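#Written by Alister Thornley 14/07/20
#Custom script to remove all user access to a SharePoint site
#
# Per site listed in SiteList.csv this script:
#   1. creates a "No Access" role definition (empty permission mask) on the root web
#      if one does not already exist;
#   2. for every web with unique role assignments, binds "No Access" to each role
#      assignment (except the system account) and then removes every other binding
#      except "Limited Access";
#   3. appends one line per removed binding to an audit CSV BEFORE the binding is
#      removed, so the CSV is a usable record for restoring the previous permissions.
#
# This is a destructive, bulk change. Run it with $DryRun = $true first and review
# the audit CSV before running it for real.

# --- Configuration ------------------------------------------------------------

# Base URL of the web application. Each Address from SiteList.csv is appended to it,
# so the Address column must contain server-relative paths beginning with "/".
$SiteUrlPrefix = "http://Yourdomain"

# Input list of sites and folder for the audit log.
$SiteListPath = "C:\SPAudit\SiteList.csv"
$AuditFolder  = "c:\SPAudit"

# When $true, everything is logged as usual but nothing is written to SharePoint.
$DryRun = $false

# Name (and description) of the role definition that carries the empty permission mask.
$NoAccessRoleName = "No Access"

# --- Helpers ------------------------------------------------------------------

# Quote an audit-log cell when it contains the ';' separator or a double quote,
# so a group name such as "Sales; EMEA" cannot shift the columns of the log.
function Format-AuditCell([string]$value) {
    if ($value -match '[;"]') {
        return '"' + ($value -replace '"', '""') + '"'
    }
    return $value
}

# Identify the farm system account. The original matched the display name only; a
# display name is not an identity, so the login name is checked as well. The display
# name match is kept for compatibility with the original behaviour.
function Test-IsSystemAccount($member) {
    if ($null -eq $member) { return $false }
    # NOTE(review): SHAREPOINT\system is the usual login of the system account — confirm for this farm.
    if ($member.LoginName -eq "SHAREPOINT\system") { return $true }
    return ($member.Name -eq "System Account")
}

# Return the role definition named $name on $web, or $null if there is none.
function Get-RoleDefinitionByName($web, [string]$name) {
    return ($web.RoleDefinitions | Where-Object { $_.Name -eq $name } | Select-Object -First 1)
}

# --- Audit table and log file -------------------------------------------------

#Create Data table (in-memory copy of everything written to the CSV)
$SPSitePermissions = New-Object System.Data.DataTable "SPSitePermissions"
$SPSitePermissions.Columns.Add("Row_ID",[String]) | Out-Null
$SPSitePermissions.PrimaryKey = $SPSitePermissions.Columns["Row_ID"]
$SPSitePermissions.Columns.Add("Site_ID",[String]) | Out-Null
$SPSitePermissions.Columns.Add("Web_ServerRelativeURL",[String]) | Out-Null
$SPSitePermissions.Columns.Add("Web_GroupName",[String]) | Out-Null
$SPSitePermissions.Columns.Add("Web_BoundDefinition",[String]) | Out-Null

#Create output file
if (-not (Test-Path -LiteralPath $AuditFolder)) {
    New-Item -ItemType Directory -Path $AuditFolder | Out-Null
}
$filename  = (Get-Date -Format "dd_MMM_yyyy_HH_mm_ss") + "_SPWebPermissions"
$auditPath = Join-Path $AuditFolder "$filename.csv"
$columns   = "Row ID", "Site ID", "Server Relative URL", "Group Name", "Bound Definition"
# Out-File -Append keeps the same file encoding behaviour as the original ">>" redirection.
($columns -join ";") | Out-File -FilePath $auditPath -Append
$rowCount = 0

if (-not (Test-Path -LiteralPath $SiteListPath)) {
    throw "Site list not found: $SiteListPath"
}
$siteList = Import-Csv -Path $SiteListPath

# Load the SharePoint snap-in unless it is already loaded. The original silenced every
# error here, which let a failed load fall through to a long run of Get-SPSite failures.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# --- Main ---------------------------------------------------------------------

#New SharePoint assignment store
Start-SPAssignment -Global
try {
    foreach ($address in $siteList) {
        $relativeUrl = [string]$address.Address

        # Accept only server-relative paths. An empty value or one that does not start
        # with "/" would produce a URL for a different host or a malformed one; skip it
        # instead of letting Get-SPSite resolve something unexpected.
        if ([string]::IsNullOrWhiteSpace($relativeUrl) -or -not $relativeUrl.StartsWith("/")) {
            Write-Warning "Skipping site list entry with unexpected Address: '$relativeUrl'"
            continue
        }
        $target = $SiteUrlPrefix + $relativeUrl

        $spsite = Get-SPSite $target -ErrorAction SilentlyContinue
        if ($null -eq $spsite) {
            Write-Warning "Site not found, skipping: $target"
            continue
        }

        # Reset per site so a role definition found on a previous site collection can
        # never be bound into this one.
        $noAccessRole = $null

        #Create the No Access role definition if the root web does not already have one
        $spweb = Get-SPWeb $target
        $noAccessRole = Get-RoleDefinitionByName $spweb $NoAccessRoleName
        if ($null -eq $noAccessRole) {
            if ($DryRun) {
                Write-Host -ForegroundColor Yellow "[DryRun] Would create role definition '$NoAccessRoleName' on $target"
            } else {
                $spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition
                $spRoleDefinition.Name = $NoAccessRoleName
                $spRoleDefinition.Description = $NoAccessRoleName
                $spRoleDefinition.BasePermissions = "EmptyMask"
                $spweb.RoleDefinitions.Add($spRoleDefinition)
                $spweb.Update()
                #Find the No Access role definition and store for later use
                $noAccessRole = Get-RoleDefinitionByName $spweb $NoAccessRoleName
            }
        }
        if ($null -ne $noAccessRole) { $noAccessRole.Name }
        $spweb.Dispose()

        if (-not $DryRun -and $null -eq $noAccessRole) {
            Write-Warning "Role definition '$NoAccessRoleName' is not available on $target; skipping site"
            $spsite.Dispose()
            continue
        }

        foreach ($spweb in $spsite.AllWebs) {
            #Check if the subweb has unique permissions, if it does, remove all permissions and replace with an empty mask.
            if (-not $spweb.HasUniqueRoleAssignments) {
                $spweb.Dispose()
                continue
            }

            #Process each SharePoint permission group
            foreach ($roleAssignment in $spweb.RoleAssignments) {
                $member = $roleAssignment.Member

                #Skip the system account if present
                if (Test-IsSystemAccount $member) { continue }

                # Snapshot the bindings: the original removed entries from the live
                # collection while enumerating it, which skips entries.
                $bindings = @($roleAssignment.RoleDefinitionBindings)

                #Add the No Access role to the group's permissions first and commit, so the
                #assignment still has a binding once the others are removed.
                $alreadyBound = $bindings | Where-Object { $_.Name -eq $NoAccessRoleName }
                if (-not $alreadyBound) {
                    Write-Host -ForegroundColor Green "Adding No Access permission to Group Name: "$member.Name "..."
                    if (-not $DryRun) {
                        $roleAssignment.RoleDefinitionBindings.Add($noAccessRole)
                        $roleAssignment.Update()
                    }
                }

                #Remove every binding that is neither 'Limited Access' nor 'No Access'
                foreach ($roleDefinition in $bindings) {
                    if ($roleDefinition.Name -eq "Limited Access") {
                        # NOTE(review): left in place as in the original; SharePoint manages
                        # Limited Access itself — confirm before changing this.
                        Write-Host -ForegroundColor Blue "Skipping Limited access permission assignment"
                        continue
                    }
                    if ($roleDefinition.Name -eq $NoAccessRoleName) { continue }

                    Write-Host -ForegroundColor Red "Removing Permission Name: "$roleDefinition.Name "From Group: "$member.Name
                    $rowCount++

                    #Log current permission settings BEFORE removing them: the CSV is the
                    #only record from which the previous permissions can be restored.
                    $Row = $SPSitePermissions.NewRow()
                    $Row.Row_ID = $rowCount
                    $Row.Site_ID = $spsite.ID.ToString()
                    $Row.Web_ServerRelativeURL = $spweb.ServerRelativeUrl
                    $Row.Web_GroupName = $member.Name
                    $Row.Web_BoundDefinition = $roleDefinition.Name
                    $SPSitePermissions.Rows.Add($Row)

                    $output = @(
                        $Row.Row_ID, $Row.Site_ID, $Row.Web_ServerRelativeURL,
                        $Row.Web_GroupName, $Row.Web_BoundDefinition
                    ) | ForEach-Object { Format-AuditCell $_ }
                    ($output -join ";") | Out-File -FilePath $auditPath -Append

                    #Remove the role definition
                    if (-not $DryRun) {
                        $roleAssignment.RoleDefinitionBindings.Remove($roleDefinition)
                        $roleAssignment.Update()
                    }
                }
            }
            $spweb.Dispose()
        }
        $spsite.Dispose()
    }
}
finally {
    Stop-SPAssignment -Global
}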