
SharePoint Online: Permission Report for a Specific User in a Site Collection Using PowerShell

Author: 精品下载站 | Date: 2024-12-14 21:10:38 | Views: 16 | Category: Playing with Computers



Requirement: Generate a permission report to audit a specific user's permissions across a given SharePoint Online site collection, its subsites, and all of their lists, libraries and list items.

How do I check user permissions in SharePoint Online?

In SharePoint Online, managing user permissions is an important task for ensuring secure access to sensitive information. Knowing which permissions are assigned to a specific user helps you manage that user's access to the site collection. In this guide, we explore how to use PowerShell to generate a SharePoint Online permission report for a specific user in a site collection. With this report you can quickly check a user's permissions, identify potential issues, and make informed decisions about granting or revoking access to sensitive information.

To get a user's permissions in SharePoint Online:

  1. Navigate to the SharePoint Online site whose permissions you want to check.
  2. Click the Settings gear >> Site Settings >> click the "Site permissions" link.
  3. On the Site Permissions page, click the "Check Permissions" icon under the "Permissions" tab of the top ribbon.
  4. In the "User/Group" field, enter the name of the user whose permissions you want to verify, then click the "Check Now" button.
  5. Shortly, you will see the list of permissions the user holds on the site.


The problem: this way of checking user permissions shows access to only one site at a time. To check a user's access across a site collection, you would have to repeat these steps on every site. So let's generate the SharePoint Online user permission report with PowerShell instead.

SharePoint Online PowerShell Permission Report

Let's use a PowerShell script to check user permissions in SharePoint Online. This script checks the user's permissions and exports the results to a CSV file. How do you run it? Change the parameters on lines 6 to 8 of the script to match your environment, then run it.


SharePoint Online: PowerShell to get a user's permissions for a given site collection

Here is how to check a user's permissions in SharePoint Online with PowerShell. Note one limitation: this script does not scan Active Directory security groups, so access the user receives through such a group will not appear in the report.


#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  
#Set parameter values
$SiteURL="https://crescent.sharepoint.com/sites/ops"
$UserAccount="i:0#.f|membership|[email protected]"   #Login name (claims format) of the user to audit
$ReportFile="C:\Temp\PermissionRpt.csv"
$BatchSize = 500
 
#Get the user's permissions applied on a particular object: Web, List, Folder or Item
Function Get-Permissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    #Determine the type of the object
    Switch($Object.TypedObject.ToString())
    {
        "Microsoft.SharePoint.Client.Web"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
        "Microsoft.SharePoint.Client.ListItem"
        { 
            $ObjectType = "List Item/Folder"
 
            #Get the URL of the List Item
            $Object.ParentList.Retrieve("DefaultDisplayFormUrl")
            $Ctx.ExecuteQuery()
            $DefaultDisplayFormUrl = $Object.ParentList.DefaultDisplayFormUrl
            $ObjectURL = $("{0}{1}?ID={2}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
        }
        Default 
        { 
            $ObjectType = "List/Library"
            #Get the URL of the List or Library
            $Ctx.Load($Object.RootFolder)
            $Ctx.ExecuteQuery()            
            $ObjectURL = $("{0}{1}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $Object.RootFolder.ServerRelativeUrl)
        }
    }
 
    #Get permissions assigned to the object
    $Ctx.Load($Object.RoleAssignments)
    $Ctx.ExecuteQuery()
 
    Foreach($RoleAssignment in $Object.RoleAssignments)
    { 
                $Ctx.Load($RoleAssignment.Member)
                $Ctx.executeQuery()
 
                #Check direct permissions
                if($RoleAssignment.Member.PrincipalType -eq "User")
                {
                    #Is this the user we are searching for?
                    if($RoleAssignment.Member.LoginName -eq $SearchUser.LoginName)
                    {
                        Write-Host  -f Cyan "Found the User under direct permissions of the $($ObjectType) at $($ObjectURL)"
                         
                        #Get the Permissions assigned to user
                        $UserPermissions=@()
                        $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                        $Ctx.ExecuteQuery()
                        foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
                        {
                            $UserPermissions += $RoleDefinition.Name +";"
                        }
                        #Send the Data to Report file
                        "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Direct Permission `t $($UserPermissions)" | Out-File $ReportFile -Append
                    }
                }
                 
                Elseif($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
                {
                        #Search inside SharePoint Groups and check if the user is member of that group
                        $Group= $Web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
                        $GroupUsers=$Group.Users
                        $Ctx.Load($GroupUsers)
                        $Ctx.ExecuteQuery()
 
                        #Check if user is member of the group
                        Foreach($User in $GroupUsers)
                        {
                            #Check if the searched user is a member of the group
                            if($user.LoginName -eq $SearchUser.LoginName)
                            {
                                Write-Host -f Cyan "Found the User under Member of the Group '$($RoleAssignment.Member.LoginName)' on $($ObjectType) at $($ObjectURL)"
 
                                #Get the Group's Permissions on site
                                $GroupPermissions=@()
                                $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                                $Ctx.ExecuteQuery()
                                Foreach ($RoleDefinition  in $RoleAssignment.RoleDefinitionBindings)
                                {
                                    $GroupPermissions += $RoleDefinition.Name +";"
                                }          
                                #Send the Data to Report file
                                "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Member of '$($RoleAssignment.Member.LoginName)' Group `t $($GroupPermissions)" | Out-File $ReportFile -Append
                            }
                        }
                }
            }
}

Try {
    #Get Credentials to connect
    #Note: SharePointOnlineCredentials uses legacy username/password authentication; it fails for
    #accounts with MFA enforced or in tenants where legacy authentication is disabled.
    $Cred= Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
  
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Credentials
 
    #Get the Web
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
 
    #Get the User object
    $SearchUser = $Web.EnsureUser($UserAccount)
    $Ctx.Load($SearchUser)
    $Ctx.ExecuteQuery()
 
    #Write the header of the report file (CSV, TAB separated)
    "URL `t Object `t Title `t PermissionType `t Permissions" | out-file $ReportFile
 
    Write-host -f Yellow "Searching in the Site Collection Administrators Group..."
    #Check if Site Collection Admin
    If($SearchUser.IsSiteAdmin -eq $True)
    {
        Write-host -f Cyan "Found the User under Site Collection Administrators Group!"
        #Send the Data to report file
        "$($Web.URL) `t Site Collection `t $($Web.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $ReportFile -Append
    }
 
 
    #Function to Check Permissions of All List Items of a given List
    Function Check-SPOListItemsPermission([Microsoft.SharePoint.Client.List]$List)
    {
        Write-host -f Yellow "Searching in List Items of the List '$($List.Title)'..."
 
        $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
        $Query.ViewXml = "<View Scope='RecursiveAll'><Query><OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy></Query><RowLimit Paged='TRUE'>$BatchSize</RowLimit></View>"

        $Counter = 0
        #Batch process list items - to mitigate list threshold issue on larger lists
        Do {  
            #Get items from the list in Batch
            $ListItems = $List.GetItems($Query)
            $Ctx.Load($ListItems)
            $Ctx.ExecuteQuery()
          
            $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
            #Loop through each List item
            ForEach($ListItem in $ListItems)
            {
                $ListItem.Retrieve("HasUniqueRoleAssignments")
                $Ctx.ExecuteQuery()
                if ($ListItem.HasUniqueRoleAssignments -eq $true)
                {
                    #Call the function to generate Permission report
                    Get-Permissions -Object $ListItem
                }
                $Counter++
                Write-Progress -PercentComplete ([Math]::Min(100, $Counter / $List.ItemCount * 100)) -Activity "Processing Items $Counter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'" 
            }
        } While ($Query.ListItemCollectionPosition -ne $null)
    }
 
    #Function to Check Permissions of all lists from the web
    Function Check-SPOListPermission([Microsoft.SharePoint.Client.Web]$Web)
    {
        #Get All Lists from the web
        $Lists = $Web.Lists
        $Ctx.Load($Lists)
        $Ctx.ExecuteQuery()
 
        #Get all lists from the web   
        ForEach($List in $Lists)
        {
            #Exclude System Lists
            If($List.Hidden -eq $False)
            {
                #Get List Items Permissions
                Check-SPOListItemsPermission $List
 
                #Get the Lists with Unique permission
                $List.Retrieve("HasUniqueRoleAssignments")
                $Ctx.ExecuteQuery()
 
                If( $List.HasUniqueRoleAssignments -eq $True)
                {
                    #Call the function to check permissions
                    Get-Permissions -Object $List
                }
            }
        }
    }
 
    #Function to Check Webs's Permissions from given URL
    Function Check-SPOWebPermission([Microsoft.SharePoint.Client.Web]$Web) 
    {
        #Get all immediate subsites of the site
        $Ctx.Load($web.Webs)  
        $Ctx.executeQuery()
  
        #Call the function to Get Lists of the web
        Write-host -f Yellow "Searching in the Web $($Web.URL)..."
 
        #Check if the Web has unique permissions
        $Web.Retrieve("HasUniqueRoleAssignments")
        $Ctx.ExecuteQuery()
 
        #Get the Web's Permissions
        If($web.HasUniqueRoleAssignments -eq $true) 
        { 
            Get-Permissions -Object $Web
        }
 
        #Scan Lists with Unique Permissions
        Write-host -f Yellow "Searching in the Lists and Libraries of "$Web.URL"..."
        Check-SPOListPermission $Web
  
        #Iterate through each subsite in the current web
        Foreach ($Subweb in $web.Webs)
        {
                #Call the function recursively                            
                Check-SPOWebPermission $SubWeb
        }
    }
 
    #Call the function with RootWeb to get site collection permissions
    Check-SPOWebPermission $Web
 
    Write-host -f Green "User Permission Report Generated Successfully!"
    }
Catch {
    write-host -f Red "Error Generating User Permission Report!" $_.Exception.Message
}

Result of the SharePoint Online user permission report using PowerShell: the script generates a tab-separated CSV file with the columns URL, Object, Title, PermissionType and Permissions (the header line written by the script).
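Added example, not part of the original post: a short PowerShell snippet that reads the report the script above writes (tab-separated, with fields padded by spaces around each tab) and flags the entries an access review would look at first. The sample report content is constructed here so the snippet runs offline; the $ReportFile path and column names are the script's own.

```powershell
# Added example (not from the original script): triage the user permission report.
$ReportFile = "C:\Temp\PermissionRpt.csv"

# Constructed sample content in the script's own output format (tab-separated, space-padded).
# Delete this block to run the triage against a real report produced by the script.
@"
URL `t Object `t Title `t PermissionType `t Permissions
https://crescent.sharepoint.com/sites/ops `t Site Collection `t Operations`t Site Collection Administrator `t Site Collection Administrator
https://crescent.sharepoint.com/sites/ops/Shared Documents `t List/Library `t Documents`t Direct Permission `t Full Control; Contribute;
https://crescent.sharepoint.com/sites/ops/Lists/Tasks/DispForm.aspx?ID=7 `t List Item/Folder `t Budget`t Member of 'Ops Visitors' Group `t Read;
"@ | Set-Content -Path $ReportFile

# Import the TSV and trim the padding the script puts around every tab,
# in both the header names and the values.
$Rows = Import-Csv -Path $ReportFile -Delimiter "`t" | ForEach-Object {
    $Row = [ordered]@{}
    foreach ($Prop in $_.PSObject.Properties) {
        $Row[$Prop.Name.Trim()] = [string]$Prop.Value.Trim()
    }
    # The script writes permissions as "Name;Name;" - split into individual role names
    $Row['RoleList'] = @($Row['Permissions'] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]$Row
}

# Entries a reviewer checks first: site collection admin, Full Control anywhere,
# and direct (non-group) grants below site level, which bypass group-based management.
$HighRisk = $Rows | Where-Object {
    $_.PermissionType -eq 'Site Collection Administrator' -or
    $_.RoleList -contains 'Full Control' -or
    ($_.PermissionType -eq 'Direct Permission' -and $_.Object -ne 'Site')
}

"Report entries: $($Rows.Count); entries to review first: $($HighRisk.Count)"
$HighRisk | Select-Object Object, PermissionType, Permissions, URL | Format-Table -AutoSize

# How the user's access was granted: directly, via group membership, or as site admin
$Rows | Group-Object PermissionType | Select-Object Name, Count | Format-Table -AutoSize
```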


If you are looking for a permission report for all users of a site collection, use my other script: SharePoint Online: PowerShell Permission Report

Wrapping up

In summary, generating a SharePoint Online permission report for a specific user in a site collection with PowerShell is a useful tool for managing user access to sensitive information. The report gives a clear, concise overview of the user's permissions, letting you quickly identify potential issues and make informed decisions about granting or revoking access. Whether you are a seasoned administrator or just getting started with SharePoint, this guide is a valuable resource for managing user permissions in SharePoint Online. With the script provided here, you can generate the permission report, keep access to sensitive information secure, and maintain the integrity of your SharePoint environment.


