none
BUILTIN\Administrators in Farm admin group

    Întrebare

  • Is this necessary? This farm currently has them included but none of the domain admins want/know/could do any farm admin "stuff"
    This may have been inherited from an upgrade from 2007. Is there are tech reason to remove them?
    The app pools and services run as domain accounts and the "humans" that should admin the farm are listed in the farm admin group
    13 iunie 2012 23:50

Răspunsuri

  • By default in both SharePoint 2007 and SharePoint 2010, the local Administrators machine group is a member of the farm administrators group. You may remove the group if you wish.

    The only reason to remove it would be for security concerns. If there is content in the farm that you do not want your domain admins to see (salary information, a discussion about which domain admin is going to get fired, etc) then perhaps they should not be a member of the farm administrators group.

    Having the local administrators group a member of the farm administrators group simplifies management. You could easily create a domain security group for your farm administrators and assign this group to the farm administrators group instead (though in this case it is trivial for a domain administrator to add themselves to this list).

    Remember that farm administrators still need to be local administrators of the server so if you do remove the group, make sure your farm administrators are also local administrators so they can install updates and use PowerShell to manage the farm.


    Jason Warren
    Infrastructure Specialist



    14 iunie 2012 01:42

Toate mesajele

  • By default in both SharePoint 2007 and SharePoint 2010, the local Administrators machine group is a member of the farm administrators group. You may remove the group if you wish.

    The only reason to remove it would be for security concerns. If there is content in the farm that you do not want your domain admins to see (salary information, a discussion about which domain admin is going to get fired, etc) then perhaps they should not be a member of the farm administrators group.

    Having the local administrators group a member of the farm administrators group simplifies management. You could easily create a domain security group for your farm administrators and assign this group to the farm administrators group instead (though in this case it is trivial for a domain administrator to add themselves to this list).

    Remember that farm administrators still need to be local administrators of the server so if you do remove the group, make sure your farm administrators are also local administrators so they can install updates and use PowerShell to manage the farm.


    Jason Warren
    Infrastructure Specialist



    14 iunie 2012 01:42
  • Thanks. It's more the integrity of the structure than the security of the data.
    The administrators (network engineers) have no SP knowledge other than that of an end user... add item/document etc.

    For that reason I don't see any point in having them as farm admins. The few people who need to update/powershell/central admin are local admins on the sharepoint servers and SAs in the SQL Server so we're all covered in that respect.

    Just wanted to make sure that removing this group wouldn't break anything.

    14 iunie 2012 02:04