SharePoint Permissions needed to make myself "all powerful"
-
Saturday, May 05, 2012 11:56 PM
We set up SharePoint 2010 using the account "SSetup". Then I created my account (UserA) and made it a member of the Farm Administrators group. When UserA drills down into some screens in Central Admin he gets "Access Denied", but SSetup has no permission issue at all. How can I make my account equivalent to SSetup? (BTW: when SSetup logs into the SharePoint server, Central Admin displays "System Account" in the upper right hand corner; when I log in, "UserA" is displayed.)
TIA,
Barkingdog
All Replies
-
Sunday, May 06, 2012 3:24 AM
For a detailed explanation of the difference between the farm service account (UserA in your example) and the Setup User Administration Account (SSetup in your example) see this document:
http://technet.microsoft.com/en-us/library/cc678863.aspx
The permissions, by default are slightly different. You can manually add the permissions you need for UserA, though.
Doug Hemminger http://www.sharepointdoug.com
- Proposed As Answer by CoreyRoth [MVP] Tuesday, May 08, 2012 1:10 PM
- Marked As Answer by edm2 Wednesday, May 09, 2012 2:06 AM
- Unmarked As Answer by edm2 Wednesday, May 30, 2012 6:42 AM
- Unproposed As Answer by Steven Andrews (Editor) Wednesday, May 30, 2012 3:18 PM
-
Wednesday, May 30, 2012 6:51 AM
I tried to set up a user admin account, following the URL, but did not succeed. We have a single-server Windows 2008 R2, SharePoint 2010 install. I created a Domain Account, made it a member of the Domain Admins group (which makes it a local admin on the SharePoint box), made it "sa" on the SQL server, and added it to the WSS_ADMIN_WPG Windows security group (but could not locate the IIS_WPG role mentioned in the URL).
I fired up an existing site as the new user -- first thing it showed the user name not "System Account", so something was not setup properly. Finally, the new account tried to drill down to access a web page but got "access denied".
What is the next step?
Barkingdog
P.S. Found these URLs that seem somewhat helpful:
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=259
http://blog.octavie.nl/index.php/2011/11/07/creating-additional-sharepoint-2010-farm-administrators/
- Edited by edm2 Wednesday, May 30, 2012 7:02 AM
-
Wednesday, May 30, 2012 7:03 AM
Check out the TN Wiki SharePoint 2010 Best Practices page at http://social.technet.microsoft.com/wiki/contents/articles/8666.sharepoint-2010-best-practices-en-us.aspx#Installation_Configuration_and_Operation , the last part of the section contains several links about setting least privileges for administrative and service accounts (yes, the exact opposite of "all powerful" and ultimately what you should strive for).
Kind regards,
Margriet Bruggeman, Lois & Clark IT Services
web site: http://www.loisandclark.eu
blog: http://www.sharepointdragons.com
-
Wednesday, May 30, 2012 1:26 PM
The URLs cited are a bit too general to be helpful. For example, the URL http://technet.microsoft.com/en-us/library/cc678863.aspx mentions that the setup user administrator account must belong to the IIS_WPG role. I was unable to locate that group, and according to a URL (for Commerce Server) that role exists only for Windows 2003 (anyone installing SharePoint 2010 on Win 2k03?), but for Win 2k08 the "replacement" group is called IIS_IUSRS. So I added my setup-user wannabe to that role, but he still gets "access denied" when trying to open a test site. I will continue working on this one.
Barkingdog
P.S. The setup-user wannabe is also "sa" on the SQL server on the SharePoint box. Why the excessive permissions and not least privileges? Until I can get the account to work as expected, I don't want to be restricted by privileges. The existing documentation is either not complete, not totally accurate, or unclear at best. Once I resolve this issue, and not before, I'll explore least privileges.
-
Wednesday, May 30, 2012 1:41 PM
I will walk you through what you want, but honestly, I don't think you are going about this the right way. Based on what you have said, you are kind of making a mess of the permissions and you are not following least privilege guidelines, which are extremely important for the security of your farm.
- Make your account a farm administrator and give them access to run PowerShell commands. This post will show you how to do that: https://www.nothingbutsharepoint.com/sites/itpro/Pages/Creating-Additional-SharePoint-2010-Farm-Administrators.aspx
- Next, give your account "full control" policy access to each web application. You can follow this post here to do that: http://technet.microsoft.com/en-us/library/cc262617(v=office.12).aspx
Since I assume your account already has SQL dbowner rights on the config database, you don't need to do anything there.
Doug Hemminger http://www.sharepointdoug.com
-
Wednesday, May 30, 2012 2:05 PM
Doug,
I had already implemented step 1, but to no avail. Step 2 was the "kicker", and now the account works as expected (except that the account name, not "System Account", appears in the browser; one can't have everything).
Do you know of a URL indicating the best-practice way to implement this functionality? (The previous URLs, describing minimum privileges, didn't work for me, so I can't rely on them. Yet I don't want to assign the account full control either. There must be a happier middle ground.)
Thanks for your help.
BD
P.S. If the account could create/manage all SharePoint sites, add/remove users, assign user permissions, etc. (daily administrative-type stuff), that is all that would be needed of that account.
- Edited by edm2 Wednesday, May 30, 2012 2:41 PM
-
Wednesday, May 30, 2012 2:59 PM
I can't easily find a link for you with instructions, but you can make your account a system account through central administration. There should have been a little checkbox in my previous link about giving "full control" policy access to each web application that allowed you to "run as System Account".
The best source for implementing least privileges when setting up a new farm is Todd Klindt's post on the subject (which you already linked). I use that regularly as a reference when setting up a new farm. It is normal practice to NOT have a single account that has all powerful access. By design, accounts have different privileges assigned to them.
For example, you use the install account to install things (service packs, upgrades, etc.). This account runs as System Account and does not have access to the content on the various site collections.
You use the farm administrator account to go into Central Administration and administer various aspects of the farm. This account also does not have access to the content on the various site collections, by design.
You use the site collection administrator accounts to manage specific site collections. This account has access to the content on the site collection for which it is an administrator.
Doug Hemminger http://www.sharepointdoug.com
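The two steps from Doug's reply (farm administrator plus PowerShell access, then a Full Control user policy on the web application), the "run as System Account" checkbox mentioned afterwards, and the site-collection-administrator alternative that matches the role split he describes, written out as an added SharePoint 2010 Management Shell example. This is not code from the thread, from Doug, or from Microsoft's documentation; it assumes it is run on the farm server by an account that is already a farm administrator and shell admin (the setup account in the original question), and the names CONTOSO\UserA and http://intranet are placeholders for the thread's "UserA" and "an existing site".

```powershell
# Added example, not code from the thread or from Microsoft. Assumes the
# SharePoint 2010 Management Shell on the farm server, run by an account that
# is already a farm administrator and shell admin (e.g. the setup account).
# CONTOSO\UserA and http://intranet are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account   = "CONTOSO\UserA"   # placeholder: the account being granted rights
$webAppUrl = "http://intranet" # placeholder: the web application the account needs

# --- Step 1 of Doug's reply: farm administrator + PowerShell access -----------
# Add-SPShellAdmin grants the SharePoint_Shell_Access role on the configuration
# database and local WSS_Admin_WPG membership; without it the account cannot
# use the SharePoint cmdlets even if it is a farm administrator in the UI.
Add-SPShellAdmin -UserName $account

# "Farm Administrators" is a SharePoint group on the Central Administration
# site, not an Active Directory group, so it is edited through the object model.
$caApp  = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }
$caSite = $caApp.Sites[0]
try {
    $farmAdmins = $caSite.RootWeb.SiteGroups["Farm Administrators"]
    $farmAdmins.AddUser($account, "", $account, "")
}
finally {
    $caSite.Dispose()   # SPSite objects obtained this way must be disposed
}

# --- Step 2 of Doug's reply: a user policy on the web application -----------
# A web application policy overrides site-level permissions, which is why this
# was the "kicker": it grants Full Control on every site collection under the
# web application. Claims-mode web apps need the encoded claim as login name.
$wa = Get-SPWebApplication $webAppUrl
$policyLogin = if ($wa.UseClaimsAuthentication) {
    (New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName).ToEncodedString()
} else {
    $account
}
$policy      = $wa.Policies.Add($policyLogin, $account)
$fullControl = $wa.PolicyRoles.GetSpecialRole(
                   [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($fullControl)

# This is the "Account operates as System" checkbox from the later reply. With
# it set, the UI shows "System Account" instead of the user's name, and the
# Created By / Modified By fields stop attributing changes to the real person.
# Leave it $false unless you accept losing that accountability.
$policy.IsSystemUser = $false
$wa.Update()

# --- Least-privilege alternative for the day-to-day tasks in the P.S. --------
# Creating and managing sites, adding/removing users and assigning permissions
# do not need a Full Control policy; site collection administrator rights on
# the specific site collections are enough and keep the account out of content
# it has no business in. To use this instead of Step 2, skip the policy and run:
#
#   Get-SPSite -WebApplication $webAppUrl -Limit All |
#       ForEach-Object { Set-SPSite -Identity $_ -SecondaryOwnerAlias $account }

# --- Verification of what was granted ---------------------------------------
Get-SPShellAdmin | Where-Object { $_.UserName -eq $account }
$wa.Policies | Where-Object { $_.UserName -eq $policyLogin } |
    Select-Object UserName, IsSystemUser,
        @{ n = "Roles"; e = { $_.PolicyRoleBindings | ForEach-Object { $_.Name } } }
```

The policy step reproduces exactly what made the account "work as expected" in the thread, so it is worth seeing what it really does: a web application user policy is evaluated before any site or list permission, which is why it also unlocks content the farm administrator role deliberately keeps out of reach. The verification lines at the end make that grant visible, and reviewing `$wa.Policies` on each web application is the quickest way to find accounts that have been left with Full Control after a troubleshooting session like this one.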