Programmatically modify SharePoint Group Members – add and subtract

If you’ve ever wanted to allow admins of your farm a quick way to add a user to a SharePoint group, or a few groups, this is the script to do it.

 

Now, this script assumes you have a Forms Based Authentication solution in place, or at least have FBA as the only means to access the site.  It allows you to add the users to the various SharePoint groups, provided you have site collection admin, or higher level access to the site.

 

You could change the groups shown here to the actual names of different groups.  For example, say you didn’t want to add them to the Approvers and Designers SharePoint groups, then you could change those SharePoint group names.  These are the group names that you see in your site when looking at site permissions.  The script does not have any error handling, so if you try to add the user to a SharePoint group that does not exist, the script is gonna err out.

# Load the SharePoint snap-in; the error is suppressed if it is already loaded
Add-PSSnapin *SharePoint* -ErrorAction SilentlyContinue

$HNSCURL = Read-Host "`nEnter the URL for the Site you just created `nFor example for the site URL you would type https://company1.mydomain.com"

$FBAUserName = Read-Host "`nEnter the FBA User name you just created `nFor example if the user is named Joe, enter Joe"

# Build the claims-encoded login name for the FBA membership provider
$FBAUserNameProper = "i:0#.f|fbamembershipprovider|" + $FBAUserName

Write-Host "Setting the elevated permissions for: $FBAUserName now!" -ForegroundColor Green

# Add the user to each SharePoint group
Set-SPUser -Identity $FBAUserNameProper -Web $HNSCURL -Group "Approvers"
Set-SPUser -Identity $FBAUserNameProper -Web $HNSCURL -Group "Designers"

Write-Host "`nScript Complete `nGo ahead and close this window" -ForegroundColor Green

If you had added the user to the Approvers and Designers SharePoint groups and later wanted to remove them and add them to the Visitors group instead, then you could run this PowerShell.

# Load the SharePoint snap-in; the error is suppressed if it is already loaded
Add-PSSnapin *SharePoint* -ErrorAction SilentlyContinue

$HNSCURL = Read-Host "`nEnter the URL for the Site you just created `nFor example for the site URL you would type https://company1.mydomain.com"

$FBAUserName = Read-Host "`nEnter the FBA User name you just created `nFor example if the user is named Joe, enter Joe"

# Build the claims-encoded login name and look the user up in the site
$FBAUserNameProper = "i:0#.f|fbamembershipprovider|" + $FBAUserName
$user = Get-SPUser -Identity "$FBAUserNameProper" -Web $HNSCURL

Write-Host "Removing Elevated permissions for: $FBAUserName and making $FBAUserName a reader now!" -ForegroundColor Green

$HNSCSite = Get-SPWeb $HNSCURL

# Remove the user from each elevated group
$Group1 = $HNSCSite.SiteGroups | ? {$_.Name -eq "Approvers"}
$Group1.RemoveUser($user)
Write-Host "$FBAUserName Removed from the Group: Approvers"

$Group2 = $HNSCSite.SiteGroups | ? {$_.Name -eq "Designers"}
$Group2.RemoveUser($user)
Write-Host "$FBAUserName Removed from the Group: Designers"

# Add the user to Visitors first, then report it
Set-SPUser -Identity $FBAUserNameProper -Web $HNSCURL -Group "Visitors"
Write-Host "$FBAUserName added to the Group: Visitors"

# Release the SPWeb object opened by Get-SPWeb
$HNSCSite.Dispose()

Write-Host "`nScript Complete `nGo ahead and close this window" -ForegroundColor Green

Now, in order to run either of these two PowerShell scripts, you need to be logged into the Front End SharePoint server with an account that has either Farm Admin access, full control on the web application user policy, site collection admin, or full control on the site that you’re targeting.

 

When you run the script, it’s gonna ask you for the URL. You need to input the full URL, so http://site.sitecollection.com, not site.sitecollection.com.  Then you just have to enter the FBA user name.

 

You could modify this for a site that does not use FBA by changing the prefix used in the lines that read

$FBAUserNameProper = "i:0#.f|fbamembershipprovider|" + $FBAUserName

to something like this

$FBAUserNameProper = "UPN\" + $FBAUserName

where UPN\ stands for the contoso\ portion of the name your users type in, e.g. contoso\JoeUser.
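
The same membership change with the missing error handling filled in, as an added example that is not the original scripts: it rejects a URL without a scheme and checks that every target group exists before changing anything, so a mistyped group name stops the run instead of leaving the user half-moved. The function name Set-FbaGroupMembership and its parameters are hypothetical; the group names, sample URL and claims prefix are the ones used above.

```powershell
# Added example, not part of the original scripts.
# Set-FbaGroupMembership and its parameter names are hypothetical.
Add-PSSnapin *SharePoint* -ErrorAction SilentlyContinue

function Set-FbaGroupMembership {
    param(
        [Parameter(Mandatory=$true)] [string] $WebUrl,
        [Parameter(Mandatory=$true)] [string] $UserName,
        [string[]] $AddTo      = @(),
        [string[]] $RemoveFrom = @()
    )
    # The full URL is required, scheme included; reject a bare host name up front.
    if ($WebUrl -notmatch '^https?://') {
        throw "Enter the full URL including http:// or https://, got '$WebUrl'"
    }
    $login = "i:0#.f|fbamembershipprovider|" + $UserName
    $web   = Get-SPWeb $WebUrl -ErrorAction Stop
    try {
        # Resolve every group before touching membership, so nothing is half-applied.
        $groups = @{}
        foreach ($name in @($AddTo) + @($RemoveFrom)) {
            $g = $web.SiteGroups | Where-Object { $_.Name -eq $name }
            if (-not $g) { throw "SharePoint group '$name' does not exist on $WebUrl" }
            $groups[$name] = $g
        }
        $user = Get-SPUser -Identity $login -Web $web -ErrorAction Stop
        # Removals run first: if a later step fails, the user is left with less access, not more.
        foreach ($name in $RemoveFrom) {
            $groups[$name].RemoveUser($user)
            Write-Host "$UserName removed from the group: $name"
        }
        foreach ($name in $AddTo) {
            $groups[$name].AddUser($user)
            Write-Host "$UserName added to the group: $name"
        }
    }
    finally {
        # Always release the SPWeb object, even when a check above throws.
        $web.Dispose()
    }
}

# Same change as the second script: drop the elevated groups, keep read access.
Set-FbaGroupMembership -WebUrl "https://company1.mydomain.com" -UserName "Joe" -RemoveFrom "Approvers","Designers" -AddTo "Visitors"
```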

Have a Happy and Safe New Year!

 

Set-SPUser TechNet