Have you ever been tasked to do a certain job, but were restricted or prevented from doing it because of the lack of tools or authorization? Many IT administrators who consult or attend training have stories to share about the impediments to using the full power of Windows PowerShell for automating system tasks. There are some ways around this. Although there are many options, we’ll focus on one technique for opening up the use of PowerShell for certain kinds of SharePoint administration.
Your Permissions Depend on Your Role
“How do I love thee? Let me count the ways.” In Elizabeth Barrett Browning’s “Sonnet 43,” the poet muses over those things in life which are innumerable, and that which can be honored by its immeasurability. How many kinds of SharePoint administrators are there? Perhaps as many as there are SharePoint administrators. Yet like Browning’s poem, we may categorize. For simplicity, let’s just look at four. They are:
- SharePoint Server 2013 farm administrators
- SharePoint site collection administrators
- SharePoint site administrators
- SharePoint library/list administrators
Farm administrators can use either the SharePoint Central Administration site or the Windows PowerShell extensions that form the SharePoint Management Shell. Other types of administrators can use either the regular SharePoint site or the SharePoint Management Shell. Within the SharePoint site, the Web interface can be used to access the properties and actions on the desired site collection, site, library or list.
For farm administrators, infrastructure and application administration can also be delegated. This also applies to SharePoint Server 2010 and the upcoming SharePoint Server 2016 release. SharePoint Online administrators have a different set of cmdlets for site collection plus tenant management.
Managing Remote Access
One of the biggest problems for SharePoint administrators who are delegated access to manage lists, libraries, sites, or even site collections is that such administrators do not have access to the SharePoint Management Shell. This is because the SharePoint Management Shell cmdlets do not have remote access built in. In order to use the shell, you would normally need to be logged on to a SharePoint server in the farm.
There are two ways around this. The first is to allow Remote Desktop access to the delegated administrators. Once connected, an administrator can simply launch PowerShell or the PowerShell ISE and load the SharePoint tools using “Add-PSSnapin Microsoft.SharePoint.PowerShell” within the shell. Most farm administrators avoid this method: they fear that with Remote Desktop access, the delegated administrators would be granted far more access to the servers than they need, when all they need is access to a site or list. The second technique is to use PowerShell remoting to give off-site administrators access to the SharePoint Management Shell tools.
Using PowerShell Remoting
In order to use PowerShell remoting, you will need to complete several steps.
- First, you need a SharePoint farm administrator on one of the SharePoint servers and a delegated administrator at their own workstation or server. The farm administrator can grant complete access to a particular SharePoint database or Web application if needed for site collection administration. This can be accomplished by the farm administrator using the Add-SPShellAdmin cmdlet:
```powershell
Add-SPShellAdmin -User CONTOSO\sam.spade -Database (Get-SPContentDatabase -WebApplication http://intranet.contoso.com)
```
- Note that the username must be in the sAMAccountName form (e.g., DOMAIN\user) rather than UserPrincipalName form (e.g., user@domain-fqdn) for Add-SPShellAdmin. Get-SPContentDatabase could be given a -DatabaseName parameter rather than the -WebApplication parameter, depending on the needed delegation.
- The farm administrator (or any administrator of one of the SharePoint servers in the farm) will need to grant access to the delegated administrators. You can do this by setting up a specific PowerShell remoting endpoint — also called a PSSessionConfiguration — that the delegated admins can remote into. This must be configured on a SharePoint server.
```powershell
Register-PSSessionConfiguration -Name DelegatedSPAdmin -AccessMode Remote -Force -ShowSecurityDescriptorUI
```
- Within the permissions list in the security descriptor user interface dialog, the SharePoint Server administrator would add the user or users with Full Control permission and complete execution of the Register-PSSessionConfiguration cmdlet. The Set-PSSessionConfiguration cmdlet could be used to later modify the permissions.
- Instead of using the graphical permissions dialog, the user permissions could be added using the -SecurityDescriptorSddl parameter rather than the interactive -ShowSecurityDescriptorUI. This involves several steps to formulate an appropriate security descriptor definition language (SDDL) permissions entry.
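The server-side steps above, scripted end to end without the interactive dialog, as an added example that is not code from the original article. The user name, Web application URL, endpoint name and fallback SDDL are assumed values; it is meant to be run in an elevated SharePoint Management Shell on a SharePoint server in the farm.

```powershell
# Grant a delegated admin shell access to a Web application's content databases and
# Full Control on a dedicated remoting endpoint. All values below are constructed for this example.
param(
    [string]$User           = 'CONTOSO\sam.spade',            # sAMAccountName form, as Add-SPShellAdmin requires
    [string]$WebApplication = 'http://intranet.contoso.com',
    [string]$ConfigName     = 'DelegatedSPAdmin'
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Shell access on every content database behind the Web application (narrow to -DatabaseName if needed).
Get-SPContentDatabase -WebApplication $WebApplication |
    ForEach-Object { Add-SPShellAdmin -User $User -Database $_ }

# 2. Register the endpoint once; re-running the script must not recreate it.
if (-not (Get-PSSessionConfiguration -Name $ConfigName -ErrorAction SilentlyContinue)) {
    Register-PSSessionConfiguration -Name $ConfigName -AccessMode Remote -Force | Out-Null
}

# 3. Build the SDDL: start from the endpoint's current descriptor (assumed fallback: local Administrators only)
#    and append one Allow ACE carrying GENERIC_ALL (GA = 0x10000000), which the UI shows as Full Control.
$current = (Get-PSSessionConfiguration -Name $ConfigName).SecurityDescriptorSddl
if (-not $current) { $current = 'O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)' }

$sid = ([System.Security.Principal.NTAccount]$User).Translate([System.Security.Principal.SecurityIdentifier])
$sd  = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $current)
$sd.DiscretionaryAcl.AddAccess(
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sid,
    0x10000000,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# 4. Apply it (-Force restarts WinRM without prompting) and show the resulting permission list for review.
Set-PSSessionConfiguration -Name $ConfigName -SecurityDescriptorSddl $newSddl -Force
(Get-PSSessionConfiguration -Name $ConfigName).Permission
```

Only the delegated admin's own account (not a broad group) is added, so the endpoint's permission list doubles as an audit record of who can reach the farm's shell remotely.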
Workstations vs. Servers
The remainder of the process to allow SharePoint Management Shell access on the delegated administrators’ workstations is done on those workstations, and not on the SharePoint servers. Note that the PowerShell execution policy on the delegated administrator’s workstation must be set to either RemoteSigned or another execution policy level that allows for script executions.
The following steps could be placed in a script file, function, script module, or profile on each delegated administrator’s workstation.
- Assuming that there is a SharePoint server named “PHX-WFE1.contoso.com” and that the PSSessionConfiguration that had been registered on that server was called “DelegatedSPAdmin”, then the following command could be used to connect to the SharePoint server.
```powershell
$spms = New-PSSession -ComputerName PHX-WFE1.contoso.com -ConfigurationName DelegatedSPAdmin
```
- Once the PowerShell remoting connection has been established to the SharePoint server, the SharePoint Management Shell commands need to be included in that shell session.
```powershell
Invoke-Command -Session $spms -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
```
- At this point, after the New-PSSession and the Add-PSSnapin within that session, the delegated administrator could use SharePoint Management Shell commands; however, they would need to explicitly issue each SharePoint command into the session. For example:
```powershell
Invoke-Command -Session $spms { Get-SPSite }
```
- In order to simplify access to the SharePoint commands, the SharePoint Management Shell commands and data types can be imported through the remote session for local use on the delegated administrator’s workstation.
```powershell
Import-PSSession -Session $spms -Module Microsoft.SharePoint.PowerShell -FormatTypeName Microsoft.SharePoint.* -DisableNameChecking
```
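The workstation-side steps above wrapped into a pair of profile functions, as an added example that is not code from the original article. The server name and endpoint name are the assumed values from the text, and the function names are hypothetical.

```powershell
# Place in $PROFILE on the delegated administrator's workstation. Values are constructed for this example.
function Connect-DelegatedSPShell {
    [CmdletBinding()]
    param(
        [string]$ComputerName      = 'PHX-WFE1.contoso.com',
        [string]$ConfigurationName = 'DelegatedSPAdmin',
        [System.Management.Automation.PSCredential]$Credential   # optional; omit to use the logged-on identity
    )
    # The implicitly remoted module is an unsigned temporary script module, so Restricted/AllSigned will refuse it.
    $policy = Get-ExecutionPolicy
    if ($policy -in 'Restricted', 'AllSigned') {
        throw "Execution policy '$policy' blocks the imported module; set RemoteSigned (or looser) first."
    }

    # 1. Connect to the dedicated endpoint, not the default microsoft.powershell one.
    $params = @{ ComputerName = $ComputerName; ConfigurationName = $ConfigurationName; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    $global:spms = New-PSSession @params

    # 2. Load the SharePoint snap-in inside the remote session.
    Invoke-Command -Session $global:spms -ScriptBlock {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }

    # 3. Import the SP* commands as local proxy functions (implicit remoting).
    #    Caveat: objects come back deserialized, so properties work but methods such as
    #    $site.Dispose() do not; run method calls through Invoke-Command -Session $spms instead.
    $module = Import-PSSession -Session $global:spms -Module Microsoft.SharePoint.PowerShell `
        -FormatTypeName Microsoft.SharePoint.* -DisableNameChecking -AllowClobber
    Write-Verbose ("Imported {0} commands as module {1}" -f $module.ExportedCommands.Count, $module.Name)
    $module   # returned so the caller can pass its Name to Get-Command -Module
}

function Disconnect-DelegatedSPShell {
    # Tear the session down when finished so no idle remote shell lingers on the server.
    if ($global:spms) {
        Remove-PSSession -Session $global:spms
        Remove-Variable -Name spms -Scope Global
    }
}
```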
Import Session Commands
The above Import-PSSession command will report a Name property of the imported script module that provides the implicit remoting. For example, assume that the name reported is “tmp_c3jyjcas.4v5”. This name could be used in either of the following two ways to find the SharePoint management commands that are now accessible implicitly from your local computer:
- Get-Command -Module tmp_c3jyjcas.4v5
- Click the Refresh button near the upper-right corner of the Commands pane in the PowerShell ISE. Then choose the module tmp_c3jyjcas.4v5 from the Modules menu to the left of that Refresh button.
Now, rather than using Invoke-Command for each and every SharePoint command, such as:
```powershell
Invoke-Command -Session $spms { Get-SPSite }
```
you can also simply use:
```powershell
Get-SPSite
```
This is one technique for giving SharePoint administrators access to SharePoint Management Shell commands without needing physical access to a SharePoint server. This is especially important for list, library, site and site collection administrators, who do not have access to the console of the SharePoint servers as farm administrators typically do. By giving site administrators the power of the SharePoint Management Shell, you should never face the “restricted access” problem again, allowing you to automate tasks with ease.