Assign or remove administrators of service applications in SharePoint Server

Summary: Learn how to assign service administrators to, or remove them from, a service application in SharePoint Server 2016 and SharePoint 2013.

An administrator of a SharePoint Server service application must be a member of the Farm Administrators group to assign or remove additional administrators of that service application. Service application administrators are granted security-trimmed access to the SharePoint Central Administration website and can manage settings related to the service application, but they must be members of the Farm Administrators group to add and remove other service application administrators.

Note

By default, members of the Farm Administrators group have permissions to manage all service applications.

You can assign or remove service application administrators by using the SharePoint Central Administration website or by using Microsoft PowerShell.

To assign or remove administrators to a service application by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the Central Administration Home page, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, select the row that contains the service application to which you want to add or remove administrators. The ribbon becomes available.

  4. On the ribbon, click Administrators.

  5. To add an administrator:

    • In the first text box on the page, type the user accounts or groups that you want to add. You can click the People icon to validate a name. You can click the Address book icon to search for users to add. You can add multiple administrators into the text box.
    • After you have added the administrators, click OK.
  6. To remove an administrator:

    • In the second text box on the page, select the administrator whom you want to remove. Note that this step does not remove the user from the system; it only revokes the user's administrative permissions to the selected service application.
    • Click Remove.
    • After you have finished removing administrators, click OK.

To assign or remove administrators to a service application by using PowerShell

  1. Verify that you meet the following minimum requirements:

    • You must have membership in the securityadmin fixed server role on the SQL Server instance.

    • You must have membership in the db_owner fixed database role on all databases that are to be updated.

    • You must be a member of the Administrators group on the server on which you are running the PowerShell cmdlet.

      Note

      If these permissions are not satisfied, contact your Setup administrator or SQL Server administrator to request these permissions.

      For additional information about PowerShell permissions, see Permissions and Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. To create a claims principal, at the PowerShell command prompt, type the following command:

    $principal = New-SPClaimsPrincipal "<contoso\jane>" -IdentityType WindowsSamAccountName
    

    Where <contoso\jane> is the user name for which you want to assign administrative permissions. The user name should be entered in the form of jane@contoso.com or contoso\jane. The new claims principal is stored in the $principal variable.

  4. To retrieve the service application, type the following command:

    $spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
    

    Where <ServiceApplicationDisplayName> is the display name of the service application. The service application identification is stored in the $spapp variable.

    Important

    The display name must be enclosed in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has the identical display name (we do not recommend this), you can use the Get-SPServiceApplication cmdlet to view all service applications. You can then identify the service application by its GUID. For more information, see Get-SPServiceApplication.

  5. To retrieve the administrator security object for the service application, type the following command:

    $security = Get-SPServiceApplicationSecurity $spapp -Admin
    

    The retrieved administrator security object is stored in the $security variable.

    Caution

    It is important that you append the -Admin argument when you use this command.

  6. To assign or revoke administrative permissions for the user who is identified by the new claims principal $principal (created in step 6 of this procedure) to the service application administrator security object $security (obtained in step 8 of this procedure), use the appropriate command as shown in the following example:

    • To assign administrative permissions, type the following command:
    Grant-SPObjectSecurity $security $principal "Full Control"
    
    • To revoke administrative permissions, type the following command:
    Revoke-SPObjectSecurity $security $principal
    
  7. To assign the updated $security security object to the service application, type the following command:

    Set-SPServiceApplicationSecurity $spapp $security -Admin
    

    Caution

    It is important that you append the -Admin argument when you use this command.

  8. To confirm that the service application's security object is updated appropriately, type the following command:

    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
    

Examples

In the following example, the service account user "contoso\jane" is added to the administrators security object for the service application named "Contoso Visio Graphics".

    $principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
    $spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
    $security = Get-SPServiceApplicationSecurity $spapp -Admin
    Grant-SPObjectSecurity $security $principal "Full Control"
    Set-SPServiceApplicationSecurity $spapp $security -Admin
    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules

In the following example, the service account user "contoso\jane" is removed from the administrators security object for the service application named "Contoso Visio Graphics".

    $principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
    $spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
    $security = Get-SPServiceApplicationSecurity $spapp -Admin
    Revoke-SPObjectSecurity $security $principal "Full Control"
    Set-SPServiceApplicationSecurity $spapp $security -Admin
    (Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
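
The verification command from step 8 can be extended into a farm-wide review of delegated administrators. The following is an added example, not part of the original article: the function name Get-ServiceAppAdminReport is hypothetical, and it assumes each entry in AccessRules exposes Name and AllowedRights properties. It also lists display names shared by more than one service application, the case the Important note above warns about.

```powershell
# Added example (not from the original article).
# Run as a farm administrator; loads the SharePoint snap-in when the
# script is started outside the SharePoint Management Shell.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ServiceAppAdminReport {   # hypothetical helper name
    foreach ($app in Get-SPServiceApplication) {
        try {
            # -Admin selects the administrators ACL, as in steps 5 and 8.
            $acl = Get-SPServiceApplicationSecurity $app -Admin -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not read admin ACL for '$($app.DisplayName)': $_"
            continue
        }
        foreach ($rule in $acl.AccessRules) {
            # Assumption: rules expose Name (encoded claim) and AllowedRights.
            [pscustomobject]@{
                DisplayName   = $app.DisplayName
                Id            = $app.Id          # GUID, unique even if names collide
                Principal     = $rule.Name
                AllowedRights = $rule.AllowedRights
            }
        }
    }
}

# One row per (service application, delegated administrator).
$report = Get-ServiceAppAdminReport
$report | Sort-Object DisplayName, Principal | Format-Table -AutoSize

# Display names used by more than one service application: for these,
# Get-SPServiceApplication -Name is ambiguous and the GUID must be used.
Get-SPServiceApplication |
    Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.Name
            Ids         = ($_.Group | ForEach-Object { $_.Id }) -join ', '
        }
    }
```

Farm Administrators do not appear in this report because, as noted above, they can manage all service applications by default; review that group's membership separately.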

For more information, see the following Microsoft PowerShell articles:

Note

We recommend that you use Microsoft PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.