Arnold Layne
asked on
SharePoint Central Admin Permissions
Having oddities with Central Admin
SQLEXPRESS 2008 r2
SharePoint Foundation 2010
Windows Server 2008 r2
Important:
I have to install SQL and SP on the Domain Controller, as I have only one server.
Created a Domain User Account called SPAdmin
Tried to install SQLEXPRESS and SharePoint using this account while logged in locally to the DC. Could not do it. I added SPAdmin to Domain Admins group in AD, and successfully installed both. SPAdmin is the account I created to become the SQL Admin and the Farm admin for SP
Removed SPAdmin from Domain Admins, since this is in the Farm Admin group and elevated domain privileges are not recommended. SPAdmin is a member of the following in AD:
Domain Users, IIS USERS\BUILT IN, Performance Monitor Users\BUILT IN, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG
Problems:
1) When logged into Central Admin as SPAdmin, it shows as system account as top right. That does not seem good to me.
2) When logged into Central Admin as SPAdmin, access appears to be limited in certain areas. For example, in Web Applications Management, when I select SharePoint Central Administration V4, Contribute, Security, Policy sections are disabled, and only Manage is enabled. When I select SharePoint 80, all sections are enabled EXCEPT Contribute.
Signed in to Central Admin as the Domain Administrator (domainname\administrator), I don't know why I should even be allowed to access Central Admin with this account. It is NOT a member of any WSS AD groups listed above.
Here is what it is a member of:
Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins, and the following BUILT IN USERS: IIS_IUSRS, Performance Monitor Users
Strangely, I seem to get more permissions than with SPAdmin.
When SharePoint Central Administration V4 is selected, Contribute and Manage are fully enabled. Policy is completely disabled. Under Security, authentication providers, blocked file types and web part security are enabled, with the rest being disabled. So as compared to SPAdmin, Contribute is now enabled, and the aspects listed above are enabled under Security, and all else is disabled.
With SharePoint 80 selected, EVERYTHING is completely enabled. Contribute was disabled for SPAdmin with all other things being enabled.
Hopefully, I have explained this with as much organization, detail and clarity as needed.
ASKER CERTIFIED SOLUTION
ASKER
It certainly DID help. This was PERFECT, and it turns out that I already knew a lot of this and was essentially doing the right thing, but I wanted a deeper understanding of many things and the blog article was exactly what I was looking for. The guy hit the nail on the head with the following statement:
"Microsoft describes the administrative and service accounts required for initial deployment but skims over some important details and emphases".
I may ask a more specific question next if everything still doesn't work exactly the way I want it to, but this should help me troubleshoot by myself as it gives me the more in-depth and definitive understanding I was looking for and that is difficult to find any explanation for, and I have no idea why. I even took an APPDEV training course on this and the instructor never got into this, and all she did was essentially read off the instructions right from the site itself with no further in-depth explanation as to the whys behind it. So she was essentially useless and so was the course. Not to down-talk APPDEV, many of the development courses DO get into the whys, but their admin course was a waste of money.
So this question is definitely sufficiently answered as far as I'm concerned regardless of whether it fixes my specific problem, and I'll ask a more specific question in the future if I even need to, and hopefully I might catch you at the right time. Thanks again for your resourcefulness.
ASKER
Hi Rainer,
Thought I would return the favor and give you what seems to be the specific answer to my problem that I derived from your linked article. Although my Farm Admin account is not supposed to be part of the Domain Admins, to follow least-privilege practices, it DOES need to be in the built-in local Administrators group on the server where Central Admin was installed. Nowhere could I find that very important detail. Now, SPAdmin has everything enabled for the SharePoint 80 web app, and has most of the things enabled for the Central Admin web app. What is still not enabled for the Central Admin app is the entire Policy section, and user permissions and self-service site creation under the Security section, but I'm thinking that it is safe to assume that these functions simply do not apply to the Central Admin app, and only to SharePoint 80. But the health analyzer is telling me that everything is perfect, so I'm assuming that I have a completely correct and solid setup.
Thanks again.
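The thread above turns on where SPAdmin actually gets its rights from: the local Administrators group on the Central Admin server, the WSS_* local groups, the domain groups it still holds, and SharePoint's own Farm Administrators group. The following script is an added example, not code from the thread or from Microsoft; it audits all of those for one account in a single pass, and also reports which account runs the Central Administration application pool, since the "System Account" label the question mentions is what SharePoint shows when you browse as the application pool identity. It assumes SharePoint 2010 with its PowerShell snap-in installed, an elevated shell on the Central Admin server, and an account named DOMAIN\SPAdmin (substitute your own). One caveat specific to this setup: on a domain controller there is no separate machine-local Administrators group, so "local Administrators" there is the domain's BUILTIN\Administrators, which is a domain-wide privilege rather than a per-server one.

```powershell
# Added example (not from the original thread): audit where a SharePoint 2010
# farm-admin account gets its rights from. Run elevated on the server that
# hosts Central Administration. "DOMAIN\SPAdmin" is an assumed name.
param(
    [string]$Account = "DOMAIN\SPAdmin"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sam = ($Account -split '\\')[-1]

# 1. Local (machine) groups via the WinNT provider.
#    On a domain controller these are the domain's BUILTIN groups.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$localChecks = @{}
foreach ($g in 'Administrators', 'WSS_ADMIN_WPG', 'WSS_WPG', 'WSS_RESTRICTED_WPG_V4', 'IIS_IUSRS') {
    try {
        $localChecks[$g] = ((Get-LocalGroupMemberNames $g) -contains $sam)
    } catch {
        $localChecks[$g] = 'group not found'
    }
}

# 2. Domain group membership. For least privilege, Domain Admins should NOT
#    appear here once installation is finished.
$searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
$user = $searcher.FindOne()
$domainGroups = @()
if ($user) {
    $domainGroups = @($user.Properties['memberof']) | ForEach-Object {
        ($_ -split ',')[0] -replace '^CN=', ''
    }
}

# 3. SharePoint's own view. The Farm Administrators group lives on the root
#    web of the Central Administration site; the application pool identity is
#    what the UI labels "System Account".
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caSite = $ca.Sites[0]
try {
    $farmAdmins = $caSite.RootWeb.SiteGroups |
                  Where-Object { $_.Name -eq 'Farm Administrators' }
    $farmAdminLogins = @($farmAdmins.Users | ForEach-Object { $_.LoginName })
} finally {
    $caSite.Dispose()
}
$caPoolIdentity = $ca.ApplicationPool.Username

# 4. Report (New-Object rather than [PSCustomObject] so it runs on PS 2.0,
#    which is what Windows Server 2008 R2 ships with).
New-Object PSObject -Property @{
    Account                  = $Account
    LocalAdministrators      = $localChecks['Administrators']
    WSS_ADMIN_WPG            = $localChecks['WSS_ADMIN_WPG']
    WSS_WPG                  = $localChecks['WSS_WPG']
    WSS_RESTRICTED_WPG_V4    = $localChecks['WSS_RESTRICTED_WPG_V4']
    IIS_IUSRS                = $localChecks['IIS_IUSRS']
    DomainGroups             = ($domainGroups -join ', ')
    InDomainAdmins           = ($domainGroups -contains 'Domain Admins')
    InFarmAdministrators     = ($farmAdminLogins -contains $Account)
    CentralAdminPoolIdentity = $caPoolIdentity
    RunsCentralAdminAppPool  = ($caPoolIdentity -ieq $Account)
}
```

Run it once for the farm account and once for the domain administrator to see side by side why the two behave differently in Central Admin: the report makes it visible when rights are coming from BUILTIN\Administrators or Domain Admins rather than from Farm Administrators, and when the account you are browsing with is the application pool identity itself.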
Hi,
and yes you are right. These couple of sections do NOT apply to central admin :-)
CU
Rainer