Plan Windows PowerShell permissions

Some organizations may want tight control over who is able to run Windows PowerShell cmdlets. This post gives an overview of the permissions required to run a SharePoint 2010 Products for Windows PowerShell cmdlet or script, and of the issues to consider before an administrator grants a user that permission.

In SharePoint Products and Technologies, the only permission required to run the stsadm.exe command-line tool was local administrator on the computer where SharePoint Products and Technologies was installed. In SharePoint 2010 Products, the requirements are very different: local administrator permission is not sufficient to run a Windows PowerShell cmdlet. To run a Windows PowerShell cmdlet in SharePoint 2010 Products, you need the following minimum permissions:

  • Member of the SharePoint_Shell_Access role on the configuration database AND
  • Member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.

To add a user to the SharePoint_Shell_Access role and the WSS_ADMIN_WPG local group, you must use the Add-SPShellAdmin cmdlet. For additional information about how to use this cmdlet, see Add-SPShellAdmin (https://technet.microsoft.com/en-us/library/ff607596.aspx).
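Because these grants are made per database, it helps to review periodically who holds them. The script below is an added example, not part of the original post: it lists SharePoint_Shell_Access holders on the farm configuration database and on each content database, and flags any account that is not on an approved list. The account names in `$approved` are placeholders (assumptions), and the script assumes it is run as a farm administrator in the SharePoint 2010 Management Shell.

```powershell
# Added example: audit SharePoint_Shell_Access holders against an approved list.
# Written for Windows PowerShell 2.0, which SharePoint 2010 Products uses.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder accounts; replace with your approved delegated admins.
$approved = @('CONTOSO\spfarm', 'CONTOSO\sp-ops1')

# Build one finding per (database, user) pair.
function New-Finding($databaseName, $userName) {
    New-Object PSObject -Property @{
        Database = $databaseName
        UserName = $userName
        Approved = ($approved -contains $userName)   # case-insensitive match
    }
}

$findings = @()

# With no -database parameter, Get-SPShellAdmin reports on the
# farm configuration database.
foreach ($admin in @(Get-SPShellAdmin)) {
    $findings += New-Finding '(farm configuration database)' $admin.UserName
}

# Check every content database as well, since a user can be added to the
# role on individual databases with Add-SPShellAdmin -database.
foreach ($db in @(Get-SPContentDatabase)) {
    foreach ($admin in @(Get-SPShellAdmin -database $db)) {
        $findings += New-Finding $db.Name $admin.UserName
    }
}

$findings | Sort-Object Database, UserName |
    Format-Table Database, UserName, Approved -AutoSize

# Surface anything that was granted outside the approved list.
$unapproved = @($findings | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} shell access grant(s) are not on the approved list." -f $unapproved.Count)
}
```

A grant that should not be there can be revoked with the Remove-SPShellAdmin cmdlet.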

Questions to ask yourself before you give a user permission to use a SharePoint 2010 Products for Windows PowerShell cmdlet or script:

  • How are you using Windows PowerShell in your environment?
  • Are you comfortable giving a user db_owner permission to SQL databases (see the Add-SPShellAdmin topic for more information)?
  • What IT governance controls are in place to ensure that users to whom delegated administration has been granted are performing appropriate tasks?
  •  Is there a process in place for delegating administration?
  •  For common tasks, does adequate procedural documentation (including checklists or worksheets) exist?
  •  Is there a process in place for rolling back changes?

For additional information about Windows PowerShell, see "SharePoint 2010 Products administration by using Windows PowerShell" (https://technet.microsoft.com/en-us/library/ee806878.aspx).

We'd like to hear how you're using Windows PowerShell, and what content we can provide to help you get the most out of this powerful tool.

-- Kirk Stark, writer