Anders Rask on SharePoint

September 25
How to add a user to the SharePoint_Shell_Access role on a content database
To be allowed to execute PowerShell commands against a specific site collection, the user running the script needs certain access to both the database and every web front end in the farm.
 
Instead of setting these permissions manually, use the Add-SPShellAdmin command. Execute it once against each database you need to access to get the correct permissions across the web front ends (WFEs).
 
The user assigned these permissions will typically be the install account used to set up the farm.
 
To execute the command and assign the right to another user, the user executing the command must hold the securityadmin server role on the SQL instance and the db_owner role on the database you assign rights to. The user must also be a local administrator on the local computer.
 
Hence the typical user used to execute these initial PowerShell commands will be the farm account.
 
Syntax calling the command:
 
Add-SPShellAdmin [-UserName] <String>
[-AssignmentCollection <SPAssignmentCollection>]
[-Confirm [<SwitchParameter>]]
[-database <SPDatabasePipeBind>]
[-WhatIf [<SwitchParameter>]] [<CommonParameters>]
 
SPDatabasePipeBind should be either an SPDatabase object or the name of the database (as stated in the examples), but even though an SPDatabase instance works, in my testing the database name does not. The database GUID works though, so I guess it's a glitch in the documentation.
 
Calling this command assigns all necessary rights for the user to be able to execute PowerShell commands on the server:
 
The user is assigned the db_owner and SharePoint_Shell_Access roles on the database in question (if no database parameter is given, the user is granted these roles on the configuration database). In addition, the user is added to the security group WSS_ADMIN_WPG, giving him write access to resources used by SharePoint on all web front-end servers.
 
Examples:
 
Add-SPShellAdmin -UserName CONTOSO\User1
 
This example adds a new user named User1 to the SharePoint_Shell_Access role in the farm configuration database only, and also ensures the user is added to the WSS_Admin_WPG local group on each server in the farm.
 
$contentDB = Get-SPDatabase | ?{$_.Name -eq "wss_content"}
Add-SPShellAdmin -UserName CONTOSO\User1 -database $contentDB
  
This example adds a new user named User1 to the SharePoint_Shell_Access role in both the specified content database and the configuration database, and also ensures the user is added to the WSS_Admin_WPG local group on each farm server.
 
In addition to Add-SPShellAdmin you can also call Get-SPShellAdmin and Remove-SPShellAdmin to administer account rights.
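
Because Add-SPShellAdmin also grants db_owner, it is worth reviewing who holds shell access on each database. The following is an added example, not code from the original post: it uses Get-SPShellAdmin to list shell admins on the configuration database and every content database, then previews removal of unexpected accounts with Remove-SPShellAdmin -WhatIf. The allowlist and its CONTOSO account names are constructed, and the script assumes the objects returned by Get-SPShellAdmin expose a UserName property.

```powershell
# Added example: audit SharePoint_Shell_Access membership per database.
# Run in an elevated SharePoint Management Shell as an existing shell admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Accounts expected to hold shell access (constructed sample values).
$allowed = @('CONTOSO\spfarm', 'CONTOSO\spinstall')

$configLabel = '(configuration)'
$findings = @()

# Without -database, Get-SPShellAdmin reports on the configuration database.
$findings += @(Get-SPShellAdmin | ForEach-Object {
    [pscustomobject]@{ Database = $configLabel; UserName = $_.UserName }
})

# Then check every content database in the farm.
$contentDbs = @(Get-SPContentDatabase)
foreach ($db in $contentDbs) {
    $findings += @(Get-SPShellAdmin -database $db | ForEach-Object {
        [pscustomobject]@{ Database = $db.Name; UserName = $_.UserName }
    })
}

# Flag anything not on the allowlist (-notcontains compares case-insensitively).
$unexpected = @($findings | Where-Object { $allowed -notcontains $_.UserName })
$unexpected | Sort-Object UserName, Database | Format-Table -AutoSize

# Preview removal from content databases only; -WhatIf makes no changes.
# Review the output before running again without -WhatIf.
foreach ($f in $unexpected | Where-Object { $_.Database -ne $configLabel }) {
    $db = $contentDbs | Where-Object { $_.Name -eq $f.Database }
    Remove-SPShellAdmin -UserName $f.UserName -database $db -WhatIf
}
```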
 
If you get errors like "You need to have machine administrator privileges to run this cmdlet", you need to run the shell as administrator or disable UAC on the server.

Comments

Central Administration

Is there a way to do this in SharePoint Central Administration?
 on 9/17/2014 2:30 PM

Re: How to add a user to the SharePoint_Shell_Access role on a content database

No, the only way to do this in a supported way is by using PowerShell.
 on 9/18/2014 9:06 AM

Adding additional owner

Can you add more than one owner to the database?
 on 2/19/2016 7:22 AM

Can you add more than one owner to the database?

Yes.
 on 6/9/2016 8:41 AM

The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.

I am getting this error "The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered". How do I troubleshoot this?
 on 5/11/2017 11:32 PM
