How to Add User to Farm Administrator Group in SharePoint?

By default, the account that was logged in to install SharePoint becomes the SharePoint Farm Administrator. There are situations where we need to add additional Farm Administrators to the SharePoint farm in order to delegate tasks. Follow these three steps to add a farm administrator in SharePoint.

  1. Add user to Central Administration Farm Administrator Group
  2. Add user to Web Application Policy with FULL control
  3. Add the user as a ShellAdmin for all SharePoint databases.

1. Add new user to farm administrator group from Central Administration:

To add a farm administrator in SharePoint 2010, navigate to Central Administration >> Security >> Manage the farm administrator group, then add the user by clicking New >> Add Users.

By default, the SharePoint Farm Administrators group includes the local server administrators, so you can see that the BUILTIN\Administrators group is already referenced in the Farm Administrators group in Central Administration.

Add user to SharePoint farm administrators group using PowerShell: 
Adding farm admin in SharePoint 2010 can be done in PowerShell also. Here is the PowerShell script to add a new farm admin.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#User to Add
$UserID="domain\userID"

#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"} 

#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 
#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()

Create a new SharePoint farm administrator with STSADM command line:
The equivalent STSADM command for the above:
stsadm -o adduser -url <Central Admin URL> -userlogin "Global\FarmAdmin" -useremail "FarmAdmin@domain.com" -group "Farm Administrators" -username "Farm Administrator"

2. Add user to Web Application Policy with FULL control

Just adding the user to the SharePoint Farm Administrators group will not serve the purpose. If users are only added to the Central Administration Farm Administrators group (and the two steps below are skipped!), they will get an “Access denied” error when they try to invoke an STSADM command.

If they try to use SharePoint PowerShell cmdlets, they will get the error: “The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.”

So the solution is to add a web application policy for the SharePoint 2010 farm administrator account on the selected web application(s), or on all of them. Follow SharePoint 2010 user policy for web application. We can also use PowerShell to create a web application user policy, which is explained in the provided link.

Once granted FULL control via web application policy, the SharePoint farm administrator account has full control, at the level of a site collection administrator, over all site collections of that particular web application.

3. Add user as a ShellAdmin for all SharePoint databases

The next step is to grant “Shell Admin” Access to the user, via PowerShell.

You must run this cmdlet from an existing Farm Administrator account’s context, otherwise, you’ll get an error!
Add-SPShellAdmin -UserName "domain\user" -database (Get-SPContentDatabase -Identity "SharePoint_Database_Name")

This cmdlet grants the farm administrator the necessary SQL permissions and adds the account to the local WSS_ADMIN_WPG group on the Windows server. We can verify the access by logging on to the SQL Server, opening SQL Server Management Studio, and checking that a new login has been created for the new user.

The user is mapped to the SharePoint databases and receives the SharePoint 2010 farm administrator SQL permissions: the db_owner, public and SharePoint_Shell_Access roles for all SharePoint databases in the server farm. This gives the user permission to do things that require changes to the database.

SharePoint 2010: Add farm admin using PowerShell

So, the complete script to add a user to the Farm Administrators group in SharePoint:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#User to Add
$UserID="domain\user"

#*** Add User to SharePoint 2010 Farm Administrator Group ***
#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"} 
#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 
#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()

#*** Add user to Web App Policy ***
Get-SPWebApplication | ForEach-Object {
    $WebAppPolicy = $_.Policies.Add($UserID, $UserID)
    $PolicyRole = $_.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $WebAppPolicy.PolicyRoleBindings.Add($PolicyRole)
    $_.Update()
    Write-Host "Added user to $($_.URL)"
}

#*** Grant Shell Admin Access ***
#Get all SharePoint databases and add the user as Shell Admin
Get-SPDatabase | Add-SPShellAdmin -Username $UserID

Now the members of this group can perform tasks from SharePoint Central Administration.

If you plan to use this account as the Server Farm Account, grant it these server roles in SQL Server: dbcreator & securityadmin.

To run Add-SPShellAdmin, your account must have:

  • securityadmin role on the SQL Server instance
  • db_owner on the SharePoint content database
  • Membership in the local Administrators group on the SharePoint server

Tail:

  • To get all Shell Administrators, use: Get-SPShellAdmin
  • To remove a user from Shell Admin Group: Remove-SPShellAdmin -UserName "Domain\User"

Find Farm Administrators using PowerShell

You may want to check whether a SharePoint user is a farm administrator. The code below lists the members of the Farm Administrators group:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"} 

#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 

#Get Farm Administrators Group and list its members
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"]
foreach ($Admin in $FarmAdminGroup.Users)
{
   Write-Host $Admin.LoginName
}
#Release the SPWeb object
$CAWeb.Dispose()
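The script above reports group membership only, while the three steps grant access at three separate layers. The following is an added example, not part of the original article, that collects the Farm Administrators group members, the Full Control web application policies and the shell admins per database into one list for an access review. The Layer/Scope/Account column names are this example's own, and Central Administration is located through the IsAdministrationWebApplication property instead of its display name.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Added example: one row per grant made by the three steps in this article.
# The Layer / Scope / Account property names are chosen for this example only.
$Report = @()

# Layer 1: members of the Farm Administrators group in Central Administration
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$CAWeb = Get-SPWeb $CAWebApp.Url
try {
    foreach ($Admin in $CAWeb.SiteGroups["Farm Administrators"].Users) {
        $Report += New-Object PSObject -Property @{
            Layer = "FarmAdminGroup"; Scope = $CAWebApp.Url; Account = $Admin.LoginName }
    }
}
finally { $CAWeb.Dispose() }

# Layer 2: web application policies bound to the Full Control policy role
foreach ($WebApp in Get-SPWebApplication) {
    foreach ($Policy in $WebApp.Policies) {
        $Full = $Policy.PolicyRoleBindings | Where-Object {
            $_.Type -eq [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl }
        if ($Full) {
            $Report += New-Object PSObject -Property @{
                Layer = "WebAppPolicyFullControl"; Scope = $WebApp.Url; Account = $Policy.UserName }
        }
    }
}

# Layer 3: shell admins on every SharePoint database (content, configuration, service)
foreach ($Db in Get-SPDatabase) {
    foreach ($Shell in (Get-SPShellAdmin -database $Db)) {
        $Report += New-Object PSObject -Property @{
            Layer = "ShellAdmin"; Scope = $Db.Name; Account = $Shell.UserName }
    }
}

# Sorted by account, so a partial grant or a leftover grant stands out
$Report | Sort-Object Account, Layer, Scope |
    Format-Table Account, Layer, Scope -AutoSize
```

An account that appears in only one or two layers was either set up incompletely or was not fully removed when its farm administrator access was withdrawn.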

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

2 thoughts on “How to Add User to Farm Administrator Group in SharePoint?”

  • #Get All Content Databases and Add user into Shell Admin access
    Get-SPDatabase | Add-SPShellAdmin -Username $UserID

    This should be Get-SPContentDatabase I guess

    • In fact, the Add-ShellAdmin should be run on both SharePoint content database and the configuration database!
