Assign or remove administrators to a service application (SharePoint Server 2010)
Applies to: SharePoint Server 2010, SharePoint Foundation 2010
An administrator of a Microsoft SharePoint Server 2010 service application can assign additional administrators to that service application. These users are granted security-trimmed access to the SharePoint Central Administration Web site and can manage settings related to the service application. You can similarly remove administrators from a service application.
Note
By default, members of the Farm Administrators group have permissions to manage all service applications.
You can assign or remove service application administrators by using Central Administration or by using Windows PowerShell 2.0.
To assign or remove administrators to a service application by using Central Administration
1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
2. On the Central Administration Home page, in the Application Management section, click Manage service applications.
3. On the Manage Service Applications page, select the row that contains the service application to which you want to add or remove administrators. The ribbon becomes available.
4. On the ribbon, click Administrators.
5. To add an administrator:
   a. In the first text box on the page, type the user accounts or groups that you want to add. You can click the People icon to validate a name. You can click the Address book icon to search for users to add. You can add multiple administrators into the text box.
   b. After you have added the administrators, click OK.
6. To remove an administrator:
   a. In the second text box on the page, select the administrator whom you want to remove. Note that this step does not remove the user from the system—it merely revokes the user’s administrative permissions to the selected service application.
   b. Click Remove.
   c. After you have finished removing administrators, click OK.
To assign or remove administrators to a service application by using Windows PowerShell
1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
2. On the Start menu, click All Programs.
3. Click Microsoft SharePoint 2010 Products.
4. Click SharePoint 2010 Management Shell.
5. At the Windows PowerShell command prompt type the following commands.
6. To create a new claims principal, type the following command:
   $principal = New-SPClaimsPrincipal "<contoso\jane>" -IdentityType WindowsSamAccountName
   Where <contoso\jane> is the user name for which you want to assign administrative permissions. The user name should be entered in the form of jane@contoso.com or contoso\jane. The new claims principal is stored in the $principal variable.
7. To retrieve the service application, type the following command:
   $spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
   Where <ServiceApplicationDisplayName> is the display name of the service application. The service application identification is stored in the $spapp variable.
   Important
   The display name must be enclosed in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has exactly the same display name (we do not recommend this), you can use the Get-SPServiceApplication cmdlet to view all service applications. You can then identify the service application by its GUID. For more information, see Get-SPServiceApplication.
8. To retrieve the administrator security object for the service application, type the following command:
   $security = Get-SPServiceApplicationSecurity $spapp -Admin
   The retrieved administrator security object is stored in the $security variable.
   Warning
   It is important that you use the -Admin argument when you use this command.
9. To assign or revoke administrative permissions for the user who is identified by the new claims principal $principal (that was created in Step 6 of this procedure) to the service application administrator security object $security (that was obtained in Step 8 of this procedure) use the appropriate command as follows.
   - To assign administrative permissions, type the following command:
     Grant-SPObjectSecurity $security $principal "Full Control"
   - To revoke administrative permissions, type the following command:
     Revoke-SPObjectSecurity $security $principal
10. To assign the updated $security security object to the service application, type the following command:
    Set-SPServiceApplicationSecurity $spapp $security -Admin
    Warning
    It is important that you use the -Admin argument when you use this command.
11. To confirm that the service application’s security object is updated appropriately, type the following command:
    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
Examples
In the following example, the service account user "contoso\jane" is added to the administrators security object for the service application named "Contoso Visio Graphics".
$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Grant-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
In the following example, the service account user "contoso\jane" is removed from the administrators security object for the service application named "Contoso Visio Graphics".
$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Revoke-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
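The following added example is not part of the original article. It applies the confirmation command from the procedure to every service application in the farm and reports each administrator entry, marking duplicate display names and principals that are not on an allow-list. The allow-list accounts are constructed, and the Name and AllowedRights properties of the access rules and the claims-encoded name format are assumptions.

```powershell
# Added example: audit who holds administrator rights on each service application.
# Run in the SharePoint 2010 Management Shell with farm administrator rights.

# Constructed allow-list of accounts expected to administer service applications.
$approved = @('contoso\jane', 'contoso\svc-spadmin')

$apps = @(Get-SPServiceApplication)

# Display names used more than once cannot be resolved safely with -Name;
# those applications have to be addressed by their GUID (the Id column).
$duplicateNames = @($apps | Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

$report = foreach ($app in $apps) {
    try {
        # -Admin returns the administrators security object.
        $security = Get-SPServiceApplicationSecurity $app -Admin -ErrorAction Stop
    } catch {
        Write-Warning "Could not read admin security for '$($app.DisplayName)': $_"
        continue
    }
    foreach ($rule in $security.AccessRules) {
        # Assumption: Name is claims-encoded (for example i:0#.w|contoso\jane),
        # so compare only the part after the last "|".
        $account = ($rule.Name -split '\|')[-1]
        New-Object PSObject -Property @{
            ServiceApplication = $app.DisplayName
            Id                 = $app.Id
            DuplicateName      = ($duplicateNames -contains $app.DisplayName)
            Principal          = $rule.Name
            AllowedRights      = $rule.AllowedRights
            Approved           = ($approved -contains $account)
        }
    }
}

# Full listing, then only the entries that are not on the allow-list.
$report | Sort-Object ServiceApplication, Principal |
    Format-Table ServiceApplication, Id, DuplicateName, Principal, AllowedRights, Approved -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) administrator entries are not on the allow-list:"
    $unapproved | Format-Table ServiceApplication, Id, Principal, AllowedRights -AutoSize
}
```

Review the membership of the Farm Administrators group separately, because its members have permissions to manage all service applications by default.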
For more information, see the following Windows PowerShell articles:
Note
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.