系统相关
首页 > 系统相关> > Copy Permission from windows authentication to LDAP Membership FBA

Copy Permission from windows authentication to LDAP Membership FBA

作者:互联网

  在将Web Application 验证从windows authentication改成LDAP Membership FBA后,用PowerShell将Windows用户的权限复制到LDAP Membership用户  
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
   
#Function to copy user permissions 
Function Copy-UserPermissions($SourceUserID, $TargetUserID, [Microsoft.SharePoint.SPSecurableObject]$Object)
{
    #Determine the given Object type and Get URL of it
    Switch($Object.GetType().FullName)
    {
        "Microsoft.SharePoint.SPWeb"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL; $web = $Object }
        "Microsoft.SharePoint.SPListItem"
        { 
            If($Object.Folder -ne $null)
            {
                $ObjectType = "Folder" ; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)"; $web = $Object.Web
            }
            Else
            {
                $ObjectType = "List Item"; $ObjectURL = "$($Object.Web.Url)/$($Object.Url)" ; $web = $Object.Web
            }
        }
        #Microsoft.SharePoint.SPList, Microsoft.SharePoint.SPDocumentLibrary, Microsoft.SharePoint.SPPictureLibrary,etc
        Default { $ObjectType = "List/Library"; $ObjectURL = "$($Object.ParentWeb.Url)/$($Object.RootFolder.URL)"; $web = $Object.ParentWeb }
    }
   
    #Get Source and Target Users
    $SourceUser = $Web.EnsureUser($SourceUserID)
    $TargetUser = $Web.EnsureUser($TargetUserID)
  
    #Get Permissions of the Source user on given object - Such as: Web, List, Folder, ListItem
    $SourcePermissions = $Object.GetUserEffectivePermissionInfo($SourceUser)
   
    #Iterate through each permission and get the details
    ForEach($SourceRoleAssignment in $SourcePermissions.RoleAssignments)
    {
        #Get all permission levels assigned to User account directly or via SharePOint Group
        $SourceUserPermissions=@()
        ForEach($SourceRoleDefinition in $SourceRoleAssignment.RoleDefinitionBindings)
        {
            #Exclude "Limited Accesses"
            If($SourceRoleDefinition.Name -ne "Limited Access")
            {
                $SourceUserPermissions += $SourceRoleDefinition.Name
            }
        }
 
        #Check Source Permissions granted directly or through SharePoint Group
        If($SourceUserPermissions)
        {
            If($SourceRoleAssignment.Member -is [Microsoft.SharePoint.SPGroup])
            {
                $SourcePermissionType = "'Member of SharePoint Group - " + $SourceRoleAssignment.Member.Name +"'"      
                #Add Target User to the Source User's Group
                #Get the Group
                $Group = [Microsoft.SharePoint.SPGroup]$SourceRoleAssignment.Member
         
                #Check if user is already member of the group - If not, Add to group
                if( ($Group.Users | where {$_.UserLogin -eq $TargetUserID}) -eq $null )
                {
                    #Add User to Group
                    $Group.AddUser($TargetUser)
                    #Write-Host Added to Group: $Group.Name
                }
            }
            else
            {
                $SourcePermissionType = "Direct Permission"      
                #Add Each Direct permission (such as "Full Control", "Contribute") to Target User
                ForEach($NewRoleDefinition in $SourceUserPermissions)
                {
                    #Role assignment is a linkage between User object and Role Definition
                    $NewRoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($TargetUser)
                    $NewRoleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$NewRoleDefinition])
  
                    $object.RoleAssignments.Add($NewRoleAssignment)
                    $object.Update()
                }
            }
            $SourceUserPermissions = $SourceUserPermissions -join ";"
            Write-Host "***$($ObjectType) Permissions Copied: $($SourceUserPermissions) at $($ObjectURL) via $($SourcePermissionType)***"
        }
    }
}
   
Function Clone-SPUser($SourceUserID, $TargetUserID, $WebAppURL)
{


    ###Check Whether the Source Users is a Farm Administrator ###
    # Write-host "Scanning Farm Administrators Group..."
    #Get the SharePoint Central Administration site
    # $AdminWebApp = Get-SPwebapplication -includecentraladministration | where {$_.IsAdministrationWebApplication}
    # $AdminSite = Get-SPWeb $AdminWebApp.Url
    # $AdminGroupName = $AdminSite.AssociatedOwnerGroup
    # $FarmAdminGroup = $AdminSite.SiteGroups[$AdminGroupName]
  
    # #Enumerate in farm adminidtrators groups
    # ForEach ($user in $FarmAdminGroup.users)
    # {
    #     If($User.LoginName.Endswith($SourceUserID,1)) #1 to Ignore Case
    #     {
    #         #Add the target user to Farm Administrator Group
    #         $FarmAdminGroup.AddUser($TargetUserID,"",$TargetUserID , "")
    #         Write-Host "***Added to Farm Administrators Group!***"
    #     }
    # }
       
    # ### Check Web Application User Policies ###
    Write-host "Scanning Web Application Policies..."
    $WebApp = Get-SPWebApplication $WebAppURL
    
    #Convert UserID Into Claims format - If WebApp is claims based! Domain\User to i:0#.w|Domain\User
    # If( $WebApp.UseClaimsAuthentication)
    # {
    #     $SourceUserID = (New-SPClaimsPrincipal -identity $SourceUserID -identitytype 1).ToEncodedString()
    #     $ip = New-SPIdentityProvider -ASPNetMembershipProvider "membership" -ASPNetRoleProvider "rolemanager"
    #     $TargetUserID = (New-SPClaimsPrincipal $TargetUserID -TrustedIdentityTokenIssuer $ip).ToEncodedString()
    # }
    


    Foreach ($Policy in $WebApp.Policies)
    {
        #Check if the search users is member of the group
        If($Policy.UserName.EndsWith($SourceUserID,1))
        {
            #Write-Host $Policy.UserName
            $PolicyRoles=@()
            ForEach($Role in $Policy.PolicyRoleBindings)
            {
                $PolicyRoles+= $Role
            }
        }
    }
    #Add Each Policy found
    If($PolicyRoles)
    {
        $WebAppPolicy = $WebApp.Policies.Add($TargetUserID, $TargetUserID)
        ForEach($Policy in $PolicyRoles)
        {
            $WebAppPolicy.PolicyRoleBindings.Add($Policy)
        }
        $WebApp.Update()
        Write-host "***Added to Web application Policies!***"
    }
     
    ### Drill down to Site Collections, Webs, Lists & Libraries, Folders and List items ###
    #Get all Site collections of given web app
    $SiteCollections = Get-SPSite -WebApplication $WebAppURL -Limit All
   
 
    #Loop through all site collections 
    Foreach($Site in $SiteCollections)
    {
        #Prepare the Target user 
        $TargetUser = $Site.RootWeb.EnsureUser($TargetUserID)
    
        Write-host "Scanning Site Collection Administrators Group for:" $site.Url
        ###Check Whether the User is a Site Collection Administrator
        Foreach($SiteCollAdmin in $Site.RootWeb.SiteAdministrators)
        {
            If($SiteCollAdmin.LoginName.EndsWith($SourceUserID,1))
            {
                #Make the user as Site collection Admin
                $TargetUser.IsSiteAdmin = $true
                $TargetUser.Update()
                Write-host "***Added to Site Collection Admin Group***"
            }
        }
  
        #Get all webs
        $WebsCollection = $Site.AllWebs
        #Loop throuh each Site (web)
        Foreach($Web in $WebsCollection)
        {
            If($Web.HasUniqueRoleAssignments -eq $True)
            {
                Write-host "Scanning Site:" $Web.Url
        
                #Call the function to Copy Permissions to TargetUser
                Copy-UserPermissions $SourceUserID $TargetUserID $Web 
            }
  
            #Check Lists with Unique Permissions
            Write-host "Scanning Lists on $($web.url)..."
            Foreach($List in $web.Lists)
            {
                If($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
                {
                    #Call the function to Copy Permissions to TargetUser
                    Copy-UserPermissions $SourceUserID $TargetUserID $List
                }
 
                #Check Folders with Unique Permissions
                $UniqueFolders = $List.Folders | where { $_.HasUniqueRoleAssignments -eq $True }
                #Get Folder permissions
                If($UniqueFolders)
                {
                    Foreach($folder in $UniqueFolders)
                    {
                        #Call the function to Copy Permissions to TargetUser
                        Copy-UserPermissions $SourceUserID $TargetUserID $folder   
                    }
                }
       
                #Check List Items with Unique Permissions
                $UniqueItems = $List.Items | where { $_.HasUniqueRoleAssignments -eq $True }
                If($UniqueItems)
                {
                    #Get Item level permissions
                    Foreach($item in $UniqueItems)
                    {
                        #Call the function to Copy Permissions to TargetUser
                        Copy-UserPermissions $SourceUserID $TargetUserID $Item
                    }
                }
            }
        }
    }
    Write-Host "Permission are copied successfully!"
}
 
#Define variables for processing
$WebAppURL = "http://WebApplicationURL/"
 
#Provide input for source and Target user Ids
$SourceUser ="i:0#.w|contoso\s.p"
$TargetUser ="i:0#.f|membership|s.p"
 
#Call the function to clone user access rights
Clone-SPUser $SourceUser $TargetUser $WebAppURL

  

标签:Web,SharePoint,Group,TargetUserID,Permission,windows,Object,Get,Membership
来源: https://www.cnblogs.com/suif/p/11227716.html