How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators
Businesses often need certain users to be able to run PowerShell cmdlets in their SharePoint farm and they don’t want those users to be part of the local administrators group for security reasons.
The following steps allow you to correctly configure your SharePoint servers to allow certain users access to run SharePoint PowerShell cmdlets.
On the SharePoint Servers:
Log onto the SharePoint Server(s) as the SharePoint Administrator
In Computer Management, under Local Users and Groups, add the user(s) to the following Groups:
- Remote Desktop Users
- WinRMRemoteWMIUsers__
- WSS_ADMIN_WPG
- Remote Management Users
Still in Computer Management, under Services and Applications, select Services and start Windows Remote Management (WS-Management) if it's not started and ensure it is set to Automatic.
Open the Local Group Policy Editor by typing gpedit.msc at a command prompt
- Go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation and double-click "Allow delegating fresh credentials"
- Set this to Enabled, then click the Show button under options.
- In the Show Contents dialog box, add the value WSMAN/*.domain.com changing domain.com to match your domain.
- Click OK and OK then close the Local Group Policy Editor
Run the SharePoint Management Shell as Administrator
Type Enable-PSRemoting -Force
Type Enable-WSManCredSSP -Role Server
Type winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
Type winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
Type Get-SPShellAdmin
- This should return only the users who have the SharePoint_Shell_Access role
Type Add-SPShellAdmin -UserName Domain\Username -Database (Get-SPContentDatabase -Identity "ContentDatabaseName")
- Replace Domain\Username with the user needing access
- Replace ContentDatabaseName with one of the Content Databases
You will need to run this command for all content databases for the user(s) who need access
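NOTE: To grant access to all content databases at once, use the following command. Get-SPDatabase returns every database in the farm, not only content databases, so this grants access to all of them: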
Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName
Type Get-SPShellAdmin
- The user you added should now be listed
Type Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI
- This will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK
- Run the command again to ensure the permissions were applied correctly
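A read-only check of the server-side configuration above, written as an added example that is not part of the original post. The account name FABRIKAM\psremote.user is a constructed placeholder; run it from an elevated SharePoint Management Shell on the server.

```powershell
# Added example: read-only audit of the server-side steps above.
$User = 'FABRIKAM\psremote.user'   # constructed placeholder account

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$report = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Value) {
    $report.Add([pscustomobject]@{ Check = $Check; Value = "$Value" })
}

# Local groups: the four from the steps, plus Administrators, which should stay False.
# Only direct members are listed; membership via nested domain groups is not resolved.
$leaf = $User.Split('\')[-1]
foreach ($g in 'Remote Desktop Users', 'WinRMRemoteWMIUsers__', 'WSS_ADMIN_WPG',
               'Remote Management Users', 'Administrators') {
    $members = @()
    try {
        $members = @(([ADSI]"WinNT://$env:COMPUTERNAME/$g,group").Invoke('Members') |
            ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    } catch { }   # a missing group is reported as False
    Add-Result "Direct member of '$g'" ($members -contains $leaf)
}

# WinRM service state and start mode (the steps expect Running / Auto).
$wmi = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
Add-Result 'WinRM state / start mode' "$($wmi.State) / $($wmi.StartMode)"

# CredSSP server role and the winrs quotas set with winrm.
Add-Result 'CredSSP service auth' (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
foreach ($q in 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
    Add-Result "winrs $q" (Get-Item "WSMan:\localhost\Shell\$q").Value
}

# Delegation policy: list each SPN pattern so broad wildcards are visible for review.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path $key) {
    $k = Get-Item $key
    foreach ($n in $k.GetValueNames()) { Add-Result "AllowFreshCredentials[$n]" $k.GetValue($n) }
}

# SharePoint_Shell_Access per content database.
foreach ($db in Get-SPContentDatabase) {
    $hit = @(Get-SPShellAdmin -Database $db | Where-Object { $_.UserName -ieq $User })
    Add-Result "Shell admin on $($db.Name)" ($hit.Count -gt 0)
}

# ACL on the session configuration edited with -ShowSecurityDescriptorUI.
Add-Result 'Microsoft.PowerShell32 ACL' (Get-PSSessionConfiguration -Name Microsoft.PowerShell32).Permission

$report | Format-Table -AutoSize -Wrap
```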
On the Client Machine:
Log onto the client machine as the user(s) added on the SharePoint server above.
- Open Computer Management and select Services under Services and Applications. Set the Windows Remote Management (WS-Management) service to automatic and start the service.
- Open Windows PowerShell as Administrator
- Type Enable-WSManCredSSP -Role client -DelegateComputer "SharePointServerName"
- Replace SharePointServerName with the FQDN of the SharePoint server
- Type $cred=get-Credential
- Enter the credentials of the user logged onto the client machine
- Type $s=new-PSsession "SharePointServerName" -authentication credssp -credential $cred
- Replace SharePointServerName with the FQDN of the SharePoint server
- NOTE: If this fails with an "access denied" error, re-run Step 10 on the server (the Set-PSSessionConfiguration step) to enable configuration of the x64 PowerShell by running Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI
- Type Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}
- Type Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}
- This will return all the content databases in your SharePoint farm and ensure you have access
- Type Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}
- This will return the SharePoint service instances and ensure you have access
- Type Enter-PSSession -session $s
You will now see the server's name in [ ] at the start of the prompt, followed by PS C:\users\someuser\documents
Example: [sp2013-app.fabrikaminc.local]: PS C:\Users\adamb\Documents>
At this point, the user can run PowerShell scripts on the SharePoint server.
Note: Special thanks to Mark Kordelski & Samer Judeh for the assistance with this!
Updates: 10/8/2014 added information about configuring PowerShell x64
Update: 8/8/2017 adding additional clarification for services, account logins, local group policy