Thursday, July 11, 2013

PowerShell to Reset Unique Permissions (Inherit Permissions) on a List or Library and its Items in SharePoint

From time to time I will come across a list or library that has had its inheritance broken resulting in unique permissions.  Sometimes this also includes items that have unique permissions.  When the item count gets very large it can be a real pain to reset all the permissions in the list/library from the UI.  Luckily PowerShell can come to the rescue.

Using PowerShell we can grab all the items in a list/library that have unique permissions and reset them.  Let's take a look at the script to accomplish this.

You can download the complete script from the TechNet Gallery here:

For this script I wanted to use arguments when the script is run. These are very simple and include the following:
  • Web URL - This is a fully qualified URL to the site where the list/library is located.
  • List Name - This is the list/library name.
  • Should List Inherit - This is a Boolean and indicates if the list/library should have its permissions reset as well.
So using the script would look like the following:
  • Restore-Inheritance.ps1 "http://SPURL/SITE" "LIST NAME" true   
So first, we'll make sure the SharePoint snap-in is loaded:
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
Next, we'll populate some variables from the arguments:
$webUrl = $args[0]
$listName = $args[1]
$listInherits = $args[2] 
# Variable to hold document count
$count = 0
We also include a "count" variable that will hold a count of objects that have been updated.  Now, in a try/catch block we'll execute the main code.
try {
 # Open the web and list objects
 $web = Get-SPWeb $webUrl
 $list = $web.Lists[$listName]
 # If the list should inherit, reset the role inheritance
 if ($listInherits -eq $true) {
  $list.ResetRoleInheritance()
  Write-Host "Updated permissions on list." -foregroundcolor Green
 }
 # Get all items with unique permissions
 $itemsWithUniquePermissions = $list.GetItemsWithUniquePermissions()
 Write-Host $itemsWithUniquePermissions.Count "number of items with unique permissions found."
 # Only update items if some exist
 if ($itemsWithUniquePermissions.Count -gt 0) {
  foreach ($itemInfo in $itemsWithUniquePermissions) {
   # SPListItemInfo only carries the ID, so fetch the real item before resetting it
   $item = $list.GetItemById($itemInfo.Id)
   $item.ResetRoleInheritance()
   $count++
  }
  # Display number of items updated
  Write-Host "Updated permissions on $count items." -foregroundcolor Green
 }
 else {
  Write-Host "No items with unique permissions exist, nothing to update."
 }
 # Dispose of web object
 $web.Dispose()
}
catch [Exception] {
 Write-Host "Exception encountered.  Please ensure all arguments are valid." -foregroundcolor Red
 Write-Host $_.Exception.Message -foregroundcolor Red
}
Here is an overview of what's going on:
  • First we open the web and list objects.
  • Next, if the user has specified that the list should have its permissions reset, we do that with a ResetRoleInheritance() method call.
  • Next, we get a list of items that have unique permissions using the GetItemsWithUniquePermissions() method call.  This is key since you may have thousands of items, but only a few with unique permissions.  Using this method, we only get back the few and don't have to take actions on the rest.
  • Now we iterate through the items that we found.  The GetItemsWithUniquePermissions() returns a collection of SPListItemInfo objects.  These objects don't hold the list item, but they do have the ID of the items.  We can take the ID and use the GetItemById() method call on the list to get the actual item back.
  • Finally we spit out the results using a Write-Host and dispose of the web object.
It's a pretty simple script, but can save you a lot of time if you need to do this on many items all at once.
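
ResetRoleInheritance() discards the unique role assignments on the object, so it is worth recording who had access to what before running the reset. The following is an added example, not part of the original script: it uses the same GetItemsWithUniquePermissions() call to write the current assignments to a CSV for review. The parameter names and the default report path are assumptions made for illustration.

```powershell
# Added example, not from the original post. Parameter names and the
# default CSV path are assumptions chosen for illustration.
param(
    [Parameter(Mandatory = $true)][string]$WebUrl,
    [Parameter(Mandatory = $true)][string]$ListName,
    [string]$ReportPath = ".\unique-permissions.csv"
)

if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Emit one row per principal assigned directly on a securable object (list or item)
function Get-AssignmentRows($securable, $scope, $id, $url) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
        New-Object PSObject -Property @{
            Scope = $scope; ItemId = $id; Url = $url
            Principal = $ra.Member.LoginName; DisplayName = $ra.Member.Name; Roles = $roles
        }
    }
}

$web = Get-SPWeb $WebUrl -ErrorAction Stop
try {
    $list = $web.Lists[$ListName]
    if ($list -eq $null) { throw "List '$ListName' not found in $WebUrl" }

    $rows = @()
    # The list itself, if its inheritance is broken
    if ($list.HasUniqueRoleAssignments) {
        $rows += @(Get-AssignmentRows $list "List" "" $list.RootFolder.ServerRelativeUrl)
    }
    # Only the items with unique permissions, as in the reset script
    foreach ($itemInfo in $list.GetItemsWithUniquePermissions()) {
        $item = $list.GetItemById($itemInfo.Id)
        $rows += @(Get-AssignmentRows $item "Item" $itemInfo.Id $itemInfo.Url)
    }

    $rows | Select-Object Scope, ItemId, Url, Principal, DisplayName, Roles |
        Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
    Write-Host "$($rows.Count) unique role assignments written to $ReportPath"
}
finally {
    # Dispose of the web object even if an exception was thrown
    $web.Dispose()
}
```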




  1. Any thoughts about how to get this to work with SharePoint Online?

    1. Unfortunately you can't run any PowerShell on SharePoint Online. If you wanted to do something like this, mass change permissions, you would probably need to reach out for support from Microsoft if you're using that service.