SharePoint 2016 Farm Admin account vs. Farm Administrator Group in Central Admin
It is a common understanding that when you add a user into Farm Administrator group via Central admin, then it can access everything in the Central Admin and perform all operations. If you are thinking the same way then it is not correct. As a member of Farm Administrator group, you can perform only certain operations which don’t require access to the SharePoint Server’s Infrastructure. You can view a lot of things but still not completely.
As an example, if you want to create the Web Application (this is required to create Site & App Pool in IIS, Create a Content Database, Update the Config Database, Create A Couple of Timer Jobs and Reset IIS) with the Farm Administrator account then either you will get an Access Denied or Prompt you for the SharePoint Farm Admin Credential. There are many options which you can't do.
In order to get full control on the Central Admin and PowerShell, your user account requires the following permissions:
- - Part of Local Administrator group on all servers in the farm.
- - Farm Administration SharePoint Group.
- - SharePoint_Shell_Access to run the SharePoint PowerShell.
Here is a table which will tell you what you can do and can’t as a member of SharePoint Farm Administrator Group Only.
| Central Admin Category | Sub-Category | Component | Member of Administrators group on the local computer | Member of Farm Administrators SharePoint group |
| Application Management | Web applications | Manage web applications | Full Control | Manage Features, managed Paths, Service Connections, Self-Service Site Creation, Blocked File Types, User Permissions, Web part Security, User Policy, Anonymous Policy, Permission Policy |
| Configure alternate access mappings | Full Control | Edit Public URLs, Map to External Resource, Add Internal URLs | ||
| Site Collections | Site Collections | Full Control | Create site collections, Delete a site collection, Confirm site use and deletion, Specify quota templates, Configure quotas and locks, Change site collection administrators, View all site collections, Configure self-service site creation | |
| Service Applications | Manage service applications | Full Control | Connect, Manage, Publish, Permissions, Administrator | |
| Service Application Associations | Full Control | Edit, Change | ||
| Databases | Manage content databases | Full Control | Add, Delete, Edit | |
| Specify the default database server | Full Control | Edit | ||
| Configure the data retrieval service | Full Control | Can change | ||
| System Settings | Servers | Manage servers in this farm | Full Control | View |
| Manage services in this farm | Full Control | View | ||
| Manage services on server | Full Control | View | ||
| Convert server role in this farm | Full Control | View | ||
| E-Mail and Text Messages (SMS) | Configure outgoing e-mail settings | Full Control | Yes | |
| Configure mobile account | Full Control | Yes | ||
| Farm Management | Configure alternate access mappings | Full Control | Edit, Change | |
| Manage farm features | Full Control | Activate, Deactivate | ||
| Manage farm solutions | Full Control | View | ||
| Manage user solutions | Full Control | Yes | ||
| Configure privacy options | Full Control | Yes | ||
| Configure cross-firewall access zone | Full Control | Yes | ||
| Monitoring | Health Analyzer | Review problems and solutions | Full Control | View, Edit, Delete, Set the alerts, Reanalyze |
| Review rule definitions | Full Control | Yes | ||
| Timer Jobs | Review job definitions | Full Control | Timer Job Status, Scheduled Jobs, Running Jobs, Job History, Job Definitions | |
| Check job status | Full Control | Yes | ||
| Reporting | View administrative reports | Full Control | Yes | |
| Configure diagnostic logging | Full Control | Enable, Disable, Full Control | ||
| View health reports | Full Control | Yes | ||
| Backup and Restore | Farm Backup and Restore | Perform a backup | Full Control | No |
| Restore from a backup | Full Control | No | ||
| Configure backup settings | Full Control | No | ||
| View backup and restore history | Full Control | Yes | ||
| Check backup and restore job status | Full Control | Yes | ||
| Granular Backup | Perform a site collection backup | Full Control | Yes | |
| Export a site or list | Full Control | Yes | ||
| Recover data from an unattached content database | Full Control | Yes | ||
| Check granular backup job status | Full Control | Yes | ||
| Security | Users | Manage the farm administrators group | Full Control | View Only |
| Approve or reject distribution groups | Full Control | Yes | ||
| Specify web application user policy | Full Control | Yes | ||
| General Security | Configure managed accounts | Full Control | Yes | |
| Configure service accounts | Full Control | No | ||
| Configure password change settings | Full Control | Yes | ||
| Specify authentication providers | Full Control | View Only | ||
| Manage trust | Full Control | Yes | ||
| Manage antivirus settings | Full Control | Yes | ||
| Define blocked file types | Full Control | Yes | ||
| Manage web part security | Full Control | Yes | ||
| Configure self-service site creation | Full Control | Yes | ||
| Information policy | Configure information rights management | Full Control | Yes | |
| Configure Information Management Policy | Full Control | Yes | ||
| Upgrade and Migration | Upgrade and Patch Management | Convert farm license type | Full Control | No |
| Enable Enterprise Features | Full Control | Yes | ||
| Enable Features on Existing Sites | Full Control | Yes | ||
| Check product and patch installation status | Full Control | Yes | ||
| Review database status | Full Control | Yes | ||
| Check upgrade status | Full Control | Yes | ||
| General Application Settings | External Service Connections | Configure send to connections | Full Control | Yes |
| Configure document conversions | Full Control | Yes | ||
| InfoPath Forms Services | Manage form templates | Full Control | Yes | |
| Configure InfoPath Forms Services | Full Control | Yes | ||
| Upload form template | Full Control | No | ||
| Manage data connection files | Full Control | Yes | ||
| Configure InfoPath Forms Services Web Service Proxy | Full Control | Yes | ||
| SharePoint Designer | Configure SharePoint Designer settings | Full Control | Yes | |
| Search | Farm Search Administration | Full Control | Yes | |
| Crawler Impact Rules | Full Control | Yes | ||
| Content Deployment | Configure content deployment paths and jobs | Full Control | Yes | |
| Configure content deployment | Full Control | Yes | ||
| Check deployment of specific content | Full Control | Yes | ||
| PWA Settings | Manage | Full Control | Yes | |
| Apps | SharePoint and Office Store | Purchase Apps | Full Control | Yes |
| Manage App Licenses | Full Control | Yes | ||
| Configure Store Settings | Full Control | Yes | ||
| App Management | Manage App Catalog | Full Control | Yes | |
| Monitor Apps | Full Control | Yes | ||
| Configure App URLs | Full Control | Yes | ||
| App Permissions- | Full Control | Yes | ||
| Office 365 | Office 365 | Configure Yammer | Full Control | Yes |
| How to configure SharePoint Insights | Full Control | Yes | ||
| Configure hybrid OneDrive and Sites features | Full Control | Yes | ||
| Configuration Wizards | Farm Configuration | Launch the Farm Configuration Wizard | Full Control | No |
This applies to almost all versions of SharePoint (specifically 2007, 2010, 2013, 2016).