How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators


Businesses often need certain users to be able to run PowerShell cmdlets in their SharePoint farm and they don’t want those users to be part of the local administrators group for security reasons.

The following steps allow you to correctly configure your SharePoint servers to allow certain users access to run SharePoint PowerShell cmdlets.

On the SharePoint Servers:

  1. In Server Manager, add the user(s) to the following Groups:

    1. Remote Desktop Users

    2. WinRMRemoteWMIUsers__

    3. WSS_ADMIN_WPG

  2.  Run the SharePoint Management Shell as Administrator

  3. Type Enable-PSRemoting -Force

  4. Type Enable-WSManCredSSP -Role Server

  5. Type winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'

  6. Type winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'

  7. Type Get-SPShellAdmin

    1. This should only return all the users who have the SharePoint_Shell_Access role

  8. Type Add-SPShellAdmin -UserName Domain\Username -Database (Get-SPContentDatabase -Identity "ContentDatabaseName")

    1. Replace Domain\Username with the user needing access

    2. Replace ContentDatabaseName with one of the Content Databases

      1. You will need to run this command for all content databases for the user(s) who need access

      2. NOTE-> To grant access to all content databases use the following command:

        Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName

  9. Type Get-SPShellAdmin

    1. The user you added should now be listed

  10. Type Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI

    1. This will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK

    2. Run the command again to ensure the permissions were applied correctly
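The server-side steps grant access in several separate places, so it helps to read all of them back in one pass. The script below is an added example, not part of the original post: it reports what a given account holds after steps 1 to 10. `DOMAIN\UserName` is a placeholder, and the script lists every `Microsoft.PowerShell*` endpoint rather than only the one named in step 10.

```powershell
# Added audit example, not from the original post. Run on the SharePoint server
# in an elevated SharePoint Management Shell.
$User = 'DOMAIN\UserName'   # placeholder, same form as in step 8
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: direct membership of the three local groups. ADSI is used so this also
# works on PowerShell 3.0; membership through a nested domain group is not resolved.
$suffix = '*/' + $User.Replace('\', '/')
$groups = foreach ($name in 'Remote Desktop Users', 'WinRMRemoteWMIUsers__', 'WSS_ADMIN_WPG') {
    $members = try {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    } catch { @() }   # group missing on this server
    [pscustomobject]@{ Group = $name; IsMember = [bool]($members -like $suffix) }
}

# Steps 7-9: every database where the account is a shell admin. Get-SPDatabase
# returns all farm databases, so grants made with the NOTE in step 8 show up too.
$shellAdmin = foreach ($db in Get-SPDatabase) {
    $names = @(Get-SPShellAdmin -Database $db -ErrorAction SilentlyContinue |
               ForEach-Object { $_.UserName })
    if ($names -contains $User) {
        [pscustomobject]@{ Database = $db.Name; Type = $db.Type }
    }
}

# Step 10: who may connect to each remoting endpoint, without opening the dialog.
$endpoints = Get-PSSessionConfiguration -Name 'Microsoft.PowerShell*' |
    Select-Object Name, Permission

# Steps 5-6: the winrs quotas as the WSMan provider sees them.
$quotas = Get-ChildItem WSMan:\localhost\Shell |
    Where-Object { 'MaxShellsPerUser', 'MaxMemoryPerShellMB' -contains $_.Name } |
    Select-Object Name, Value

$groups     | Format-Table -AutoSize
$shellAdmin | Format-Table -AutoSize
$endpoints  | Format-List
$quotas     | Format-Table -AutoSize
Get-WSManCredSSP   # step 4: shows whether this server accepts delegated credentials
```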

 

On the Client Machine:

  1. Open Windows PowerShell as Administrator

  2. Type Enable-WSManCredSSP -Role client -DelegateComputer "SharePointServerName"

    1. Replace SharePointServerName with the FQDN of the SharePoint server

  3. Type $cred=get-Credential

  4. Type $s=new-PSsession "SharePointServerName" -authentication credssp -credential $cred

    1. Replace SharePointServerName with the FQDN of the SharePoint server

    2. NOTE: If this fails with an "access denied" error, re-run Step 10 on the server to enable configuration of the x64 PowerShell by running Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI
  5. Type Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}

  6. Type Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}

    1. This will return all the content databases in your SharePoint farm and ensure you have access

  7. Type Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}

    1. This will return the SharePoint service instances and ensure you have access

  8. Type Enter-PSSession -session $s

You will now see the server's name in [ ] PS: c:\users\someuser\documents

Example: [sp2013-app.fabrikaminc.local]: PS C:\Users\adamb\Documents>

At this point, the user can run PowerShell scripts on the SharePoint server.
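CredSSP sends the user's credentials to the server named in `-DelegateComputer`, so the client should delegate to that one FQDN only and drop the session and the delegation when the work is done. The wrapper below is an added example, not part of the original post: it runs the client steps with that cleanup. `Invoke-SharePointRemote` is a hypothetical helper name and `SharePointServerName` is the placeholder used in the steps above.

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell
# on the client. Invoke-SharePointRemote is a hypothetical helper name.
function Invoke-SharePointRemote {
    param(
        [Parameter(Mandatory = $true)][string]$Server,            # FQDN of the SharePoint server
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock,
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    # A wildcard target left over from earlier setup would delegate credentials
    # to more hosts than the one SharePoint server.
    if ((Get-WSManCredSSP) -match 'wsman/\*') {
        Write-Warning 'CredSSP client delegation already includes a wildcard target.'
    }
    Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null
    $session = $null
    try {
        $session = New-PSSession -ComputerName $Server -Authentication Credssp `
                                 -Credential $Credential -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
        # Removes all client-side CredSSP delegation, including any set up before this call.
        Disable-WSManCredSSP -Role Client
    }
}

Invoke-SharePointRemote -Server 'SharePointServerName' -ScriptBlock { Get-SPContentDatabase }
```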

Note: Special thanks to Mark Kordelski & Samer Judeh for the assistance with this!

 

Updates: 10/8/2014 added information about configuring PowerShell x64

Comments (18)

  1. LeesaB says:

    Very nice article around Non-Administrators running commands.

  2. B. says:

    Dear Anne, Many thanks for this post from-out Belgium.

  4. Joe says:

    Hi,

    Having followed the above guide to the tee, we are receiving the following errors when invoking the Microsoft.SharePoint.Powershell snap in:

    The following error occurred while loading the extended type data file: Microsoft.SharePoint.Powershell, C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\PowerShell\types\SharepointPowershell.Types.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed..
    The following error occurred while loading the extended type data file: Microsoft.SharePoint.Powershell, C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\PowerShell\types\SPEnterpriseSearch.types.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed..
    The following error occurred while loading the extended type data file: Microsoft.SharePoint.Powershell, C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\PowerShell\types\WSSSearchPowerShell.types.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed..

    This error is not encountered when the remote user executing the script is a local administrator on the SharePoint server. Execution policy is unrestricted.

    Have you any ideas why these errors are occurring?

    Thanks

  5. Shadab Ansari says:

    Excellent Blog Ann. Does it work in a cross-domain scenario if I am trying to run PowerShell remotely from a different domain having two-way trust between SP and Remote domain?

  6. Chris says:

    Awesome instructions. Most details and easy to follow that I have found online

  7. leland says:

    Great post but - seriously - sixteen steps on two different machines? Windows - excessively complicated, poorly designed.

    Things like this, unnecessarily complicated, are colossal time-wasters.

    TCO anybody?

    Leland

  8. VinceP1974 says:

    I have to agree with Leland about this. I have a SharePoint server, and been struggling to get WinRM to work with it for months and can't get any help anywhere (I suppose I can pay 500 dollars but I refuse)

    There's a SPN for http/server set to the app pool farm account, that seems to displease winrm. I can't change who owns the spn because then I have all sorts of problems with SharePoint. So no one's been able to tell me how to get winrm and sharepoint to get along. It's ridiculous.

  9. Greg B says:

    Yes this is a total joke. Why is SharePoint so poorly configured for remote powershell access? Active Directory and Exchange "just work" yet SharePoint requires so many hoops to jump through...

  10. Vishal says:

    Am I missing something? You're adding users to be remote desktop users.

  13. Anna Khloudeneva says:

    We have followed all steps but still had an access denied error and have fixed it adding a remote user to the group.

    Maybe it will help somebody. We are running SharePoint 2013 Enterprise on Windows 2012 R2.

  14. Anna Khloudeneva says:

    to the group

  15. Anna Khloudneva says:

    to the "WinRMRemoteWMIUsers__" group

  16. Anna Khloudeneva says:

    WinRMRemoteWMIUsers__
