Skip Ribbon Commands
Skip to main content
Sign In
Zach Rosenfield
SharePoint Program Manager, Infrastructure
 RSS Feed
Zach Rosenfield's SharePoint Blog > Posts > SharePoint 2010 PowerShell Permissions Explained
December 28
SharePoint 2010 PowerShell Permissions Explained
by  
  on 12/28/2009 1:46 PM

SharePoint 2010 has increased flexibility for administrative privileges of command line operations.  The end result is that there is a bit more complexity in setting up your administrative privileges, so I wanted to create a post to try and clear up administration permissions for SharePoint 2010. 

Foremost, please keep in mind that I’m going to discuss the minimum required privileges for each role—so there are lots of additional configurations; this is the just bare requirements.

First we need to talk about Central Administration, as the different permissions often lead to confusion.  To access Central Administration, you need to be a Farm Administration—aka, a member of the “Farm Administrators Group”.  This is really a UI only permission (I recommend you think of “Farm Adminstration Privs” as “The ability to use Central Admin”.  The reason for this is that Farm Administrators have the ability to run operations via-the Central Administation Web Application; keep in mind that no operation actually runs against the Configuration Database as the user but rather as the App Pool account for the Web App.

With STSADM and PowerShell, all commands are run as the user who executes the command (not through the Central Admin Web Application).  The good part about this is that any command can be run from any machine (no CA required), but this means that the user themselves needs the proper permissions.  With STSADM, the user required Box, Farm, and SQL permissions—way too much to run a truly “Least Privs” environment.  With 2010 there is the flexibility to only require PowerShell & SQL permissions*. 

                *Note: Box permissions are required for a small subset of commands that touch the Windows filesystem or registry.  Also, Box and SQL are required for all “setup” operations.

On that note, there are only two requirements for most commands.  The user must be:

·         A member of the WSS_ADMIN_WGP group (this is a Windows Group on the machine the user is executing commands on)

·         A member of the “SharePoint_Shell_Access” role on the configuration database (this is a SQL Role)

To simplify the management of these roles we have created a set of PowerShell commands (noun is “SPShellAdmin”) to add and remove Shell Administrators.  You’ll notice that the commands allow you to designate a specific database, this is because the “Shell Admin” role by default only gives the user access to the Configuration Database; the shell admin must be given access to each individual service and content database they are “allowed to manipulate” (i.e.: to delete a content database, the user must be a shell admin on that database).

                *IMPORTANT: The Shell Admin commands in SharePoint 2010 Beta do not fully setup these roles; you need to add the WSS_ADMIN_WGP role manually.

Please keep in mind that each command is just running object model, so additional permissions may be required for specific commands.  For example, you may need Service Application permissions to run commands against a certain service application.

Hopefully I’ve made permissions a little easier to understand—but if you’ve still got questions, put them in the comments section below.

Thanks,
Zach

Permanent Link to Post | Email Post Link | Number of Comments 7 Comment(s)

Comments

Good stuff

Thanks for the information Zach.

tk
 on 12/30/2009 1:56 PM

nice post

 on 1/10/2010 11:04 PM

Is this possible?

Is it possible to check the following through PS:

- if the current server is the central admin server

- if the sp admin service is running on all servers in the farm (to prevent issues with farm deployments)

- if the sp version is in sync on all servers in the farm
(to prevent issues with farm deployments)

Thanks

Donal

 on 3/30/2010 8:46 AM

Great Information

Thnks for sharing such informations, its really very helpful.
 on 5/12/2010 9:46 PM

PowerShell assigning ACL's during migration

Hi Zach,

  I am following your SP blogs and would like to thank you very much for this great information.

I have a question. I am working on a team who is migrating from MOSS 2007 to SP 2010. We have to move all the permissions on the site, object, alerts or whatever a user has to the SP 2010 environment.

  In MOSS, all the permissions, groups or any of those infrormation is stored in an AD Directory and in SP 2010 everything will be moved to a Global LDAP directory. So, is there a way we can use PowerShell to do the ReACLing(RePermissioning) to SP2010?

Thank you for your time.

Regards
Shawn
 on 6/21/2010 5:13 AM

Least Privilege Rights and Shell_Admin_Access

Hi Zach,

I'm stuck with a weird problem (from my point of view). I tried to install my SP2010 farm from scratch using the best practice of least privilege accounts.
I created an account called SPInstall that is in the local Administrors group of the SharePoint Server, and has SecurityAdmin and DBCreator right on the SQL Server (like in MOSS2007), the install was successfull. I also have a SPSystem account used for the CA Pool (Database access account as called by SharePoint).
So, this is my problem, when I create a new WebApplication, the SPInstall doesn't have any access to the Content database, and if i wan't to run a powershell command (GrantAccessToProcessIdentity) the command doesn't throw an error but nothing is done.
If as SPInstall I try to run
Add-SPShellAdmin -UserName SPInstall -database GUID
It throws an error saying the SPInstall doesn't have right to access the database.
When I give SPInstall a DBOwner right on the Content Database, GrantAccessToProcessIdentity works as expected.

First, Is this a normal behavior ? If yes, what can we do to avoid giving rights directly on the database ?

Thank you for any help !
 on 10/12/2010 8:02 AM

PS - DB Owner

This is normal. When running PS scripts On the server, db_owner right is required.
 on 4/10/2012 9:48 PM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title


Comments *


Name (required) *


Human Test


Checking if you're human: enter "1234" (no quotes)

Attachments