Check SharePoint 2010 anonymous permissions

Great PowerShell script for checking the state of SharePoint anonymous permissions from Russ Maxwell at Microsoft:

SharePoint PowerShell Script Series Part 6 – Is Anonymous Access Enabled?

Note:  This PowerShell script is tested only on SharePoint 2010

Instructions for running the script:

1. Copy the below script and save it in notepad
2. Save it with a .ps1 extension (for example, anyfilename.ps1)
3. To run, copy the file to a SharePoint Server
4. Select Start\Microsoft SharePoint 2010 Products\SharePoint 2010 Management Shell
5. Browse to directory holding the copied script file
6. Run the script: .\anyfilename.ps1 (assuming anyfilename is the name of the file)

<# ==============================================================
//
// Microsoft provides programming examples for illustration only,
// without warranty either expressed or implied, including, but not
// limited to, the implied warranties of merchantability and/or
// fitness for a particular purpose.
//
// This sample assumes that you are familiar with the programming
// language being demonstrated and the tools used to create and debug
// procedures. Microsoft support professionals can help explain the
// functionality of a particular procedure, but they will not modify
// these examples to provide added functionality or construct
// procedures to meet your specific needs. If you have limited
// programming experience, you may want to contact a Microsoft
// Certified Partner or the Microsoft fee-based consulting line at
// (800) 936-5200.
//
// For more information about Microsoft Certified Partners, please
// visit the following Microsoft Web site:
// https://partner.microsoft.com/global/30000104
//
// Author: Russ Maxwell (russmax@microsoft.com)
//
// ---------------------------------------------------------- #>
# Load the SharePoint server object model; the Assembly object that the call
# returns is discarded so nothing is echoed to the console.
$null = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Open a global assignment scope; it is closed by the Stop-SPAssignment -Global
# call at the end of the script.
Start-SPAssignment -Global
######################################
##Creating and Returning a DataTable##
######################################
# Builds the empty report table that the check functions append rows to.
# Returns: a System.Data.DataTable with the columns "Anonymous Access",
#          "Level", "URL" and "Configured ListLib", in that order.
function createDT()
{
    $reportColumns = "Anonymous Access", "Level", "URL", "Configured ListLib"
    $reportTable = New-Object System.Data.DataTable

    foreach ($columnName in $reportColumns)
    {
        $column = New-Object System.Data.DataColumn($columnName)
        $reportTable.Columns.Add($column)
    }

    # The leading comma wraps the table in a one-element array so PowerShell
    # hands back the DataTable itself instead of unrolling it into rows.
    return ,$reportTable
}
#####################################
##Check WebApp for Anonymous Access##
#####################################
# Adds a "WebApplication" row to the report when the site collection's
# IISAllowsAnonymous flag is set.
# Reads $site and appends to $dTable; both come from the calling scope.
# Returns nothing.
function checkwebappAnon()
{
    $iisAnonymous = $site.IISAllowsAnonymous.ToString()
    if ($iisAnonymous -ne "true")
    {
        # Nothing to report at web-application level.
        return
    }

    $entry = $dTable.NewRow()
    $entry["Anonymous Access"] = "Enabled"
    $entry["Level"] = "WebApplication"
    # For this row the URL column carries the web application's name.
    $entry["URL"] = $site.WebApplication.Name
    $dTable.Rows.Add($entry)
}
######################################
##Check the Site for Anonymous Access#
######################################
# Classifies how anonymous access is set on the current web and records a
# report row when it is enabled.
# Reads $web and appends to $dTable; both come from the calling scope.
# Returns: 1 - enabled for the entire web site (row added)
#          2 - enabled for lists and libraries (row added)
#          3 - any other combination (no row added)
function checksiteAnon()
{
    $allowFlag = $web.AllowAnonymousAccess.ToString()
    $stateName = $web.AnonymousState.ToString()
    $maskName = $web.AnonymousPermMask64.ToString()

    Write-Host
    Write-Host "Checking how Anonymous is set up on site: " $web.Url -ForegroundColor Magenta

    # Work out the outcome first; the row is written in one place below.
    $resultCode = 3
    $levelText = $null

    if (($allowFlag -eq "True") -and ($stateName -eq "On"))
    {
        $resultCode = 1
        $levelText = "Site Level: Entire WebSite"
    }
    elseif (($allowFlag -eq "False") -and ($stateName -eq "Enabled") -and ($maskName -eq "Open"))
    {
        $resultCode = 2
        $levelText = "Site Level: Lists and Libraries"
    }

    if ($levelText -ne $null)
    {
        $entry = $dTable.NewRow()
        $entry["Anonymous Access"] = "Enabled"
        $entry["Level"] = $levelText
        $entry["URL"] = $web.Url.ToString()
        $dTable.Rows.Add($entry)
    }

    return $resultCode
}
############################################
##Check ListLibraries for Anonymous Access#
############################################
# Walks every list and library of the current web and records the ones whose
# anonymous permission mask shows anonymous access.
# Reads $web and $webResult and appends to $dTable; all three come from the
# calling scope. Progress and the final tally go to the console.
# Returns nothing.
function checklistAnon()
{
    $allLists = $web.lists
    $remaining = $allLists.count
    $anonTotal = 0

    Write-Host "Checking " $allLists.count " listslibaries for Anonymous Access" -ForegroundColor Magenta

    # Mask names and the one list title the checks compare against.
    $openWebMask = "OpenWeb"
    $emptyMask = "EmptyMask"
    $skippedTitle = "TaxonomyHiddenList"

    foreach ($list in $allLists)
    {
        # NOTE(review): the location is built from the display title, which may
        # differ from the list's real URL; confirm before acting on a row.
        $listUrl = $web.url + "/" + $list.Title
        $listMask = $list.AnonymousPermMask.ToString()
        $title = $list.Title.ToString()

        # $configured stays $null unless the list has to be reported.
        $configured = $null

        if ($skippedTitle.CompareTo($title) -ne 0)
        {
            $maskIsEmpty = ($listMask.CompareTo($emptyMask) -eq 0)
            $maskIsOpenWeb = ($listMask.CompareTo($openWebMask) -eq 0)

            if ($webResult -eq 3)
            {
                # Lists are still checked although anonymous access was
                # reported as disabled at the SPWeb level.
                if (-not $maskIsEmpty)
                {
                    if ($maskIsOpenWeb)
                    {
                        # Enabled but not configured on the list/library.
                        $configured = "No"
                    }
                    else
                    {
                        # Enabled and configured on the list/library.
                        $configured = "Yes"
                    }
                }
            }
            elseif (($webResult -eq 2) -and (-not $maskIsEmpty) -and (-not $maskIsOpenWeb))
            {
                # Enabled and configured on the list/library.
                $configured = "Yes"
            }
        }

        if ($configured -ne $null)
        {
            $entry = $dTable.NewRow()
            $entry["Anonymous Access"] = "Enabled"
            $entry["Level"] = "ListLibrary"
            $entry["URL"] = $listUrl
            $entry["Configured ListLib"] = $configured
            $dTable.Rows.Add($entry)
            $anonTotal++
        }

        # Progress line every tenth list, and once more when none are left.
        $remaining--
        if (($remaining % 10) -eq 0)
        {
            Write-Host "Total # of listslibraries left to check: " $remaining -ForegroundColor DarkYellow
        }
    }

    Write-Host
    Write-Host "Total # of listslibraries with Anonymous Access Enabled: " $anonTotal -ForegroundColor Cyan
}
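########################
###Script Starts Here###
########################
# Asks for an output folder, a file name and a site collection URL, checks the
# web application, every web and (where needed) every list for anonymous
# access, and exports the findings to <folder>\<filename>.csv.
$output = Read-Host "Enter a location for the output file (For Example: c:\logs)"
$filename = Read-Host "Enter a filename"
$url = Read-Host "Please enter the URL of desired site collection and press enter"

try
{
    ###Getting a new DataTable###
    [System.Data.DataTable]$dTable = createDT

    ###Getting Site Collection###
    $site = Get-SPSite $url
    if ($site -eq $null)
    {
        # Stop here: continuing with no site collection would end in a report
        # although nothing was actually checked.
        throw "Could not open site collection '$url'; nothing was checked."
    }

    ###Checking if WebApp has Anonymous set###
    checkwebappAnon

    ###Gathering web collection###
    $webs = $site.Allwebs
    $count = $webs.Count
    Write-Host "Checking for Anonymous Access on " $count " Sites" -ForegroundColor Magenta

    foreach ($web in $webs)
    {
        ###calling function to check anonymous on spweb###
        $webResult = checksiteAnon

        # Result 1 means the whole web is already anonymous; only results 2
        # and 3 need the per-list check.
        if (($webResult -eq 2) -or ($webResult -eq 3))
        {
            Write-Host "Checking for Anonymous Access on List and Libraries" -ForegroundColor Magenta
            ###calling function to check anonymous on lists and libs###
            checklistAnon
        }

        $count--

        if ($count -ne 0)
        {
            Write-Host
            Write-Host "Total # of sites left to check: " $count -ForegroundColor DarkYellow
        }
        else
        {
            Write-Host "Operation Completed" -ForegroundColor DarkYellow
        }
    }

    # The table object always exists, so the finding is decided by whether any
    # row was recorded; a null test would report anonymous access every time.
    if ($dTable.Rows.Count -gt 0)
    {
        # Join-Path inserts the path separator between folder and file name.
        $name = Join-Path $output ($filename + ".csv")
        # The report lists locations readable without authentication; keep the
        # output folder restricted to administrators.
        $dTable | Export-Csv $name -NoTypeInformation
        Write-Host "Anonymous Access was detected" -ForegroundColor Green
        Write-Host "Log File Created: " $name
    }
    else
    {
        Write-Host "Anonymous Access is Disabled for the entire Site Collection" -ForegroundColor Green
        Write-Host "No Log File Created" -ForegroundColor Green
    }
}
finally
{
    # Runs on failure as well, so the global assignment scope is always closed.
    Stop-SPAssignment -Global
}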
