PowerShell Script To Cleanup Site Collection Administrator

Objective

The purpose of this document is to describe the steps to clean up site collection administrators from the site collection administrator group using a PowerShell script. The reusable script for this job is also attached with this document.

This script offers

  • To read a set of site collections, which we want to exclude/include in this process, from a configurable XML file.
  • Configure a set of users with their login id, whom you want to remove from Site Collection Administrator group.

Business Case

S. No. | Business Case
1 | For several reasons (application troubleshooting, deployment, migration, testing, etc.) the SharePoint Support team requires access to PROD site collections. Most of the time we forget to revoke these users' access from PROD sites, which may result in an access matrix violation for the customer. However, there are some test site collections which we use for testing by the offshore development team, and we want the team to have access to only those test site collections. This script allows an administrator to do this job just by configuring the XML file.
 

Targeted Audience

  • SharePoint Application Developers
  • SharePoint Administrator
  • SharePoint Architect

Offerings

  • One reusable PowerShell script is provided which needs to be run to clean up a set of users from the site collection administrator group.
  • Format of XML file is provided where site collection (which you want to exclude/include) needs to be configured.
  • Configure a list of users with their login id in provided XML format.

Technical Details

Below are the technical details for this PowerShell script:

  1. Pre-requisites

    • Log in to the server with the Farm administrator account and copy the folder to the location where you want to keep it.

    • Open the folder and Configure XML file as per your requirement.
      <?xml version="1.0" encoding="utf-8" ?>
      <Configuration Environment="DEV" Version="1.0.0.0">
        <GlobalWebApplications>
          <GlobalWebApplication url="http://myWebApplication" SitesToExclude="False">
            <SiteCollections>
              <SiteCollection relativeURL="sites/TeamSite"></SiteCollection>
              <SiteCollection relativeURL="Sites/ProjectSite"></SiteCollection>
            </SiteCollections>
            <UsersToCleanup>
              <User UserLogin="i:0#.w|Domain\LoginId"></User>
              <User UserLogin="i:0#.w|Domain\LoginId"></User>
            </UsersToCleanup>
          </GlobalWebApplication>
        </GlobalWebApplications>
      </Configuration>

    As shown in the XML above:

    • Enter the Web Application URL.
    • Set the SitesToExclude attribute to True or False.

      • True

        Setting this attribute to True means the site collections configured below are excluded from this process. The cleanup activity will not touch these site collections; it runs on all other site collections of the web application.

      • False

        Setting this attribute to False means the site collections configured below are included in this process. The cleanup activity runs only on the site collections configured in the XML and leaves all other site collections untouched.

    • Configure the set of site collection relative URLs which you want to exclude from (or include in) this cleanup activity.
    • Configure a list of users which you want to cleanup from Site Collection Administrator group.

      Note:
      Name the file as Configuration.xml only.

  2. Execution

    Prerequisite:

    Log in to the SharePoint Server as Farm Administrator and copy the required files (PowerShell script and configuration XML). Configure the XML file as per your requirement.

    Run:

    • Run the PowerShell Script as “Run as Administrator“.

    • Browse to the folder path where you have kept this PowerShell script file and execute the script from there.

PowerShell Script

    ##########################################################################################################################
    ######## V 1.0
    ######## PowerShell Script to clean up not-required admins from Site Collections, as selected by the Config file
    ##########################################################################################################################

    # Check to see if the PowerShell snap-in is added
    if ((Get-PSSnapin | Where-Object { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }

    ## SharePoint DLL
    [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
    $global:currentPhysicalPath = Split-Path ((Get-Variable MyInvocation -Scope 0).Value).MyCommand.Path
    [xml]$xmlinput = (Get-Content "$global:currentPhysicalPath\Configuration.xml")

    #Region functions
    function Global_CleanUpAdminsFromSiteCollections([xml]$xmlinput)
    {
        foreach ($configWebApp in $xmlinput.Configuration.GlobalWebApplications.GlobalWebApplication)
        {
            $webApp = Get-SPWebApplication $configWebApp.url -ErrorAction SilentlyContinue
            $Choice = $configWebApp.SitesToExclude
            if ($webApp -eq $null)
            {
                Write-Host "Web Application at url : $($configWebApp.url) does not exist." -ForegroundColor Red
            }
            else
            {
                $AllSiteCollections = $webApp | Get-SPSite -Limit ALL
                if ($Choice.ToString().ToLower() -eq "true")
                {
                    # Exclude mode: start from every site collection and drop the configured ones.
                    # Only this web application's own <SiteCollections> and <UsersToCleanup> are read.
                    $SiteCollectionsToExclude = $AllSiteCollections
                    foreach ($siteColl in $configWebApp.SiteCollections.SiteCollection)
                    {
                        $SiteCollectionsToExclude = $SiteCollectionsToExclude | Where-Object { $_.Url -ne $($webApp.Url + $siteColl.relativeUrl) }
                    }

                    foreach ($UserID in $configWebApp.UsersToCleanup.User)
                    {
                        foreach ($SiteCollection in $SiteCollectionsToExclude)
                        {
                            # Remove Site Collection Admin function call
                            RemoveSiteCollAdmin $UserID.UserLogin $SiteCollection.Url
                        }
                    }
                }
                else
                {
                    $SiteCollectionsToInclude = @()
                    if ($Choice.ToString().ToLower() -eq "false")
                    {
                        # Include mode: keep only configured site collections that actually exist
                        foreach ($siteColl in $configWebApp.SiteCollections.SiteCollection)
                        {
                            foreach ($site in $AllSiteCollections)
                            {
                                if ($site.Url -eq $($webApp.Url + $siteColl.relativeUrl))
                                {
                                    $SiteCollectionsToInclude = $SiteCollectionsToInclude + $($webApp.Url + $siteColl.relativeUrl)
                                }
                            }
                        }

                        foreach ($UserID in $configWebApp.UsersToCleanup.User)
                        {
                            foreach ($SiteCollection in $SiteCollectionsToInclude)
                            {
                                # Remove Site Collection Admin function call
                                RemoveSiteCollAdmin $UserID.UserLogin $SiteCollection
                            }
                        }
                    }
                }
            }
        }
    }

    function RemoveSiteCollAdmin([string]$AdminID, [string]$SiteCollectionURL)
    {
        # Get the site collection object; suppress the error so the else branch reports a missing site
        $site = Get-SPSite $SiteCollectionURL -ErrorAction SilentlyContinue

        if ($site -ne $null)
        {
            Write-Host -ForegroundColor Magenta "Site" $site.Url "exists!"

            # Get the Admin to remove from Site collection Administrator Group
            $Account = $site.RootWeb.SiteAdministrators | Where-Object { $_.UserLogin -eq $AdminID }

            # If user account found
            if ($Account)
            {
                $Account.IsSiteAdmin = $false
                $Account.Update()
                Write-Host -ForegroundColor Green "$($AdminID) has been removed from Site Collection $($SiteCollectionURL) Administrator Group!"
            }
            else
            {
                Write-Host -ForegroundColor DarkMagenta "$($AdminID) Not found in Site Collection Administrator Group!"
            }

            # Release the SPSite object opened above
            $site.Dispose()
        }
        else
        {
            Write-Host -ForegroundColor Red "- Make sure you have typed the URL correctly. Site at" $SiteCollectionURL "does not exist."
        }
    }
    #EndRegion

    #Region function call
    #Start-Transcript -Path .\CleanUpAdminsFromSiteCollections_Output.txt
    Global_CleanUpAdminsFromSiteCollections $xmlinput
    #Stop-Transcript
    #EndRegion
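
Added example (not part of the original script): a dry-run planner that reads the same Configuration.xml format and lists which user would be removed from which site collection under the configured SitesToExclude mode, so the scope can be reviewed before the cleanup runs. The function name Get-CleanupPlan and the site URL list are assumptions for illustration; on a farm the list would come from Get-SPSite.

```powershell
# Dry run only: no SharePoint cmdlets are called and nothing is changed.
# The configuration and the site list below are constructed sample data.
[xml]$config = @'
<Configuration Environment="DEV" Version="1.0.0.0">
  <GlobalWebApplications>
    <GlobalWebApplication url="http://myWebApplication" SitesToExclude="True">
      <SiteCollections>
        <SiteCollection relativeURL="sites/TeamSite" />
        <SiteCollection relativeURL="Sites/ProjectSite" />
      </SiteCollections>
      <UsersToCleanup>
        <User UserLogin="i:0#.w|Domain\LoginId" />
      </UsersToCleanup>
    </GlobalWebApplication>
  </GlobalWebApplications>
</Configuration>
'@
# Stand-in for ($webApp | Get-SPSite -Limit ALL) URLs on a real farm (assumption).
$allSiteUrls = @('http://myWebApplication', 'http://myWebApplication/sites/TeamSite',
    'http://myWebApplication/sites/ProjectSite', 'http://myWebApplication/sites/Finance')

function Get-CleanupPlan {   # hypothetical helper name
    param([xml]$Config, [string[]]$SiteUrls)
    foreach ($wa in $Config.Configuration.GlobalWebApplications.GlobalWebApplication) {
        $mode = "$($wa.SitesToExclude)".Trim().ToLower()
        if (@('true', 'false') -notcontains $mode) {
            throw "SitesToExclude for $($wa.url) must be True or False, got '$mode'"
        }
        $base = $wa.url.TrimEnd('/')
        $listed = @($wa.SiteCollections.SiteCollection | Where-Object { $_ } |
            ForEach-Object { "$base/$($_.relativeURL.Trim('/'))" })
        $inScope = @($SiteUrls | Where-Object {
            $_ -eq $base -or $_.StartsWith("$base/", [StringComparison]::OrdinalIgnoreCase) })
        # A mistyped URL in exclude mode silently leaves that site in the cleanup scope.
        $listed | Where-Object { $inScope -notcontains $_ } |
            ForEach-Object { Write-Warning "Configured site not found, check for a typo: $_" }
        if ($mode -eq 'true') { $targets = @($inScope | Where-Object { $listed -notcontains $_ }) }
        else                  { $targets = @($inScope | Where-Object { $listed -contains $_ }) }
        foreach ($site in $targets) {
            foreach ($user in $wa.UsersToCleanup.User) {
                New-Object PSObject -Property @{ Mode = $mode; Site = $site; UserLogin = $user.UserLogin }
            }
        }
    }
}

Get-CleanupPlan -Config $config -SiteUrls $allSiteUrls | Format-Table Site, UserLogin, Mode -AutoSize
```

With the sample data in exclude mode, the plan lists the root site collection and sites/Finance, which shows that every unlisted site collection of the web application falls inside the cleanup scope.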