Have you ever found yourself in a situation where you are the Farm administrator and you need to add a user (perhaps yourself) as a site collection administrator but you don’t want to be the site collection owner because you need a business user for that, you just want to be added as a site collection administrator? Well, if you’ve tried to use the stsadm command adduser or tried to use the browser to add yourself (or someone else) as the site collection administrator you probably quickly found out that you can’t do it.
For some reason Microsoft chose to not allow farm administrators to be able to add a user as a site administrator – now, this makes no sense because as a farm administrator I have the rights to set any user (including myself) as the site owner, at which point that user is now a site administrator who can now add other users as site administrators. So why didn’t Microsoft make it so that a farm administrator can add users as site administrators even if they themselves are not listed as site administrators?
This was really annoying to me and prevented me from being able to set the security on our site collections without having to go through a lot of hoops. So, in order to get around this issue I decided to create a new command called gl-addsiteadmin. The command is pretty simple, it just takes in a user login, user name, and email and then adds the user as a site admin to the specified site collection. If the user you are trying to add as a site admin is not yourself then I just go ahead and temporarily assign your account as a site owner, add the specified user as a site admin, and then reset the site owner (of course if you are already a site admin then I just simply set the user as a site admin – but that scenario can be handled by the adduser command that already exists).
If you are attempting to add yourself as a site admin (and you don’t want to be a site owner) then I have to use an internal method called AdministratorOperationMode which sets the SPSite object into a special mode that allows administrative functions to be performed. If you are familiar with the SPSiteAdministration object and have ever disassembled it you would see that the constructor of this object calls this internal method so that it can perform admin functions on the SPSite object. What’s really strange is that Microsoft doesn’t expose the resultant SPSite object via the SPSiteAdministration object and the AdministratorOperationMode method is not public.
I hope that one day this changes as the only way to perform admin level functions on the SPSite object is to use reflection to call the method manually (unless of course the SPSiteAdministration object already exposes the require property, which, in this case it does not). Because I’m calling an internal method directly via reflection use of this command could put your environment into an unsupported state according to Microsoft so make sure that you understand what the command is doing and what your support options with Microsoft are.
That being said, I feel that you are very safe with this command as the internal method still preserves all the security checks (it makes sure you are in fact a farm administrator) and it is exactly what the SPSiteAdministration object is doing so I can’t see the use of this as causing any issues (and the reflection call only comes into play if you are attempting to add your own account as a site admin – if you used a different account to run the command to add your account then you’ll never hit the reflection call). The code to do all this is detailed below:
The command I created is detailed below.
Using the command is reasonably similar to using the adduser command. The only real difference is that I’m not requiring a role or group name to be specified and you don’t have to specify the siteadmin switch (naturally). The syntax of the command can be seen below:
C:\>stsadm -help gl-addsiteadmin stsadm -o gl-addsiteadmin Adds a user as a site admin (must be a farm administrator or a current site admin). Parameters: -url <url of site collection> -userlogin <DOMAIN\user> -useremail <email@example.com> -username <display name> [-role <role name> / -group <group name>]
Here’s an example of how to set a user as a site administrator and put them in the "Full Control" role (note that it’s usually better to put users in groups then it is to assign roles directly to them):
stsadm –o gl-addsiteadmin -url "http://intranet/" -userlogin "domain\user" -useremail "firstname.lastname@example.org" -username "Gary Lapointe" -role "Full Control"