s how to remove a member:
$UserObj = $RootWeb.EnsureUser($userName)
if ($UserObj) {
    $GroupToAddTo.RemoveUser($UserObj)
}
Here's how to remove users from the site collection entirely (the full script below uses this for its "wipe users out of site" option). Unlike removing a member from a group, this wipes the users from the whole site collection, so use this approach with care and consideration:
$user1 = $RootWeb.EnsureUser($MyUser)
try {
    $RootWeb.SiteUsers.Remove($MyUser)
    $RootWeb.Update()
} catch {
    Write-Host "Failed to remove $($MyUser) from all users in $($Site.Url)"
}
Here's the full script, with flags to select the specific actions described above:
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

# Uses feed file to load and create a set of SharePoint Groups.
$mylogfile = "L:\PowerShell\ongoinglogfile.txt"
$ADMap = Import-Csv "L:\PowerShell\AD and SP group mapping.csv"
$OwnerName = "DOMAIN\sp2013farm"

$AddGroups = $false
$AddMembers = $false          # optionally populates those groups from the pipe-separated list
$GrantGroupsRead = $true      # grants Read at the top root web level
$RemoveMembers = $false       # optionally removes the pipe-separated list of users from the associated group
$WipeMembers = $false         # wipes the groups clean
$WipeUsersOutOfSite = $false  # the nuclear option: removes the listed users from the whole site collection. Useful to eliminate AD groups used directly as groups

# We do not need a hashtable for this work, but let's load it for extensibility
$MyMap = @{}
# Load CSV contents into the hashtable (column name contains a space, so it must be quoted)
for ($i = 0; $i -lt $ADMap.Count; $i++) {
    $MyMap[$ADMap[$i].'SharePoint Group'] = $ADMap[$i].ADGroup
}

# Script changes the letter heading for each site collection
$envrun = "Dev" # selects environment to run in
if ($envrun -eq "Dev") {
    $siteUrl = "http://DevServer/sites/"
    $mylogfile = "L:\PowerShell\ongoinglogfile.txt"
    $LoopString = "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z"
    $LoopStringArr = $LoopString.Split(",")
} elseif ($envrun -eq "Prod") {
    $siteUrl = "http://SharePoint/sites/"
    $mylogfile = "L:\PowerShell\ongoinglogfile.txt"
    $LoopString = "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z"
    $LoopStringArr = $LoopString.Split(",")
} else {
    Write-Host "ENVIRONMENT SETTING NOT VALID: script terminating..."
    $siteUrl = $null
    return
}

Write-Host "script starting"
$myheader = "STARTING: $(Get-Date)"

foreach ($letter in $LoopStringArr) {
    $SiteName = $siteUrl + $letter
    $Site = New-Object Microsoft.SharePoint.SPSite($SiteName)
    Write-Host $Site.Url
    $RootWeb = $Site.RootWeb
    $Owner = $RootWeb.EnsureUser($OwnerName)
    $Groups = $RootWeb.SiteGroups

    for ($ADi = 0; $ADi -lt $ADMap.Count; $ADi++) {
        $SPGroupName = $ADMap[$ADi].'SharePoint Group'

        if ($AddGroups) {
            if (!$Groups[$SPGroupName]) { # does not exist, so create
                try {
                    $Groups.Add($SPGroupName, $Owner, $Site.Owner, "SharePoint Group to hold AD group members")
                } catch {
                    Write-Host -ForegroundColor DarkRed "Ouch, could not create $($SPGroupName)"
                }
            } else {
                Write-Host -ForegroundColor DarkGreen "Already exists: $($SPGroupName)"
            }
        } # endif Add Groups

        if ($GrantGroupsRead) {
            $GroupToAddRoleTo = $Groups[$SPGroupName]
            if ($GroupToAddRoleTo) { # if group exists
                $MyAcctassignment = New-Object Microsoft.SharePoint.SPRoleAssignment($GroupToAddRoleTo)
                $MyAcctrole = $RootWeb.RoleDefinitions["Read"]
                $MyAcctassignment.RoleDefinitionBindings.Add($MyAcctrole)
                $RootWeb.RoleAssignments.Add($MyAcctassignment)
            } # if the group exists in the first place
        } # ActionFlagTrue

        if ($AddMembers) {
            $GroupToAddTo = $Groups[$SPGroupName]
            if ($GroupToAddTo) { # if group exists
                $usersToAdd = $ADMap[$ADi].ADGroup
                if ($usersToAdd.Length -gt 0) { # if no users to add, skip
                    $usersToAddArr = $usersToAdd.Split("|")
                    foreach ($userName in $usersToAddArr) {
                        try {
                            $UserObj = $RootWeb.EnsureUser($userName)
                            if ($UserObj) {
                                $GroupToAddTo.AddUser($UserObj) # dup adds are a null-op, throwing no errors
                            }
                        } catch {
                            Write-Host -ForegroundColor DarkRed "cannot add user $($userName) to $($GroupToAddTo)"
                        }
                    }
                } # users to add
            } # if the group exists in the first place
        } # ActionFlagTrue

        if ($RemoveMembers) {
            $GroupToRemoveFrom = $Groups[$SPGroupName]
            if ($GroupToRemoveFrom) { # if group exists
                $usersToRemove = $ADMap[$ADi].ADGroup # the pipe-separated user list, not the group name column
                if ($usersToRemove.Length -gt 0) { # if no users to remove, skip
                    $usersToRemoveArr = $usersToRemove.Split("|")
                    foreach ($userName in $usersToRemoveArr) {
                        try {
                            $UserObj = $RootWeb.EnsureUser($userName)
                            if ($UserObj) {
                                $GroupToRemoveFrom.RemoveUser($UserObj)
                            }
                        } catch {
                            Write-Host -ForegroundColor DarkRed "cannot remove user $($userName) from $($GroupToRemoveFrom)"
                        }
                    }
                } # users to remove
            } # if the group exists in the first place
        } # ActionFlagTrue

        if ($WipeMembers) { # removes all users in the group
            $GroupToWipe = $Groups[$SPGroupName]
            if ($GroupToWipe) { # if group exists
                # Snapshot the collection with @(): removing while enumerating the live collection fails
                foreach ($UserObj in @($GroupToWipe.Users)) {
                    try {
                        $GroupToWipe.RemoveUser($UserObj) # $UserObj is already an SPUser, no EnsureUser needed
                    } catch {
                        Write-Host -ForegroundColor DarkRed "cannot remove user $($UserObj.LoginName) from $($GroupToWipe)"
                    }
                }
            } # if the group exists in the first place
        } # ActionFlagTrue

        if ($WipeUsersOutOfSite) { # removes the listed users from the whole site collection
            $usersToNuke = $ADMap[$ADi].ADGroup
            if ($usersToNuke.Length -gt 0) { # if no users listed, skip
                $usersToNukeArr = $usersToNuke.Split("|")
                foreach ($MyUser in $usersToNukeArr) {
                    try {
                        try {
                            $user1 = $RootWeb.EnsureUser($MyUser)
                        } catch {
                            Write-Host "x1: Failed to ensure user $($MyUser) in $($Site.Url)"
                        }
                        try {
                            $RootWeb.SiteUsers.Remove($MyUser)
                            $RootWeb.Update()
                        } catch {
                            Write-Host "x2: Failed to remove $($MyUser) from all users in $($Site.Url)"
                        }
                    } catch {
                        Write-Host "x4: other failure for $($MyUser) in $($Site.Url)"
                    }
                } # foreach user to nuke
            } # users listed
        } # ActionFlagTrue
    }

    $RootWeb.Dispose()
    $Site.Dispose()
} # foreach site
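The script above changes group membership and permissions but never reports what is already in place. As an added example (not the original post's code), the following audit pass reads the same CSV and, for each site collection and group, lists the permission levels bound to the group on the root web and any members SharePoint holds that the CSV does not list, so the mapping can be reviewed before the action flags are switched on. The site URLs and report path are placeholders.

```powershell
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

# Same CSV layout as the script above: 'SharePoint Group' and 'ADGroup' (pipe-separated logins).
$ADMap      = Import-Csv "L:\PowerShell\AD and SP group mapping.csv"
$SiteUrls   = @("http://DevServer/sites/A", "http://DevServer/sites/B")  # placeholder site collections
$ReportPath = "L:\PowerShell\group-audit.csv"                             # placeholder output path

function Get-GroupAuditRows {
    param([string]$SiteUrl, [object[]]$Map)
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.RootWeb
        foreach ($row in $Map) {
            $groupName = $row.'SharePoint Group'
            $group     = $web.SiteGroups[$groupName]
            if (-not $group) {
                [pscustomobject]@{ Site = $SiteUrl; Group = $groupName; Exists = $false
                                   Roles = ""; Members = ""; UnexpectedMembers = "" }
                continue
            }
            # Permission levels bound to this group on the root web (what GrantGroupsRead adds)
            $roles = foreach ($ra in $web.RoleAssignments) {
                if ($ra.Member.ID -eq $group.ID) { $ra.RoleDefinitionBindings | ForEach-Object { $_.Name } }
            }
            $members  = @($group.Users | ForEach-Object { $_.LoginName })
            $expected = @($row.ADGroup -split '\|' | Where-Object { $_ -ne "" })
            # Members present in SharePoint that the CSV does not list (-notcontains is case-insensitive)
            $extra = @($members | Where-Object { $expected -notcontains $_ })
            [pscustomobject]@{ Site = $SiteUrl; Group = $groupName; Exists = $true
                               Roles = ($roles -join ";"); Members = ($members -join "|")
                               UnexpectedMembers = ($extra -join "|") }
        }
    } finally {
        $site.Dispose()   # disposing the site also releases its root web
    }
}

$report = foreach ($url in $SiteUrls) { Get-GroupAuditRows -SiteUrl $url -Map $ADMap }
$report | Export-Csv -Path $ReportPath -NoTypeInformation
# Quick console view of drift: groups whose members are not all in the CSV
$report | Where-Object { $_.UnexpectedMembers -ne "" } | Format-Table Site, Group, UnexpectedMembers -AutoSize
```

Run it once before and once after the main script; diffing the two CSV reports shows exactly which memberships and permission levels each flag changed.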