
Nik Patel's SharePoint World

SharePoint 2010 Service Account References for Least-Privileged Installation


Posted on December 24, 2010

Permalink: http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for... (retrieved 4/28/2013)

Recently I have spent a lot of time rebuilding my SP2010 RTM VM using a least-privileged installation and configuration, to match real-world scenarios, without running the evil Farm Configuration Wizard. Many of you may ask why there is one more resource on service account references when several TechNet and community references already exist (listed below). The main reason is that I wanted to expand Eric Harlan's table with a clearer explanation of the purpose of each service account, the installation requirements for each account, and what happens behind the scenes when a service account is configured by the different pieces of SharePoint during installation and configuration.

References:
http://technet.microsoft.com/en-us/library/cc678863.aspx
http://www.sharepointproconnections.com/article/sharepoint/Least-Privilege-Service-Accounts-forSharePoint-2010.aspx
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237
http://www.ericharlan.com/Moss_SharePoint_2007_Blog/sharepoint-2010-service-account-reference-guide-a184.html
http://stsadm.blogspot.com/2010/10/service-accounts-and-managed-service.html

During the least-privileged SharePoint 2010 RTM VM installation and configuration, I had to switch back and forth between the various known blog articles and the TechNet reference to verify the intricacies of the SharePoint installation and configuration process. To make sure I clearly nailed down the service accounts, I had to build my own table from the reference articles above. Please note that, at this moment, this article is not complete (most notably, Search) and I am planning to refine it over time. Enjoy.

Each account below is listed with its Purpose, Domain Rights Required, Local Admin Rights Required and SQL Server Rights Required.

SharePoint Installation/Setup Account (e.g. sp_install)
  Purpose: Used to run Setup and the SharePoint Products Configuration Wizard. Log in to the server with this account to install the SharePoint binaries and run the configuration wizard. It provisions the SharePoint Farm Account during the Configuration Wizard.
  Domain Rights Required: Must be a domain user account. Local user accounts are not supported.
  Local Admin Rights Required: Member of the local Administrators group on each server where the SharePoint installer will run (i.e. WFE and application servers, excluding the SQL Server or SMTP server).
  SQL Server Rights Required: A SQL Server login with access to the SQL Server instance where the SharePoint databases will be hosted. Member of the following SQL Server fixed server roles: securityadmin and dbcreator. SharePoint Setup and psconfig.exe use these privileges to create the databases and the SQL logins for the SharePoint accounts.

SharePoint Farm Account (e.g. sp_farm)
  Purpose: Specify this account in the configuration wizard while creating the farm; the SharePoint Products Configuration Wizard configures it automatically. Also known as the Database Access Account for the SharePoint_Config database in the configuration wizard. Used for configuring and managing the SharePoint farm. It becomes the owner of the farm; in other words, it is configured as db_owner of the SharePoint config database. Using this account, you can add additional farm administrators from the Central Administration site.
  Domain Rights Required: Can be a local user account or a domain user account. Must be a domain account if SQL Server is hosted on another server.
  Local Admin Rights Required: Although it is not required full time, the farm account should be a member of the local Administrators group on each server where the SharePoint installer ran (WFE and application servers, excluding the SQL Server or SMTP server); it makes access easier for the SharePoint admins. It must be a member of the local Administrators group on the server during the UPS service provisioning process. (For a strict least-privilege farm, add it only for that provisioning step and remove it afterwards.)
  SQL Server Rights Required: None to grant manually; the Configuration Wizard gives the account what it needs when it creates the config database.
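The two fixed server roles in the setup account's row are the whole of what Setup and psconfig.exe need on the SQL side, so the thing to check is that sp_install (and later sp_farm) got those roles and nothing more. The following is an added example, not code from the original post: it grants the setup account exactly dbcreator and securityadmin and then audits sysadmin for any sp_* login. The domain name CONTOSO, the instance name SQL01 and the account names are assumptions taken from the table's examples; sp_addsrvrolemember is used because SharePoint 2010 farms typically sit on SQL Server 2008, where ALTER SERVER ROLE does not exist yet.

```powershell
# Added example (not from the original post): grant the setup account exactly the two
# SQL Server fixed server roles the table calls for, then audit that no sp_* login has
# ended up in sysadmin. Assumed names: domain CONTOSO, instance SQL01, accounts as in
# the table. Run as a SQL Server sysadmin (the DBA), not as the setup account itself.

$SqlInstance  = 'SQL01'
$SetupAccount = 'CONTOSO\sp_install'

function Invoke-Tsql {
    param([string]$Instance, [string]$Query)
    # Windows authentication; returns the rows of the batch's single result set
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table.Rows
    } finally {
        $conn.Close()
    }
}

# 1. Create the login if needed and add it to dbcreator and securityadmin only.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SetupAccount')
    CREATE LOGIN [$SetupAccount] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$SetupAccount', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'$SetupAccount', @rolename = N'securityadmin';
SELECT IS_SRVROLEMEMBER('dbcreator',     N'$SetupAccount') AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', N'$SetupAccount') AS securityadmin,
       IS_SRVROLEMEMBER('sysadmin',      N'$SetupAccount') AS sysadmin;
"@
$roles = Invoke-Tsql -Instance $SqlInstance -Query $grant
'{0}: dbcreator={1} securityadmin={2} sysadmin={3}' -f $SetupAccount, $roles.dbcreator, $roles.securityadmin, $roles.sysadmin

# 2. Audit: list every sp_* login that is a member of sysadmin (there should be none).
$audit = @"
SELECT m.name AS member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND m.name LIKE N'%\sp[_]%';
"@
$sysadmins = @(Invoke-Tsql -Instance $SqlInstance -Query $audit)
if ($sysadmins.Count -eq 0) {
    'OK: no sp_* login is a member of sysadmin'
} else {
    $sysadmins | ForEach-Object { Write-Warning "$($_.member) is a member of sysadmin" }
}
```

Two caveats when reading the result. Microsoft's own SQL Server documentation says securityadmin should be treated as equivalent to sysadmin, because a member can grant server-level permissions to anyone, so sp_install remains a privileged account even when the audit is clean and should not be used as a day-to-day login. And the farm account gets its own server roles from psconfig.exe during farm creation, so it should never show up in the sysadmin list either.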

Service Application Pool Account (e.g. sp_serviceapps)
  Purpose: Specify this account as the service application pool identity when creating service applications such as Managed Metadata, Search and User Profiles from the Manage Service Applications page in Central Administration. It is the application pool identity under which most of the SharePoint 2010 service applications (WCF endpoints) run as IIS worker processes (e.g. the Managed Metadata Service and/or the User Profile Service). Please note that service application app pool accounts and web application app pool accounts behave the same way. You can create more than one service account, or group service applications under a small set of accounts, to isolate the IIS processes the services run under. Log in to the SharePoint server as the farm account to configure service applications.
  Domain Rights Required: Must be a domain user account. Must be registered as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None

Content Web Application App Pool Account (e.g. sp_defaultwebapp)
  Purpose: Specify this account as the web application pool identity when creating web applications from the Manage Web Applications page in Central Administration. It is the application pool identity for the IIS site hosting the SharePoint content web applications and site collections, run as the IIS worker process. Please note that service application app pool accounts and web application app pool accounts behave the same way. It is best practice to run each content web application under its own dedicated application pool account. Log in to the SharePoint server as the farm account to configure content web applications.
  Domain Rights Required: Must be a domain user account. Must be registered as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None
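The two rows above (service application pool account and content web application pool account) share the same three requirements: a domain account, registration as a SharePoint Managed Account, and a dedicated pool per identity. The following is an added example, not code from the original post, of doing that from PowerShell and then auditing what the farm actually ended up with: only Central Administration should run as the farm account, and no two content web applications should share a pool identity. The domain CONTOSO, the account names, the pool names, the host header intranet.contoso.com and the database names are assumptions.

```powershell
# Added example (not from the original post): register the two pool identities as
# managed accounts, create one dedicated service application pool and one dedicated
# content web application pool, then audit every pool identity in the farm.
# Assumed names: domain CONTOSO, accounts as in the table, host intranet.contoso.com,
# the pool and database names. Run from the SharePoint 2010 Management Shell as the
# farm account (the table's "log in using the farm account" step).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Register-PoolAccount {
    param([string]$UserName)
    # Any app pool identity must be a managed account; SharePoint keeps the password in
    # the config database and can rotate it for you.
    $existing = Get-SPManagedAccount -Identity $UserName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    return New-SPManagedAccount -Credential (Get-Credential $UserName)
}

$svcAccount = Register-PoolAccount 'CONTOSO\sp_serviceapps'
$webAccount = Register-PoolAccount 'CONTOSO\sp_defaultwebapp'

# Dedicated pool for service applications (WCF endpoints), with one service app in it.
$svcPool = Get-SPServiceApplicationPool -Identity 'SharePoint Service Applications' -ErrorAction SilentlyContinue
if (-not $svcPool) {
    $svcPool = New-SPServiceApplicationPool -Name 'SharePoint Service Applications' -Account $svcAccount
}
if (-not (Get-SPServiceApplication | Where-Object { $_.Name -eq 'Managed Metadata Service' })) {
    $mms = New-SPMetadataServiceApplication -Name 'Managed Metadata Service' `
               -ApplicationPool $svcPool -DatabaseName 'MMS_Service_DB'
    New-SPMetadataServiceApplicationProxy -Name 'Managed Metadata Service Proxy' `
               -ServiceApplication $mms -DefaultProxyGroup | Out-Null
}

# Content web application in its own pool under its own identity.
if (-not (Get-SPWebApplication | Where-Object { $_.DisplayName -eq 'Intranet' })) {
    New-SPWebApplication -Name 'Intranet' -Port 80 -HostHeader 'intranet.contoso.com' `
        -Url 'http://intranet.contoso.com' -ApplicationPool 'Intranet AppPool' `
        -ApplicationPoolAccount $webAccount -DatabaseName 'WSS_Content_Intranet' | Out-Null
}

function Get-PoolIdentityReport {
    # Every IIS pool identity SharePoint knows about, with the two checks the table
    # implies: only Central Administration runs as the farm account, and content web
    # applications do not share an identity.
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    $rows = @()
    foreach ($p in Get-SPServiceApplicationPool) {
        $rows += New-Object PSObject -Property @{ Kind = 'ServiceAppPool'; Name = $p.Name; Identity = $p.ProcessAccountName }
    }
    foreach ($w in Get-SPWebApplication -IncludeCentralAdministration) {
        $kind = 'ContentWebAppPool'
        if ($w.IsAdministrationWebApplication) { $kind = 'CentralAdminPool' }
        $rows += New-Object PSObject -Property @{ Kind = $kind; Name = $w.DisplayName; Identity = $w.ApplicationPool.Username }
    }
    foreach ($r in $rows) {
        $issues = @()
        if ($r.Kind -ne 'CentralAdminPool' -and $r.Identity -eq $farmAccount) {
            $issues += 'runs as the farm account'
        }
        if ($r.Kind -eq 'ContentWebAppPool') {
            $sameIdentity = @($rows | Where-Object { $_.Kind -eq 'ContentWebAppPool' -and $_.Identity -eq $r.Identity })
            if ($sameIdentity.Count -gt 1) { $issues += 'identity shared with another content web app' }
        }
        $r | Add-Member -MemberType NoteProperty -Name Issues -Value ($issues -join '; ') -PassThru
    }
}
Get-PoolIdentityReport | Format-Table Kind, Name, Identity, Issues -AutoSize
```

The report is the part worth keeping around: a pool that runs as the farm account is a pool whose worker process can do anything the farm owner can do in the config database, and two content web applications sharing an identity lose the process isolation the row above recommends.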

UPS Sync Account (e.g. sp_ups)
  Purpose: Specify this account on the Synchronization Connection in the User Profile Service administration page. It performs the user profile synchronization: FIM uses it to import the AD profiles. Log in to the SharePoint server as the farm account to configure UPS sync, and make sure the farm account is a local admin on that server.
  Domain Rights Required: Domain user account with the Replicating Directory Changes permission on the domain. No need to register it as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None
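Replicating Directory Changes is a control-access right on the domain naming context, not a group membership, so it is easy to grant the wrong one: the similarly named Replicating Directory Changes All is a different right that profile import does not need and that allows replication of secret attributes such as password hashes. The following is an added example, not code from the original post, that reads the domain head's ACL and reports whether the sync account holds the first right and whether it also holds the second. The domain CONTOSO and the account name sp_ups are assumptions, and only ACEs granted directly to the account are inspected (a right inherited through a group is not resolved).

```powershell
# Added example (not from the original post): check that the UPS sync account holds
# Replicating Directory Changes on the domain naming context and does not also hold
# Replicating Directory Changes All. Assumed names: domain CONTOSO, account sp_ups.
# Only ACEs granted directly to the account are inspected. Run on a domain-joined
# machine as a user allowed to read the domain head's security descriptor.

# Control-access right GUIDs from the AD schema (rightsGuid of each controlAccessRight)
$DsReplicationGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$DsReplicationGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-ReplicationRights {
    param([string]$Account)    # 'DOMAIN\user' form, as NTAccount renders it
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    $rules    = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # Allow ACEs for this account that carry the ExtendedRight bit (GenericAll includes it)
    $extended = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
    })
    # An ObjectType of Guid.Empty means "every extended right", so it matches both.
    $hasGet    = @($extended | Where-Object { $_.ObjectType -eq $DsReplicationGetChanges    -or $_.ObjectType -eq [Guid]::Empty }).Count -gt 0
    $hasGetAll = @($extended | Where-Object { $_.ObjectType -eq $DsReplicationGetChangesAll -or $_.ObjectType -eq [Guid]::Empty }).Count -gt 0

    New-Object PSObject -Property @{
        Account                        = $Account
        DomainDn                       = $domainDn
        ReplicatingDirectoryChanges    = $hasGet
        ReplicatingDirectoryChangesAll = $hasGetAll
    }
}

$result = Get-ReplicationRights -Account 'CONTOSO\sp_ups'
$result | Format-List Account, DomainDn, ReplicatingDirectoryChanges, ReplicatingDirectoryChangesAll
if (-not $result.ReplicatingDirectoryChanges) {
    # Grant the right with dsacls, e.g.:
    #   dsacls "DC=contoso,DC=com" /G "CONTOSO\sp_ups:CA;Replicating Directory Changes"
    Write-Warning "$($result.Account) lacks Replicating Directory Changes on $($result.DomainDn); profile import will fail."
}
if ($result.ReplicatingDirectoryChangesAll) {
    Write-Warning "$($result.Account) also holds Replicating Directory Changes All; remove it, profile import does not need it."
}
```

Run it after granting the right and again as part of periodic review: the sync account is a good candidate for someone to quietly "fix" by adding the All variant, and that turns a read-only profile importer into an account that can pull every password hash in the domain.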

My Site Host Web Application App Pool Account (e.g. sp_mysiteapp)
  Purpose: Specify this account as the web application pool identity when creating the My Site web application from the Manage Web Applications page in Central Administration. It is the application pool identity for the IIS site hosting the My Site host web application and users' personal sites, run as the IIS worker process. Log in to the SharePoint server as the farm account to configure the My Site host web application.
  Domain Rights Required: Must be a domain user account. Must not be a member of the Farm Administrators group. Must be registered as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None

Search Service Account (e.g. sp_search)
  Purpose: Specify this account as the Search Service Account when provisioning the Search Service Application from the Manage Service Applications page. It runs the SharePoint Server Search Windows service, which is used by all Search Service Applications. On any given server there is only one instance of this service.
  Domain Rights Required: Domain user account. Must not be a built-in account such as Local Service or Network Service, because the service needs a real identity to access the search databases. Must be registered as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None

Search Service Default Content Access Account (e.g. sp_search_content)
  Purpose: Crawls content unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
  Domain Rights Required: Must be a domain user account, and it must have read access to the external or secure content sources you want to crawl with it. For SharePoint Server sites that are not part of the server farm, and in cross-farm scenarios, this account must be explicitly granted Full Read permission on the web applications that host those sites, from Central Administration. Must not be a member of the Farm Administrators group.
  Local Admin Rights Required: None
  SQL Server Rights Required: None

Search Service Crawl Rule Content Access Account (e.g. sp_search_crawl)
  Purpose: Configured to access content by using the crawl rules feature in Search administration. This type of account is optional and can be configured when you create a crawl rule, to override the default content access account configured at the service application level.
  Domain Rights Required: Must be a domain user account, and it must have read access to the external or secure content sources you want to crawl with it. For SharePoint Server sites that are not part of the server farm, and in cross-farm scenarios, this account must be explicitly granted Full Read permission on the web applications that host those sites, from Central Administration. Must not be a member of the Farm Administrators group. No need to register it as a SharePoint Managed Account.
  Local Admin Rights Required: None
  SQL Server Rights Required: None
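The search rows and the My Site row above share two constraints that are easy to state and easy to drift away from: the search Windows service must run as a real domain account rather than a built-in one, and neither the content access accounts nor any web application pool identity may be a member of Farm Administrators (a crawler or worker process that is a farm admin can do far more than read). The following is an added example, not code from the original post, that sets the three search identities from the table and then audits both constraints across the farm, covering the My Site host pool along with every other content web application. The domain CONTOSO, the account names, the search service application name 'Search Service Application' and the crawl path partner.contoso.com are assumptions.

```powershell
# Added example (not from the original post): assign the search identities the table
# describes and audit them: the search Windows service must not run as a built-in
# account, and neither the default content access account nor any web application
# pool identity (My Site host included) may be a farm administrator.
# Assumed names: domain CONTOSO, accounts as in the table, a search service application
# named 'Search Service Application', an external crawl path partner.contoso.com.
# Run from the SharePoint 2010 Management Shell on a server running search.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$searchCred  = Get-Credential 'CONTOSO\sp_search'
$contentCred = Get-Credential 'CONTOSO\sp_search_content'
$crawlCred   = Get-Credential 'CONTOSO\sp_search_crawl'

# Identity of the SharePoint Server Search 14 Windows service (one instance per server)
Set-SPEnterpriseSearchService -ServiceAccount $searchCred.UserName -ServicePassword $searchCred.Password

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity 'Search Service Application'
# Default content access account: used for every crawl unless a crawl rule overrides it
Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
    -DefaultContentAccessAccountName $contentCred.UserName `
    -DefaultContentAccessAccountPassword $contentCred.Password
# Crawl rule that overrides the default account for one external source
if (-not (Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa | Where-Object { $_.Path -eq 'http://partner.contoso.com/*' })) {
    New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa -Path 'http://partner.contoso.com/*' `
        -Type InclusionRule -AuthenticationType NTLMAccountRuleAccess `
        -AccountName $crawlCred.UserName -AccountPassword $crawlCred.Password | Out-Null
}

function Get-SearchIdentityReport {
    param([string]$SearchApplicationName)
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    # Logon account of the search service as the service control manager sees it
    $svc = Get-WmiObject Win32_Service -Filter "Name='OSearch14'"
    $ssa = Get-SPEnterpriseSearchServiceApplication -Identity $SearchApplicationName
    # Farm Administrators is a SharePoint group on the Central Administration root web
    $ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $farmAdmins = @($ca.Sites[0].RootWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object { $_.LoginName })

    $checks = @()
    $checks += New-Object PSObject -Property @{
        Check = 'Search service runs as a domain account'
        Value = $svc.StartName
        Pass  = ($builtIn -notcontains $svc.StartName)
    }
    $checks += New-Object PSObject -Property @{
        Check = 'Default content access account is not a farm administrator'
        Value = $ssa.DefaultGatheringAccount
        Pass  = ($farmAdmins -notcontains $ssa.DefaultGatheringAccount)
    }
    foreach ($w in Get-SPWebApplication) {
        $checks += New-Object PSObject -Property @{
            Check = "Pool identity of '$($w.DisplayName)' is not a farm administrator"
            Value = $w.ApplicationPool.Username
            Pass  = ($farmAdmins -notcontains $w.ApplicationPool.Username)
        }
    }
    $checks
}
Get-SearchIdentityReport -SearchApplicationName 'Search Service Application' | Format-Table Pass, Check, Value -AutoSize
```

The service identity is read from the service control manager rather than from SharePoint's own objects on purpose: if someone changed the logon account in services.msc instead of through Set-SPEnterpriseSearchService, the Windows service is what actually runs, and that is what the check should reflect.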


This entry was posted in SP2010 Admin General.

6 Responses to SharePoint 2010 Service Account References for Least-Privileged Installation


Lee Dickey (@leedickey) says:
April 17, 2012 at 5:49 PM

Hi. I got your email saying to post my question here. I will copy and paste. I know this topic is old but maybe some others will find it and find it useful. Perhaps another row that states which of these accounts should be managed would add to an even already great post. Start Copy and Paste: It looks like some of the content is missing and I am wondering if you happen to have this in another format? I am asking because yours is the first bit of well laid out information that I've seen so far regarding the configuration of the SharePoint services. I am still trying to figure out what should be their own web app and what should not be; this information is not well documented and I've found myself to be a bit stressed trying to figure out something that should be easy to find and figure out. Our old MOSS 2007 environment is the best example of how not to set up SharePoint; no governance, and the previous SharePoint admin failed to monitor the logs and realized over a week after a SAN crash that the database was corrupted. I've kept it alive and am looking to move to 2010 with the help of a 3rd party product that ignores corrupt data and lets me move things down to the item level. So let me say that any additional information that you may have on configuring the service accounts, services, and the need of any web apps for any of these services would be great. I am not finding much with my searches that isn't overly general or lacking needed data. Also, another quick question: You use the sp_install install account and I see no reference to the sp_admin account; is this the recommended setup and configuration? Thanks!

nikspatel says:
April 17, 2012 at 6:07 PM

Thanks Lee. Here are my responses. 1) As far as web applications, I would suggest that this article didn't mean to provide guidelines around when to create a new web application vs. a new site collection in the same web application. Some of the reasons why you would create a separate web application are: if you have a different authentication model like Windows vs. claims, or different host headers. I would suggest searching the web for articles on when to use a web application vs. a site collection, and I am sure you would find tons of info. 2) As far as application pool accounts for web applications, I try to use a separate IIS app pool for each web application for data and process isolation. 3) I still need to update this article with search accounts. I will update as soon as possible. 4) As far as the application pool account, sp_install is the SharePoint installation account. There is nothing in SharePoint called an sp_admin account unless you want to name the farm account sp_admin. To keep it clear, you can have two separate install and farm accounts or have one account for both roles. Please keep in mind that these accounts are like roles; you can have separate service accounts for each, or have one single account or a small set of accounts if you want to consolidate. Hope this provides the clarification you needed.

Kannan says:
May 22, 2012 at 10:53 AM

Excellent article and a very good reference material.



2abcd says:
November 28, 2012 at 6:19 AM

Hi, excellent overview. I was looking for information on which service account to use for the various Windows services like the Document Conversions Load Balancer Service or the Claims to Windows Token Service. They are currently running under the Local System account. Maybe you could add a row on those as well?

Nik Patel says:
December 1, 2012 at 5:11 PM

Claims to Windows Token Service needs to run under Local System. Nice idea to add Windows service references. I will add them. Thanks for the feedback.

Suresh Chowdary Pydi says:
March 20, 2013 at 5:24 PM

Nice article. Here is one more post explaining service accounts in SharePoint: http://sureshpydi.blogspot.in/2011/02/sharepoint-accounts.html
