In this post, we will fix the “local administrator privilege is required to update the farm administrators’ group” error that you may face when adding a user to the Farm Administrators group in SharePoint 2016 and SharePoint 2019.
Local administrator privilege is required to update the Farm Administrators’ group
In SharePoint 2016/2019, I tried to add a user to the Farm Administrators group using the farm account within Central Administration, but I got the following error:
Sorry, something went wrong, An unexpected error has occurred.
In my case, the farm account is not allowed to log in or connect remotely to the server based on my company policy, so I logged in to the SharePoint server as a specific domain user and then did the following to open Central Administration using the farm account.
- I opened Internet Explorer as a different user,
- I provided the credentials of the farm account.
- I navigated to the Central Administration URL.
- Security > Manage the farm administrators group.
- Click Add new user.
I provided a specific user then I clicked Share.
Once I clicked the Share button, I got this error.
I checked the Event Viewer and noticed that the root cause of this issue is:
Local administrator privilege is required to update the Farm Administrators’ group.
The “local administrator privilege is required to update the farm administrators’ group” error usually occurs when the account you are currently logged in with doesn’t have sufficient privileges to manage the Farm Administrators group.
If you have already logged in to your machine with the user account that is configured as the application pool identity for Central Administration (e.g. the farm account that was provided when configuring SharePoint), you only need to run the Central Administration link as administrator, or open the web browser as administrator and then navigate to the Central Administration URL.
You will also get “local administrator privilege is required to update the farm administrators’ group” if you can’t use the farm account to log in to the current server and you have tried to open Central Administration by running the browser as a different user, rather than by using the Central Administration link on the Start menu.
Note: the different user should be the farm account, or a domain user that is a member of both the local Administrators group and the Farm Administrators group, in order to manage the Farm Administrators group.
The farm account is a domain user account, also referred to as a database access account.
The farm account should only be used to run the services and pools below:
- SharePoint Timer service.
- IIS Application Pools for Central Administration.
- SharePoint Web Services System used for the topology service.
- Security Token Service Application Pool.
The farm account is the Windows account that is used to connect to the configuration database when configuring the configuration database settings in the SharePoint Configuration Wizard.
Required Permission for Farm Account
- It must be a domain user account.
- It must not be a member of the Local Administrators Group on SharePoint servers within the farm except for some cases like starting User Profile Synchronization Service.
- After running the SharePoint Configuration Wizard, the account is added automatically to:
  - WSS_ADMIN_WPG Windows security group for the SharePoint Timer Service.
  - WSS_RESTRICTED_WPG for the Central Administration and Timer service application pools.
  - WSS_WPG for the Central Administration application pool.
- By default, it’s added to the SharePoint Farm Administrator Group.
- In the Local Security Policy\User Rights Assignment, it should have:
  - Allow log on locally. (Optional, if it will not conflict with your organization’s security policies.)
  - Log on as a batch job.
  - Log on as a service.
- It must have the below server roles:
- It must have a db_owner database role on all SharePoint databases.
- It must have a SharePoint_Shell_Access role on SharePoint Configuration Database and SharePoint Admin Content Database.
- After running the SharePoint Configuration Wizard, the WSS_CONTENT_APPLICATION_POOLS role is assigned automatically to this account on the SharePoint Configuration database and the SharePoint Central Administration content database.
The SharePoint Farm Administrator Account is a domain account which is a member of the Farm Administrators Group.
- By default, the members of the Local Administrator Group (BUILTIN\Administrators) are added to the Farm Administrators Group.
- Once you add an account to the SharePoint Administrators Group, it will be added to the local WSS_ADMIN_WPG security group on each server in the SharePoint farm.
- You should add an account to the Farm Administrators Group when you want to allow this account to manage the farm with lower privilege than the Farm Account.
- Members of the Farm Administrators Group don’t have the same privilege as the Farm Account.
- Members of the Farm Administrators Group have full access to all settings on the farm; however, unlike the Farm Account, they can’t perform all operations that require access to the SharePoint server’s infrastructure.
- To allow an account in the SharePoint Administrators Group to control and perform all operational tasks from Central Administration as well as from PowerShell, you will also need to:
  - Add it to the Local Administrator Group.
  - Grant it the SharePoint_Shell_Access database role on the SharePoint configuration database and SharePoint Admin Content Database.
  - Grant it the db_owner database role on all content databases that hold the resources that you want to manage.
For more details, please check SharePoint 2019: Service Accounts Recommendations
Solving Local administrator privilege is required to update the Farm Administrators’ group
If you have already logged in to your machine with the farm account, you only need to do one of the following:
- Run the Central Administration Link as Administrator.
- Or run the web browser as administrator and then navigate to the Central Administration URL.
If you are trying to manage the Farm Administrators group using a farm administrator user, you should ensure that:
- This user is a member of the local administrator group.
- Run the central administration link as a different user and then provide the correct credentials.
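To tell which of the two cases above applies before retrying, the following added PowerShell example (not part of the original post) reports whether the current account is in the local Administrators group and whether the current process actually holds that privilege. The function name `Get-FarmAdminEditReadiness` is hypothetical, and the script assumes Windows PowerShell 5.1 on an English-language server, because it reads the `SID` column name from `whoami`.

```powershell
# Added example, not from the original post.
# Run it in the same user context you use to open Central Administration.
# Assumption: English-language OS (whoami CSV column names are localized).

function Get-FarmAdminEditReadiness {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when BUILTIN\Administrators is enabled in this process token,
    # i.e. the process was started with "Run as administrator".
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    $elevated  = $principal.IsInRole($adminRole)

    # whoami still lists the group when UAC has reduced it to deny-only,
    # so it shows membership even for a non-elevated process.
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $entry = whoami /groups /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.SID -eq $adminSid }

    if ($elevated) {
        $finding = 'Elevated: editing the Farm Administrators group should not hit this error.'
    } elseif ($entry) {
        $finding = 'Member of local Administrators but not elevated: reopen the browser or the Central Administration link with Run as administrator.'
    } else {
        $finding = 'Not a member of local Administrators: this account cannot update the Farm Administrators group from this server.'
    }

    [pscustomobject]@{
        Account               = $identity.Name
        InLocalAdministrators = [bool]$entry
        Elevated              = $elevated
        TokenAttributes       = if ($entry) { $entry.Attributes } else { $null }
        Finding               = $finding
    }
}

Get-FarmAdminEditReadiness | Format-List
```

If the farm account itself shows `InLocalAdministrators : True`, compare that with the requirement above that it must not be a member of the Local Administrators Group except in cases such as starting the User Profile Synchronization Service.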
- SharePoint 2019.
- SharePoint 2016.
- SharePoint 2013.