When is a SharePoint Farm Administrator not a SharePoint Farm Administrator?

Have you seen in documentation any of the following statements?

  • You’ll need to work closely with your SharePoint farm administrator.
  • To complete the following tasks you must be a SharePoint farm administrator.

The first statement may be more about a person’s role and responsibility, than the tasks they can physically complete on a Microsoft SharePoint® installation. The second statement could be found when a new SharePoint-related product needs to be installed in your on-premises installation of SharePoint.

This blog post concerns the set of activities needed to make a user a “SharePoint farm administrator”, so that they can complete all SharePoint farm administrative tasks, whether those tasks can be completed using the SharePoint Central Administration web site or Windows PowerShell®.

So how does a user become a SharePoint Farm Administrator? Surely all that is needed is for an existing SharePoint Farm Administrator to complete the following steps:

  1. Open the SharePoint Central Administration web site in the browser.
  2. In the Quick Launch, under Central Administration, click Security.
  3. On the Security page, under Users, click Manage the farm administrators group.
  4. In the Farm Administrators page, click New.
  5. On the Share ‘Central Administrator’ dialog, under Add people to the Farm Administrators group, type a userid and then click Share.

Note: The above steps are for Microsoft SharePoint 2013, however similar steps can be used in a Microsoft SharePoint 2010 farm.

Unfortunately, as you may have guessed, completing the above steps is not sufficient. These steps add the user to the Farm Administrators SharePoint group and to the WSS_ADMIN_WPG local security group on each server in the SharePoint farm. This only allows the user to complete tasks using the SharePoint Central Administration web site and to access SharePoint resources such as logs and web services. The user will also need to be a member of the local Administrators security group, otherwise they will be prompted to provide an administrator’s userid and password when they try to start the SharePoint Central Administration web site. Even then, the user is still not a fully-fledged SharePoint farm administrator.

If the user tries to run the SharePoint Management Shell, then they will receive the error message:

“The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.”

For a user to execute all SharePoint-related Windows PowerShell cmdlets to complete tasks on any Web Application in the SharePoint farm, they need to be a member of the Microsoft SQL Server® SharePoint_Shell_Access database role on the SharePoint configuration database and on all content databases that contain resources you want the user to manage. This can be accomplished by using the Add-SPShellAdmin Windows PowerShell® cmdlet.

Tip: You can identify users who have SharePoint Windows PowerShell capability by using the Get-SPShellAdmin cmdlet.

The Add-SPShellAdmin cmdlet can only be executed by an existing SharePoint farm administrator, or a user that is associated with the SQL Server securityadmin server role and db_owner database role on all affected databases, and local administrative permission on the local computer.

Note: The user that is the first SharePoint farm administrator is the Active Directory security account that was used to run the SharePoint Products Configuration Wizard to install the first server in a Microsoft SharePoint farm.

Therefore, to make a user a SharePoint Farm Administrator who can complete all SharePoint server related tasks, no matter whether they need to use the SharePoint Central Administration web site or Windows PowerShell, they need to be a member of the:

  • Local Administrator security group for each server in the farm
  • Farm Administrators SharePoint group
  • SQL Server SharePoint_Shell_Access database role for the SharePoint configuration database and all content databases.

Note: If additional servers are added to the farm or additional content databases are created, then the existing SharePoint Farm administrators will need to be added to the appropriate groups/roles at that time.

The best way to ensure that no settings are missed is to complete all tasks in a Windows PowerShell script. Here is an example of what such a script may look like:

<# ----------------------------------------------
SharePoint 2013 Sample script to create a new SharePoint Farm Administrator
Provided by LightningTools as is
where $userid is of the format domain\username
and the function is called:
New-LTSPFarmAdmin -userid "DP\chuck"
...Please test in your environment before use
---------------------------------------------- #>
Function New-LTSPFarmAdmin ([string]$userid)
{
    # Get Central Administration Web Application
    $caWebApp = Get-SPWebApplication -IncludeCentralAdministration | `
        Where-Object { $_.DisplayName -like "SharePoint Central Administration*" };
    # Add user to the Farm Administrators SharePoint group
    New-SPUser -UserAlias $userid -Web $caWebApp.Url -Group "Farm Administrators";
    # Allow the user to use SharePoint Windows PowerShell cmdlets:
    # with no -Database, Add-SPShellAdmin targets the farm configuration database
    Add-SPShellAdmin -UserName $userid;
    # Get content database for Central Administration web site
    $caContentDB = Get-SPContentDatabase -WebApplication $caWebApp;
    Add-SPShellAdmin -Database $caContentDB -UserName $userid;

    # Complete for each content database in farm
    $contentDBs = Get-SPContentDatabase;
    foreach ($contentDB in $contentDBs) {
        Add-SPShellAdmin -Database $contentDB -UserName $userid;
    }
} # End of Function New-LTSPFarmAdmin
# ####################### End of Script ############################################ #
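The script above grants the memberships; the companion check below, which is an added example and not part of the original post or the LightningTools script, audits whether a given user actually holds all three of them, which matters again whenever a server or content database is added to the farm. It assumes it is run in the SharePoint Management Shell as an existing farm administrator and that PowerShell remoting is enabled on every farm server; the function name Test-FarmAdminMembership is hypothetical.

```powershell
# Added example (not from the original post): verifies that $userid holds all three
# memberships the post lists. Assumes it runs in the SharePoint Management Shell as an
# existing farm administrator, with PowerShell remoting enabled on every farm server.
Function Test-FarmAdminMembership ([string]$userid)
{
    $results = @()

    # 1. Local Administrators group on every SharePoint server (SQL servers report Role "Invalid")
    foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne "Invalid" })) {
        $members = Invoke-Command -ComputerName $server.Address -ScriptBlock { net localgroup Administrators } |
            ForEach-Object { $_.Trim() }
        $results += New-Object PSObject -Property @{
            Check  = "Local Administrators on $($server.Address)"
            Passed = ($members -contains $userid)
        }
    }

    # 2. Farm Administrators SharePoint group on the Central Administration site
    $caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
    $caWeb = Get-SPWeb $caWebApp.Url
    # LoginName is "DOMAIN\user" for classic auth, "i:0#.w|DOMAIN\user" for claims
    $farmAdmins = $caWeb.SiteGroups["Farm Administrators"].Users | ForEach-Object { $_.LoginName }
    $caWeb.Dispose()
    $results += New-Object PSObject -Property @{
        Check  = "Farm Administrators SharePoint group"
        Passed = [bool]($farmAdmins | Where-Object { $_ -like "*$userid" })
    }

    # 3. SharePoint_Shell_Access role on the configuration database (Get-SPShellAdmin
    #    with no -Database) and on every content database
    $results += New-Object PSObject -Property @{
        Check  = "SharePoint_Shell_Access on configuration database"
        Passed = ((Get-SPShellAdmin | ForEach-Object { $_.UserName }) -contains $userid)
    }
    foreach ($db in Get-SPContentDatabase) {
        $results += New-Object PSObject -Property @{
            Check  = "SharePoint_Shell_Access on $($db.Name)"
            Passed = ((Get-SPShellAdmin -Database $db | ForEach-Object { $_.UserName }) -contains $userid)
        }
    }
    return $results
}

# Any row with Passed = False is a membership the post says is still missing
Test-FarmAdminMembership -userid "DP\chuck" | Format-Table Check, Passed -AutoSize
```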

Tip: If you are a new SharePoint Farm Administrator and new to Windows PowerShell then you may want to read the Chapter written by Penelope Coventry from the Microsoft SharePoint 2010 Administrator’s Companion, Microsoft Press, August 2010, which is still relevant for SharePoint 2013, and can be found at: http://technet.microsoft.com/en-us/library/gg550867.aspx.

<Penny Coventry/>