Rights required for SP Farm account to change search topology

Question

While I was trying to change the search topology with an active index on my SharePoint farm, I encountered some issues my the rights required.

I thought I could use my farm admin account to change the search topology but when I try to start the Windows search service on some SharePoint servers I'm unable to do it because the account is not a local administrator.

Start-SPEnterpriseSearchServiceInstance -Identity $server
Start-SPEnterpriseSearchServiceInstance : Access denied.  Only machine administrators are allowed to create administration service job definitions of type: Microsoft.SharePoint.Administration.SPServiceInstanceJobDefinition, Microsoft.SharePoint,... 

So my question is do I need to temporarily grant my farm account the local administrator permissions or am I missing something here ?

Because according to Microsoft, the farm account only needs to be a domain user : Server farm-level accounts

Answer 1

One shouldn't use the Farm Admin (or any service accounts) to perform interactive actions. Instead, set up a secondary farm administrator that has local administrator, shell administrator, and depending on policy, the sysadmin fixed role on SQL. For accountability purposes, I would typically set this up for my own account (or an "alt" account that is assigned to me).

This way you can perform administrative operations while maintaining accountability for those actions.