Managing the Windows SharePoint Services 2.0 Administration Group

Two sets of users are allowed to perform administrative functions for Microsoft Windows SharePoint Services: members of the administrators group for the local server computer and members of the SharePoint administration group. The SharePoint administration group is a Microsoft Windows domain group that is registered with Windows SharePoint Services. This domain group must be created in the domain prior to configuring it for Windows SharePoint Services. After the domain group has been created, you must specify it as the Windows SharePoint Services administration group using the Central Administration pages in Windows SharePoint Services. Members of this domain group can perform Central Administration tasks without having to be given administrator rights to the local server computer. This is particularly useful in a server farm because you can grant rights across the server farm, rather than individually for each computer in the server farm. This is also useful for applications that call into the administrative object model for Windows SharePoint Services. If the application process can be configured to run as a member of the SharePoint administration group, it can create new sites, modify quota values for sites, and so on.

Members of the Administrators group on the local server computer have full control of all applications running on that server, including Internet Information Services (IIS), Microsoft SQL Server, Microsoft ASP.NET, and Windows SharePoint Services. These administrators can perform any task on that server, including all administration tasks for Windows SharePoint Services, such as controlling administrative functions, configuring settings at the server or virtual server level, and creating or changing sites and lists.

Members of the SharePoint administration group can perform SharePoint Central Administration tasks, but do not have access to the file system of the server or the IIS metabase, so they cannot perform actions on other applications running on the server, such as IIS, Microsoft SQL Server, ASP.NET, and so on. Specifically, members of the SharePoint administration group cannot perform the following actions for Windows SharePoint Services:

  • Extend virtual servers (they can, however, create top-level Web sites or change settings for a virtual server).

  • Remove Windows SharePoint Services from a virtual server.

  • Manage paths.

  • Change the SharePoint administration group.

  • Change the configuration database settings.

  • Set the default content database server or manage the content databases.

  • Enable full-text searching.

  • Configure the SharePoint Central Administration virtual server.

  • Use the Stsadm.exe command-line tool.

Members of the SharePoint administration group can perform any other administrative action using the HTML Administration pages or object model for Windows SharePoint Services. For example, members of the group can view and manage all sites created on their servers. This means that a member of the SharePoint administration group can read documents or list items, change survey settings, delete a site, or perform any action on a site that the site administrator can perform.

Note

To manage the SharePoint administration group, you must be a member of the Administrators group of the local server computer.

Specify the SharePoint administration group

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.

  2. Under Security Configuration, click Set SharePoint administration group.

  3. In the Group account name box, type the domain group you want to allow to administer Windows SharePoint Services.

  4. Click OK.

Changing the Group or Changing Group Membership

You can only register one domain group as the SharePoint administration group, so if you want to include other members, you must add them to the group using the user and group management tools for your domain. If you want to change which group is registered, you can follow the steps to specify a group and specify a different domain group. When you specify a new group, the old group's rights are removed, and the members of that group can no longer manage the servers running Windows SharePoint Services.