I am interested in creating an alternate Farm Administrator account so I don’t have to continually log in using the original farm admin account. I visited and used Todd Klindt’s blog post “How to
create a SharePoint 2010 admin account and stop using sp_farm“, however, it doesn’t talkĀ about database roles or permissions. How should my new, alternate farm admin account be configured relating to all the databases: ie. SharePoint system database, content databases, and service databases, etc..
For instance, when I log into SQL Server and view the “server roles” for the original farm admin account it lists the following: dbcreator, public, securityadmin, and sysadmin. However, when I check the “server roles” for my alternate account it only shows the role of “public”. Also, when I check the “User Mapping” forĀ the original farm admin account, there are a wide variety of roles to checkmark depending on theĀ role of the database.
What roles and permissions should I give my new alternate farm admin account so that it has equal authority and permissions with all the differentĀ databases? Is there a PowerShell script I can run to apply particular roles to different database types (SharePoint system database, content databases, and service databases, etc.) ?
Plus, if I create a second, alternate farm admin account dedicated to backup and restore operations, what additional (if any) setup should I be focused on? We run a 3rd party backup/restore application that uses the farm administrator account. My goal is to give this 3rd party application the second, alternate farm admin account and stop using the original farm account for backup and restore operations.Ā This way we can track all operations by the new account.
Thank you
Ok, so I will add the dbcreator and securityadmin roles to my new alternate farm admin accounts and runĀ the Add-SPShellAdmin cmdlet again. I already ran it once, but I had not added the database roles for these accounts yet.
I noticed on a few databases there were roles checkmarked for the original farm admin account, such as: SPDataAccess and db_accessadmin. One account in particular, the Farm Config DB,Ā had these roles and alsoĀ the WSS_Content_Application_Pools role. Should I also check these roles for my new alternate accounts?
Once that is done then my alternate farm admin accounts will have the same power/authority as the original farm admin account? Are there any gotchas under certain circumstances where the new accounts will not have the same authority as the original farm admin account? Also, following this setup, it will allow the new backup account access to backup and restore all databases regardless of type (config db, farm admin database, content database, service database, etc.)? If so, that would be great.
Thanks
