Copy Permission from windows authentication to LDAP Membership FBA
在将Web Application 验证从windows authentication改成LDAP Membership FBA后,用PowerShell将Windows用户的权限复制到LDAP Membership用户
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Function to copy user permissions
Function Copy-UserPermissions($SourceUserID, $TargetUserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
#Determine the given Object type and Get URL of it
Switch($Object.GetType().FullName)
{
"Microsoft.SharePoint.SPWeb" { $ObjectType = "Site" ; $ObjectURL = $Object.URL; $web = $Object }
"Microsoft.SharePoint.SPListItem"
{
If($Object.Folder -ne $null)
{
$ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)"; $web = $Object.Web
}
Else
{
$ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" ; $web = $Object.Web
}
}
#Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, Microsoft.SharePoint.SPPictureLibrary,etc
Default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)"; $web = $Object.ParentWeb }
}
#Get Source and Target Users
$SourceUser = $Web.EnsureUser($SourceUserID)
$TargetUser = $Web.EnsureUser($TargetUserID)
#Get Permissions of the Source user on given object - Such as: Web, List, Folder, ListItem
$SourcePermissions = $Object.GetUserEffectivePermissionInfo($SourceUser)
#Iterate through each permission and get the details
ForEach($SourceRoleAssignment in $SourcePermissions.RoleAssignments)
{
#Get all permission levels assigned to User account directly or via SharePOint Group
$SourceUserPermissions=@()
ForEach($SourceRoleDefinition in $SourceRoleAssignment.RoleDefinitionBindings)
{
#Exclude "Limited Accesses"
If($SourceRoleDefinition.Name -ne "Limited Access")
{
$SourceUserPermissions += $SourceRoleDefinition.Name
}
}
#Check Source Permissions granted directly or through SharePoint Group
If($SourceUserPermissions)
{
If($SourceRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])
{
$SourcePermissionType = "'Member of SharePoint Group - " + $SourceRoleAssignment.Member.Name +"'"
#Add Target User to the Source User's Group
#Get the Group
$Group = [Microsoft.SharePoint.SPGroup]$SourceRoleAssignment.Member
#Check if user is already member of the group - If not, Add to group
if( ($Group.Users | where {$_.UserLogin -eq $TargetUserID}) -eq $null )
{
#Add User to Group
$Group.AddUser($TargetUser)
#Write-Host Added to Group: $Group.Name
}
}
else
{
$SourcePermissionType = "Direct Permission"
#Add Each Direct permission (such as "Full Control", "Contribute") to Target User
ForEach($NewRoleDefinition in $SourceUserPermissions)
{
#Role assignment is a linkage between User object and Role Definition
$NewRoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($TargetUser)
$NewRoleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$NewRoleDefinition])
$object.RoleAssignments.Add($NewRoleAssignment)
$object.Update()
}
}
$SourceUserPermissions = $SourceUserPermissions -join ";"
Write-Host "***$($ObjectType) Permissions Copied: $($SourceUserPermissions) at $($ObjectURL) via $($SourcePermissionType)***"
}
}
}
Function Clone-SPUser($SourceUserID, $TargetUserID, $WebAppURL)
{
###Check Whether the Source Users is a Farm Administrator ###
# Write-host "Scanning Farm Administrators Group..."
#Get the SharePoint Central Administration site
# $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
# $AdminSite = Get-SPWeb $AdminWebApp.Url
# $AdminGroupName = $AdminSite.AssociatedOwnerGroup
# $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
# #Enumerate in farm adminidtrators groups
# ForEach ($user in $FarmAdminGroup.users)
# {
# If($User.LoginName.Endswith($SourceUserID,1)) #1 to Ignore Case
# {
# #Add the target user to Farm Administrator Group
# $FarmAdminGroup.AddUser($TargetUserID,"",$TargetUserID , "")
# Write-Host "***Added to Farm Administrators Group!***"
# }
# }
# ### Check Web Application User Policies ###
Write-host "Scanning Web Application Policies..."
$WebApp = Get-SPWebApplication $WebAppURL
#Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
# If( $WebApp.UseClaimsAuthentication)
# {
# $SourceUserID = (New-SPClaimsPrincipal -identity $SourceUserID -identitytype 1).ToEncodedString()
# $ip = New-SPIdentityProvider -ASPNetMembershipProvider "membership" -ASPNetRoleProvider "rolemanager"
# $TargetUserID = (New-SPClaimsPrincipal $TargetUserID -TrustedIdentityTokenIssuer $ip).ToEncodedString()
# }
Foreach ($Policy in $WebApp.Policies)
{
#Check if the search users is member of the group
If($Policy.UserName.EndsWith($SourceUserID,1))
{
#Write-Host $Policy.UserName
$PolicyRoles=@()
ForEach($Role in $Policy.PolicyRoleBindings)
{
$PolicyRoles+= $Role
}
}
}
#Add Each Policy found
If($PolicyRoles)
{
$WebAppPolicy = $WebApp.Policies.Add($TargetUserID, $TargetUserID)
ForEach($Policy in $PolicyRoles)
{
$WebAppPolicy.PolicyRoleBindings.Add($Policy)
}
$WebApp.Update()
Write-host "***Added to Web application Policies!***"
}
### Drill down to Site Collections, Webs, Lists & Libraries, Folders and List items ###
#Get all Site collections of given web app
$SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
#Loop through all site collections
Foreach($Site in $SiteCollections)
{
#Prepare the Target user
$TargetUser = $Site.RootWeb.EnsureUser($TargetUserID)
Write-host "Scanning Site Collection Administrators Group for:" $site.Url
###Check Whether the User is a Site Collection Administrator
Foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
{
If($SiteCollAdmin.LoginName.EndsWith($SourceUserID,1))
{
#Make the user as Site collection Admin
$TargetUser.IsSiteAdmin = $true
$TargetUser.Update()
Write-host "***Added to Site Collection Admin Group***"
}
}
#Get all webs
$WebsCollection = $Site.AllWebs
#Loop throuh each Site (web)
Foreach($Web in $WebsCollection)
{
If($Web.HasUniqueRoleAssignments -eq $True)
{
Write-host "Scanning Site:" $Web.Url
#Call the function to Copy Permissions to TargetUser
Copy-UserPermissions $SourceUserID $TargetUserID $Web
}
#Check Lists with Unique Permissions
Write-host "Scanning Lists on $($web.url)..."
Foreach($List in $web.Lists)
{
If($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Call the function to Copy Permissions to TargetUser
Copy-UserPermissions $SourceUserID $TargetUserID $List
}
#Check Folders with Unique Permissions
$UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True }
#Get Folder permissions
If($UniqueFolders)
{
Foreach($folder in $UniqueFolders)
{
#Call the function to Copy Permissions to TargetUser
Copy-UserPermissions $SourceUserID $TargetUserID $folder
}
}
#Check List Items with Unique Permissions
$UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True }
If($UniqueItems)
{
#Get Item level permissions
Foreach($item in $UniqueItems)
{
#Call the function to Copy Permissions to TargetUser
Copy-UserPermissions $SourceUserID $TargetUserID $Item
}
}
}
}
}
Write-Host "Permission are copied successfully!"
}
#Define variables for processing
$WebAppURL = "http://WebApplicationURL/"
#Provide input for source and Target user Ids
$SourceUser ="i:0#.w|contoso\s.p"
$TargetUser ="i:0#.f|membership|s.p"
#Call the function to clone user access rights
Clone-SPUser $SourceUser $TargetUser $WebAppURL
浙公网安备 33010602011771号