
This script removes / adds / updates permissions of folders and libraries.

# ----------------------------------------------
# Author: Romain Blanchard
# Date: 04.02.2015
# Description: This script removes / adds / updates permissions of folders and libraries.
# ----------------------------------------------

# Parameters
param(
    # URL of the SharePoint web that owns the "MBD Documents" and "Archives"
    # libraries. Mandatory; an empty value is rejected before the script runs.
    [parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    $Url
)

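# Load the SharePoint snap-in (only if it is not already present in this session).
# Loading it with -ErrorAction Stop makes a missing snap-in fail here, with a clear
# message, instead of silently continuing into a Get-SPWeb call that cannot exist.
if ($null -eq (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}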

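# Initialize log file.
# The transcript is written to a temporary .txt in the current directory and
# renamed to .log at the end of the script. The day is zero-padded (dd, not d)
# so that file names sort chronologically.
$date = Get-Date -Format yyyy-MM-dd-HHmmss
$logfile = "MBD_RemoveUnwantedPermissions_tmp_" + $date + ".txt"
Start-Transcript -Path $logfile -Force | Out-Null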

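# Initialize variables
# -ErrorAction Stop: an unknown URL aborts here rather than producing a $null
# $oWeb that only fails later, half-way through the permission changes.
$oWeb = Get-SPWeb $Url -ErrorAction Stop
if ($null -eq $oWeb) {
    Stop-Transcript | Out-Null
    throw "No SPWeb found at '$Url'."
}
# Allow writes on this SPWeb instance; reset to $false at the end of the script.
# NOTE(review): this flag only matters when an HttpContext is present, so from a
# console it is presumably redundant — kept as in the original.
$oWeb.AllowUnsafeUpdates = $true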

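Write-Host ""
Write-Host "## Working on MBD Document ##"  -ForegroundColor Yellow
Write-Host ""

# Role definitions are looked up by type rather than by display name so the
# script also works on webs whose role names are localised ("Read" and
# "Full Control" are the English names of the Reader / Administrator types).
$readRole        = $oWeb.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
$fullControlRole = $oWeb.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Administrator)

## Update MBD Document library permissions ##
# For every sub-folder: each principal whose name contains "Approvers" but not
# the folder's own name loses its current permissions and gets Read instead.
$oDocLib = $oWeb.Lists["MBD Documents"]
if ($null -ne $oDocLib)
{
    foreach ($folder in $oDocLib.RootFolder.SubFolders)
    {
        # Skip hidden "Forms" folder
        if ($folder.Name -eq "Forms") { continue }

        # Work on all folders of the library
        Write-Host "Working on '$folder' folder..."  -ForegroundColor Yellow
        $item = $folder.Item
        # NOTE(review): unlike the Archives library below, role inheritance is not
        # broken for the folder here; if a folder still inherits, the Remove/Add
        # calls on its RoleAssignments will fail for that folder — confirm these
        # folders are expected to already carry unique permissions.

        # Escape the folder name so that '*', '?' or '[' inside it match literally.
        $folderFilter = "*" + [WildcardPattern]::Escape($folder.Name) + "*"

        # Snapshot the principals first: the collection is modified inside the loop.
        $members = @($item.RoleAssignments | ForEach-Object { $_.Member })
        foreach ($member in $members)
        {
            # Edit all principals whose name contains "Approvers", except the one
            # whose name contains the folder name.
            if ($member.Name -like $folderFilter -or $member.Name -notlike "*Approvers*") { continue }

            # Remove existing permissions
            Write-Host "    Remove permission for $($member.Name)..." -NoNewLine
            $item.RoleAssignments.Remove($member)
            Write-Host " done!" -ForegroundColor green

            # Add new permissions. The principal object from the old assignment is
            # reused directly: a SiteGroups[...] lookup is $null for a user (not a
            # group) and would throw after the old permission was already removed.
            Write-Host "    Add read permission for $($member.Name)..."  -NoNewLine
            $readAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($member)
            $readAssignment.RoleDefinitionBindings.Add($readRole)
            $item.RoleAssignments.Add($readAssignment)
            Write-Host " done!" -ForegroundColor green
        }
    }
}
else {
    Write-Host "MBD Document library cannot be found." -ForegroundColor Red
}

Write-Host ""
Write-Host "## Working on Archives ##"  -ForegroundColor Yellow
Write-Host ""

## Update Archives library permissions ##
# Every principal on the library is rewritten: names containing "Owners" get
# Full Control, everything else is reduced to Read.
$oArchives = $oWeb.Lists["Archives"]
if ($null -ne $oArchives)
{
    # Break inheritance copying the parent's assignments ($true), so that each
    # copied principal can then be rewritten below. Skipped when the library is
    # already unique (a second call adds nothing and is only noise in the log).
    if ($oArchives.HasUniqueRoleAssignments) {
        Write-Host "Library already has unique permissions; inheritance left as is."
    } else {
        Write-Host "Breaking role inheritance of the library..." -NoNewLine
        $oArchives.BreakRoleInheritance($true)
        Write-Host " done!" -ForegroundColor green
    }

    # NOTE(review): "*Owners*" is matched on the display name, so any principal
    # whose name merely contains "Owners" receives Full Control, and every other
    # principal copied from the parent (Members groups, individual users, ...) is
    # cut down to Read. Comparing against $oWeb.AssociatedOwnerGroup would be the
    # stricter test if only the site's owners group is meant.
    # Snapshot the principals first: the collection is modified inside the loop.
    $members = @($oArchives.RoleAssignments | ForEach-Object { $_.Member })
    foreach ($member in $members)
    {
        # Remove all group's permissions and give only read access, except for Owners group
        if ($member.Name -like "*Owners*") {
            $role  = $fullControlRole
            $label = "full"
        } else {
            $role  = $readRole
            $label = "read"
        }

        # Remove existing permissions
        Write-Host "    Remove permission for $($member.Name)..." -NoNewLine
        $oArchives.RoleAssignments.Remove($member)
        Write-Host " done!" -ForegroundColor green

        # Add the single replacement permission (principal reused, see above).
        Write-Host "    Add $label permission for $($member.Name)..."  -NoNewLine
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($member)
        $assignment.RoleDefinitionBindings.Add($role)
        $oArchives.RoleAssignments.Add($assignment)
        Write-Host " done!" -ForegroundColor green
    }
}
else {
    Write-Host "Archives library cannot be found." -ForegroundColor Red
}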

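# Set back options and release the SPWeb: SharePoint objects obtained through
# Get-SPWeb hold server resources and must be disposed explicitly.
$oWeb.AllowUnsafeUpdates = $false
$oWeb.Dispose()

# Write log file: rename the temporary transcript (.txt) to its final .log name.
# Move-Item keeps the file exactly as the transcript wrote it (Get-Content + '>'
# would re-encode it), and -Force overwrites a stale .log of the same name, as
# the previous '>' redirection did.
Stop-Transcript | Out-Null
Move-Item -Path $logfile -Destination ([IO.Path]::ChangeExtension($logfile, 'log')) -Force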