
Assign or remove administrators to a service application (SharePoint 2013)

Published: November 6, 2012

Summary: Learn how to assign or remove service administrators to a service application in SharePoint 2013.

Applies to:  SharePoint Server 2013 | SharePoint Foundation 2013 

An administrator of a SharePoint 2013 service application can assign additional administrators to that service application. These users are granted security-trimmed access to the SharePoint Central Administration Web site and can manage settings related to the service application. An administrator of a SharePoint 2013 service application can also remove administrators from a service application.

Note:

By default, members of the Farm Administrators group have permissions to manage all service applications.

You can assign or remove service application administrators by using Central Administration or by using Windows PowerShell 3.0.

Note:

Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

To assign or remove administrators to a service application by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the Central Administration Home page, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, select the row that contains the service application to which you want to add or remove administrators. The ribbon becomes available.

  4. On the ribbon, click Administrators.

  5. To add an administrator:

    1. In the first text box on the page, type the user accounts or groups that you want to add. You can click the People icon to validate a name. You can click the Address book icon to search for users to add. You can add multiple administrators into the text box.

    2. After you have added the administrators, click OK.

  6. To remove an administrator:

    1. In the second text box on the page, select the administrator whom you want to remove. Note that this step does not remove the user from the system—it merely revokes the user’s administrative permissions to the selected service application.

    2. Click Remove.

    3. After you have finished removing administrators, click OK.

To assign or remove administrators to a service application by using Windows PowerShell

  1. Verify that you meet the following minimum requirements:

    • You must have membership in the securityadmin fixed server role on the SQL Server instance.

    • You must have membership in the db_owner fixed database role on all databases that are to be updated.

    • You must be a member of the Administrators group on the server on which you are running the Windows PowerShell cmdlet.

    Note:

    If these permissions are not satisfied, contact your Setup administrator or SQL Server administrator to request these permissions.

    For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.

  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. To create a claims principal, at the Windows PowerShell command prompt, type the following command:

    $principal = New-SPClaimsPrincipal "<contoso\jane>" -IdentityType WindowsSamAccountName
    
    

    Where <contoso\jane> is the user name for which you want to assign administrative permissions. The user name should be entered in the form of jane@contoso.com or contoso\jane. The new claims principal is stored in the $principal variable.

  4. To retrieve the service application, type the following command:

    $spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
    

    Where <ServiceApplicationDisplayName> is the display name of the service application. The service application identification is stored in the $spapp variable.

    Important:

    The display name must be enclosed in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has the identical display name (we do not recommend this), you can use the Get-SPServiceApplication cmdlet to view all service applications. You can then identify the service application by its GUID. For more information, see Get-SPServiceApplication.

  5. To retrieve the administrator security object for the service application, type the following command:

    $security = Get-SPServiceApplicationSecurity $spapp -Admin
    

    The retrieved administrator security object is stored in the $security variable.

    Warning:

    It is important that you append the -Admin argument when you use this command.

  6. To assign or revoke administrative permissions for the user who is identified by the new claims principal $principal (created in step 3 of this procedure) to the service application administrator security object $security (obtained in step 5 of this procedure), use the appropriate command as shown in the following example:

    1. To assign administrative permissions, type the following command:

      Grant-SPObjectSecurity $security $principal "Full Control"
      
      
    2. To revoke administrative permissions, type the following command:

      Revoke-SPObjectSecurity $security $principal
      
  7. To assign the updated $security security object to the service application, type the following command:

    Set-SPServiceApplicationSecurity $spapp $security -Admin
    
    Warning:

    It is important that you append the -Admin argument when you use this command.

  8. To confirm that the service application’s security object is updated appropriately, type the following command:

    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
    
    

Examples

In the following example, the service account user "contoso\jane" is added to the administrators security object for the service application named "Contoso Visio Graphics".


$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Grant-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules

In the following example, the service account user "contoso\jane" is removed from the administrators security object for the service application named "Contoso Visio Graphics".

$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Revoke-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
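
The procedure above, wrapped as one function that refuses to act when the display name matches zero or several service applications (the case the Important note describes). This is an added example, not Microsoft's code; the function name Set-ServiceAppAdmin and its parameters are hypothetical.

```powershell
# Added example, not part of the original article. Run in the SharePoint 2013
# Management Shell. Set-ServiceAppAdmin and its parameter names are hypothetical.
function Set-ServiceAppAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$Account,   # for example contoso\jane
        [Parameter(Mandatory = $true)][ValidateSet('Grant', 'Revoke')][string]$Action
    )

    # A display name can match more than one service application.
    # Do not guess: stop and list the GUIDs so the caller can pick one.
    $apps = @(Get-SPServiceApplication -Name $DisplayName)
    if ($apps.Count -eq 0) {
        throw "No service application named '$DisplayName' was found."
    }
    if ($apps.Count -gt 1) {
        $ids = ($apps | ForEach-Object { $_.Id }) -join ', '
        throw "Display name '$DisplayName' is ambiguous. Matching GUIDs: $ids"
    }
    $spapp = $apps[0]

    $principal = New-SPClaimsPrincipal $Account -IdentityType WindowsSamAccountName
    # -Admin selects the administrators security object, as the article warns.
    $security = Get-SPServiceApplicationSecurity $spapp -Admin

    if ($PSCmdlet.ShouldProcess($spapp.DisplayName, "$Action administrator $Account")) {
        if ($Action -eq 'Grant') {
            Grant-SPObjectSecurity $security $principal "Full Control"
        } else {
            Revoke-SPObjectSecurity $security $principal
        }
        # The change exists only in $security until it is written back with -Admin.
        Set-SPServiceApplicationSecurity $spapp $security -Admin
    }

    # Re-read from the farm so the output shows what is actually stored.
    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
}

# Constructed usage with the article's sample values; -WhatIf previews the change:
# Set-ServiceAppAdmin -DisplayName "Contoso Visio Graphics" -Account "contoso\jane" -Action Grant -WhatIf
```

Reviewing the returned access rules after each call confirms that only the intended principals hold administrative rights on the service application.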

For more information, see the following Windows PowerShell articles:

Note:

We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

© 2014 Microsoft