Have you ever tried to figure out where the person "John" has access in your SharePoint farm? There are third-party tools that help you get permission reports about your SharePoint environment. But you can also use a PowerShell script that generates a permission report for a specific user. This is really helpful if you need to remove or change a person's access because he or she leaves the company, gets a different position or changes department.
Challenge
The challenge is that people sometimes get access directly, sometimes through a SharePoint group, and sometimes through an AD group. The last case always makes it a bit more complex to find out who has access. In SharePoint, permissions can be granted on different objects such as Site Collection, Site, List, Library, List Item, Document, Farm Administrator, Web Application Policy, or as Site Collection Admin. So there are many objects to check.
Help from PowerShell
You can download a ready-made script from this page: https://gallery.technet.microsoft.com/office/SharePoint-Permission-2840f327
You just have to change the input variables:
#Input Variables
$WebAppURL = "http://sharepointserverurl"
$Userid = "domain\user"
$ReportPath = "D:\Reports\PermissionRpt.csv"

#Call the function to generate user access report
Generate-PermissionReport $Userid $WebAppURL $ReportPath
How long it takes depends on the size of your farm. You should plan for hours.
Here is an example of what a report for one user looks like:
What does it look like, and are there AD groups inside? The report does not list an AD group. But in row 14 you see a direct permission. This direct permission is given through an AD group. So the permissions are listed, but you do not know exactly which AD group is responsible for them. The report helps you, but it has some limits. Please be aware that this PowerShell script is free to use, and for a free script the result is great. Please keep that in mind.
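To narrow down which AD group is behind such a row, the user's AD group memberships can be matched by SID against the principals on a SharePoint object. The following is an added example, not part of the downloadable script; the function names, the account `jdoe`, the group `GG-Sales` and the sample objects are assumptions, and the live lookup assumes the ActiveDirectory module is available.

```powershell
# Added example; function names and sample data are assumptions, not from the gallery script.

# All AD groups the user is in, nested ones included (needs the ActiveDirectory module).
# The primary group (usually Domain Users) is not stored in 'member' and is not returned.
function Get-TransitiveGroupMap([string]$SamAccountName) {
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # Escape LDAP filter metacharacters that may occur in a DN
    $dn = $dn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $map = @{}
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN, resolves nesting on the DC
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $map[$_.SID.Value] = $_.SamAccountName }
    return $map
}

# Role assignments on one securable (web, list, item) that reach the user through an AD group,
# either assigned directly or placed inside a SharePoint group.
function Find-ADGroupGrant($Securable, [hashtable]$GroupMap) {
    foreach ($ra in $Securable.RoleAssignments) {
        $m = $ra.Member
        $isSPGroup = [bool]$m.PSObject.Properties['Users']   # SPGroup has Users, SPUser does not
        $principals = if ($isSPGroup) { $m.Users } else { $m }
        foreach ($p in $principals) {
            if (-not $p.IsDomainGroup) { continue }
            # Claims mode login: "c:0+.w|s-1-5-21-..."; classic mode: use the Sid property
            $sid = if ($p.LoginName -match '\|(s-1-[0-9-]+)$') { $Matches[1] } else { "$($p.Sid)" }
            if ($GroupMap.ContainsKey($sid)) {
                [pscustomobject]@{
                    ADGroup = $GroupMap[$sid]
                    Via     = if ($isSPGroup) { "SharePoint group '$($m.Name)'" } else { 'Direct assignment' }
                    Roles   = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                }
            }
        }
    }
}

# Constructed sample standing in for an SPWeb, so the matching runs without a farm.
$map   = @{ 'S-1-5-21-1-2-3-1105' = 'GG-Sales' }   # on a farm: Get-TransitiveGroupMap 'jdoe'
$adGrp = [pscustomobject]@{ LoginName = 'c:0+.w|s-1-5-21-1-2-3-1105'; IsDomainGroup = $true; Sid = '' }
$web   = [pscustomobject]@{ RoleAssignments = @(
    [pscustomobject]@{ Member = $adGrp
                       RoleDefinitionBindings = @([pscustomobject]@{ Name = 'Contribute' }) },
    [pscustomobject]@{ Member = [pscustomobject]@{ Name = 'Site Members'; Users = @($adGrp) }
                       RoleDefinitionBindings = @([pscustomobject]@{ Name = 'Edit' }) }
) }
Find-ADGroupGrant $web $map | Format-Table -AutoSize   # on a farm: pass (Get-SPWeb $url) instead
```

Run it against each object the report lists; an object that inherits permissions returns its parent's role assignments. Web Application Policy and Farm Administrator entries are not role assignments and are not covered by this check.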
Third Party Tools
There are a lot of third-party tools available. Here are a few: Metalogix, Avepoint, SPDocKit
Sure would be nice if the link was not dead. Think you could be bothered to dig up this old code and send it to me direct or report it to GitHub or something? I have multiple companies that are still running SP2013…