Question

I'm trying to get all the users that have access to a specific subsite in a SharePoint 2010 environment. When I look up the SiteGroups of an SPWeb object, I get all the groups of the site collection, not just those of that web. How can I get just the groups and users for that specific subsite? The problem code is as follows:

# Reproduction: both calls below enumerate the whole site collection, not the web.
# NOTE(review): Get-SPWeb hands back an SPWeb that should be released with
# $SPWeb.Dispose() once you are done with it (the full script below does so).
$SPWeb = Get-SPWeb https://mysitecollection/mysubsite
$SPWeb.SiteGroups # SiteGroups = groups of the whole site collection; the groups
                  # actually used in this web are $SPWeb.Groups (see the answer)
Get-SPUser -Web $SPWeb -Limit ALL # likewise site-collection-wide, not web-scoped

My entire script looks like:

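Clear-Host

#--------------------------------------------------#
# modules
#--------------------------------------------------#
# Load the SharePoint snap-in only if it is not already loaded (Get-PSSnapin
# errors for a snap-in that has not been added, hence SilentlyContinue).
if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
# Fail fast if the RSAT ActiveDirectory module is missing. Without -ErrorAction
# Stop the script would carry on, every Get-ADGroupMember call would fail and
# each group would be written to the "failed groups" list, which reads like an
# AD permission problem rather than a missing module.
Import-Module ActiveDirectory -ErrorAction Stop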
#--------------------------------------------------#
# main
#--------------------------------------------------#


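# Site collection to open and the subsite whose access is being reported.
$SiteCollectionUrl = "https://mysitecollection"
$SubsiteUrl        = "https://mysitecollection/MySubsite"

$SPSite = Get-SPSite $SiteCollectionUrl

# The subsite itself plus every web below it. The original filter was the
# substring match "*/MySubsite*", which also picked up sibling webs whose name
# merely starts with the same text (e.g. /MySubsite2) and so pulled their
# principals into the access report. Both comparisons are case-insensitive.
$SPWebs = $SPSite.AllWebs | Where-Object {
    $_.Url -eq $SubsiteUrl -or $_.Url.StartsWith("$SubsiteUrl/", [StringComparison]::OrdinalIgnoreCase)
}

# Accumulators shared with the main loop:
$ADGroupOutput       = @()   # DisplayName of every domain group already seen
$FailedADGroupOutput = @()   # groups whose AD membership could not be read
$FailedADUserOutput  = @()   # SharePoint logins that did not resolve in AD
$uniqueAdGroups      = @()   # objects with GroupDisplayName (name used for the AD lookup)
$UserOutput          = @()   # SamAccountName of every user already recorded
$uniqueUsers         = @()   # objects with UserName / DisplayName -> users.csv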


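#--------------------------------------------------#
# helpers
#--------------------------------------------------#

# Returns the account-name part of a SharePoint login: everything after the
# last backslash ("DOMAIN\name", or a Windows claims login such as
# "i:0#.w|DOMAIN\name"). A login without a backslash (non-Windows claims,
# e-mail style identities) is returned unchanged and will simply not resolve
# in AD. The original inline version compared LastIndexOf('\') with 1 instead
# of -1, so a login whose only backslash sat at index 1 was passed through
# untouched.
function ConvertTo-SamAccountName {
    param([string]$Login)
    $sep = $Login.LastIndexOf('\')
    if ($sep -ge 0) { $Login.Substring($sep + 1) } else { $Login }
}

# Resolves the enabled AD user accounts that are members (directly or through
# nested groups) of $GroupName. Any AD error is thrown to the caller so the
# group can be recorded as failed.
# Get-ADGroupMember -Recursive returns leaf ADPrincipal objects: they carry no
# Enabled attribute and may be computers or other non-user classes. The
# original pipeline filtered on $_.Enabled of those objects, which is never
# $true, so every group expanded to an empty list. Each user member is
# therefore re-read with Get-ADUser before the Enabled check.
function Get-EnabledAdGroupUsers {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.SamAccountName -Properties Name, SamAccountName, Enabled -ErrorAction Stop
        } |
        Where-Object { $_.Enabled -eq $true }
}

#--------------------------------------------------#
# main loop
#--------------------------------------------------#
# NOTE(review): Get-SPUser -Web enumerates the site collection's users, not
# just this web's (the behaviour the question reports). Per the accepted
# answer, $SPWeb.Groups holds only the SharePoint groups used in the current
# web, so iterating those groups and their members is the way to obtain a
# web-scoped list; that change is left to the reader.
foreach ($SPWeb in $SPWebs) {
    Write-Host -ForegroundColor Green "Connected to Site: "$SPWeb.Title

    try {
        # Enumerate once and split, instead of two Get-SPUser round-trips.
        $principals = @(Get-SPUser -Web $SPWeb -Limit ALL)
        $SPUsers    = @($principals | Where-Object { -not $_.IsDomainGroup })
        $ADgroups   = @($principals | Where-Object { $_.IsDomainGroup })

        # Domain groups first seen on this web; only these are expanded below.
        # The original re-expanded every group collected so far on each web,
        # which re-queried AD and duplicated entries in $FailedADGroupOutput
        # (the user list was already de-duplicated, so users.csv is unchanged).
        $newAdGroups = @()
        foreach ($ADgroup in $ADgroups) {
            $displayName = $ADgroup.DisplayName
            if ($ADGroupOutput -contains $displayName) { continue }
            # Well-known principals are skipped rather than expanded.
            # NOTE(review): "everyone" or an "NT AUTHORITY\..." principal having
            # access is itself a finding for an access review; consider logging it.
            if ($displayName -eq "everyone" -or $displayName -like "NT AUTHORITY*") { continue }

            $ADGroupOutput += $displayName
            $group = New-Object psobject
            $group | Add-Member NoteProperty -Name "GroupDisplayName" -Value (ConvertTo-SamAccountName $displayName)
            $uniqueAdGroups += $group
            $newAdGroups    += $group
        }

        foreach ($uniqueAdGroup in $newAdGroups) {
            $groupName = $uniqueAdGroup.GroupDisplayName
            try {
                $members = @(Get-EnabledAdGroupUsers -GroupName $groupName)
                Write-Host "Iterating over users in group: $groupName"
                foreach ($AdUser in $members) {
                    if ($UserOutput -contains $AdUser.SamAccountName) { continue }
                    $UserOutput += $AdUser.SamAccountName
                    $user = New-Object psobject
                    $user | Add-Member NoteProperty -Name "UserName" -Value $AdUser.SamAccountName
                    $user | Add-Member NoteProperty -Name "DisplayName" -Value $AdUser.Name
                    $uniqueUsers += $user
                }
            }
            catch [System.Exception] {
                # Unknown group, access denied, domain unreachable, ...: record
                # the group and carry on with the rest of the report.
                Write-Host "Unable to get users from group: $groupName"
                $FailedADGroupOutput += $groupName
            }
        }

        # Principals granted access directly rather than through a domain group.
        foreach ($SPUser in $SPUsers) {
            $SpSamAccountName = ConvertTo-SamAccountName $SPUser.UserLogin
            if ($UserOutput -contains $SpSamAccountName) { continue }

            $curentAdUser = $null
            try {
                # Disabled accounts are dropped here without being recorded
                # anywhere; record them too if this report feeds an access review.
                $curentAdUser = Get-ADUser -Identity $SpSamAccountName -Properties Name, SamAccountName, Enabled -ErrorAction Stop |
                    Where-Object { $_.Enabled -eq $true }
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # Only "not found" is tolerated; any other AD error propagates
                # and aborts the script (the finally below still disposes the web).
                Write-Host "Unable to get user: $SpSamAccountName"
                $FailedADUserOutput += $SpSamAccountName
            }

            if ($curentAdUser) {
                $UserOutput += $curentAdUser.SamAccountName
                $user = New-Object psobject
                $user | Add-Member NoteProperty -Name "UserName" -Value $curentAdUser.SamAccountName
                $user | Add-Member NoteProperty -Name "DisplayName" -Value $curentAdUser.Name
                $uniqueUsers += $user
            }
        }
    }
    finally {
        # Release the SPWeb even when an error propagates out of the loop body.
        $SPWeb.Dispose()
    }
}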

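$SPSite.Dispose()

#--------------------------------------------------#
# output
#--------------------------------------------------#
# NOTE(review): $PSScriptRoot is only populated automatically for scripts on
# PowerShell 3 and later (on 2.0 it is set inside modules only); when it is
# empty these paths resolve to the root of the current drive.
# The files enumerate who can reach the site: treat them as sensitive.
#
# Export-Csv writes ASCII by default, which turns non-ASCII display names into
# "?", hence -Encoding UTF8. The two failed-lookup lists are plain strings, and
# piping strings straight to Export-Csv yields only a "Length" column, so each
# entry is first wrapped in an object with a named property.
$uniqueUsers | Export-Csv "$PSScriptRoot\users.csv" -NoTypeInformation -Encoding UTF8
$FailedADUserOutput | Select-Object @{ Name = "UserName"; Expression = { $_ } } |
    Export-Csv "$PSScriptRoot\failedUsers.csv" -NoTypeInformation -Encoding UTF8
$FailedADGroupOutput | Select-Object @{ Name = "GroupName"; Expression = { $_ } } |
    Export-Csv "$PSScriptRoot\failedAdGroups.csv" -NoTypeInformation -Encoding UTF8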

Solution

The SiteGroups property is the collection of cross-site SharePoint groups that are available throughout the whole site collection, whereas the Groups property is the collection of SharePoint groups that have actually been used in the current web. Both are properties of the SPWeb object, so if you loop through the webs you can loop through each web's Groups and then through the accounts in each group. Note that this only covers access granted through SharePoint groups; principals given permissions directly on the web are not members of any of those groups.

Licensed under: CC-BY-SA with attribution