Assign administration of user profiles (SharePoint Server 2010)
Applies to: SharePoint Server 2010
Farm administrators or service application administrators of a User Profile service application can delegate administration of user profiles to a feature administrator. A feature administrator can manage all settings for user profiles, but a feature administrator cannot manage settings for other features or for the entire User Profile service application. A feature administrator can be either a user or a group. For more information, see User Profile service application overview (SharePoint Server 2010).
Note
Farm administrators can use Windows PowerShell to manage services. However, feature administrators cannot use Windows PowerShell for this purpose. Feature administrators must use Central Administration to manage features of the User Profile service.
Before you perform this procedure, confirm the following:
A User Profile Service application is running in the farm. For more information, see Create, edit, or delete a User Profile service application (SharePoint Server 2010).
An instance of the Managed Metadata service exists. For more information, see Create, update, publish, or delete a managed metadata service application (SharePoint Server 2010).
The user or group that you want to manage the feature of the User Profile service is stored in the profile database.
In this article:
Delegate administration of user profiles by using Central Administration
Delegate administration of user profiles by using Windows PowerShell
Delegate administration of user profiles by using Central Administration
You typically use the Central Administration Web site to delegate administration of user profiles in a stand-alone deployment.
To delegate administration of user profiles by using Central Administration
Verify that you have the following administrative credentials:
- To delegate administration of user profiles, you must be either a member of the Farm Administrators group, or you must have been delegated permission to administer the User Profile service application that is running in the farm. For more information, see Assign administration of a User Profile service application (SharePoint Server 2010).
On the Central Administration Web site, in the Application Management section, click Manage service applications.
In the list of service applications, click User Profile Service Application.
On the Service Applications tab, in the Operations section, click Administrators.
On the Administrators for User Profile Service Application page, type or select a user or group account and then click Add.
In the Permissions for Administrator: box, check the Manage Profiles permission level, and then click OK.
Delegate administration of user profiles by using Windows PowerShell
You typically use Windows PowerShell to delegate administration of user profiles when you want to automate the task, which is common in enterprises.
Note
Feature administrators cannot use Windows PowerShell to manage features of the User Profile service. Only Farm Administrators can use Windows PowerShell to manage features.
To delegate administration of user profiles by using Windows PowerShell
Verify that you meet the following minimum requirements:
- See Add-SPShellAdmin.
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
From the Windows PowerShell command prompt (that is, PS C:\>), type the following commands:
To display a list of all service applications and their GUIDs, type the following command:
Get-SPServiceApplication
To create a variable that references the User Profile service application, identified by its GUID, type the following command:
$serviceapp = Get-SPServiceApplication <guid>
Where <guid> is the GUID for the User Profile service application.
To create a variable that contains the list of administrators for the service application, type the following command:
$security = Get-SPServiceApplicationSecurity $serviceapp -Admin
To create a variable that contains the claims principal for a user account, type the following command:
$principalUser1 = New-SPClaimsPrincipal -Identity "<domain\user>" -IdentityType WindowsSamAccountName
Where <domain\user> is the user whom you want to make an Administrator for the Manage Profiles feature of the User Profile service application.
To give Manage Profiles permissions to the claims principal you just created, type the following command:
Grant-SPObjectSecurity $security -Principal $principalUser1 -Rights "Manage Profiles"
To apply the changes to the User Profile service application, type the following command:
Set-SPServiceApplicationSecurity $serviceapp -ObjectSecurity $security -Admin
For more information, see New-SPClaimsPrincipal, Get-SPServiceApplicationSecurity, Get-SPProfileServiceApplicationSecurity, Set-SPProfileServiceApplicationSecurity, and Grant-SPObjectSecurity.
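The commands above can be combined into one script that also checks the permission name before granting it and re-reads the administrator list afterward to confirm that only Manage Profiles was delegated. This is an added example, not part of the original article. It keeps the article's <guid> and <domain\user> placeholders, assumes it is run by a farm administrator in the SharePoint 2010 Management Shell, and uses the NamedAccessRights and AccessRules properties of the security object that Get-SPServiceApplicationSecurity returns.

```powershell
# Added example: delegate "Manage Profiles" and verify the result.
# <guid> and <domain\user> are the same placeholders the article uses.
$appId   = "<guid>"          # GUID shown by Get-SPServiceApplication
$account = "<domain\user>"   # user who will administer user profiles
$right   = "Manage Profiles"

$serviceapp = Get-SPServiceApplication $appId
if (-not $serviceapp) { throw "No service application found for $appId" }

$security = Get-SPServiceApplicationSecurity $serviceapp -Admin

# Confirm that this service application offers the right before granting it.
$available = $security.NamedAccessRights | ForEach-Object { $_.Name }
if ($available -notcontains $right) {
    throw "'$right' is not offered by $($serviceapp.DisplayName). Available: $($available -join ', ')"
}

# Record the administrators before the change for the audit trail.
Write-Host "Administrators before:"
$security.AccessRules | Format-Table Name, AllowedRights -AutoSize | Out-Host

$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity $security -Principal $principal -Rights $right
Set-SPServiceApplicationSecurity $serviceapp -ObjectSecurity $security -Admin

# Re-read the list from the farm instead of trusting the in-memory object.
$after = Get-SPServiceApplicationSecurity $serviceapp -Admin
Write-Host "Administrators after:"
$after.AccessRules | Format-Table Name, AllowedRights -AutoSize | Out-Host
```

In the "after" listing, the delegated account should show only the Manage Profiles right. An entry with Full Control means the account can administer the entire service application, not just user profiles.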
See Also
Concepts
User Profile Service administration (SharePoint Server 2010)
Assign administration of a User Profile service application (SharePoint Server 2010)
User Profile service application overview (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)