SharePoint direct access replacement

Anonymous
2023-10-16T13:56:23+00:00

I have an issue that users are breaking the inheritance on the folder and providing direct access to the files and folder. Is there a PowerShell script to run to replace the user with another user?

Example:

User is the only one that has access to the folder, need to replace the user with a new employee.

  1. Anonymous
    2023-10-16T17:42:33+00:00

    Hi Jaime,

    Thanks for posting in the community. We are happy to help you.

    Regarding your query, yes, there are PowerShell scripts that can achieve your needs. However, the process should actually be two parts, not replacing the user's permission directly. Part 1 is to remove this user's permission for the folder (including permission for sub-folders and files). Part 2 is to grant the permissions to the new user for the folder.

    As the situation happens only with one user and one folder, it is simple to manually replace the user's permissions. The site owner can go to the library/list, select the folder, click three points, Manage Access, click the three points in the upper right corner of the window, Advanced settings, click "Stop Inheriting Permissions", tick the user and select "Remove User Permissions". After that, please click "Grant Permissions" to grant permissions to the new user.

    If you prefer to run the PowerShell scripts, please try the following scripts. The following scripts are from a 3rd-party website called "SharePoint Diary".

    Remove User from folder permissions using PowerShell

    #Load SharePoint CSOM Assemblies
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

    Function Remove-SPOUserPermissionsFromList()
    {
        param
        (
            [Parameter(Mandatory=$true)] [string] $SiteURL,
            [Parameter(Mandatory=$true)] [string] $FolderURL,
            [Parameter(Mandatory=$true)] [string] $UserAccount
        )
        Try {
            #Get credentials to connect
            $Cred = Get-Credential
            $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

            #Setup the context
            $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
            $Ctx.Credentials = $Credentials
            $Web = $Ctx.Web

            #Get the Folder
            $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
            $Ctx.Load($Folder)
            $Ctx.ExecuteQuery()

            #Break permission inheritance - copy the existing role assignments ($True)
            #and leave unique permissions on child items in place ($False)
            $Folder.ListItemAllFields.BreakRoleInheritance($True,$False)
            $Ctx.ExecuteQuery()
            Write-Host -f Yellow "Folder's Permission inheritance broken..."

            #Get the SharePoint User object from the site
            $User = $Web.EnsureUser($UserAccount)
            $Ctx.Load($User)

            #Get permissions assigned to the folder
            $Ctx.Load($Folder.ListItemAllFields.RoleAssignments)
            $Ctx.ExecuteQuery()

            #Check if the user has permission on the folder
            [Bool]$UserFound = $False
            ForEach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
            {
                $Ctx.Load($RoleAssignment.Member)
                $Ctx.ExecuteQuery()

                #Remove user permission from folder
                If($RoleAssignment.Member.LoginName -eq $User.LoginName)
                {
                    $Folder.ListItemAllFields.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    $Ctx.ExecuteQuery()
                    $UserFound = $True
                    Write-Host "User Permissions Removed from the List Successfully!" -ForegroundColor Green
                }
            }

            #If user doesn't exist in the folder permissions
            If($UserFound -eq $False) { Write-Host "User Not found in List Permissions!" -ForegroundColor Red }
        }
        Catch {
            Write-Host -f Red "Error Removing permissions from the Folder!" $_.Exception.Message
        }
    }

    #Config Variables
    $SiteURL="https://crescent.sharepoint.com"
    $FolderURL="/Project Docs/Active"
    $UserAccount="******@Crescent.com"

    #Call the function to remove user permissions from the folder
    Remove-SPOUserPermissionsFromList -SiteURL $SiteURL -FolderURL $FolderURL -UserAccount $UserAccount

    PowerShell to change folder level permissions SharePoint Online:

    #Load SharePoint CSOM Assemblies
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

    #Variables
    $SiteURL="https://crescent.sharepoint.com" #Or https://crescent.sharepoint.com/sites/Marketing
    $FolderURL="/Project Documents/Active" #Or /sites/Marketing/Project Documents/Active - Server Relative URL of the Folder!
    $GroupName="Team Site Members"
    $UserAccount="******@crescent.com"
    $PermissionLevel="Edit"

    Try {
        $Cred = Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        $Web = $Ctx.Web

        #Get the Folder
        $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()

        #Break permission inheritance of the folder - do not copy the parent's role
        #assignments ($False) and clear unique permissions on child items ($True)
        $Folder.ListItemAllFields.BreakRoleInheritance($False,$True)
        $Ctx.ExecuteQuery()
        Write-Host -f Yellow "Folder's Permission inheritance broken..."

        #Get the SharePoint Group & User
        $Group = $Web.SiteGroups.GetByName($GroupName)
        $User = $Web.EnsureUser($UserAccount)
        $Ctx.Load($Group)
        $Ctx.Load($User)
        $Ctx.ExecuteQuery()

        #Get the role (permission level) required
        $Role = $Web.RoleDefinitions.GetByName($PermissionLevel)
        $RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
        $RoleDB.Add($Role)

        #Add the SharePoint Online group to the folder
        $GroupPermissions = $Folder.ListItemAllFields.RoleAssignments.Add($Group,$RoleDB)

        #Add the user to the folder
        $UserPermissions = $Folder.ListItemAllFields.RoleAssignments.Add($User,$RoleDB)
        $Folder.Update()
        $Ctx.ExecuteQuery()
        Write-Host "Permission Granted Successfully!" -ForegroundColor Green
    }
    Catch {
        Write-Host -f Red "Error Granting permission to Folder!" $_.Exception.Message
    }

    We look forward to your response. Thanks for your cooperation.

    Sincerely,

    George | Microsoft Community Moderator
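
The two parts described in the answer above can be combined so that the new user receives exactly the permission levels the old user held directly on the folder, with the old user removed only after the grant succeeds. This is an added example, not part of the original answer or the SharePoint Diary scripts; the function name `Copy-SPOFolderAccess` and its parameters are hypothetical, and it assumes the CSOM assemblies are loaded and `$Ctx` is an authenticated `ClientContext` created as in the scripts above.

```powershell
# Added example. Assumes the CSOM assemblies are loaded and $Ctx is an authenticated
# ClientContext, both set up as in the scripts above. The function name is hypothetical.
Function Copy-SPOFolderAccess {
    param(
        [Parameter(Mandatory=$true)] [Microsoft.SharePoint.Client.ClientContext] $Ctx,
        [Parameter(Mandatory=$true)] [string] $FolderURL,       # server-relative URL
        [Parameter(Mandatory=$true)] [string] $OldUserAccount,
        [Parameter(Mandatory=$true)] [string] $NewUserAccount
    )
    $Item    = $Ctx.Web.GetFolderByServerRelativeUrl($FolderURL).ListItemAllFields
    $OldUser = $Ctx.Web.EnsureUser($OldUserAccount)
    $NewUser = $Ctx.Web.EnsureUser($NewUserAccount)
    $Item.Retrieve("HasUniqueRoleAssignments")   # not loaded by default
    $Ctx.Load($Item.RoleAssignments)
    $Ctx.Load($OldUser)
    $Ctx.Load($NewUser)
    $Ctx.ExecuteQuery()
    # A folder that still inherits has no direct grants of its own; leave inheritance intact
    If (-not $Item.HasUniqueRoleAssignments) { Write-Host -f Yellow "Folder inherits permissions; nothing to replace."; Return }
    # Find the old user's direct role assignment on the folder
    $OldAssignment = $null
    ForEach ($RA in $Item.RoleAssignments) {
        $Ctx.Load($RA.Member)
        $Ctx.Load($RA.RoleDefinitionBindings)
        $Ctx.ExecuteQuery()
        If ($RA.Member.LoginName -eq $OldUser.LoginName) { $OldAssignment = $RA; Break }
    }
    If ($null -eq $OldAssignment) {
        Write-Host -f Red "No direct assignment for $OldUserAccount on $FolderURL"
        Return
    }
    # Copy the same permission levels; "Limited Access" (RoleType Guest) is system-managed
    $Bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
    $Kept = 0
    ForEach ($Role in $OldAssignment.RoleDefinitionBindings) {
        If ($Role.RoleTypeKind -ne [Microsoft.SharePoint.Client.RoleType]::Guest) {
            $Bindings.Add($Ctx.Web.RoleDefinitions.GetById($Role.Id)); $Kept++
        }
    }
    If ($Kept -eq 0) { Write-Host -f Yellow "Old user holds only Limited Access; nothing to copy."; Return }
    # Grant first, revoke second: if the grant throws, the old access is still in place
    [void]$Item.RoleAssignments.Add($NewUser, $Bindings)
    $Ctx.ExecuteQuery()
    $Item.RoleAssignments.GetByPrincipal($OldUser).DeleteObject()
    $Ctx.ExecuteQuery()
    Write-Host -f Green "Replaced $OldUserAccount with $NewUserAccount on $FolderURL"
}
```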
