How to manage SharePoint as a non-administrator

Companies lately have become more security conscious. While as a whole this is a good thing, it can make it more difficult to manage the services that IT provides. One of the questions I was recently asked was how we can manage SharePoint as a non-administrator. Please note that I do not think this is a good idea and that it may actually harm the ability to restore services and increase the time to restore services.

Looking at the daily tasks a SharePoint admin must perform, I have come up with this list. It is not meant to be all-inclusive. See this link for more detailed information on Operations Framework and Checklists.

  • Review Logs.

    • IIS Logs
    • ULS - Diagnostics logs
    • Usage logs
    • Event log
  • Review Timer jobs

  • Review Health Analyzer

  • Review Performance Metrics

    • CPU
    • Memory
    • Disk Space
  • Review, Apply Hotfixes, Rollups, Security Updates, Service Packs

  • Analyze and respond to any issues

Q: So how do we do these tasks as a non-administrator?

A: Very carefully.

Review Logs and analyze and respond to any issues

Reviewing and analyzing logs simply requires NTFS permissions on the folders where the logs are stored. This is pretty easy to configure. Responding to issues may require the SharePoint PowerShell Management Shell, which requires that you be a member of SPShellAdmin; depending on how tight security is, you may or may not have this right. Even if you do, you will find that some commands that write to directories or files require you to be an admin on the box and will fail if the correct permissions are not in place.

Review Timer jobs

Log into Central Admin and verify in Monitoring --> Check Job Status that there are no "stuck" jobs. If you find jobs are stuck, you may find that you need to clear the timer cache. To do this you must stop the SharePoint Timer service, but as a non-admin on the server you probably can't do that, so you will need to delegate the ability to manage Windows services. You also might find that you need to manage IIS or reset application pools, both of which typically require admin rights.

Review Health Analyzer

Log into Central Admin and review, in Monitoring --> Review Problems and Solutions, what issues SharePoint has identified. Some health issues will have a Repair Automatically button that will attempt to resolve the issue. If this does not work, you may find you need to review logs, stop/start services, reset IIS, or engage an administrator on the server.

Review Performance Metrics

In order to review performance metrics you will need to be part of the local computer group Performance Monitor Users.  
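
The delegations described in the sections above (NTFS read access to the log folders, SPShellAdmin membership, start/stop rights on the Timer service, and Performance Monitor Users membership) can be provisioned together. The script below is an added example, not part of the original article; the account name CONTOSO\sp-ops, the IIS default log path, and the exact service rights string are assumptions chosen for illustration.

```powershell
# Added example: run once, elevated, by a farm administrator on each SharePoint server.
# CONTOSO\sp-ops is a hypothetical operations account; replace it with your own.
param([string]$Account = 'CONTOSO\sp-ops')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Read-only NTFS access to the ULS and IIS log folders (inherited by files and subfolders).
$ulsPath = [Environment]::ExpandEnvironmentVariables((Get-SPDiagnosticConfig).LogLocation)
$iisPath = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'   # assumption: IIS default location
foreach ($path in $ulsPath, $iisPath) {
    if (Test-Path $path) { & icacls.exe $path /grant "${Account}:(OI)(CI)RX" | Out-Null }
    else { Write-Warning "Log folder not found, skipped: $path" }
}

# 2. SharePoint Management Shell access (configuration database only;
#    content databases need Add-SPShellAdmin -database per database).
Add-SPShellAdmin -UserName $Account

# 3. Performance counters.
& net.exe localgroup 'Performance Monitor Users' $Account /add

# 4. Query/start/stop rights on the SharePoint Timer service only, instead of local admin.
#    RP = start, WP = stop, LC = query status, LO = interrogate, RC = read the descriptor.
$sid  = (New-Object Security.Principal.NTAccount($Account)).Translate(
            [Security.Principal.SecurityIdentifier]).Value
$ace  = "(A;;RPWPLCLORC;;;$sid)"
$sddl = (& sc.exe sdshow SPTimerV4 | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ''
if ($sddl -notmatch '^D:') { throw "Unexpected sdshow output: $sddl" }

if (-not $sddl.Contains($ace)) {
    # Keep the original descriptor so the change can be reverted with 'sc.exe sdset'.
    Set-Content -Path "$env:TEMP\SPTimerV4.sddl.bak" -Value $sddl
    # The new ACE belongs in the DACL, so it goes before the SACL marker if one exists.
    $sacl = $sddl.IndexOf('S:')
    $new  = if ($sacl -ge 0) { $sddl.Insert($sacl, $ace) } else { $sddl + $ace }
    & sc.exe sdset SPTimerV4 $new
}

# Verify: the account's SID should now appear in the service descriptor.
& sc.exe sdshow SPTimerV4
```

IIS resets and application pool recycles are not covered by this delegation and still need an administrator, as noted above.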

Review, Apply Hotfixes, Rollups, Security Updates, Service Packs

This task should be performed with the Install Account. The install account must be an administrator on the local servers. You can disable this account when not patching to harden the server.

How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators

My article is primarily focused on SharePoint 2010, but I have a colleague who has an article for SharePoint 2013 about running PowerShell remotely as a non-administrator.

Conclusion

As you can see, there is a lot of extra configuration that needs to be done to achieve a partial ability to manage SharePoint as a non-administrator. Deep debugging will almost always require admin access in order to dump or trace processes, so my advice is: please do not attempt to run SharePoint servers as a non-administrator.