Tuesday, January 10, 2012

Add a SharePoint or AD group/user to all sites in a site collection using PowerShell

PowerShell script:

function AddAccountToAllSites ($siteURL, $accountName, $permLevel, [switch]$skipRootSite, $newGroupDescription)
{
    #Get Site Collection
    $site = Get-SPSite $siteURL

    #Check if the accountName variable contains a slash - if so, it is an AD account
    #If not, it is a SharePoint Group
    $rootWeb = $site.RootWeb
    if ($accountName.Contains("\")) { $account = $rootWeb.EnsureUser($accountName) }
    else {
        #If the SharePoint Group does not exist, create it with the name and description specified
        #The account running the script becomes the new group's owner and its default (first) member
        if (!$rootWeb.SiteGroups[$accountName])
        {
            $rootWeb.SiteGroups.Add($accountName, $rootWeb.CurrentUser, $rootWeb.CurrentUser, $newGroupDescription)
        }
        $account = $rootWeb.SiteGroups[$accountName]
    }
    $rootWeb.Dispose()

    #Step through each site in the site collection
    $site | Get-SPWeb -limit all | ForEach-Object {

        #Check if the user has chosen to skip the root site - if so, do not change permissions on it
        if (($skipRootSite) -and ($site.Url -eq $_.Url)) { write-host "Root site" $_.Url "will be bypassed" }
        else {
            #Check if the current site is inheriting permissions from its parent
            #If not, set permissions on current site (sites that inherit receive the permission via their parent)
            if ($_.HasUniqueRoleAssignments) {

                #Bind the named permission level (e.g. "Read", "Contribute") to the account on this site
                $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
                $role = $_.RoleDefinitions[$permLevel]
                $assignment.RoleDefinitionBindings.Add($role)
                $_.RoleAssignments.Add($assignment)

                write-host "Account" $accountName "added to site" $_.Url "with" $permLevel "permissions."
            }
            else {
                write-host "Site" $_.Url "will not be modified as it inherits permissions from a parent site."
            }
        }
    }
    #Display completion message and dispose of site object
    write-host "Operation Complete."
    $site.Dispose()
}

Once the script has been run (which loads the function into your SharePoint Management Shell session), you can assign permissions across your site collection by calling the function. Here are some scenarios:

  • Add the Active Directory user PACDOMAIN\Phil to all sites except the root site and assign Read permissions to them:

AddAccountToAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" -permLevel "Read" -skipRootSite

  • Add the Active Directory user PACDOMAIN\Phil to all sites including the root site and assign Read permissions to them:

AddAccountToAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" -permLevel "Read"

  • Add the Active Directory group PACDOMAIN\Portal Users to all sites including the root site and assign Read permissions to it:

AddAccountToAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Portal Users" -permLevel "Read"

  • Add the SharePoint group “Test Group” to all sites except the root site and assign Full Control permissions to it. I am also assuming that this group has already been created in the site collection:

AddAccountToAllSites -siteURL "http://portal" -accountName "Test Group" -permLevel "Full Control" -skipRootSite

  • Add the SharePoint group “Test New Group” to all sites except the root site and assign Contribute permissions to it. This time I would like to create the group in the site collection as it doesn’t currently exist, and so I am also specifying the group description to be used during creation:

AddAccountToAllSites -siteURL "http://portal" -accountName "Test New Group" -permLevel "Contribute" -skipRootSite -newGroupDescription "This is a test group"
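Because the function above grants rights in bulk, it is worth checking afterwards exactly where the account ended up and which sites with unique permissions it did not reach (for example, sites created after the script ran). The companion function below is an added example and is not part of the original post: it walks the same site collection but modifies nothing, returning one object per site with the permission levels the AD account or SharePoint group holds there. The function name, the column names and the handling of claims-encoded login names (the "i:0#.w|" style prefix, compared by taking the text after the last "|") are my own choices; it assumes the same SharePoint Management Shell environment as the script above.

```powershell
function Get-AccountPermissionsInAllSites ($siteURL, $accountName)
{
    # Added example (not from the original post): report, for every site in the site
    # collection, whether it has unique permissions and which permission levels the
    # given AD account or SharePoint group holds there. Nothing is modified.
    $site = Get-SPSite $siteURL

    $site | Get-SPWeb -Limit All | ForEach-Object {
        $web = $_

        # Find the role assignment for the account. AD accounts are matched on login name;
        # with claims authentication the login name carries a prefix such as "i:0#.w|",
        # so only the part after the last "|" is compared. SharePoint groups are matched on name.
        $assignment = $web.RoleAssignments | Where-Object {
            ($_.Member -is [Microsoft.SharePoint.SPUser] -and
                (($_.Member.LoginName -split '\|')[-1] -ieq $accountName)) -or
            ($_.Member -is [Microsoft.SharePoint.SPGroup] -and ($_.Member.Name -ieq $accountName))
        } | Select-Object -First 1

        # Collect the names of the permission levels bound to that assignment, if any.
        # For a site that inherits, RoleAssignments reflects what it inherits from its parent.
        $levels = @()
        if ($assignment) {
            $levels = @($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name })
        }

        New-Object PSObject -Property @{
            Url               = $web.Url
            UniquePermissions = $web.HasUniqueRoleAssignments
            PermissionLevels  = ($levels -join ", ")
        }
    } | Select-Object Url, UniquePermissions, PermissionLevels

    $site.Dispose()
}

# Usage: first list what the account holds on every site, then list the sites with
# unique permissions where it holds nothing (i.e. sites the bulk grant did not reach).
Get-AccountPermissionsInAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" |
    Format-Table -AutoSize
Get-AccountPermissionsInAllSites -siteURL "http://portal" -accountName "PACDOMAIN\Phil" |
    Where-Object { $_.UniquePermissions -and -not $_.PermissionLevels } |
    Format-Table -AutoSize
```

The function emits objects rather than text, so the result can also be piped to Export-Csv to keep a record of the permission state before and after a bulk change, which makes it straightforward to see what the grant (or a later clean-up) actually altered.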