Wednesday, February 20, 2013

How to prevent site owners to create sub site

If you agree that we should keep sub sites at minimum, the PowerShell script below can help to prevent site owners to create sub sites.

This script also revoke the "delete historical versions" permission from contributors. That's what I do for almost all site collections.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction "SilentlyContinue" 


# remove "DeleteVersions" from "Contribute" 
# remove "ManageSubwebs" from "Full Control" 
function ChangePermissionLevel([string]$SiteUrl) 

 $web = Get-SPWeb -Identity $SiteUrl 
 $contributePermissionLevel=$web.RoleDefinitions["Contribute"] 
 # $contributePermissionLevel.BasePermissions="ViewListItems, OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo" 
 $contributePermissionLevel.BasePermissions="ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo" 
 $contributePermissionLevel.Update() 

 $FullControlPermissionLevel=$web.RoleDefinitions["Full Control"] 
 #[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") 
 # $FullControlPermissionLevel.BasePermissions="FullMask" 
 $FullControlPermissionLevel.BasePermissions="ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, CreateSSCSite, CreateGroups, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions" 
 $FullControlPermissionLevel.Update() 

 $web.Dispose() 


ChangePermissionLevel "http://sharepoint/sites/demo" 

rm function:/ChangePermissionLevel 

Write-Host "Finished! Press enter key to exit." -ForegroundColor Green 
Read-Host 

3 comments:

  1. I totally agree with the concepts here and in your linked post regarding governance of sites. Though useing only site collections vs sites will vary from case to case. This example of stripping the create sites permissions is great as long as the site collection owners still retain the possibility.

    ReplyDelete
  2. Hi,
    I try to find a way to prevent SubSite/Blog creation inside MySite Users Collections.
    Do you think your script below could do this ?
    I'm actually working on a Sharepoint 2013 Project... thanks for your reply

    ReplyDelete