Copy Permission from windows authentication to LDAP Membership FBA
作者:互联网
在将Web Application 验证从windows authentication改成LDAP Membership FBA后,用PowerShell将Windows用户的权限复制到LDAP Membership用户
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue #Function to copy user permissions Function Copy-UserPermissions($SourceUserID, $TargetUserID, [Microsoft.SharePoint.SPSecurableObject]$Object) { #Determine the given Object type and Get URL of it Switch($Object.GetType().FullName) { "Microsoft.SharePoint.SPWeb" { $ObjectType = "Site" ; $ObjectURL = $Object.URL; $web = $Object } "Microsoft.SharePoint.SPListItem" { If($Object.Folder -ne $null) { $ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)"; $web = $Object.Web } Else { $ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" ; $web = $Object.Web } } #Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, Microsoft.SharePoint.SPPictureLibrary,etc Default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)"; $web = $Object.ParentWeb } } #Get Source and Target Users $SourceUser = $Web.EnsureUser($SourceUserID) $TargetUser = $Web.EnsureUser($TargetUserID) #Get Permissions of the Source user on given object - Such as: Web, List, Folder, ListItem $SourcePermissions = $Object.GetUserEffectivePermissionInfo($SourceUser) #Iterate through each permission and get the details ForEach($SourceRoleAssignment in $SourcePermissions.RoleAssignments) { #Get all permission levels assigned to User account directly or via SharePOint Group $SourceUserPermissions=@() ForEach($SourceRoleDefinition in $SourceRoleAssignment.RoleDefinitionBindings) { #Exclude "Limited Accesses" If($SourceRoleDefinition.Name -ne "Limited Access") { $SourceUserPermissions += $SourceRoleDefinition.Name } } #Check Source Permissions granted directly or through SharePoint Group If($SourceUserPermissions) { If($SourceRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup]) { $SourcePermissionType = "'Member of SharePoint Group - " + $SourceRoleAssignment.Member.Name +"'" #Add Target User to the Source User's Group #Get the Group $Group = [Microsoft.SharePoint.SPGroup]$SourceRoleAssignment.Member #Check if user is already member of the group - If not, Add to group if( ($Group.Users | where {$_.UserLogin -eq $TargetUserID}) -eq $null ) { #Add User to Group $Group.AddUser($TargetUser) #Write-Host Added to Group: $Group.Name } } else { $SourcePermissionType = "Direct Permission" #Add Each Direct permission (such as "Full Control", "Contribute") to Target User ForEach($NewRoleDefinition in $SourceUserPermissions) { #Role assignment is a linkage between User object and Role Definition $NewRoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($TargetUser) $NewRoleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$NewRoleDefinition]) $object.RoleAssignments.Add($NewRoleAssignment) $object.Update() } } $SourceUserPermissions = $SourceUserPermissions -join ";" Write-Host "***$($ObjectType) Permissions Copied: $($SourceUserPermissions) at $($ObjectURL) via $($SourcePermissionType)***" } } } Function Clone-SPUser($SourceUserID, $TargetUserID, $WebAppURL) { ###Check Whether the Source Users is a Farm Administrator ### # Write-host "Scanning Farm Administrators Group..." #Get the SharePoint Central Administration site # $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication} # $AdminSite = Get-SPWeb $AdminWebApp.Url # $AdminGroupName = $AdminSite.AssociatedOwnerGroup # $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName] # #Enumerate in farm adminidtrators groups # ForEach ($user in $FarmAdminGroup.users) # { # If($User.LoginName.Endswith($SourceUserID,1)) #1 to Ignore Case # { # #Add the target user to Farm Administrator Group # $FarmAdminGroup.AddUser($TargetUserID,"",$TargetUserID , "") # Write-Host "***Added to Farm Administrators Group!***" # } # } # ### Check Web Application User Policies ### Write-host "Scanning Web Application Policies..." $WebApp = Get-SPWebApplication $WebAppURL #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User # If( $WebApp.UseClaimsAuthentication) # { # $SourceUserID = (New-SPClaimsPrincipal -identity $SourceUserID -identitytype 1).ToEncodedString() # $ip = New-SPIdentityProvider -ASPNetMembershipProvider "membership" -ASPNetRoleProvider "rolemanager" # $TargetUserID = (New-SPClaimsPrincipal $TargetUserID -TrustedIdentityTokenIssuer $ip).ToEncodedString() # } Foreach ($Policy in $WebApp.Policies) { #Check if the search users is member of the group If($Policy.UserName.EndsWith($SourceUserID,1)) { #Write-Host $Policy.UserName $PolicyRoles=@() ForEach($Role in $Policy.PolicyRoleBindings) { $PolicyRoles+= $Role } } } #Add Each Policy found If($PolicyRoles) { $WebAppPolicy = $WebApp.Policies.Add($TargetUserID, $TargetUserID) ForEach($Policy in $PolicyRoles) { $WebAppPolicy.PolicyRoleBindings.Add($Policy) } $WebApp.Update() Write-host "***Added to Web application Policies!***" } ### Drill down to Site Collections, Webs, Lists & Libraries, Folders and List items ### #Get all Site collections of given web app $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All #Loop through all site collections Foreach($Site in $SiteCollections) { #Prepare the Target user $TargetUser = $Site.RootWeb.EnsureUser($TargetUserID) Write-host "Scanning Site Collection Administrators Group for:" $site.Url ###Check Whether the User is a Site Collection Administrator Foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators) { If($SiteCollAdmin.LoginName.EndsWith($SourceUserID,1)) { #Make the user as Site collection Admin $TargetUser.IsSiteAdmin = $true $TargetUser.Update() Write-host "***Added to Site Collection Admin Group***" } } #Get all webs $WebsCollection = $Site.AllWebs #Loop throuh each Site (web) Foreach($Web in $WebsCollection) { If($Web.HasUniqueRoleAssignments -eq $True) { Write-host "Scanning Site:" $Web.Url #Call the function to Copy Permissions to TargetUser Copy-UserPermissions $SourceUserID $TargetUserID $Web } #Check Lists with Unique Permissions Write-host "Scanning Lists on $($web.url)..." Foreach($List in $web.Lists) { If($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false)) { #Call the function to Copy Permissions to TargetUser Copy-UserPermissions $SourceUserID $TargetUserID $List } #Check Folders with Unique Permissions $UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True } #Get Folder permissions If($UniqueFolders) { Foreach($folder in $UniqueFolders) { #Call the function to Copy Permissions to TargetUser Copy-UserPermissions $SourceUserID $TargetUserID $folder } } #Check List Items with Unique Permissions $UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True } If($UniqueItems) { #Get Item level permissions Foreach($item in $UniqueItems) { #Call the function to Copy Permissions to TargetUser Copy-UserPermissions $SourceUserID $TargetUserID $Item } } } } } Write-Host "Permission are copied successfully!" } #Define variables for processing $WebAppURL = "http://WebApplicationURL/" #Provide input for source and Target user Ids $SourceUser ="i:0#.w|contoso\s.p" $TargetUser ="i:0#.f|membership|s.p" #Call the function to clone user access rights Clone-SPUser $SourceUser $TargetUser $WebAppURL
标签:Web,SharePoint,Group,TargetUserID,Permission,windows,Object,Get,Membership 来源: https://www.cnblogs.com/suif/p/11227716.html