Some organizations may want tight control over who is able to run Windows PowerShell cmdlets. This post gives an overview of the permissions required to run a SharePoint 2010 Products for Windows PowerShell cmdlet or script, and of the issues an administrator should consider before granting a user that permission.
In SharePoint Products and Technologies, the only permission required to run the stsadm.exe command-line tool was local administrator on the computer where SharePoint Products and Technologies were installed. In SharePoint 2010 Products, the requirements are vastly different: the local administrator permission is not sufficient to run a Windows PowerShell cmdlet. To run a Windows PowerShell cmdlet in SharePoint 2010 Products, you need the following minimum permissions:
To add a user to the SharePoint_Shell_Access role and the WSS_ADMIN_WPG local group, the Add-SPShellAdmin cmdlet must be used. For additional information about how to use the Add-SPShellAdmin cmdlet to add a user to the SharePoint_Shell_Access role and WSS_ADMIN_WPG local group, see Add-SPShellAdmin (http://technet.microsoft.com/en-us/library/ff607596.aspx).
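The following added example (not part of the original post) reviews who already holds shell access on each database before granting it, then grants it on a single content database instead of farm-wide. The account `CONTOSO\spops` and the database `WSS_Content_Example` are hypothetical placeholders.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell as an account that already has the required permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$user   = 'CONTOSO\spops'         # hypothetical account to be granted access
$dbName = 'WSS_Content_Example'   # hypothetical content database name

# 1. Review existing shell admins: farm configuration database first
#    (Get-SPShellAdmin with no -database reports on the configuration database),
#    then every content database.
$report = @()
foreach ($admin in Get-SPShellAdmin) {
    $report += New-Object PSObject -Property @{
        Database = '(farm configuration)'; UserName = $admin.UserName }
}
foreach ($db in Get-SPContentDatabase) {
    foreach ($admin in Get-SPShellAdmin -database $db) {
        $report += New-Object PSObject -Property @{
            Database = $db.Name; UserName = $admin.UserName }
    }
}
$report | Sort-Object UserName, Database |
    Format-Table UserName, Database -AutoSize

# 2. Grant access on one content database only, so the user's reach is
#    limited to the data they actually need to manage.
$target = Get-SPContentDatabase -Identity $dbName
Add-SPShellAdmin -UserName $user -database $target

# 3. Confirm the grant landed where intended and nowhere else.
Get-SPShellAdmin -database $target |
    Where-Object { $_.UserName -eq $user }

# 4. When the access is no longer needed, remove it the same way:
# Remove-SPShellAdmin -UserName $user -database $target
```

Keeping the output of step 1 gives a baseline to compare against in later access reviews.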
Questions to ask yourself before you give a user permission to use a SharePoint 2010 Products for Windows PowerShell cmdlet or script:
For additional information about Windows PowerShell, see "SharePoint 2010 Products administration by using Windows PowerShell" (http://technet.microsoft.com/en-us/library/ee806878.aspx).
We'd like to hear how you're using Windows PowerShell, and what content we can provide to help you get the most out of this powerful tool.
-- Kirk Stark, writer