Turning a domain user into a full MOSS2007 farm administrator
Imagine you have a farm administrator. He’s on his own, because MOSS is so easy to manage that you don’t need more people. He does it all: creating web applications and site collections, managing the Business Data Catalog, Search, Shared Services; you name it, he does it. And then it happens: he leaves for a better job. I agree, that will not happen very quickly or often because, well, SharePoint just rocks, but it happens. So after you’re done crying and sobbing, you find someone who will and can take his place. This person is now a hero and can’t wait to get started. So the leaving farm administrator needs to grant him the necessary permissions to become a full-blown farm administrator. What does he need to do?
Well, that’s easy, you think. Just make the user a member of the SharePoint group “Farm Administrators” and you’re done. Well, not quite; there is a bit more to it. Yes, that membership lets you do a lot of things in the Central Administration, but not everything. You need to set permissions at more locations in the Central Administration and the Shared Services Provider to make someone a full-blown farm administrator. To get a better idea of the levels of administration in MOSS, read this article from TechNet.
To grant someone permissions to the Central Administration so that he can perform the necessary administrative tasks there you need to do the following:
• Add the user to the Farm Administrators group in the Central Administration. This will grant permissions for performing most of the administrative tasks in the Central Administration.
• Add the user to the Site Collection Owners of the Central Administration. This is needed for site collection management tasks within the Central Administration.
• Make the user a member of the Administrators group of the server. Because adding a user to the Farm Administrators group does not give full administrative rights in the Central Administration, you also need to add the user to the Administrators group of the server. The extra tasks that can then be performed are:
o From the SharePoint Web Application Management section, the option “Create or extend Web application”. This option is security trimmed, whereas the other options in this tab that are not available to you are not. To be able to perform this operation, you need to be a local administrator.
o From the InfoPath Forms Services section, the option “Upload form template”. To be able to use this, you need to be a local administrator.
o From the Office SharePoint Shared Services section, the option “Create or configure this farm’s shared services”. You need to be a local administrator for this.
Note: You need to be a local administrator to be able to add a user to the Farm Administrators group!
Shared Services Provider Administration
When the user also needs to perform SSP administrative tasks (and he does, because you want him to be a full-blown farm administrator, right?), you need to set some additional permissions. As you have read in the TechNet article, there is also something called services administration. You need to set permissions on those services explicitly. These services are:
• Personalization services
• Search settings
• Usage reporting
• Business data catalog
So you start by making the user a Site Collection Owner for the Shared Services Provider site. The user is then able to perform the following administrative tasks:
• User Profiles and My Sites:
o Trusted My Site Host Locations
o Published links to Office client applications
o Personalization site links
o Personalization services permissions
• All of the administrative tasks under Search
• All of the administrative tasks under Office SharePoint Usage Reporting
• All of the administrative tasks under Excel Services Settings
• Business Data Catalog
o Business Data Catalog permissions
Note: It is possible that you see a login box when you want to see the Search usage reports page. This is caused by a bug in the .NET Framework 2.0. Read my previous blog post for more information.
The next thing you need to do is set the Personalization services permissions and the Business Data Catalog permissions. For the Personalization services permissions, the minimum you need is the “Manage permissions” permission. For the Business Data Catalog permissions, the minimum you need is the “Set permissions” permission. But since we want a full-blown farm administrator, just check all checkboxes.
Note: Because you are the site collection administrator you are able to set those permissions yourself!
Once you have done this, you have created a full-blown farm administrator.
To summarize, this is what you need:
• Member of the Administrators group on the server. Doing this makes you a local administrator.
• Site Collection Owner of the Central Administration site
• Member of the Farm Administrators group in the Central Administration
• Site Collection Owner of the Shared Services site
• Granted all permissions for the Personalization services
• Granted all permissions for the Business Data Catalog
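Because these grants live in different places, it helps to confirm them in one pass. The script below is an added example, not part of the original post: a read-only check, run on the SharePoint server, of the first four items in the summary for one account. The account name and both site URLs are placeholders, PowerShell 2.0 is assumed, and only direct membership is tested (rights inherited through a domain group are not expanded).

```powershell
# Added example: read-only check of four of the six grants for one account.
param(
    [string]$Login  = 'CONTOSO\newadmin',              # placeholder account
    [string]$CaUrl  = 'http://moss01:12345',           # placeholder Central Administration URL
    [string]$SspUrl = 'http://moss01:23456/ssp/admin'  # placeholder Shared Services site URL
)
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# True when $Login is the primary or secondary owner of the site collection.
function Test-SiteOwner([string]$Url, [string]$Login) {
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        $owners = @($site.Owner, $site.SecondaryContact) |
            Where-Object { $_ } | ForEach-Object { $_.LoginName }
        return ($owners -contains $Login)
    } finally { $site.Dispose() }
}

# True when $Login is listed directly in the Farm Administrators group.
function Test-FarmAdminsMember([string]$CaUrl, [string]$Login) {
    $site = New-Object Microsoft.SharePoint.SPSite($CaUrl)
    try {
        $group = $site.RootWeb.SiteGroups['Farm Administrators']
        $logins = @($group.Users | ForEach-Object { $_.LoginName })
        return ($logins -contains $Login)
    } finally { $site.Dispose() }
}

# True when $Login is listed directly in the server's local Administrators group.
function Test-LocalAdmin([string]$Login) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOMAIN/user -> DOMAIN\user
    }
    return ($members -contains $Login)
}

"Account checked                         : $Login"
"Local Administrators member             : $(Test-LocalAdmin $Login)"
"Central Administration site owner       : $(Test-SiteOwner $CaUrl $Login)"
"Farm Administrators member              : $(Test-FarmAdminsMember $CaUrl $Login)"
"Shared Services site owner              : $(Test-SiteOwner $SspUrl $Login)"
# Not covered here: the Personalization services and Business Data Catalog
# permissions, which still have to be reviewed on the Shared Services pages.
```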