How to Add User to Farm Administrator Group in SharePoint?
By default, the account used to install SharePoint becomes the SharePoint Farm Administrator. There are situations where we need to add additional Farm Administrators to the SharePoint farm in order to delegate tasks. Follow these three steps to add a farm administrator in SharePoint.
- Add user to Central Administration Farm Administrator Group
- Add user to Web Application Policy with FULL control
- Add the user as a ShellAdmin for all SharePoint databases.
1. Add new user to farm administrator group from Central Administration:
To add a farm administrator in SharePoint 2010, navigate to Central Administration >> Security >> Manage the farm administrator group >> add the user by clicking New >> Add Users.
By default, the SharePoint Farm Administrators group includes the local server administrators, so you can see that the BUILTIN\Administrators group is already referenced in the Farm Administrators group in Central Administration.
Add user to SharePoint farm administrators group using PowerShell:
Adding a farm admin in SharePoint 2010 can also be done with PowerShell. Here is the PowerShell script to add a new farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#User to Add
$UserID="domain\userID"
#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"}
#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url)
#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"]
#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()
Create a new SharePoint farm administrator with STSADM command line:
The equivalent STSADM command for the above:
stsadm -o adduser -url <Central Admin URL> -userlogin "Global\FarmAdmin" -useremail "FarmAdmin@domain.com" -group "Farm Administrators" -username "Farm Administrator"
2. Add user to Web Application Policy with FULL control
Just adding the user to the SharePoint Farm Administrators group will not serve the purpose. If users are only added to the Central Administration Farm Administrators group (and the two steps below are skipped!), they will get an “Access denied” error when they try to invoke an STSADM command.
If they try to use SharePoint PowerShell cmdlets, they will get the error: “The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.”
So the solution is to add a web application policy for the SharePoint 2010 farm administrator account on the selected/all web application(s). Follow SharePoint 2010 user policy for web application. We can also use PowerShell to create a web application user policy, which is explained in the provided link.
Once granted FULL control via web application policy, the farm administrator gets full control, with site collection administrator-level access to all site collections of that web application.
3. Add user as a ShellAdmin for all SharePoint databases
The next step is to grant “Shell Admin” access to the user via PowerShell.
Add-SPShellAdmin -UserName "domain\user" -database (Get-SPContentDatabase -Identity "SharePoint_Database_Name")
This cmdlet grants the new farm administrator the necessary SQL permissions and adds the account to the local WSS_ADMIN_WPG group on the Windows server. We can verify the access by logging on to the SQL Server > SQL Server Management Studio > verify the new login created for the new user.
The user is mapped to the SharePoint databases with the SharePoint 2010 farm administrator SQL permissions: the db_owner, public and SharePoint_Shell_Access roles for all SharePoint databases in the server farm. This gives the user permission to do things that require changes to the database.
SharePoint 2010: Add farm admin using PowerShell
So, the complete script to add a user to the Farm Administrators group in SharePoint:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#User to Add
$UserID="domain\user"
#*** Add User to SharePoint 2010 Farm Administrator Group ***
#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"}
#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url)
#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"]
#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()
#***Add user to Web App Policy ***
Get-SPWebApplication | foreach-object {
    $WebAppPolicy = $_.Policies.Add($UserID, $UserID)
    $PolicyRole = $_.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $WebAppPolicy.PolicyRoleBindings.Add($PolicyRole)
    $_.Update()
    Write-Host "Added user to $($_.URL)"
}
#*** Grant Shell Admin Access ***
#Get All SharePoint Databases and Add user into Shell Admin access
Get-SPDatabase | Add-SPShellAdmin -Username $UserID
Now the members of this group can perform tasks from SharePoint Central Administration.
To run Add-SPShellAdmin, your account must have:
- Security_Admin role on the SQL Server instance
- db_owner on the SharePoint content database
- Membership in the local Administrators group on the SharePoint server
Tail:
- To get all Shell Administrators, use: Get-SPShellAdmin
- To remove a user from the Shell Admin group: Remove-SPShellAdmin -UserName "Domain\User"
Find Farm Administrators using PowerShell
You may want to check whether a SharePoint user is a farm administrator. The code below lists the members of the Farm Administrators group:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.DisplayName -eq "SharePoint Central Administration v4"}
#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url)
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"]
#List the login name of each member
foreach ($Admin in $FarmAdminGroup.users)
{
    write-host $Admin.LoginName
}
#Release the SPWeb object
$CAWeb.Dispose()
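The listing above covers only the first of the three grants. The following read-only audit is an added example, not part of the original article: it collects Farm Administrators membership, Full Control web application policies and shell admin entries on every database, then reports the accounts that are not on an allow-list. The function name Get-FarmPrivilegeGrant and the entries in $ApprovedAccounts are assumptions made for illustration.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed allow-list (assumption): replace with the accounts approved for your farm.
# In claims-mode web applications, logins appear claims-encoded (e.g. i:0#.w|domain\user).
$ApprovedAccounts = @("BUILTIN\Administrators", "domain\spfarm", "domain\user")

function Get-FarmPrivilegeGrant {
    $grants = @()

    # 1. Members of the Farm Administrators group in Central Administration
    $caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
    $caWeb = Get-SPWeb $caWebApp.Url
    try {
        foreach ($member in $caWeb.SiteGroups["Farm Administrators"].Users) {
            $grants += New-Object PSObject -Property @{
                Grant = "FarmAdministrators"; Scope = $caWebApp.Url; Account = $member.LoginName }
        }
    }
    finally { $caWeb.Dispose() }

    # 2. Web application policies bound to the Full Control policy role
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($policy in $webApp.Policies) {
            $isFull = $policy.PolicyRoleBindings | Where-Object {
                $_.Type -eq [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl }
            if ($isFull) {
                $grants += New-Object PSObject -Property @{
                    Grant = "WebAppFullControl"; Scope = $webApp.Url; Account = $policy.UserName }
            }
        }
    }

    # 3. Shell admins on every SharePoint database (content, configuration, service)
    foreach ($db in Get-SPDatabase) {
        foreach ($admin in Get-SPShellAdmin -database $db) {
            $grants += New-Object PSObject -Property @{
                Grant = "ShellAdmin"; Scope = $db.Name; Account = $admin.UserName }
        }
    }
    $grants
}

# Report every grant held by an account that is not on the allow-list
Get-FarmPrivilegeGrant |
    Where-Object { $ApprovedAccounts -notcontains $_.Account } |
    Sort-Object Account, Grant |
    Format-Table Account, Grant, Scope -AutoSize
```

Run it from the SharePoint Management Shell with an account that already has shell access; an empty table means every grant belongs to an approved account.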
#Get All Content Databases and Add user into Shell Admin access
Get-SPDatabase | Add-SPShellAdmin -Username $UserID
This should be Get-SPContentDatabase I guess
In fact, the Add-ShellAdmin should be run on both SharePoint content database and the configuration database!