Assign or remove administrators of service applications in SharePoint Server
APPLIES TO: 
2013 2016 2019 Subscription Edition 
SharePoint in Microsoft 365
An administrator of a SharePoint Server service application must be a member of the Farm Administrators group to assign or remove additional administrators to that service application. Service application administrators are granted security-trimmed access to the SharePoint Central Administration Web site and can manage settings related to the service application but must be a member of the Farm Administrators group to add and remove other service application administrators.
Note
By default, members of the Farm Administrators group have permissions to manage all service applications.
You can assign or remove service application administrators by using the SharePoint Central Administration websiteor by using Microsoft PowerShell.
To assign or remove administrators to a service application by using Central Administration
Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
On the Central Administration Home page, in the Application Management section, click Manage service applications.
On the Manage Service Applications page, select the row that contains the service application to which you want to add or remove administrators. The ribbon becomes available.
On the ribbon, click Administrators.
To add an administrator:
- In the first text box on the page, type the user accounts or groups that you want to add. You can click the People icon to validate a name. You can click the Address book icon to search for users to add. You can add multiple administrators into the text box.
- After you have added the administrators, click OK.
To remove an administrator:
- In the second text box on the page, select the administrator whom you want to remove. Note that this step does not remove the user from the system—it merely revokes the user's administrative permissions to the selected service application.
- Click Remove.
- After you have finished removing administrators, click OK.
To assign or remove administrators to a service application by using PowerShell
Verify that you meet the following minimum requirements:
You must have membership in the securityadmin fixed server role on the SQL Server instance
You must have membership in the db_owner fixed database role on all databases that are to be updated.
You must be a member of the Administrators group on the server on which you are running the PowerShell cmdlet.
Note
If these permissions are not satisfied, contact your Setup administrator or SQL Server administrator to request these permissions.
For additional information about PowerShell permissions, see Permissions and Add-SPShellAdmin
Start the SharePoint Management Shell.
To create a claims principal, at the PowerShell command prompt, type the following command:
$principal = New-SPClaimsPrincipal "<contoso\jane>" -IdentityType WindowsSamAccountNameWhere contoso\jane is the user name for which you want to assign administrative permissions. The user name should be entered in the form of jane@contoso.com or contoso\jane. The new claims principal is stored in the $principal variable.
To retrieve the service application, type the following command:
$spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"Where ServiceApplicationDisplayName is the display name of the service application. The service application identification is stored in the $spapp variable.
Important
The display name must be enclosed in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has the identical display name (we do not recommend this), you can use the Get-SPServiceApplication cmdlet to view all service applications. You can then identify the service application by its GUID. For more information, see Get-SPServiceApplication.
To retrieve the administrator security object for the service application, type the following command:
$security = Get-SPServiceApplicationSecurity $spapp -AdminThe retrieved administrator security object is stored in the $security variable.
Caution
It is important that you append the -Admin argument when you use this command.
To assign or revoke administrative permissions for the user who is identified by the new claims principal $principal (created in step 6 of this procedure) to the service application administrator security object $security (obtained in step 8 of this procedure), use the appropriate command as shown in the following example:
- To assign administrative permissions, type the following command:
Grant-SPObjectSecurity $security $principal "Full Control"- To revoke administrative permissions, type the following command:
Revoke-SPObjectSecurity $security $principalTo assign the updated $security security object to the service application, type the following command:
Set-SPServiceApplicationSecurity $spapp $security -AdminCaution
It is important that you append the -Admin argument when you use this command.
To confirm that the service application's security object is updated appropriately, type the following command:
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
Examples
In the following example, the service account user "contoso\jane" is added to the administrators security object for the service application named "Contoso Visio Graphics".
$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Grant-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
In the following example, the service account user "contoso\jane" is removed from the administrators security object for the service application named "Contoso Visio Graphics".
$principal = New-SPClaimsPrincipal "contoso\jane" -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso Visio Graphics"
$security = Get-SPServiceApplicationSecurity $spapp -Admin
Revoke-SPObjectSecurity $security $principal "Full Control"
Set-SPServiceApplicationSecurity $spapp $security -Admin
(Get-SPServiceApplicationSecurity $spapp -Admin).AccessRules
For more information, see the following Microsoft PowerShell articles:
Note
We recommend that you use Microsoft PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.