Plan Windows PowerShell permissions
Some organizations may want tight control over who is able to run Windows PowerShell cmdlets. This post gives an overview of the permissions required to run a SharePoint 2010 Products for Windows PowerShell cmdlet or script, and of the issues to consider before an administrator grants a user that permission.
In SharePoint Products and Technologies, the only permission required to run the stsadm.exe command-line tool was local administrator on the computer where SharePoint Products and Technologies were installed. In SharePoint 2010 Products, the requirements are very different: local administrator permission is not sufficient to run a Windows PowerShell cmdlet. To run a Windows PowerShell cmdlet in SharePoint 2010 Products, you need the following minimum permissions:
- Member of the SharePoint_Shell_Access role on the configuration database AND
- Member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
To add a user to the SharePoint_Shell_Access role and the WSS_ADMIN_WPG local group, the Add-SPShellAdmin cmdlet must be used. For additional information about how to use the Add-SPShellAdmin cmdlet to add a user to the SharePoint_Shell_Access role and WSS_ADMIN_WPG local group, see Add-SPShellAdmin (https://technet.microsoft.com/en-us/library/ff607596.aspx).
Questions to ask yourself before you give a user permission to use a SharePoint 2010 Products for Windows PowerShell cmdlet or script:
- How are you using Windows PowerShell in your environment?
- Are you comfortable giving a user dbo_owner permission to SQL databases (see the Add-SPShellAdmin topic for more information)?
- What IT governance controls are in place to ensure that users to whom delegated administration has been granted are performing appropriate tasks?
- Is there a process in place for delegating administration?
- For common tasks, does adequate procedural documentation (including checklists or worksheets) exist?
- Is there a process in place for rolling back changes?
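One way to back the governance questions above with a repeatable check, as an added example that is not part of the original post: the script lists the members of SharePoint_Shell_Access on each database in the farm and flags any account that is not on an approved list. The `CONTOSO\...` account names and the CSV file name are placeholders, and the script assumes it runs in the SharePoint 2010 Management Shell under an account that already has shell access.

```powershell
# Added example: audit who holds SharePoint_Shell_Access, database by database.
# Written for PowerShell 2.0, which SharePoint 2010 uses.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumption: placeholder accounts. Replace with the accounts your
# delegation process has actually approved.
$approved = @('CONTOSO\sp_farm', 'CONTOSO\sp_opsadmin')

$findings = foreach ($db in Get-SPDatabase) {
    try {
        # Get-SPShellAdmin returns the SharePoint_Shell_Access members for one database.
        $admins = @(Get-SPShellAdmin -database $db -ErrorAction Stop)
    }
    catch {
        # Record databases that could not be read instead of silently skipping them.
        New-Object PSObject -Property @{
            Database = $db.Name; UserName = '(unreadable)'; Status = $_.Exception.Message
        }
        continue
    }
    foreach ($admin in $admins) {
        # -contains is case-insensitive, so DOMAIN\User and domain\user both match.
        $status = if ($approved -contains $admin.UserName) { 'Approved' } else { 'NOT APPROVED' }
        New-Object PSObject -Property @{
            Database = $db.Name; UserName = $admin.UserName; Status = $status
        }
    }
}

# Show unapproved or unreadable entries first and keep a dated record for review.
$findings | Sort-Object Status -Descending | Format-Table Database, UserName, Status -AutoSize
$findings | Export-Csv -Path ("ShellAdminAudit_{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation

# The second requirement is a local group; list its members on this server.
net localgroup WSS_ADMIN_WPG

# Rolling back a delegation that should not exist (placeholder user and database):
# Remove-SPShellAdmin -UserName 'CONTOSO\someuser' -database (Get-SPDatabase | Where-Object { $_.Name -eq 'WSS_Content' })
```

Running the script on a schedule and comparing the dated CSV files shows when a delegation was added outside the documented process.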
For additional information about Windows PowerShell, see "SharePoint 2010 Products administration by using Windows PowerShell" (https://technet.microsoft.com/en-us/library/ee806878.aspx).
We'd like to hear how you're using Windows PowerShell, and what content we can provide to help you get the most out of this powerful tool.
-- Kirk Stark, writer