Managing the SharePoint Administration Group

Two sets of users are allowed to perform administrative functions for Microsoft Windows SharePoint Services: members of the Administrators group for the local server computer and members of the SharePoint administration group. The SharePoint administration group is a Microsoft Windows domain group that is registered with Windows SharePoint Services. Members of this domain group can perform Central Administration tasks without having to be given administrator rights (file-level and folder-level permissions that allow access to a Web site) to the local server computer. This is particularly useful in a server farm (a centralized grouping of network servers maintained by an enterprise or, often, an Internet service provider (ISP), which provides a network with load balancing, scalability, and fault tolerance), because you can grant rights across the server farm, rather than individually for each computer in the server farm. This is also useful for applications that call into the administrative object model for Windows SharePoint Services. If the application process can be configured to run as a member of the SharePoint administration group, it can create new sites, modify quota values for sites, and so on.

Members of the Administrators group on the local server computer have full control of all applications running on that server, including Internet Information Services (IIS) (software services from Microsoft that support Web site creation, configuration, and management, along with other Internet functions), Microsoft SQL Server, Microsoft ASP.NET, and Windows SharePoint Services. These administrators can perform any task on that server, including all administration tasks for Windows SharePoint Services, such as controlling administrative functions, configuring settings at the server or virtual server level, and creating or changing sites and lists.

Members of the SharePoint administration group can perform SharePoint Central Administration tasks, but do not have access to the file system of the server or the IIS metabase, so they cannot perform actions on other applications running on the server, such as IIS, Microsoft SQL Server, ASP.NET, and so on. Specifically, members of the SharePoint administration group cannot perform the following actions for Windows SharePoint Services:

Members of the SharePoint administration group can perform any other administrative action using the HTML Administration pages or object model for Windows SharePoint Services. For example, members of the group can view and manage all sites created on their servers. This means that a member of the SharePoint administration group can read documents or list items, change survey settings, delete a site, or perform any action on a site that the site administrator can perform.

Note: To manage the SharePoint administration group, you must be a member of the Administrators group of the local server computer.

Specify the SharePoint administration group

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Under Security Configuration, click Set SharePoint administration group.
  3. In the Group account name box, type the domain group you want to allow to administer Windows SharePoint Services.
  4. Click OK.

Changing the Group or Changing Group Membership

You can only register one domain group as the SharePoint administration group, so if you want to include other members, you must add them to the group using the user and group management tools for your domain. If you want to change which group is registered, you can follow the steps to specify a group and specify a different domain group. When you specify a new group, the old group's rights are removed, and the members of that group can no longer manage the servers running Windows SharePoint Services.

Applies to:
Deployment Center 2003