Adding Additional Farm Admins to an Existing Farm
Scenario: You have installed a SharePoint farm and life is great in your company with you being the only person who looks after that farm! Your employer is kind enough to hire a new resource to help you out. You have been asked to make the new hire a farm admin too.
Problem: Adding additional farm administrators is not as straightforward as the SharePoint Central Administration site makes it look! Just adding the new user to the Farm Administrators group in Central Administration means pretty much nothing! Unless you remember to update different security groups here and there, you could be left wasting hours on troubleshooting. To hopefully save you some time and headaches, here is a process to give a user farm admin privileges.
Solution:
1. To start off, create an AD Group for SharePoint administrators. We’ll use “SharePoint Server Admins” as the name.
2. Add the “SharePoint Server Admins” AD Group to the BUILTIN\Administrators group on each server in the farm.
Note: the (BUILTIN\Administrators) group is already referenced in both the Farm Administrators group in Central Administration and the local WSS_Admin_WPG group as shown in the following two figures:
Central Administration Site > Security > Manage the farm administrators group
WSS_Admin_WPG group
3. Open SQL Management Studio and add the “SharePoint Server Admins” group as a server login with dbcreator, public, and sysadmin server roles as documented here.
4. In the properties of the new SQL login, go to the User Mappings section. In the mapped databases, select the central administration and config databases and ensure that the public and db_owner role memberships are checked. For the config database you will also want to select the SharePoint_Shell_Access role membership to give farm administrators access to execute PowerShell against the farm.
5. Add the new farm admins to the “SharePoint Server Admins” AD Group.
6. Additionally, if you want to give administrator access to the site collections created, add the “SharePoint Server Admins” group to the Site collection administrators of each site collection. Note that to add a domain security group in the site collection administration group in SharePoint Foundation 2010 you need to apply KB 2597136 which was just released today.
[Update 03/16/2012] As per Marco’s comment below, you can also add a user policy (Full Control) for each Web application if you want your SharePoint Server Admins group to access all site collections with the same set of permissions. See the instructions here.
Now we have successfully added a new AD Group to the SharePoint Farm Administrators, which will allow us to add new users through one centralized location (AD). This makes adding users simpler by not having to add users individually to each of the places described above. Nice, easy, and centrally managed. Enjoy!
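Steps 3 and 4 can also be scripted rather than clicked through in Management Studio. The T-SQL below is an added example, not part of the original post: the CONTOSO domain and both database names are placeholders to replace with your own. It uses the older sp_addsrvrolemember and sp_addrolemember procedures, which are also available on SQL Server 2008 R2.

```sql
-- Added example, not from the original post. Placeholders (assumptions):
--   CONTOSO                        = your AD domain
--   SharePoint_Config              = the farm configuration database
--   SharePoint_AdminContent_<GUID> = the Central Administration content database
USE [master];
GO
-- Step 3: Windows login for the AD group plus the server roles from the post.
-- Every login is a member of public automatically, so it needs no statement.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SharePoint Server Admins')
    CREATE LOGIN [CONTOSO\SharePoint Server Admins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SharePoint Server Admins', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SharePoint Server Admins', @rolename = N'sysadmin';
GO
-- Step 4: map the login into the config database (db_owner + shell access).
USE [SharePoint_Config];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\SharePoint Server Admins')
    CREATE USER [CONTOSO\SharePoint Server Admins] FOR LOGIN [CONTOSO\SharePoint Server Admins];
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'CONTOSO\SharePoint Server Admins';
EXEC sp_addrolemember @rolename = N'SharePoint_Shell_Access', @membername = N'CONTOSO\SharePoint Server Admins';
GO
-- Step 4: map the login into the Central Administration content database.
USE [SharePoint_AdminContent_<GUID>];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\SharePoint Server Admins')
    CREATE USER [CONTOSO\SharePoint Server Admins] FOR LOGIN [CONTOSO\SharePoint Server Admins];
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'CONTOSO\SharePoint Server Admins';
GO
-- Check: server roles the group now holds (expect dbcreator and sysadmin).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\SharePoint Server Admins';
-- Check: database roles in the current database; rerun after USE [SharePoint_Config].
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\SharePoint Server Admins';
```

Keeping the output of the two check queries gives you a record of exactly what the group was granted on the SQL side.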
P.S. Below you will find some other related issues and workarounds:
http://sensoft2000-sharepoint.blogspot.com/2010/06/new-ribbon-icon-disabled-in-central.html
http://spdeveloper.net/2010/06/you-cant-create-web-applications-in-central-admin-even-if-youre-farm-admin/
http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/e1f3deee-75c1-402a-8e9f-6c5ff15796b7/
Topic 6.)
I would recommend adding a user policy (Full Control) for each web application.
http://technet.microsoft.com/en-us/library/ff608071.aspx#section1
This won’t rely on the “latest” CU (Feb 2011) and is working for every new site collection out of the box.
@Marco Scheel
That’s a valid point. Updated the post with your comment. Thanks!