Can't add User with Administrator, Domain Admin rights to Farm Administrator group

    Question

  • I have SharePoint 2007 SP2 installed on Windows Server 2008 R2 Enterprise.

    I am logging onto the server through RDP as a user who is a member of the BUILTIN/Administrators, Domain Admins and Enterprise Admins groups. However, I get a login box when I try to use Central Administration (BUILTIN\Administrators is a member of the Farm Administrators group, so I should be able to use Central Administration), and I get this error:

    Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.

    Thinking that somehow SharePoint is not honoring the BUILTIN\Administrators group, I tried to add the username to the Farm Administrators group directly and get this error:

    Local administrator privilege is required to update the Farm Administrators' group.

    My only clue as to what is wrong is that since this machine is a Domain Controller (you cannot see Local Users and Groups in the Computer Management snap-in), the BUILTIN\Administrators group has fewer rights than it does on a normal server. On other farms I have built with users having BUILTIN\Administrators rights, I have never had a problem adding them to the Farm Administrators group.

    Does anybody have a clue what is going on?

    Thanks. . .

    Kathryn

    Friday, October 02, 2009 8:39 PM

Answers

  • Hi Kathryn,

     

    In a MOSS farm, the builtin/administrators exist in the domain and by default they are in the “farm administrators” group. For other servers in the MOSS farm, excluding the DC, there may be local administrators which are not domain accounts. Although they have full control of the server, they cannot access SharePoint and of course are not members of the “farm administrators” group.

     

    For your problem, you can try to update your application pool account for SharePoint Central Administration according to the articles below:

    http://weblogs.asp.net/erobillard/archive/2007/07/06/how-to-change-service-accounts-and-their-passwords-in-moss-and-wss-3-0.aspx

    http://support.microsoft.com/kb/934838

     

    After the update, go to IIS Manager and check the properties of the Central Administration v3 application pool to see if the identity is the same as the one you updated before. You can also run the post-configuration wizard to see if it completes successfully.

     

    Hope this helps.

     

    Lu Zou

    • Marked as answer by Lu Zou-MSFT Thursday, October 15, 2009 8:53 AM
    Thursday, October 08, 2009 7:30 AM

All replies

  • It is a misconception to think that an administrator (local / domain or enterprise) has access to SharePoint because he is an administrator.

    That is NOT correct.
    During the installation of SharePoint and sites you have to tell which account is the Farm administrator.
    Only this (or these) account(s) can add users, especially to the farm administrators accounts.

    However, as you have the option to add users, you also have the option to see who is a member of the farm administrators group (within SharePoint).
    Log in as THAT user and then you can change the group memberships.



    Kind regards,
    Eric van Glabbeek
    Willing to learn everything about Sharepoint there is to learn. My blog : sharepoint.vanglabbeek.nl
    Sunday, October 04, 2009 7:56 PM
  • Second that! Local Admin or Domain admin does not mean you will have access to SharePoint CA. Use the account that was used at the time of setup (config wizard).

    If you did not set up the servers, etc and if you don't know the farm account, I would recommend you to use SPM from codeplex to get the account details.


    Alpesh Nakar Blog: http://alpesh.nakars.com/blog | Twitter: @alpesh SharePoint Resources: http://www.justsharepoint.com | Twitter @justsharepoint
    Sunday, October 04, 2009 10:49 PM
  • I am using the original farm account to try to add a new farm administrator. I set up the farm AND the SQL Server backend on one box with this account. So it's a mystery why this account can't add another user in the Administrator, Domain Admins and Enterprise Admins as Farm Administrator.

    I'm afraid it has something to do with the fact that I upgraded the box from Windows Server 2008 64-bit Standard SP1 to Windows Server 2008 64-bit Enterprise R2 and there is some new R2 feature that is impacting SharePoint 2007, especially since SharePoint SP2 MUST be installed BEFORE upgrading to R2. That means SharePoint is very sensitive to the operating system changes in R2.

    Aside from this issue, though, what does the default "BUILTIN/Administrators" in the default "Farm Administrators" group mean when you build a farm? How is one to interpret this except that local administrator is by default a "Farm Administrator"?
    Monday, October 05, 2009 2:54 PM
  • Running the SharePoint products configuration wizard as the service account that is specified as the farm account seemed to resolve the issue.
    Monday, November 08, 2010 5:45 PM
  • I had this issue and it was because I was trying to run the central admin from the browser and not through the central admin link on the start menu. Going directly to the browser forced me to accept that I was an administrator (the Access Control Levels check); after that it worked without issue.

    Hope this helps out,

    Michael

    • Proposed as answer by RobertRFreeman Thursday, August 16, 2012 9:52 PM
    Friday, July 20, 2012 3:57 PM