Introduction
Consider a scenario where you need to add users to the user policy of multiple web applications in multiple farms. PowerShell is well suited to that. In this article I will outline how to add users or groups to a SharePoint web application's user policy.
Preparation
Before executing the script, you must first identify the users and groups that need to be added to multiple web applications in the SharePoint farm. List the web applications in a text file (WebapplicationList.txt), one per line. The script reads this input file and adds the users or groups to the user policy of each web application in the list.
Functionality
The script provides options to do the following tasks:
- Grant FULL CONTROL access
- Grant FULL READ access
- DENY WRITE
- DENY ALL
Function 1
The following piece of code helps you to provide “FULL CONTROL” access:
    # $scriptbase is assumed to hold the folder that contains the script and is not set inside this function.
    Function FullControl()
    {
        $UserOrGroup = Read-Host "Enter the user or group for which you want to apply FULL CONTROL (e.g. domain\user) "
        Write-Host "Place the WebapplicationList.txt file under the folder where the script exists" -fore Magenta
        $DidYouPlaceTheFile = Read-Host "Did you place the WebapplicationList.txt file under the folder where the script exists (y/n)?"
        if ($DidYouPlaceTheFile -eq 'y')
        {
            $testpath = Test-Path -Path "$scriptbase\WebapplicationList.txt"
            if ($testpath)
            {
                foreach ($webapplication in Get-Content "$scriptbase\WebapplicationList.txt")
                {
                    $webApp = Get-SPWebApplication $webapplication
                    Write-Host "Adding user or group $UserOrGroup to the webapplication $webapplication user policy and providing FULL CONTROL access" -fore yellow
                    # Create the policy entry (login name, display name), bind the special role, then save the change
                    $policy = $webApp.Policies.Add($UserOrGroup, $UserOrGroup)
                    $policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
                    $policy.PolicyRoleBindings.Add($policyRole)
                    $webApp.Update()
                    Write-Host "User or group $UserOrGroup added to the webapplication $webapplication" -fore green
                }
            }
            else
            {
                Write-Host "The file is not placed or it is incorrectly spelled" -fore cyan
            }
        }
        else
        {
            Write-Host "The user chose to exit.... Please try again after placing the file" -fore cyan
        }
    }
Function 2
The following piece of code helps you to provide “FULL READ” access:
    # $scriptbase is assumed to hold the folder that contains the script and is not set inside this function.
    Function FullRead()
    {
        $UserOrGroup = Read-Host "Enter the user or group for which you want to apply FULL READ (e.g. domain\user) "
        Write-Host "Place the WebapplicationList.txt file under the folder where the script exists" -fore Magenta
        $DidYouPlaceTheFile = Read-Host "Did you place the WebapplicationList.txt file under the folder where the script exists (y/n)?"
        if ($DidYouPlaceTheFile -eq 'y')
        {
            $testpath = Test-Path -Path "$scriptbase\WebapplicationList.txt"
            if ($testpath)
            {
                foreach ($webapplication in Get-Content "$scriptbase\WebapplicationList.txt")
                {
                    $webApp = Get-SPWebApplication $webapplication
                    Write-Host "Adding user or group $UserOrGroup to the webapplication $webapplication user policy and providing FULL READ access" -fore yellow
                    # Create the policy entry (login name, display name), bind the special role, then save the change
                    $policy = $webApp.Policies.Add($UserOrGroup, $UserOrGroup)
                    $policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
                    $policy.PolicyRoleBindings.Add($policyRole)
                    $webApp.Update()
                    Write-Host "User or group $UserOrGroup added to the webapplication $webapplication" -fore green
                }
            }
            else
            {
                Write-Host "The file is not placed or it is incorrectly spelled" -fore cyan
            }
        }
        else
        {
            Write-Host "The user chose to exit.... Please try again after placing the file" -fore cyan
        }
    }
Function 3
The following piece of code helps you to provide “DENY WRITE” access:
    # $scriptbase is assumed to hold the folder that contains the script and is not set inside this function.
    Function DenyWrite()
    {
        $UserOrGroup = Read-Host "Enter the user or group for which you want to apply DENY WRITE (e.g. domain\user) "
        Write-Host "Place the WebapplicationList.txt file under the folder where the script exists" -fore Magenta
        $DidYouPlaceTheFile = Read-Host "Did you place the WebapplicationList.txt file under the folder where the script exists (y/n)?"
        if ($DidYouPlaceTheFile -eq 'y')
        {
            $testpath = Test-Path -Path "$scriptbase\WebapplicationList.txt"
            if ($testpath)
            {
                foreach ($webapplication in Get-Content "$scriptbase\WebapplicationList.txt")
                {
                    $webApp = Get-SPWebApplication $webapplication
                    Write-Host "Adding user or group $UserOrGroup to the webapplication $webapplication user policy and providing DENY WRITE access" -fore yellow
                    # Create the policy entry (login name, display name), bind the special role, then save the change
                    $policy = $webApp.Policies.Add($UserOrGroup, $UserOrGroup)
                    $policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
                    $policy.PolicyRoleBindings.Add($policyRole)
                    $webApp.Update()
                    Write-Host "User or group $UserOrGroup added to the webapplication $webapplication" -fore green
                }
            }
            else
            {
                Write-Host "The file is not placed or it is incorrectly spelled" -fore cyan
            }
        }
        else
        {
            Write-Host "The user chose to exit.... Please try again after placing the file" -fore cyan
        }
    }
Function 4
The following piece of code helps you to provide “DENY ALL” access:
    # $scriptbase is assumed to hold the folder that contains the script and is not set inside this function.
    Function DenyAll()
    {
        $UserOrGroup = Read-Host "Enter the user or group for which you want to apply DENY ALL (e.g. domain\user) "
        Write-Host "Place the WebapplicationList.txt file under the folder where the script exists" -fore Magenta
        $DidYouPlaceTheFile = Read-Host "Did you place the WebapplicationList.txt file under the folder where the script exists (y/n)?"
        if ($DidYouPlaceTheFile -eq 'y')
        {
            $testpath = Test-Path -Path "$scriptbase\WebapplicationList.txt"
            if ($testpath)
            {
                foreach ($webapplication in Get-Content "$scriptbase\WebapplicationList.txt")
                {
                    $webApp = Get-SPWebApplication $webapplication
                    Write-Host "Adding user or group $UserOrGroup to the webapplication $webapplication user policy and providing DENY ALL access" -fore yellow
                    # Create the policy entry (login name, display name), bind the special role, then save the change
                    $policy = $webApp.Policies.Add($UserOrGroup, $UserOrGroup)
                    $policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
                    $policy.PolicyRoleBindings.Add($policyRole)
                    $webApp.Update()
                    Write-Host "User or group $UserOrGroup added to the webapplication $webapplication" -fore green
                }
            }
            else
            {
                Write-Host "The file is not placed or it is incorrectly spelled" -fore cyan
            }
        }
        else
        {
            Write-Host "The user chose to exit.... Please try again after placing the file" -fore cyan
        }
    }
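The four functions above differ only in the SPPolicyRoleType value they bind. The following is an added example, not part of the article's script: one parameterized function that restricts the role to those four values, skips web applications where the binding already exists, and supports -WhatIf and confirmation before a farm-wide change. The function name Set-WebAppUserPolicy and its parameter names are hypothetical, and it assumes the SharePoint snap-in is already loaded.

```powershell
# Added example. Set-WebAppUserPolicy, -UserOrGroup, -Role and -ListPath are hypothetical names.
# Assumes a farm server with the snap-in loaded: Add-PSSnapin Microsoft.SharePoint.PowerShell
function Set-WebAppUserPolicy {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$UserOrGroup,
        # Only the four roles the article covers are accepted
        [Parameter(Mandatory = $true)]
        [ValidateSet('FullControl', 'FullRead', 'DenyWrite', 'DenyAll')]
        [string]$Role,
        # Fail before touching the farm if the input file is missing
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$ListPath
    )
    $roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role
    # Ignore blank lines and stray whitespace in WebapplicationList.txt
    $entries = Get-Content -LiteralPath $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $webApp = Get-SPWebApplication $entry -ErrorAction SilentlyContinue
        if (-not $webApp) {
            Write-Warning "Skipping '$entry': web application not found"
            continue
        }
        # Existing policy entries for this account, compared as typed
        # (pass the name in the same form the web application stores it)
        $existing = @($webApp.Policies | Where-Object { $_.UserName -eq $UserOrGroup })
        $bound = @($existing | ForEach-Object { $_.PolicyRoleBindings } | ForEach-Object { $_.Type })
        if ($bound -contains $roleType) {
            Write-Verbose "'$entry' already binds $Role for $UserOrGroup"
            continue
        }
        # -WhatIf previews the change; ConfirmImpact High prompts before each write
        if ($PSCmdlet.ShouldProcess($entry, "Bind $Role policy role for $UserOrGroup")) {
            if ($existing.Count -gt 0) { $policy = $existing[0] }
            else { $policy = $webApp.Policies.Add($UserOrGroup, $UserOrGroup) }
            $policy.PolicyRoleBindings.Add($webApp.PolicyRoles.GetSpecialRole($roleType))
            $webApp.Update()
            # Emit a record of the change so the run can be logged or exported
            New-Object PSObject -Property @{
                WebApplication = $entry; User = $UserOrGroup
                Role = $Role; PreviousRoles = ($bound -join ',')
            }
        }
    }
}
```

Running it first with -WhatIf lists every web application that would change, and piping the output to Export-Csv keeps a record of what was granted or denied.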
Complete Code
Execution Procedure
Step 1: Download and copy the script to your SharePoint server. Populate the input file (WebapplicationList.txt) with the web application details and place it under the same location where the script exists.
Step 2: Navigate to the script path.
Step 3: Execute the script as in the following:
Enter option 1 or 2 or 3 or 4 to get the desired output.
Conclusion
Thus this article provides an outline for how to add users or groups to a web application's user policy using a PowerShell script.