Tuesday, May 7, 2013

Add User to Farm Administrator Group in SharePoint 2010

By default, the account used to install SharePoint becomes the SharePoint farm administrator. There are situations where we need to add more farm administrators to the SharePoint farm in order to delegate tasks. Follow these three steps to add a farm administrator in SharePoint.

  1. Add user to Central Administration Farm Administrator Group
  2. Add user to Web Application Policy with FULL control
  3. Add user as a ShellAdmin for all SharePoint databases.

 

1. SharePoint 2010 add new user to farm administrator group from Central Administration:

To add a farm administrator in SharePoint 2010, navigate to Central Administration >> Security >> Manage the farm administrators group, then add the user by clicking New >> Add Users.

The SharePoint Farm Administrators group by default includes the local server administrators, so you can see that the BUILTIN\Administrators group is already referenced in the Farm Administrators group in Central Administration.

Add user to SharePoint 2010 farm administrators group using PowerShell:
A farm administrator can also be added in SharePoint 2010 with PowerShell. Here is the PowerShell script to add a new farm admin.

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    #User to Add
    $UserID="domain\userID"

    #Get Central Admin Web App
    $CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | Where-Object {$_.DisplayName -eq "SharePoint Central Administration v4"}

    #Get Central Admin site
    $CAWeb = Get-SPWeb($CAWebApp.Url)
    #Get Farm Administrators Group
    $FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"]
    #Add user to the Group
    $FarmAdminGroup.AddUser($UserID, "", $UserID, "")
    Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
    $CAWeb.Dispose()

Create a new SharePoint farm administrator with the STSADM command line:
The equivalent STSADM command for the above:
    stsadm -o adduser -url <Central Admin URL> -userlogin "Global\FarmAdmin" -useremail "FarmAdmin@domain.com" -group "Farm Administrators" -username "Farm Administrator"


2. Add user to Web Application Policy with FULL control

Just adding the user to the SharePoint Farm Administrators group will not serve the purpose. If users are only added to the Central Administration Farm Administrators group (and the two steps below are skipped!), they will get an "Access denied" error when they try to invoke an STSADM command.

If they try to use SharePoint PowerShell cmdlets, they will get the error: "The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered."

So the solution is to add a web application policy for the SharePoint 2010 farm administrator account on the selected or all web application(s). Follow "SharePoint 2010 user policy for web application". We can also use PowerShell to create the web application user policy, which is explained in the provided link.

Once granted FULL control via a web application policy, the farm administrator gets full control, with site collection administrator access, to all site collections of that web application.


3. Add user as a ShellAdmin for all SharePoint databases

The next step is to grant "Shell Admin" access to the user via PowerShell.
You must run this cmdlet from an existing farm administrator account's context; otherwise you'll get an error!

    Add-SPShellAdmin -UserName "domain\user" -database (Get-SPContentDatabase -Identity "SharePoint_Database_Name")

This cmdlet grants the farm administrator the necessary SQL permissions and adds the account to the local WSS_ADMIN_WPG group on the Windows server. We can verify the access by logging on to the SQL Server, opening SQL Server Management Studio, and checking the new login created for the user.

The user is mapped to the SharePoint databases and receives the SharePoint 2010 farm administrator SQL permissions: the db_owner, public and SharePoint_Shell_Access roles for all SharePoint databases in the server farm. This gives the user permission to do things that require changes to the database.


So, the complete script to add a user to the Farm Administrators group in SharePoint:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    
    #User to Add
    $UserID="domain\user"
    
    #*** Add User to SharePoint 2010 Farm Administrator Group ***
    #Get Central Admin Web App
    $CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"} 
    #Get Central Admin site
    $CAWeb = Get-SPweb($CAWebApp.Url) 
    #Get Farm Administrators Group
    $FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
    #Add user to the Group
    $FarmAdminGroup.AddUser($UserID,"",$UserID , "")
    Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
    $CAWeb.Dispose()
    
    #*** Add user to Web App Policy ***
    Get-SPWebApplication | ForEach-Object {
        $WebAppPolicy = $_.Policies.Add($UserID, $UserID)
        $PolicyRole = $_.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
        $WebAppPolicy.PolicyRoleBindings.Add($PolicyRole)
        $_.Update()
        Write-Host "Added user to $($_.URL)"
    }

    #*** Grant Shell Admin Access ***
    #Get all SharePoint databases and add the user as a Shell Admin on each
    Get-SPDatabase | Add-SPShellAdmin -Username $UserID
    
Now the members of this group can perform tasks from SharePoint Central Administration.
If you plan to use this account as the Server Farm Account, then grant these server roles in SQL Server: dbcreator & securityadmin.

To run Add-SPShellAdmin, your account must have:
• securityadmin role on the SQL Server instance
• db_owner on the SharePoint content database
• Membership in the local Administrators group on the SharePoint server


Tail: SharePoint 2010 find farm administrators
You may want to check whether a SharePoint user is a farm administrator. The code below can help to check the SharePoint farm administrators:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    
    #Get Central Admin Web App
    $CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"} 
    
    #Get Central Admin site
    $CAWeb = Get-SPweb($CAWebApp.Url) 
    
    $FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
    foreach ($Admin in $FarmAdminGroup.Users)
    {
        Write-Host $Admin.LoginName
    }
    #Release the Central Admin site object
    $CAWeb.Dispose()
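
The three grants made in this article (group membership, web application policy, shell admin) can be reviewed together. The following is an added example, not part of the original post: it lists who currently holds each grant and marks accounts that are missing from an approved list. The `$Approved` entries are placeholders, and `Get-PlainLogin` and `New-Finding` are hypothetical helper names introduced here.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder list of accounts approved to hold farm-level rights
$Approved = @("BUILTIN\Administrators", "domain\farmadmin")

# Strip a claims prefix such as "i:0#.w|" so logins compare as DOMAIN\user
function Get-PlainLogin([string]$Login) { ($Login -split '\|')[-1] }
function New-Finding($Source, $Scope, $Login) {
    New-Object PSObject -Property @{ Source = $Source; Scope = $Scope; Login = (Get-PlainLogin $Login) }
}
$Findings = @()

# 1. Members of the Farm Administrators group in Central Administration
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$CAWeb = Get-SPWeb $CAWebApp.Url
try {
    foreach ($User in $CAWeb.SiteGroups["Farm Administrators"].Users) {
        $Findings += New-Finding "Farm Administrators group" $CAWebApp.Url $User.LoginName
    }
} finally { $CAWeb.Dispose() }

# 2. Web application policies that bind the Full Control role
foreach ($WebApp in (Get-SPWebApplication -IncludeCentralAdministration)) {
    foreach ($Policy in $WebApp.Policies) {
        if ($Policy.PolicyRoleBindings | Where-Object { $_.Type -eq "FullControl" }) {
            $Findings += New-Finding "Full Control web app policy" $WebApp.Url $Policy.UserName
        }
    }
}

# 3. Shell admins on every SharePoint database; @() keeps empty results from adding a null entry
foreach ($Db in (Get-SPDatabase)) {
    $Findings += @(Get-SPShellAdmin -database $Db |
        ForEach-Object { New-Finding "Shell admin" $Db.Name $_.UserName })
}

# Report every holder; Approved = False marks accounts not on the approved list
$Findings | Select-Object Source, Scope, Login,
    @{ Name = "Approved"; Expression = { $Approved -contains $_.Login } } |
    Sort-Object Approved, Login | Format-Table -AutoSize
```

Run it from the SharePoint Management Shell under an account that already has farm administrator and shell admin access; as described in step 2, the cmdlets fail for accounts without it.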
    


