SharePointファーム全体でADのセキュリティグループに割り当てられているアクセス権を洗い出すPowerShellスクリプト

題名、長かったですね。

SharePointファーム全体でADのセキュリティグループで付与されている権限の一覧を取りたい!取らねばならぬ!しかもアイテム単位まで!となったことがありまして、PowerShellなんかほとんどいじくったことなかったけどエイヤーと書いてみました。
ちなみに、これ動かした環境はMOSS2007 なので、2010、2013だと書き方のお作法が違うと思います。

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
Function UserSource([string]$userName)
{
if($userName.split("\").count -gt 1)
{
$userName.split("\")[0]
}
elseif ($userName.split(":").count -gt 1)
{
$userName.split(":")[0]
}
else
{
""
}
}
$Permissions=@()
$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
$farmWebServices = $farm.Services | where -FilterScript {$_.GetType() -eq [Microsoft.SharePoint.Administration.SPWebService]}
foreach ($farmWebService in $farmWebServices) {
foreach ($webApplication in $farmWebService.WebApplications) {
foreach ($webApplication in $SPWebApp) {
foreach ($site in $webApplication.Sites)
{
foreach ($web in $site.AllWebs)
{
Write-Host "Site Collection: ID:" $site.ID " - URL: " $web.Url " - rootweb" $web.IsRootweb
if ($web.HasUniqueRoleAssignments)
{
foreach ($RoleAssignment in $web.RoleAssignments)
{
$domain = UserSource($RoleAssignment.Member.LoginName)
if($domain -ne "")
{
if ($RoleAssignment.Member.IsDomainGroup)
{
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "SPWeb"
$users | add-member noteproperty -name "ObjectTitle" -value $web.Title
$users | add-member noteproperty -name "Type" -value "direct"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx"
$users | add-member noteproperty -name "user" -value $RoleAssignment.Member.LoginName
$users | add-member noteproperty -name "Group" -value ""
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
else
{
$allUsers = $Roleassignment.member.users
foreach($user in $AllUsers)
{
if ($user.IsDomainGroup)
{
$domain = UserSource($user.LoginName)
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "SPWeb"
$users | add-member noteproperty -name "ObjectTitle" -value $web.Title
$users | add-member noteproperty -name "Type" -value "role"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx"
$users | add-member noteproperty -name "user" -value $user.LoginName
$users | add-member noteproperty -name "Group" -value $RoleAssignment.member.name
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
}
}
}
foreach ($aList in $Web.lists)
{
$listType = @{$true="doclib";$false="list"}[$aList.BaseType -eq "DocumentLibrary"]
if ($aList.HasUniqueRoleAssignments)
{
foreach ($RoleAssignment in $aList.RoleAssignments)
{
$domain = UserSource($RoleAssignment.Member.LoginName)
if($domain -ne "")
{
if ($RoleAssignment.Member.IsDomainGroup)
{
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "List"
$users | add-member noteproperty -name "ObjectTitle" -value $aList.Title
$users | add-member noteproperty -name "Type" -value "direct"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($listType)&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $RoleAssignment.Member.LoginName
$users | add-member noteproperty -name "Group" -value ""
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
else
{
$allUsers = $Roleassignment.member.users
foreach($user in $AllUsers)
{
if ($user.IsDomainGroup)
{
$domain = UserSource($user.LoginName)
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "List"
$users | add-member noteproperty -name "ObjectTitle" -value $aList.Title
$users | add-member noteproperty -name "Type" -value "role"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($listType)&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $user.LoginName
$users | add-member noteproperty -name "Group" -value $RoleAssignment.member.name
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
}
}
} # end if $aList.HasUniqueRoleAssignments
foreach($folder in $aList.Folders)
{
if ($folder.HasUniqueRoleAssignments)
{
foreach ($RoleAssignment in $folder.RoleAssignments)
{
$domain = UserSource($RoleAssignment.Member.LoginName)
if($domain -ne "")
{
if ($RoleAssignment.Member.IsDomainGroup)
{
if ($doamin -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "folder"
$users | add-member noteproperty -name "ObjectTitle" -value $folder.Name
$users | add-member noteproperty -name "Type" -value "direct"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($folder.id),LISTITEM&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $RoleAssignment.Member.LoginName
$users | add-member noteproperty -name "Group" -value ""
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
else
{
$allUsers = $Roleassignment.member.users
foreach($user in $AllUsers)
{
if ($user.IsDomainGroup)
{
$domain = UserSource($user.LoginName)
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "folder"
$users | add-member noteproperty -name "ObjectTitle" -value $folder.Name
$users | add-member noteproperty -name "Type" -value "direct"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($folder.id),LISTITEM&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $user.LoginName
$users | add-member noteproperty -name "Group" -value $RoleAssignment.member.name
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
}
}
}
} # end foreach $folder
foreach ($anItem in $aList.Items)
{
if ($anItem.HasUniqueRoleAssignments)
{
# Write-host $anItem.URL
foreach ($RoleAssignment in $anItem.RoleAssignments)
{
$domain = UserSource($RoleAssignment.Member.LoginName)
if($domain -ne "")
{
if ($RoleAssignment.Member.IsDomainGroup)
{
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "item"
$users | add-member noteproperty -name "ObjectTitle" -value $anItem.Name
$users | add-member noteproperty -name "Type" -value "direct"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($anItem.id),LISTITEM&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $RoleAssignment.Member.LoginName
$users | add-member noteproperty -name "Group" -value ""
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
else
{
$allUsers = $Roleassignment.member.users
foreach($user in $AllUsers)
{
if ($user.IsDomainGroup)
{
$domain = UserSource($user.LoginName)
if ($domain -ne "NT AUTHORITY")
{
$users = new-object psobject
$users | add-member noteproperty -name "ObjectType" -value "item"
$users | add-member noteproperty -name "ObjectTitle" -value $anItem.Name
$users | add-member noteproperty -name "Type" -value "role"
$users | add-member noteproperty -name "URL" -value "$($web.url)/_layouts/user.aspx?obj=$($aList.id),$($anItem.id),LISTITEM&List=$($aList.id)"
$users | add-member noteproperty -name "user" -value $user.LoginName
$users | add-member noteproperty -name "Group" -value $RoleAssignment.member.name
$permlist = ""
$RoleAssignment.RoleDefinitionBindings | select-object name | ForEach-Object { $permlist += $_.name + ";" }
$users | add-member noteproperty -name "Permission" -value $permlist
write-host $users
$Permissions += $users
}
}
}
}
}
} # end foreach item
} # end foreach list
} #end if $web.HasUniqueRoleAssignments
} # end foreach web
$site.Dispose()
} # end foreach site
# } # end foreach webapp
}
$permissions | Export-Csv -Path D:\Work\DomainGroups.csv -encoding UTF8

PowerShell初心者ゆえコードきたなくて済みません。
もっと簡単に書けるよ、というアドバイスがありましたら、ぜひコメントくださいませ。

ともあれPowerShellのパワーを思い知りました(シャレではない)。使いこなせればいろいろできそう。
2013バージョンなどもそのうち機会がありましたら書くかも、書きたいな。

広告

コメントを残す

以下に詳細を記入するか、アイコンをクリックしてログインしてください。

WordPress.com ロゴ

WordPress.com アカウントを使ってコメントしています。 ログアウト /  変更 )

Twitter 画像

Twitter アカウントを使ってコメントしています。 ログアウト /  変更 )

Facebook の写真

Facebook アカウントを使ってコメントしています。 ログアウト /  変更 )

%s と連携中

このサイトはスパムを低減するために Akismet を使っています。コメントデータの処理方法の詳細はこちらをご覧ください