Required Permissions in SharePoint Farm for executing PowerShell scripts

By

Before you execute any of the SharePoint Cmdlet you must be sure that you have necessary permissions to execute in the farm. Also you must have access to local WSS_ADMIN_WPG group where you are executing the cmdlet. Also you must be member of the SharePoint_Shell_Access SQL role within the databases your cmdlet calls in to interact with. Some commands also require you to be a member of the local administrator and farm administrator grooups. For ex. to create a web application, you must be a local administrator and farm administrator.

In Regards to adding users to the WSS_ADMIN_WPG group and SharePoint_Shell_Access SQL role, you must not be adding users directly to these groups rather you should use Add_SpShellAdmin cmdlet. This cmdlets accepts optional database name as parameter. If you do not pass this parameter it will add the user to the SharePoint_Shell_Access SQL role in the SharePoint configuration database only.










Above third line of code, it will add Add_SPShellAdmin SQL role in all the SharePoint databases including configuration database. Also you must be farm administrator and you must have securityadmin SQL role in order to execute this cmdlet.

  • Use Remove-SPShellAdmin to reveke access

When it comes to removing access you should use the above command to remove permissions, however it will not remove access to the user from WSS_ADMIN_WPG group on any server. You should remove this access manually. I recommend you should create "SharePoint Shell Access" AD group or groups if you want more fine grained control and grant these group Add-SPShellAdmin access there by avoiding the case users retaining the rights, where they shouldn't.

When we get to the point where we need to execute scripts you may have to set execution policy  to allow scripts to run. You could do this using Set-ExecutionPolicy  by passing the execution policy.

  • Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
While setting policy for production farms I recommend using policy scope to Process so it does not persist other PowerShell instances.

Comments

Post a Comment

Popular posts from this blog

SharePoint logs and IIS logs backup/archive and Compress to a file

By
The data keeps on growing as the SharePoint Farm being adopted more into the company and customers. It brings more challenges in terms of keeping up with the pace of requests and data administration. We are going to address today one part of that problem which is managing SharePoint LOGS weather it is ULS, Diagnostic and Analytic logging. Also it includes IIS logs. To address this challenge I did wrote a small script to migrate these logs to a different directory and them zip these logs and move to a network storage or to another directory on the local hard drive. Some of the challenges to achieve this were ·         There are IIS logs with same file names in different directories (mainly IIS logs) we need to maintain the directories structure to not miss any logs. ·         The criteria to move these logs out is based on a number of day , like I need to move all the logs 15 or older away from the default logs folder or drive. ·         Then zip these logs and add to sa
Read more

PowerShell Cmdlets to Upgrade Content Databases from SP 2010 to 2013

By
Image
In this new article, I will summarize basic  Powershell  cmdelts we have available to upgrade  SharePoint 2010  content databases to  SharePoint 2013 : Before going into detail, you can list available cmdlets by executing the following PowerShell sentence in the  SharePoint 2013 Administration Console : Get-help *SPContentDatabase After executing this sentence, you will have a list with all the cmdlets available: From this list, the cmdlets we are interested in are the following:  Test-SPContentDatabse, Upgrade-SPContentDatabase and Mount-SPContentDatabase. Test-SPContentDatabase  cmdlet allows you to identify any issue or customization you could take into account when upgrading a content database to SharePoint 2013: features installed in the SharePoint 2010 environment that should be in the SharePoint 2013 ones, language packs installed, etc. Below, you can find the general syntax for Test-SPContentDatabase. Test-SPContentDatabase –Name <Co
Read more

Can you move a single large site collection into multiple content databases?

By
Although single content databases of upto 200GB is possible in Sharepoint 2010, administering and managing such a db would be a nightmare. What would you suggest for options in a case where there is one site collection and one corresponding content database. Can you have more than one content db for that one site collection? Can you expand the table to be hosted on other sql servers/machines? Does RBS help? Expert Comments: Officially there is support up to 4TBs with optimization, but realistically that is difficult to support and should only be used in extreme exceptions. Technically there were no real changes made to support the additional sizes, it was just an update to guidance. I still try and work with my customers to maintain databases no larger than 75-100GBs unless absolutely necessary. I do have customers with multi-terabyte farms. A single site collection can only use 1 Content DB. It is possible though to create solutions that use a single site collection that
Read more