Поделиться через


How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators

Businesses often need certain users to be able to run PowerShell cmdlets in their SharePoint farm and they don’t want those users to be part of the local administrators group for security reasons.

The following steps allow you to correctly configure your SharePoint servers to allow certain users access to run SharePoint PowerShell cmdlets.

 On the SharePoint Servers:

Log onto the SharePoint Server(s) as the SharePoint Administrator

  1. In Computer Management, under Local Users and Groups, add the user(s) to the following Groups:

    1. Remote Desktop Users
    2. WinRMRemoteWMIUsers__
    3. WSS_ADMIN_WPG
    4. Remote Management Users
  2. Still in Computer Management, under Services and Applications, select Services and start Windows Remote Management (WS-Management) if it's not started and ensure it is set to Automatic.

  3. Open the Local Group Policy Editor by typing gpedit.msc at a command prompt

    1.  Go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation and double-click "Allow delegating fresh credentials"
    2. Set this to Enabled, then click the Show button under options.
    3. In the Show Contents dialog box, add the value WSMAN/*.domain.com changing domain.com to match your domain.
    4. Click OK and OK then close the Local Group Policy Editor
  4. Run the SharePoint Management Shell as Administrator

  5. Type Enable-PSRemoting -Force

  6. Type Enable-WSManCredSSP –Role Server

  7. Type winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'

  8. Type winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'

  9. Type Get-SPShellAdmin

    1. This should only return all the users who have the SharePoint_Shell_Access role
  10. Type Add-SPShellAdmin -UserName Domain\Username -Database (Get-SPContentDatabase -Identity “ContentDatabaseName”)

    1. Replace Domain\Username with the user needing access
    2. Replace ContentDatabaseName with one of the Content Databases
      1. You will need to run this command for all content databases for the user(s) who need access

      2. NOTE-> To grant access to all content databases use the following command:

        Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName

  11. Type Get-SPShellAdmin

    1. The user you added should now be listed
  12. Type Set-PSSessionConfiguration -Name Microsoft.PowerShell32 –ShowSecurityDescriptorUI

    1. This will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK
    2. Run the command again to ensure the permissions were applied correctly

 

On the Client Machine:

Log onto the client machine with the user(s) added in the SharePoint server above.

  1. Open Computer Management and select Services under Services and Applications. Set the Windows Remote Management (WS-Management) service to automatic and start the service.
  2. Open Windows PowerShell as Administrator
  3. Type Enable-WSManCredSSP -Role client -DelegateComputer “SharePointServerName” 
    1. Replace SharePointServerName with the FQDN of the SharePoint server
  4. Type $cred=get-Credential
    1. Enter the credentials of the user logged onto the client machine
  5. Type $s=new-PSsession “SharePointServerName” -authentication credssp -credential $cred
    1. Replace SharePointServerName with the FQDN of the SharePoint server
    2. NOTE: If this fails with an "access denied" error, re-run Step 10 on the server to enable configuration of the x64 PowerShell by running Set-PSSessionConfiguration -Name Microsoft.PowerShell32 –ShowSecurityDescriptorUI
  6. Type Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}
  7. Type Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}
    1. This will return all the content databases in your SharePoint farm and ensure you have access
  8. Type Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}
    1. This will return the SharePoint service instances and ensure you have access
  9. Type Enter-PSSession -session $s

You will now see the servers name in [ ] PS: c:\users\someuser\documents

Example: [sp2013-app.fabrikaminc.local]: PS C:\Users\adamb\Documents>

At this point, the user can implement PowerShell scripts on the SharePoint server.

Note: Special thanks to Mark Kordelski & Samer Judeh for the assistance with this!

Updates: 10/8/2014 added information about configuring PowerShell x64

Update: 8/8/2017 adding additional clarification for services, account logins, local group policy

Comments

  • Anonymous
    January 01, 2003
    Very nice article around Non-Administrators running commands.
  • Anonymous
    September 18, 2014
    How
  • Anonymous
    December 17, 2014
    Dear Anne, Many thanks for this post from-out Belgium.
  • Anonymous
    April 09, 2015
    Thanks for this helpful information I agree with all points you have given to us. I will follow all of them.
    http://staygreenacademy.com/sharepoint-videos-training-tutorial/">sharepoint 2013 training videos
  • Anonymous
    April 30, 2015
    The comment has been removed
  • Anonymous
    June 24, 2015
    Excellent Blog Ann. Does it work in Cross domain Scenario if i am trying to run powershell remotely from a different domain having two way trust between SP and Remote domain.
  • Anonymous
    June 25, 2015
    awesome instructions. most details and easy to follow that I have found online
  • Anonymous
    July 24, 2015
    Great post but - seriously - sixteen steps on two different machines? Windows - excessively complicated, poorly designed.

    Things like this, unnecessarily complicated, are colossal time-wasters.

    TCO anybody?

    Leland
  • Anonymous
    July 28, 2015
    I have to agree with Leland about this. I have a SharePoint server, and been struggling to get WinRM to work with it for months and can't get any help anywhere (I suppose I can pay 500 dollars but I refuse)

    There's a SPN for http/server set to the app pool farm account, that seems to displease winrm. I can't change who owns the spn because then I have all sorts of problems with SharePoint. So no ones been able to tell me how to get winrm and sharepoint to get along. It's ridiculous.
  • Anonymous
    July 31, 2015
    Yes this is a total joke. Why is SharePoint so poorly configured for remote powershell access? Active Directory and Exchange "just work" yet SharePoint requires so many hoops to jump through...
  • Anonymous
    September 18, 2015
    Am I missing something? You're adding users to be remote desktop users.
  • Anonymous
    October 14, 2015
    The given information in this article is very informative
    http://www.staygreenacademy.com/sharepoint-online-training/

  • Anonymous
    October 15, 2015

    GET YOUR PROBLEM SOLVE TODAY WITH MY PROFESSION IN ANY SPIRITUAL SPELL OR ANY KIND OF PHYSICAL BATTLE THAT NEED, MY NAME IS DR SYLVESTER AND THIS IS MY EMAIL FOR CONTACT (stbenson391@gmail.com) OR YOU CAN FOLLOW HIM UP ON FACEBOOK BY MY NAME (SYLVESTER E BENSON) ON FACEBOOK OR CALL ME ON MY MOBILE NUMBER +2348136090988, AM ALWAYS AVAILABLE TO RENDER YOU HELP WITH EXPERIENCE OF 32 YEARS IN SPELL CASTING AND HERBAL MEDICURE TO CURE ANY KIND OF DISEASE THAT YOU MAY HAVE, CONTACT ME ON ANY KIND OF ISSUES.
  • Anonymous
    October 22, 2015
    We have followed all steps but still had an access denied error and have fixed it adding a remote user to the group.
    May be it will help somebody. We are running SharePoint 2013 Enterprise on Windows 2012 R2.
  • Anonymous
    October 22, 2015
    to the group
  • Anonymous
    October 22, 2015
    to the "WinRMRemoteWMIUsers__" group
  • Anonymous
    October 22, 2015
    WinRMRemoteWMIUsers__
  • Anonymous
    December 15, 2015
    Nice Blog..