How to Add User to Farm Administrator Group in SharePoint?

One of the most critical roles in a SharePoint farm is that of the farm administrator. SharePoint Farm Administration is not merely a job title; it’s a responsibility that encompasses the management of servers, databases, and various components that make up the SharePoint farm. In this comprehensive guide, I’ll walk you through the process of adding a SharePoint farm administrator, providing detailed steps and best practices to help you confidently navigate this task.

Understanding the Role of a Farm Administrator in SharePoint

A SharePoint farm is a logical grouping of SharePoint servers that work together to provide a set of services and functionality to users. It comprises various components, such as Web Front-End (WFE) servers, Application servers, and Database servers. A SharePoint farm administrator is responsible for the overall management, maintenance, and performance of the SharePoint farm. Key tasks of SharePoint Admin include:

  1. Installing and configuring SharePoint servers and components
  2. Monitoring farm health and performance
  3. Applying updates and patches, run SharePoint products configuration wizard
  4. Managing security and permissions
  5. Setup Backup and Disaster Recovery
  6. Optimizing performance and troubleshooting issues

Step-by-Step Guide: Adding a SharePoint Farm Administrator

Now, let’s walk through the process of adding a farm administrator in SharePoint.

By default, the account that was used (logged in) to install SharePoint becomes the SharePoint Farm Administrator. However, there are situations where we need to add additional Farm Administrators to our SharePoint farm in order to delegate tasks. Follow these three steps to add a farm administrator in SharePoint.

  1. Add user to Central Administration Farm Administrator Group
  2. Add user to Web Application Policy with FULL control
  3. Add the user as a ShellAdmin for all SharePoint databases.

Step 1: Add a new user to the farm administrator group from Central Administration

To add a farm administrator to the SharePoint server, add the user to the members of the farm administrators group. Navigate to the SharePoint central administration website:

  1. Central Administration >> Click on “Security” from the left navigation
  2. Click on “Manage the farm administrator group”.
    how to add sharepoint farm administrator
  3. Add the user by clicking New >> Add Users.
  4. In the “Add Users” dialog box, enter the login name of the Active Directory user account you want to assign as a farm administrator.
  5. Click on the “Check Names” button to validate the entered login name.
  6. If the login name is valid, click on the “OK” button to add the user to the Farm Administrators group.
how to add sharepoint farm administrator

The SharePoint Farm Administrators group consists of Local server administrators by default. So, you can see that the members of the administrators group (BUILTIN\Administrators) is already referenced in the Farm Administrators group in Central Administration.

Add user to SharePoint farm administrators group using PowerShell

Adding SharePoint administrator to the SharePoint on-premises farm can also be done in PowerShell. Here is the PowerShell script to add a new farm admin.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#User to Add
$UserID="domain\userID"

#Get Central Administration Web Application
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.IsAdministrationWebApplication}

#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 
#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()

Create a new SharePoint farm administrator with STSADM command line
The equivalent STSADM command to add the farm admin role:

stsadm -o adduser -url <Central Admin URL> -userlogin "Global\FarmAdmin" -useremail "FarmAdmin@domain.com" -group "Farm Administrators" -username "Farm Administrator"

Step 2: Add user to Web Application Policy with Full control

Just adding a user to the SharePoint Farm administrators group will not serve the purpose. If users are only added to the central administration farm administrators group (and the below two steps are skipped!), they will get an “Access denied” error when they try to invoke the STSADM command.

They will get: “The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.” Error if they try to use SharePoint PowerShell cmdlets.
sharepoint farm administrator gets access denied
So, the solution is To add a web application policy for the SharePoint 2010 farm administrator account on the selected/all web application(s).  Follow SharePoint user policy for web applications. We can also use PowerShell to create a web application user policy, which is explained in the provided link.

Once granted FULL control via web application policy, the SharePoint Farm administrators group gets full control as site collection administrator access to all site collections of a particular web application.

Step 3: Add the user as a Shell Admin for all SharePoint databases

The next step is to grant “Shell Admin” access to the user on each content database and configuration database via PowerShell.

You must run this cmdlet from an existing Farm Administrator account’s context, otherwise, you’ll get an error!
Add-SPShellAdmin -UserName "domain\user" -database (Get-SPContentDatabase -Identity "SharePoint_Database_Name")

This cmdlet grants Farm Administrators necessary SQL permissions and adds the account to a local server group WSS_ADMIN_WPG group in the local Windows server. We can verify the access by: Log on to the Microsoft SQL Server > SQL Server Management Studio > verify the new login created for the new user.
sharepoint farm administrator sql permissions
The user is mapped to SharePoint databases, and the user will be added to SharePoint farm administrator SQL permissions: db_owner, public, and SharePoint_Shell_Access Roles for all SharePoint databases in the server farm. This gives the user permission to make changes to the database.

sharepoint farm administrator sql permissions

Add farm admin in SharePoint using PowerShell

So, the complete script to add a user to the Farm Administrator Group in SharePoint is here:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#User to Add
$UserID="domain\user"

#*** Add User to SharePoint Farm Administrator Group ***
#Get SharePoint Central Administration Web site
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.IsAdministrationWebApplication} 

#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 

#Get Farm Administrators Group
$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 

#Add user to the Group
$FarmAdminGroup.AddUser($UserID,"",$UserID , "")
Write-Host "User: $($UserID) has been added to Farm Administrators Group!"
$CAWeb.Dispose()

#***Add user to Web App Policy ***
Get-SPWebApplication | foreach-object {
                $WebAppPolicy = $_.Policies.Add($UserID, $UserID)
                $PolicyRole = $_.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
                $WebAppPolicy.PolicyRoleBindings.Add($PolicyRole)
                $_.Update()
    Write-Host "Added user to $($_.URL)"
} 

#*** Grant Shell Admin Access *** 
#Get All SharePoint Databases and Add user into Shell Admin access
Get-SPDatabase | Add-SPShellAdmin -Username $UserID

Now, the members of this group can perform tasks from the SharePoint Central Administration. To verify the user’s farm administrator privileges, log in to the SharePoint Central Administration website using the newly added user account and ensure that the user has access to all necessary farm-level settings and configurations.

If you planned to use this account as Server Farm Account, then grant these server roles in SQL Server: dbcreator & securityadmin. You have to also add the new user to the Members of the Local Administrator Group on each server, So that the new farm administrator can login to the web servers and perform operations such as backup, restore on the server’s file system, manage IIS, etc.

To run Add-SPShellAdmin, Your account must have:

  • Security_Admin role on SQL Server instance
  • db_owner on the SharePoint content databases
  • Member of Local Administrator Group on SharePoint server

Tail:

  • To get all Shell Administrators, use: Get-SPShellAdmin
  • To remove a user from the Shell Admin Group: Remove-SPShellAdmin -UserName “Domain\User”

Find Farm Administrators using PowerShell

You may want to check if the SharePoint user is a farm administrator. To check SharePoint farm administrator below code can help:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Get Central Admin Web App
$CAWebApp = Get-SPWebApplication -IncludeCentralAdministration | where-object {$_.IsAdministrationWebApplication} 

#Get Central Admin site
$CAWeb = Get-SPweb($CAWebApp.Url) 

$FarmAdminGroup = $CAWeb.SiteGroups["Farm Administrators"] 
foreach ($Admin in $FarmAdminGroup.users) 
{ 
   write-host $Admin.LoginName
}      

Best Practices for Managing Farm Administrators

While adding a farm administrator is a straightforward process, it’s essential to follow best practices to ensure the security and stability of your SharePoint environment.

  1. It’s a good idea to use a security group for SharePoint Farm Admins and add relevant users to it.
  2. Adhere to the principle of least privilege and only assign farm administrator rights to users who absolutely require them.
  3. Regularly review and audit the list of farm administrators to ensure that the permissions are up to date and aligned with the users’ current roles and responsibilities.
  4. Implement a process for onboarding and offboarding farm administrators, including proper documentation and knowledge transfer.
  5. Encourage farm administrators to follow best practices for SharePoint farm management, such as regular backups, performance monitoring, and security hardening.

Conclusion

Adding a SharePoint farm administrator is a crucial task that requires careful consideration and attention to detail. By following the step-by-step guide and best practices outlined in this article, you’ll be well-equipped to manage farm administrators effectively and maintain a secure and efficient SharePoint environment.

Remember, the role of a farm administrator is a critical one, and it’s essential to assign this responsibility to individuals who possess the necessary skills, knowledge, and expertise to handle the complexities of SharePoint farm management.

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

2 thoughts on “How to Add User to Farm Administrator Group in SharePoint?

  • #Get All Content Databases and Add user into Shell Admin access
    Get-SPDatabase | Add-SPShellAdmin -Username $UserID

    This should be Get-SPContentDatabase I guess

    Reply
    • In fact, the Add-ShellAdmin should be run on both SharePoint content database and the configuration database!

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *