Serviceaccount powershell cmdlets permissions

  • Question

  • Hi,

    I am wondering what the best practice for this scenario is.

    We have created a service account in our AD. It is supposed to run a scheduled task on a SharePoint server where it executes some SharePoint PowerShell cmdlets like Get-SPSite and stuff.

    Is there a way to only give this service account access to simple GET cmdlets in SharePoint Management Shell and not the entire farm through Add-SPShellAdmin?

    /Daniel

    Tuesday, December 3, 2019 10:06 AM

Answers

  • Hi,

    I’m afraid it is not possible.

    “Add-SPShellAdmin -UserName domain\user” adds the user to the SharePoint_Shell_Access role in the farm configuration database only, as well as adding it to the WSS_Admin_WPG local group on each server in the farm, which gives the user the least permission to run SharePoint PowerShell.

    If you need to execute PowerShell commands against any database, for example GET cmdlets, the service account must be a member of the db_owner role.

    Here’s your reference.

    Account permissions and security settings in SharePoint Servers 2016 and 2019.

    https://docs.microsoft.com/en-us/sharepoint/install/account-permissions-and-security-settings-in-sharepoint-server-2016

    Best regards,

    Chelsea Wu



    Wednesday, December 4, 2019 6:12 AM
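
The answer above says Add-SPShellAdmin places the account in the SharePoint_Shell_Access database role and in the local WSS_Admin_WPG group. The following is an added example, not part of the original thread, for auditing where one service account actually holds those grants so its reach can be reviewed. The account name `CONTOSO\svc-spreport` is a placeholder, and the script assumes it runs as a farm administrator on a SharePoint server where the `Get-LocalGroupMember` cmdlet is available.

```powershell
# Added example: list the shell-access footprint of one service account.
param(
    # Placeholder account (assumption); pass the real DOMAIN\user instead.
    [string]$Account = 'CONTOSO\svc-spreport'
)

# Load the SharePoint cmdlets when not started from the Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = @()

# 1. Databases in which the account was granted shell access.
foreach ($db in Get-SPDatabase) {
    $admins = Get-SPShellAdmin -Database $db.Id
    # -contains is case-insensitive, so DOMAIN\User matches domain\user.
    if ($admins.UserName -contains $Account) {
        $findings += [pscustomobject]@{
            Scope  = 'Database (SharePoint_Shell_Access)'
            Target = $db.Name
        }
    }
}

# 2. Membership of the local WSS_Admin_WPG group on this server.
#    Repeat on every server in the farm; the group is local to each one.
$members = Get-LocalGroupMember -Group 'WSS_Admin_WPG' -ErrorAction SilentlyContinue
if ($members.Name -contains $Account) {
    $findings += [pscustomobject]@{
        Scope  = 'Local group (WSS_Admin_WPG)'
        Target = $env:COMPUTERNAME
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No shell access found for $Account on $env:COMPUTERNAME."
} else {
    # One row per grant; review any database the scheduled task does not need.
    $findings | Sort-Object Scope, Target | Format-Table -AutoSize
}
```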