This script also revokes the "delete historical versions" permission from contributors. That's what I do for almost all site collections.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction "SilentlyContinue"
# remove "DeleteVersions" from "Contribute"
# remove "ManageSubwebs" from "Full Control"
function ChangePermissionLevel([string]$SiteUrl)
{
    $web = Get-SPWeb -Identity $SiteUrl

    # Contribute: the active list below omits DeleteVersions.
    $contributePermissionLevel=$web.RoleDefinitions["Contribute"]
    # Alternative set, left commented out:
    # $contributePermissionLevel.BasePermissions="ViewListItems, OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo"
    $contributePermissionLevel.BasePermissions="ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo"
    $contributePermissionLevel.Update()

    # Full Control: the active list below omits ManageSubwebs.
    $FullControlPermissionLevel=$web.RoleDefinitions["Full Control"]
    # To list every available permission name:
    #[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
    # To restore the default:
    # $FullControlPermissionLevel.BasePermissions="FullMask"
    $FullControlPermissionLevel.BasePermissions="ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, CreateSSCSite, CreateGroups, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions"
    $FullControlPermissionLevel.Update()

    # Release the SPWeb object.
    $web.Dispose()
}
ChangePermissionLevel "http://sharepoint/sites/demo"
rm function:/ChangePermissionLevel
Write-Host "Finished! Press enter key to exit." -ForegroundColor Green
Read-Host
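A read-only check for the two changes the script makes, added here as an example and not part of the original post: it walks every web in a site collection and reports whether "Contribute" still carries DeleteVersions or "Full Control" still carries ManageSubwebs. The function name Test-PermissionLevel and the output property names are made up for illustration; the URL is the demo one used above.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction "SilentlyContinue"

# Permission level -> the single right it should no longer carry
# (the two changes made by ChangePermissionLevel above).
$expectedMissing = @{
    "Contribute"   = "DeleteVersions"
    "Full Control" = "ManageSubwebs"
}

# Hypothetical helper: reports, changes nothing.
function Test-PermissionLevel([string]$SiteCollectionUrl)
{
    $site = Get-SPSite -Identity $SiteCollectionUrl -ErrorAction Stop
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($name in $expectedMissing.Keys) {
                    # Look the level up by name; it may have been renamed or deleted.
                    $role = $web.RoleDefinitions | Where-Object { $_.Name -eq $name }
                    if ($role -eq $null) { continue }

                    $right = [Microsoft.SharePoint.SPBasePermissions]$expectedMissing[$name]
                    # SPBasePermissions is a flags enum. Comparing the numeric values
                    # also catches a level still set to the default "FullMask".
                    $granted = (([long]$role.BasePermissions) -band ([long]$right)) -ne 0

                    New-Object PSObject -Property @{
                        Web                   = $web.Url
                        PermissionLevel       = $name
                        Right                 = $right.ToString()
                        StillGranted          = $granted
                        # True when this web keeps its own copy of the permission
                        # levels and has to be changed separately from its parent.
                        UniqueRoleDefinitions = $web.HasUniqueRoleDefinitions
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# List only the webs where the right is still granted.
Test-PermissionLevel "http://sharepoint/sites/demo" |
    Where-Object { $_.StillGranted } |
    Format-Table Web, PermissionLevel, Right, UniqueRoleDefinitions -AutoSize
```

An empty table means both rights are gone everywhere in the site collection.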
I totally agree with the concepts here and in your linked post regarding governance of sites. Though using only site collections vs sites will vary from case to case. This example of stripping the create sites permissions is great as long as the site collection owners still retain the possibility.
Hi,
I try to find a way to prevent SubSite/Blog creation inside MySite Users Collections.
Do you think your script below could do this?
I'm actually working on a SharePoint 2013 Project... thanks for your reply
Yes, I think so.