
Copy Permissions from One User to Another in SharePoint Using PowerShell

Author: 精品下载站 Date: 2024-12-14 21:00:37 Views: 13 Category: 玩电脑



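Permission management in SharePoint is always a complex task, especially in large environments. Granting permissions becomes cumbersome when you try to clone an existing user's access rights. Consider this scenario: an existing user in your department has been granted access to various SharePoint web applications, sites, lists, files and so on, and when a new user joins the department, the SharePoint administrator is asked to add the new user everywhere, with the same access rights as the existing team member!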


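How would you compare the existing team member's access rights and grant access in bulk? He may have been granted permissions at different levels with different access rights. Looking up users on many SharePoint objects and granting them the same level of permission becomes very time-consuming. The existing user may have been granted access as part of any of the following: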

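  • The Farm Administrators group and/or web application policies
  • Membership of the Site Collection Administrators group
  • Permissions granted at the site level, as part of a SharePoint group or through direct permissions
  • Permissions granted on a list or library by breaking inheritance
  • Access granted through list item or folder level permissions.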

In short, permissions can be granted in SharePoint at the following levels:

[Figure: levels at which permissions can be granted in SharePoint]

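To copy permissions at all of the above levels from one user to another, I wrote this PowerShell script. It simply scans every possible level for the given source user's access rights and grants the same permissions to the target user.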

Important: you must run this script as a farm administrator! Otherwise you will get an "Access denied" error!

PowerShell script to clone SharePoint user permissions:

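This script iterates through each level (as shown in the figure above) and copies permissions between the given users at the list item/folder, list, site, site collection, web application and farm levels. Just change the values of the variables $SourceUser, $TargetUser and $WebAppURL accordingly and run the script. The script writes a log line to the screen wherever it copies a permission.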


Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
  
#Function to copy user permissions 
Function Copy-UserPermissions($SourceUserID, $TargetUserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
    #Determine the given Object type and Get URL of it
    Switch($Object.GetType().FullName)
    {
        "Microsoft.SharePoint.SPWeb"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL; $web = $Object }
        "Microsoft.SharePoint.SPListItem"
        { 
            If($Object.Folder -ne $null)
            {
                $ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)"; $web = $Object.Web
            }
            Else
            {
                $ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" ; $web = $Object.Web
            }
        }
        #Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, Microsoft.SharePoint.SPPictureLibrary,etc
        Default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)"; $web = $Object.ParentWeb }
    }
  
    #Get Source and Target Users
    $SourceUser = $Web.EnsureUser($SourceUserID)
    $TargetUser = $Web.EnsureUser($TargetUserID)
 
    #Get Permissions of the Source user on given object - Such as: Web, List, Folder, ListItem
    $SourcePermissions = $Object.GetUserEffectivePermissionInfo($SourceUser)
  
    #Iterate through each permission and get the details
    ForEach($SourceRoleAssignment in $SourcePermissions.RoleAssignments)
    {
        #Get all permission levels assigned to User account directly or via SharePoint Group
        $SourceUserPermissions=@()
        ForEach($SourceRoleDefinition in $SourceRoleAssignment.RoleDefinitionBindings)
        {
            #Exclude "Limited Accesses"
            If($SourceRoleDefinition.Name -ne "Limited Access")
            {
                $SourceUserPermissions += $SourceRoleDefinition.Name
            }
        }

        #Check Source Permissions granted directly or through SharePoint Group
        If($SourceUserPermissions)
        {
            If($SourceRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])
            {
                $SourcePermissionType = "'Member of SharePoint Group - " + $SourceRoleAssignment.Member.Name +"'"       
                #Add Target User to the Source User's Group
                #Get the Group
                $Group = [Microsoft.SharePoint.SPGroup]$SourceRoleAssignment.Member
        
                #Check if user is already member of the group - If not, Add to group
                if( ($Group.Users | where {$_.UserLogin -eq $TargetUserID}) -eq $null )
                {
                    #Add User to Group
                    $Group.AddUser($TargetUser)
                    #Write-Host Added to Group: $Group.Name
                }
            }
            else
            {
                $SourcePermissionType = "Direct Permission"       
                #Add Each Direct permission (such as "Full Control", "Contribute") to Target User
                ForEach($NewRoleDefinition in $SourceUserPermissions)
                {
                    #Role assignment is a linkage between User object and Role Definition
                    $NewRoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($TargetUser)
                    $NewRoleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$NewRoleDefinition])
 
                    $object.RoleAssignments.Add($NewRoleAssignment)
                    $object.Update()
                }
            }
            $SourceUserPermissions = $SourceUserPermissions -join ";"
            Write-Host "***$($ObjectType) Permissions Copied: $($SourceUserPermissions) at $($ObjectURL) via $($SourcePermissionType)***"
        }
    }
}
  
Function Clone-SPUser($SourceUserID, $TargetUserID, $WebAppURL)
{
    ###Check Whether the Source Users is a Farm Administrator ###
    Write-host "Scanning Farm Administrators Group..."
    #Get the SharePoint Central Administration site
    $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
    $AdminSite = Get-SPWeb $AdminWebApp.Url
    $AdminGroupName = $AdminSite.AssociatedOwnerGroup
    $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
 
    #Enumerate in farm administrators groups
    ForEach ($user in $FarmAdminGroup.users)
    {
        If($User.LoginName.Endswith($SourceUserID,1)) #1 to Ignore Case
        {
            #Add the target user to Farm Administrator Group
            $FarmAdminGroup.AddUser($TargetUserID,[string]::Empty,$TargetUserID , [string]::Empty)
            Write-Host "***Added to Farm Administrators Group!***"
        }
    }
      
    ### Check Web Application User Policies ###
    Write-host "Scanning Web Application Policies..."
    $WebApp = Get-SPWebApplication $WebAppURL 
   
    Foreach ($Policy in $WebApp.Policies)
    {
        #Check if this policy entry belongs to the source user
        If($Policy.UserName.EndsWith($SourceUserID,1))
        {
            #Write-Host $Policy.UserName
            $PolicyRoles=@()
            ForEach($Role in $Policy.PolicyRoleBindings)
            {
                $PolicyRoles+= $Role
            }
        }
    }
    #Add Each Policy found
    If($PolicyRoles)
    {
        $WebAppPolicy = $WebApp.Policies.Add($TargetUserID, $TargetUserID)
        ForEach($Policy in $PolicyRoles)
        {
            $WebAppPolicy.PolicyRoleBindings.Add($Policy)
        }
        $WebApp.Update()
        Write-host "***Added to Web application Policies!***"
    }
    
    ### Drill down to Site Collections, Webs, Lists & Libraries, Folders and List items ###
    #Get all Site collections of given web app
    $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
  
    #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
    If( (Get-SPWebApplication $WebAppURL).UseClaimsAuthentication)
    {
        $SourceUserID = (New-SPClaimsPrincipal -identity $SourceUserID -identitytype 1).ToEncodedString()
        $TargetUserID = (New-SPClaimsPrincipal -identity $TargetUserID -identitytype 1).ToEncodedString()
    }
   
    #Loop through all site collections 
    Foreach($Site in $SiteCollections)
    {
        #Prepare the Target user 
        $TargetUser = $Site.RootWeb.EnsureUser($TargetUserID)
   
        Write-host "Scanning Site Collection Administrators Group for:" $site.Url
        ###Check Whether the User is a Site Collection Administrator
        Foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
        {
            If($SiteCollAdmin.LoginName.EndsWith($SourceUserID,1))
            {
                #Make the user as Site collection Admin
                $TargetUser.IsSiteAdmin = $true
                $TargetUser.Update()
                Write-host "***Added to Site Collection Admin Group***"
            }
        }
 
        #Get all webs
        $WebsCollection = $Site.AllWebs
        #Loop through each Site (web)
        Foreach($Web in $WebsCollection)
        {
            If($Web.HasUniqueRoleAssignments -eq $True)
            {
                Write-host "Scanning Site:" $Web.Url
       
                #Call the function to Copy Permissions to TargetUser
                Copy-UserPermissions $SourceUserID $TargetUserID $Web  
            }
 
            #Check Lists with Unique Permissions
            Write-host "Scanning Lists on $($web.url)..."
            Foreach($List in $web.Lists)
            {
                If($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                {
                    #Call the function to Copy Permissions to TargetUser
                    Copy-UserPermissions $SourceUserID $TargetUserID $List
                }

                #Check Folders with Unique Permissions
                $UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True }
                #Get Folder permissions
                If($UniqueFolders)
                {
                    Foreach($folder in $UniqueFolders)
                    {
                        #Call the function to Copy Permissions to TargetUser
                        Copy-UserPermissions $SourceUserID $TargetUserID $folder    
                    }
                }
      
                #Check List Items with Unique Permissions
                $UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True }
                If($UniqueItems)
                {
                    #Get Item level permissions
                    Foreach($item in $UniqueItems)
                    {
                        #Call the function to Copy Permissions to TargetUser
                        Copy-UserPermissions $SourceUserID $TargetUserID $Item
                    }
                }
            }
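            #Release the web object to avoid leaking memory on large farms
            $Web.Dispose()
        }
        #Release the site collection object
        $Site.Dispose()
    }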
    Write-Host "Permission are copied successfully!" 
}

#Define variables for processing
$WebAppURL = "https://sharepoint.crescent.com"

#Provide input for source and Target user Ids
$SourceUser ="Crescent\TonyW"
$TargetUser ="Crescent\Salaudeen"

#Call the function to clone user access rights
Clone-SPUser $SourceUser $TargetUser $WebAppURL 

Copy user permissions at the list level:

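The script is split into two functions for convenience: Copy-UserPermissions and Clone-SPUser. Say you want to copy permissions at the list level; you can then use the Copy-UserPermissions function as follows: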


 
$WebURL = "https://sharepoint.crescent.com/sites/sales"

$web = Get-SPWeb $WebURL

$SourceUser ="i:0#.w|Crescent\TonyW"
$TargetUser ="i:0#.w|Crescent\Salaudeen"

$list = $Web.Lists["Invoice"]

#$folder = $list.Folders[0]
#$ListItem = $list.Items[0]

#Call the function to copy user permissions programmatically at LIST level
Copy-UserPermissions $SourceUser $TargetUser $list

This script clones user permissions at the list level (it copies only at the list level and does not drill down to folders and items!).

Note that this script does not clone permissions granted through Active Directory security groups!
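A clone also hands over any Full Control assignments and group memberships the source user has accumulated, so it helps to list what would be copied before running the script. The following added example (not part of the original script) is a report-only counterpart of Copy-UserPermissions built on the same API calls; the function name Get-UserPermissionReport, the HighPrivilege column and the output path are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Hypothetical helper: lists what Copy-UserPermissions would copy, without changing any role assignment
Function Get-UserPermissionReport($SourceUserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
    #Resolve the parent web and URL the same way Copy-UserPermissions does
    Switch($Object.GetType().FullName)
    {
        "Microsoft.SharePoint.SPWeb"      { $Web = $Object; $ObjectURL = $Object.Url }
        "Microsoft.SharePoint.SPListItem" { $Web = $Object.Web; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" }
        Default                           { $Web = $Object.ParentWeb; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.Url)" }
    }

    #EnsureUser may add the account to the site's user list, but it assigns no permissions
    $SourceUser = $Web.EnsureUser($SourceUserID)
    $PermissionInfo = $Object.GetUserEffectivePermissionInfo($SourceUser.LoginName)

    ForEach($RoleAssignment in $PermissionInfo.RoleAssignments)
    {
        #Same filter as the copy script: ignore "Limited Access"
        $Levels = @($RoleAssignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } | ForEach-Object { $_.Name })
        If($Levels.Count -eq 0) { Continue }

        If($RoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])
        { $Via = "SharePoint Group: $($RoleAssignment.Member.Name)" }
        Else
        { $Via = "Direct Permission" }

        #One row per role assignment; HighPrivilege flags rows that deserve a second look
        New-Object PSObject -Property @{
            ObjectURL     = $ObjectURL
            Levels        = ($Levels -join ";")
            GrantedVia    = $Via
            HighPrivilege = ($Levels -contains "Full Control")
        }
    }
}

#Constructed sample values, reusing the site, list and account from the example above
$Web  = Get-SPWeb "https://sharepoint.crescent.com/sites/sales"
$List = $Web.Lists["Invoice"]
Get-UserPermissionReport "i:0#.w|Crescent\TonyW" $List |
    Export-Csv "C:\temp\TonyW-Permissions.csv" -NoTypeInformation
$Web.Dispose()
```

Review the exported rows, especially those with HighPrivilege set, and decide whether the new user really needs each one before calling Copy-UserPermissions or Clone-SPUser.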

Clone user permissions from a CSV file:

When you have to copy permissions for multiple users, you can use a CSV file together with the PowerShell script. Here is an example:

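Create a CSV file in this format and populate it according to your requirements:

[Figure: CSV file format; the script below reads the columns WebAppURL, SourceUser and TargetUser]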

Use this PowerShell script to read the CSV file and copy the user permissions:


$CSVFilePath = "C:\temp\CloneUsers.csv"

#Get the CSV file
$CSVFile = Import-Csv $CSVFilePath

#Read each CSV row and clone the user permissions
ForEach($Line in $CSVFile)
{
    #Get CSV File Entries
    $WebAppURL = $Line.WebAppURL
    $SourceUser = $Line.SourceUser
    $TargetUser = $Line.TargetUser
    
    #Call the Function to Clone user permissions
    Clone-SPUser $SourceUser $TargetUser $WebAppURL
}
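Clone-SPUser matches the source account with EndsWith(), so a blank SourceUser cell matches every farm administrator, policy entry and site collection administrator, and a bare "TonyW" would also match "Crescent\AntonyW". The following added example (not part of the original script) validates every row first and clones nothing unless all rows pass; Test-CloneCsvRow is a hypothetical helper, and Clone-SPUser from the script above is assumed to be loaded.

```powershell
#Hypothetical helper: returns the list of problems found in one CSV row (empty if the row is fine)
Function Test-CloneCsvRow($Line)
{
    $Problems = @()

    #Require a full DOMAIN\user value so the suffix match in Clone-SPUser cannot hit other accounts
    ForEach($Column in "SourceUser","TargetUser")
    {
        If([string]$Line.$Column -notmatch '^[^\\|]+\\[^\\|]+$')
        { $Problems += "$Column must be in DOMAIN\user form" }
    }

    If([string]$Line.SourceUser -eq [string]$Line.TargetUser)
    { $Problems += "SourceUser and TargetUser are the same account" }

    #WebAppURL must be an absolute http(s) URL
    $Uri = $null
    If(-not ([Uri]::TryCreate([string]$Line.WebAppURL, [System.UriKind]::Absolute, [ref]$Uri)) -or ($Uri.Scheme -notmatch '^https?$'))
    { $Problems += "WebAppURL is not an absolute http(s) URL" }

    Return $Problems
}

$Rows = @(Import-Csv "C:\temp\CloneUsers.csv")
$BadRows = 0
ForEach($Line in $Rows)
{
    $Problems = @(Test-CloneCsvRow $Line)
    If($Problems.Count -gt 0)
    {
        $BadRows++
        Write-Warning "Rejected '$($Line.SourceUser)' -> '$($Line.TargetUser)': $($Problems -join '; ')"
    }
}

#Fail closed: copy nothing unless every row passed validation
If($BadRows -eq 0)
{
    ForEach($Line in $Rows) { Clone-SPUser $Line.SourceUser $Line.TargetUser $Line.WebAppURL }
}
Else
{
    Write-Warning "$BadRows row(s) rejected; no permissions were copied."
}
```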
