
Delegate administration of SharePoint Server 2013 user profiles

Published: July 16, 2012

Summary: Learn how to delegate administration of user profiles to a feature administrator in SharePoint Server 2013.

Applies to:  SharePoint Server 2013 Standard | SharePoint Server 2013 Enterprise 

Farm administrators or service application administrators of a User Profile service application can delegate administration of user profiles to a feature administrator. A feature administrator can manage all settings for user profiles. A feature administrator cannot manage settings for other features or for the whole User Profile service application. A feature administrator can be either a user or a group. For more information, see Overview of the User Profile service application in SharePoint Server 2013.

Note:

Farm administrators can use Windows PowerShell to manage services. However, feature administrators cannot use Windows PowerShell for this purpose. Feature administrators must use Central Administration to manage features of the User Profile service.

Important:

This article applies only to SharePoint Server 2013.


Before you begin

Before you begin this operation, review the following information about prerequisites:

Note:

Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Delegate administration of user profiles by using Central Administration

You typically use the SharePoint Central Administration website to delegate administration of user profiles in a stand-alone deployment.

To delegate administration of user profiles by using Central Administration

  1. Verify that the user account that completes this procedure has the following credentials:

    • The user account that performs this procedure is a member of the Farm Administrators SharePoint group or has been delegated permission to administer the User Profile service application that is running in the farm.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  4. In the list of service applications, click User Profile Service Application.

  5. On the Service Applications tab, in the Operations section, click Administrators.

  6. On the Administrators for User Profile Service Application page, type or select a user or group account and then click Add.

  7. In the Permissions for Administrator: box, check the Manage Profiles permission level, and then click OK.

Delegate administration of user profiles by using Windows PowerShell

You typically use Windows PowerShell to delegate administration of user profiles when you want to automate the task, which is common in enterprises.

Note:

Feature administrators cannot use Windows PowerShell to manage features of the User Profile service. Only Farm Administrators can use Windows PowerShell to manage features.

To delegate administration of user profiles by using Windows PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:

    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, do the following:

    1. To display a list of all service applications and their GUIDs, type the following command:

      Get-SPServiceApplication
      
    2. To create a variable that contains the GUID for the User Profile service application, type the following command:

      $serviceapp = Get-SPServiceApplication <guid>
      

      Where <guid> is the GUID for the User Profile service application.

    3. To create a variable that contains the list of administrators for the service application, type the following command:

      $security = Get-SPServiceApplicationSecurity $serviceapp -Admin
      
    4. To create a variable that contains the claims principal for a user account, type the following command:

      $principalUser1 = New-SPClaimsPrincipal -Identity "<domain\user>" -IdentityType WindowsSamAccountName
      

      Where <domain\user> is the user to which you want to delegate administration for the Manage Profiles feature of the User Profile service application.

    5. To give Manage Profiles permissions to the claims principal that you just created, type the following command:

      Grant-SPObjectSecurity $security -Principal $principalUser1 -Rights "Manage Profiles"
      
    6. To apply the changes to the User Profile service application, type the following command:

      Set-SPServiceApplicationSecurity $serviceapp -ObjectSecurity $security -Admin
      

    For more information, see New-SPClaimsPrincipal, Get-SPServiceApplicationSecurity, Get-SPProfileServiceApplicationSecurity, Set-SPProfileServiceApplicationSecurity, and Grant-SPObjectSecurity.
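The six commands in step 3, combined into one function that also checks the requested right before granting it and reads the administrator list back afterward. This is an added example, not part of the original article: the function name Grant-ManageProfilesDelegation and its parameters are hypothetical, and the NamedAccessRights and AccessRules checks assume those properties on the object that Get-SPServiceApplicationSecurity returns.

```powershell
# Added example: run in the SharePoint 2013 Management Shell as a farm administrator.
# Grant-ManageProfilesDelegation is a hypothetical helper name, not a SharePoint cmdlet.
function Grant-ManageProfilesDelegation {
    param(
        [Parameter(Mandatory=$true)] [Guid]   $ServiceAppId,  # GUID listed by Get-SPServiceApplication
        [Parameter(Mandatory=$true)] [string] $Account,       # <domain\user> to delegate to
        [string] $Right = "Manage Profiles"
    )
    # Stop on the first failure so a partial change is never written back.
    $ErrorActionPreference = "Stop"

    # Steps 1-2: resolve the User Profile service application from its GUID.
    $serviceapp = Get-SPServiceApplication -Identity $ServiceAppId
    if (-not $serviceapp) { throw "No service application with ID $ServiceAppId." }

    # Step 3: current administrator ACL of the service application.
    $security = Get-SPServiceApplicationSecurity $serviceapp -Admin

    # Guard (assumes NamedAccessRights entries expose a Name property):
    # refuse a right this service application does not define, so a typo
    # cannot silently grant something other than the intended permission.
    $defined = $security.NamedAccessRights | ForEach-Object { $_.Name }
    if ($defined -notcontains $Right) {
        throw "'$Right' is not defined on '$($serviceapp.DisplayName)'. Defined: $($defined -join ', ')"
    }

    # Steps 4-5: build the claims principal and add only the requested right.
    $principal = New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName
    Grant-SPObjectSecurity $security -Principal $principal -Rights $Right

    # Step 6: write the modified ACL back to the service application.
    Set-SPServiceApplicationSecurity $serviceapp -ObjectSecurity $security -Admin

    # Read the ACL back so the operator can confirm who now holds which rights.
    (Get-SPServiceApplicationSecurity $serviceapp -Admin).AccessRules
}

# Usage: substitute the GUID and account for your farm.
Grant-ManageProfilesDelegation -ServiceAppId "<guid>" -Account "<domain\user>"
```

Review the returned access rules after each run: the delegated account should appear with only the Manage Profiles right, and any unexpected entry with broader rights is worth investigating.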

© 2014 Microsoft. All rights reserved.