Use PowerShell to Set Permissions on All SharePoint Libraries, Folders and Files

When you work with SharePoint permissions, you quickly figure out that you want to touch them as little as possible. As with a lot of things in SharePoint, permissions inherit top down. This means it’s a best practice to use that inheritance as much as possible.

But invariably there will be times when you have to break that inheritance and set unique permissions.  Sooner or later, you might need to change those permissions en masse, but you have 30 libraries, and in each library you have multiple folders and files.  All with broken permissions! 

We can turn to our good friend PowerShell to make this an easy task. This applies to on-premises SharePoint, BUT it is possible with SharePoint Online as well, potentially made much easier using the PnP PowerShell commands.

Our Scenario

For example, let’s say you have a SharePoint site for tracking your company’s budget process. On this site, you create a document library for each main department, then in those libraries you create folders for each departmental code. Inside those folders are the actual budget Excel files. It’s critical that each granular department can only edit its own budget files.

SharePoint Budget library files

Well, during the budget process, for a period of time we need to lock down all the permissions to read-only while things are being reviewed and submitted.

One option would be to just reset permission inheritance at the site level, then define a limited group of a few users in Finance with access. But that would mean the users couldn’t read; they would lose all access.

Another option is to use a 3rd-party tool to back up the permissions before we make any changes, then use a script to change them, then use this same tool to restore them. One tool is called Quest Site Administrator, which comes with a tool called Security Explorer. This allows us to click the site, and it will back up all the permissions of every object below it. This has saved my bacon more than once.

Quest Security Explorer - Backup permissions

The Script

Per our requirement, I had 2 main goals for our budget site and tons of unique permissions:

  1. For every library, folder and file in our site, keep the permission entries the way they are, but reset the permission each existing group had from anything to Read.
  2. For every object with custom permissions, add in a SharePoint group called “Budgets Lockdown” with Full Control.

Let’s take a look at the script.  Click HERE to download it, save as PS1 instead of TXT.

I’ve got 2 helper functions that do the heavy lifting of actually changing permissions. The function FixPerms checks all permissions on whatever object we pass in (library, folder, file, etc.); for each entry in those permissions, it removes the permissions that entry has and adds the Read permission. The AddGroup function just adds the SP group called Budgets Lockdown to the permissions with Full Control.

Helper functions

The next thing we do is build an array of library/list names that we want to exclude from our permission changes.  So any list or library name in this list will be excluded, and won’t have any changes made.  This is basically a list of all system libraries.

excluded library array

Now, we just need to do our foreach checks.  We start at the subsite level, then check all libraries, then check all folders in that library, then check all files in those folders.  For each object found, change the permission to Read, and add the group with Full Control (by calling our functions).


There are a couple little tricks I want to call out here, for the folders.  People think you have to navigate the folder hierarchy (get parent folder, check for child subfolders, check for subfolder in that folder, etc).  You don’t!  On the library, there’s an object called .folders that will give you a flat list of all subfolders in the library, regardless of hierarchy (line 48).  Awesome!
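A sketch of the approach described above, written for this page as an added example; it is not the author's downloadable script. It goes slightly beyond the description by defaulting to report-only mode and by skipping entries that hold only Limited Access. The site URL, the excluded-library sample, the `$apply` switch and the `LockDown` helper are assumptions introduced for illustration.

```powershell
# Added example (not the original script); run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'https://sharepoint.example.com/sites/budget'   # placeholder URL
$groupName = 'Budgets Lockdown'
$excluded  = @('Style Library', 'Site Assets', 'Site Pages', 'Form Templates')  # sample subset
$apply     = $false   # assumption: $false = report only, $true = change permissions

function FixPerms($obj, $web) {
    $read = $web.RoleDefinitions['Read']
    # Copy to an array first so updates do not disturb the enumeration
    foreach ($ra in @($obj.RoleAssignments)) {
        if ($ra.Member.Name -eq $groupName) { continue }   # leave the lockdown group alone
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        # Assumption: entries holding only Limited Access are skipped, so that
        # pass-through access is not raised to Read
        if ($levels.Count -eq 1 -and $levels[0] -eq 'Limited Access') { continue }
        $ra.RoleDefinitionBindings.RemoveAll()
        $ra.RoleDefinitionBindings.Add($read)
        $ra.Update()
    }
}

function AddGroup($obj, $web) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($web.SiteGroups[$groupName])
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions['Full Control'])
    $obj.RoleAssignments.Add($ra)
}

function LockDown($obj, $label, $web) {   # hypothetical wrapper around the two helpers
    if (-not $obj.HasUniqueRoleAssignments) { return }   # inherited: the parent covers it
    Write-Output "unique permissions: $label"
    if ($apply) { FixPerms $obj $web; AddGroup $obj $web }
}

$web = Get-SPWeb $siteUrl
try {
    $libraries = @($web.Lists | Where-Object {
        $_.BaseType -eq 'DocumentLibrary' -and $excluded -notcontains $_.Title })
    foreach ($list in $libraries) {
        LockDown $list "library $($list.Title)" $web
        # .Folders and .Items are flat collections covering the whole library
        foreach ($folder in @($list.Folders)) { LockDown $folder "folder $($folder.Url)" $web }
        foreach ($file in @($list.Items))     { LockDown $file "file $($file.Url)" $web }
    }
}
finally { $web.Dispose() }
```

With `$apply` left at `$false`, the output is the list of objects with broken inheritance, which is worth reviewing next to the permission backup before anything is changed.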