How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators

Businesses often need certain users to run PowerShell cmdlets in their SharePoint farm without making those users members of the local Administrators group, for security reasons.

The following steps allow you to correctly configure your SharePoint servers to allow certain users access to run SharePoint PowerShell cmdlets.

 On the SharePoint Servers:

Log onto the SharePoint Server(s) as the SharePoint Administrator.

  1. In Computer Management, under Local Users and Groups, add the user(s) to the following Groups:

    1. Remote Desktop Users
    2. WinRMRemoteWMIUsers__
    3. WSS_ADMIN_WPG
    4. Remote Management Users
  2. Still in Computer Management, under Services and Applications, select Services and start Windows Remote Management (WS-Management) if it's not started and ensure it is set to Automatic.

  3. Open the Local Group Policy Editor by typing gpedit.msc at a command prompt

    1.  Go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation and double-click "Allow delegating fresh credentials"
    2. Set this to Enabled, then click the Show button under options.
    3. In the Show Contents dialog box, add the value WSMAN/*.domain.com changing domain.com to match your domain.
    4. Click OK and OK then close the Local Group Policy Editor
  4. Run the SharePoint Management Shell as Administrator

  5. Type Enable-PSRemoting -Force

  6. Type Enable-WSManCredSSP -Role Server

  7. Type winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'

  8. Type winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'

  9. Type Get-SPShellAdmin

    1. This should return only the users who have the SharePoint_Shell_Access role
  10. Type Add-SPShellAdmin -UserName Domain\Username -Database (Get-SPContentDatabase -Identity "ContentDatabaseName")

    1. Replace Domain\Username with the user needing access
    2. Replace ContentDatabaseName with one of the Content Databases
      1. You will need to run this command for all content databases for the user(s) who need access

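      2. NOTE: To grant access to all content databases use the following command. Get-SPDatabase returns every SharePoint database in the farm, not only the content databases, so this grants wider access than the per-database command in step 10: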

        Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName

  11. Type Get-SPShellAdmin

    1. The user you added should now be listed
  12. Type Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI

    1. This will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK
    2. Run the command again to ensure the permissions were applied correctly
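
As an added example (not part of the original post), the following read-only script checks the server-side settings from the steps above for one account. DOMAIN\UserName is a placeholder, and the group check sees direct membership only.

```powershell
# Added example: read-only audit of steps 1-12 for one delegated account.
# Run on the SharePoint server in the SharePoint Management Shell, as Administrator.
param([string]$UserName = 'DOMAIN\UserName')   # placeholder account name

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$report = New-Object System.Collections.ArrayList
function Add-Check([string]$Step, [string]$Check, [bool]$Ok, [string]$Detail) {
    [void]$report.Add([pscustomobject]@{ Step = $Step; Check = $Check; OK = $Ok; Detail = $Detail })
}

# Step 1: direct membership of the four local groups (nested groups are not resolved).
foreach ($g in 'Remote Desktop Users','WinRMRemoteWMIUsers__','WSS_ADMIN_WPG','Remote Management Users') {
    $members = net localgroup $g 2>$null | ForEach-Object { "$_".Trim() }
    Add-Check '1' "Member of $g" ($members -contains $UserName) 'direct membership only'
}

# Step 2: WinRM service running and set to Automatic.
$svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
Add-Check '2' 'WinRM running, Automatic' ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') "$($svc.State)/$($svc.StartMode)"

# Step 6: CredSSP enabled for the WinRM service (server role).
$credssp = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
Add-Check '6' 'CredSSP server role' ($credssp -eq 'true') "CredSSP=$credssp"

# Steps 7-8: shell quotas set by the two winrm commands.
$shells = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
$memory = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
Add-Check '7' 'MaxShellsPerUser = 25' ($shells -eq '25') "current: $shells"
Add-Check '8' 'MaxMemoryPerShellMB = 600' ($memory -eq '600') "current: $memory"

# Steps 9-11: SharePoint_Shell_Access on each content database.
foreach ($db in Get-SPContentDatabase) {
    $admins = @(Get-SPShellAdmin -Database $db | ForEach-Object { $_.UserName })
    Add-Check '10' "Shell admin on $($db.Name)" ($admins -contains $UserName) ($admins -join ', ')
}

# Step 12: session configuration permissions (access may also come via a group).
$perm = (Get-PSSessionConfiguration -Name Microsoft.PowerShell32).Permission
Add-Check '12' 'Microsoft.PowerShell32 ACL' ($perm -like "*$UserName AccessAllowed*") $perm

$report | Format-Table -AutoSize -Wrap
```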

 

On the Client Machine:

Log onto the client machine with the user(s) added in the SharePoint server above.

  1. Open Computer Management and select Services under Services and Applications. Set the Windows Remote Management (WS-Management) service to automatic and start the service.
  2. Open Windows PowerShell as Administrator
  3. Type Enable-WSManCredSSP -Role client -DelegateComputer "SharePointServerName"
    1. Replace SharePointServerName with the FQDN of the SharePoint server
  4. Type $cred=get-Credential
    1. Enter the credentials of the user logged onto the client machine
  5. Type $s=new-PSsession "SharePointServerName" -authentication credssp -credential $cred
    1. Replace SharePointServerName with the FQDN of the SharePoint server
    2. NOTE: If this fails with an "access denied" error, re-run Step 12 on the server to enable configuration of the x64 PowerShell by running Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI
  6. Type Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}
  7. Type Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}
    1. This will return all the content databases in your SharePoint farm and ensure you have access
  8. Type Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}
    1. This will return the SharePoint service instances and ensure you have access
  9. Type Enter-PSSession -session $s

You will now see the server's name in [ ] PS: c:\users\someuser\documents

Example: [sp2013-app.fabrikaminc.local]: PS C:\Users\adamb\Documents>

At this point, the user can run PowerShell scripts on the SharePoint server.

Note: Special thanks to Mark Kordelski & Samer Judeh for the assistance with this!

Updates: 10/8/2014 added information about configuring PowerShell x64

Update: 8/8/2017 adding additional clarification for services, account logins, local group policy