PowerShell Script: Add user as Site Collection Admin to all sites in Web Application


 

Introduction

 

A few days ago I had a request from one of the SharePoint team: could we give him Site Collection Admin rights to all site collections in a web application?

Now one method would be to use a Web Application User Policy (see below) and give them the full access permission.

WebApplicationPolicy

However, we didn’t want to take that approach.

So we looked at using a PowerShell script. The important point was that we did not want to assign the permission using the Owner or SecondaryContact properties of the SPSite object. Instead we just wanted to add the user as the site collection admin.

When using the user interface this is achieved by doing the following:-

  • Browse to the site collection
  • Click Site Settings
  • Click Site collection administrators (Under Users and Permissions)
  • Add the user to the list and click OK.

After a bit of investigation using PowerShell I could see how this permission was set.

 

Solution

So to the solution, how is a user configured as a Site Collection Admin?

Well it turns out that it's based on the following property, SPUser.IsSiteAdmin. Site Collection Administrators have the IsSiteAdmin property set to true.

 

Once that information had been understood, then the script was relatively easy and the following script was created:-

param
(
	[Parameter(Mandatory=$true, HelpMessage='username in format DOMAIN\username')]
	[string]$Username = "",
	[Parameter(Mandatory=$true, HelpMessage='url for web application e.g. http://collab')]
	[string]$WebApplicationUrl = ""
)

Write-Host "Setting up user $Username as site collection admin on all sitecollections in Web Application $WebApplicationUrl" -ForegroundColor White;
$webApplication = Get-SPWebApplication $WebApplicationUrl;

# $null goes on the left so the comparison is a plain null test
if($null -ne $webApplication)
{
    foreach($siteCollection in $webApplication.Sites)
    {
        Write-Host "Setting up user $Username as site collection admin for $siteCollection" -ForegroundColor White;

        # EnsureUser resolves the account and adds it to the site collection if it is not there yet
        $userToBeMadeSiteCollectionAdmin = $siteCollection.RootWeb.EnsureUser($Username);
        if($userToBeMadeSiteCollectionAdmin.IsSiteAdmin -ne $true)
        {
            # Setting IsSiteAdmin and saving the user is what makes them a site collection admin
            $userToBeMadeSiteCollectionAdmin.IsSiteAdmin = $true;
            $userToBeMadeSiteCollectionAdmin.Update();
            Write-Host "User is now site collection admin for $siteCollection" -ForegroundColor Green;
        }
        else
        {
            Write-Host "User is already site collection admin for $siteCollection" -ForegroundColor DarkYellow;
        }

        Write-Host "Current Site Collection Admins for site: " $siteCollection.Url " " $siteCollection.RootWeb.SiteAdministrators;

        # Each SPSite returned while enumerating Sites holds unmanaged resources, so release it
        $siteCollection.Dispose();
    }
}
else
{
	Write-Host "Could not find Web Application $WebApplicationUrl" -ForegroundColor Red;
}

The PowerShell script accepts the following parameters:-

  • -Username – the user to add as a site collection admin (DOMAIN\username)
  • -WebApplicationUrl – the URL to the Web Application that should be updated

The script tries to resolve the Web Application. The script then runs through each site collection in the web application and ensures that the user can be found in the site collection.

If the user is not already a site collection admin then the property is updated and the user object is saved.

The script is not perfect and could have a bit more exception handling, for example the Get-SPWebApplication call does not check the return value.
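As an added example (not part of the original script or its download): because a site collection admin is just an SPUser with IsSiteAdmin set, the same walk over $webApplication.Sites can be used to review who holds that right on every site collection and to take a blanket grant back afterwards. The -RevokeUsername and -ReportPath parameters and the CSV column names are assumptions made for this example; accounts held in Owner or SecondaryContact are reported but left untouched.

```powershell
param
(
    [Parameter(Mandatory=$true, HelpMessage='url for web application e.g. http://collab')]
    [string]$WebApplicationUrl,
    # Hypothetical parameters for this example: account to revoke (optional) and CSV output path
    [string]$RevokeUsername,
    [string]$ReportPath = ".\SiteCollectionAdmins.csv"
)

# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
if ($null -eq (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Stop straight away if the web application cannot be resolved
$webApplication = Get-SPWebApplication $WebApplicationUrl -ErrorAction Stop

$report = foreach ($siteCollection in $webApplication.Sites)
{
    try
    {
        # Snapshot the collection so a revoke does not disturb the enumeration
        foreach ($admin in @($siteCollection.RootWeb.SiteAdministrators))
        {
            $isOwner = @($siteCollection.Owner.LoginName, $siteCollection.SecondaryContact.LoginName) -contains $admin.LoginName
            # Classic logins are "DOMAIN\username"; Windows claims logins end in "|DOMAIN\username"
            $isTarget = $RevokeUsername -and (($admin.LoginName -eq $RevokeUsername) -or
                $admin.LoginName.EndsWith("|$RevokeUsername", [System.StringComparison]::OrdinalIgnoreCase))
            $action = "none"
            if ($isTarget -and -not $isOwner)
            {
                # Reverse of the grant: clear the flag and save the user object
                $admin.IsSiteAdmin = $false
                $admin.Update()
                $action = "revoked"
            }
            elseif ($isTarget) { $action = "skipped (Owner/SecondaryContact)" }

            New-Object PSObject -Property @{ SiteUrl = $siteCollection.Url; LoginName = $admin.LoginName;
                                             OwnerOrSecondary = $isOwner; Action = $action }
        }
    }
    finally { $siteCollection.Dispose() }   # release the SPSite even if a site fails
}

$report | Select-Object SiteUrl, LoginName, OwnerOrSecondary, Action | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Wrote $(@($report).Count) rows to $ReportPath"
```

Run without -RevokeUsername it only reports, so the CSV can be kept as a record of who had site collection admin rights before and after the change.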

 

Anyway the link to the PowerShell script is below (just rename the file extension from .txt to .ps1):-

Set-UserAsSiteCollectionAdminOnWebApplication.txt