SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Nik Patel's SharePoint World

Home About Me Favorite SharePoint 2010 Articles Favorite SharePoint 2013 Articles

An adventure in SharePoint and Microsoft in general.

DISP_E_EXCEPTION and Disposing the SPContext.Current Objects

SharePoint 2010 Deployment Assessment Questionnaires

Search

SharePoint 2010 Service Account References for LeastPrivileged Installation

Posted on December 24, 2010

Blog Stats
448,896 hits

Recently I have spent lots of time rebuilding my SP2010 RTM VM using the leastprivileged installation and configuration to meet the real world scenarios without running the evil Farm Configuration Wizard. Many of you may ask why there is one more resource on the service account reference where there are several of TechNet and community references are out there as below. The main reason for my reference is I wanted to expand the Eric Harlans table with more clear explanation of the purpose of the service account, installation requirements for the service accounts, and what happens behind the screen when service account is configured by different pieces of the SharePoint during installation and configuration. References: http://technet.microsoft.com/en-us/library/cc678863.aspx http://www.sharepointproconnections.com/article/sharepoint/Least-PrivilegeService-Accounts-for-SharePoint-2010.aspx http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237 http://www.ericharlan.com/Moss_SharePoint_2007_Blog/sharepoint-2010-serviceaccount-reference-guide-a184.html http://stsadm.blogspot.com/2010/10/service-accounts-and-managed-service.html During the Least-Privileged SharePoint 2010 RTM VM installation and Configuration, I had to switch back and forth different known blog articles with TechNet reference to verify the intricacies of the SharePoint installation and configuration process. To make sure I clearly nailed down the Service Accounts, I had to build my own table from the above reference articles. Please note that, at this moment, this article is not complete (most notably, Search) and I am planning to refine over the time. Enjoy. Account Purpose Domain Rights Required

Twitter Updates
RT @SharePointKris: Free #SharePoint Core Test Prep for #MCSE & #MCSM Certifications Tests 410, 411 & 412 bit.ly/11o0TRK @M 2 days ago Yoga X.. Pure blessing from Mr. Horton.. #p90x 3 days ago RT @modery: New #SharePoint Download: Test Lab Guide: Demonstrate profile synchronization for SharePoint Server 2013 bit.ly/148MXRw 3 days ago RT @spjeff: SharePoint 2013 for Beginners: Create PrerequisiteInstaller.Arguments.tx t dilummark2013.blogspot.com/201 3/01/create #SP2013 3 days ago RT @maryjofoley: Windows Azure, Yammer helping pilot Microsoft toward a nextgeneration Office: zdnet.com/windows-azure- #Azure #Office365 #G 4 days ago

Categories
Hyper-V (1) Office 365 (12) SP2010 Online (5) SP2013 Online (7) Planning (6) SharePoint 2007 (30)

Local Admin Rights Required

SQL Server SP2007 & SSRS (3)

SP2007 Admin (17) Required SP2007 DEV (9) SP2007 General (1) SharePoint 2010 (98)

Righ

SharePoint Installation/Setup Account(e.g. sp_install)

This account is used to perform these tasks Setup and SharePoint Products

Must be Domain User Account. Local User Accounts are

Member of SP2010 & InfoPath SQL (7)Server Log SP2010 & SSRS (6) Local database server SP2010 Admin (26) Administrators access to the SQ SP2010 Admin General (21) Group on each SP2010 Admin where SharePo PowerShell server where (5) databases will r

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Configuration Wizard Log in to the Server using this account for installing SharePoint binaries and running SharePoint configuration wizard. Performs postinstallation updates, patches, and installation of products such as language packs. Will provision the SharePoint Farm Account during the SharePoint product config wizard.

not supported.

SharePoint

SP2010 Architecture (10) SP2010 DEV (39)

Member of follo

Installer would SP2010 CodeSQL Server Snippets (9) Sec run (aka. WFE and Application Servers,
SP2010 DEVRoles General (23) Securit SP2010 Dev PowerShell (7) SP2010 General (16) SPD 2010 (4)

fixed server rol dbcreator fixed SharePoin

excluding SQL and psconfig.ex SP2013 DEV (3) Server or SP2013 Generalthese (10) privileges Speaking (7) SMTP Server). databases and t
SQL Server (10)

SharePoint 2013 (17) role. SP2013 Admin (4)

SQL logins for SSRS 2008 (7) SharePoint acc SSRS 2008 R2 (4) Not required du
SSRS 2005 (2)

Uncategorized (11) installation VM Scripts (5)

but

required for pa

Archives

(needs to confi Member of the March 2013 (2) February 2013 (7) fixed database January 2013 (5) are running pow December 2012 (1) cmdlets that wo
April 2013 (2) November 2012 (1) October 2012 (6) August 2012 (2) July 2012 (2) June 2012 (5) April 2012 (2)

the database. In acc requires the SharePoint_Sh database role fo that y Powe to create or mo This role is cur equivalent to d but is a separat

September 2012 (6) installation

March 2012 (3) database February 2012 (4) January 2012 (2)

December 2011 (8) Windows November 2011 (6) October 2011 (3) July 2011 (2) June 2011 (3) May 2011 (2) April 2011 (1)

SharePoint Farm Account(e.g. sp_farm)

Specify this account in farm configuration wizard while configuring SharePoint during farm creation process This account is automatically configured by SharePoint Configuration Wizard. Also known as Database Access Account for the SharePoint_Config

Can be local user account or domain user account. Must be domain account if SQL Server is hosted on another server.

Although it is None February 2011 (3) not required January 2011 (3) December 2010 (1) for full time term, farm November 2010 (7) October 2010 (3) account should September 2010 (1) be MemberAugust of 2010 (8) June 2010 (7) Local May 2010 (7) Administrators April 2010 (5) March 2010 (2) Group on each February 2010 (2) server where January 2010 (1) SharePoint December 2009 (3) November 2009 (7) Installer would October 2009 (4) run (aka. WFE September 2009 (2) and August 2009 (1) ApplicationJune 2009 (2) May 2009 (2) Servers, April 2009 (4) excluding SQL March 2009 (8) Server or February 2009 (7)

March 2011 (5)

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

database on the SharePoint Configuration Wizard. Used for Configuring and Managing the SharePoint Farm. Becomes the owner of the farm. In other words, its configured as a dbowner of the SharePoint Config database. Using this account, you can add additional farm administrators from the central administration site.

SMTP Server). It will provide Register

Log in ease of access

Meta

for the Comments RSS SharePoint WordPress.com Admins. Must be on the Member of Local Administrators Group on the server during UPS Service provisioning process.

Entries RSS

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Service Application Pool Account(e.g. sp_serviceapps)

Specify this account as Service Application Pool while creating Service Applications like Managed Metadata, Search, User Profiles from Manage Service Applications page from Central Admin Application Pool identity to run the majority of the all the SharePoint 2010 Service Applications (WCF endpoint) as the IIS worker process (e.g. Managed Metadata Service and/or User Profile Service). Please note that both Service Application App Pool and Web Application App Pool Accounts behaves same. You can create more than 1 service account or group service accounts to isolate the IIS processes under services will run Log in to the SharePoint Server using farm account to configure service applications

Must be Domain User Account. Must register as SharePoint Managed Account.

None

None

Content Web

Specify this

Must be

None

None

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Application App Pool Account(e.g. sp_defaultwebapp)

account as Web Application Pool while creating Web Applications from Manage Web Applications page from Central Admin Application Pool identity to run the IIS Site hosting the SharePoint Content Web Applications and SharePoint Site Collections as the IIS worker process. Please note that both Service Application App Pool and Web Application App Pool accounts behaves same. It is best practice to run all the content web applications in their dedicated application pool account. Log in to the SharePoint Server using farm account to configure Content web applications

Domain User Account. Must register as SharePoint Managed Account.

UPS Sync Account(e.g. sp_ups)

Specify on the Synchronization Connection on the User Profile Service Administration

Domain User Account with Replicating Directory Changes Permission.

None

None

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Page. This account performs the User Profile Sync. FIM uses this account to import the AD profiles. Log in to the SharePoint Server using farm account to configure UPS Sync and ensure farm account is local admin on the server

No need to register as SharePoint Managed Account.

My Site Host Web Application App Pool Account(e.g. sp_mysiteapp)

Specify this account as Web Application Pool while creating My Site Web Application from Manage Web Applications page from Central Admin Application Pool identity to run the IIS Site hosting the My Sites Web Applications and User Personal Sites as the IIS worker process. Log in to the SharePoint Server using farm account to configure My Site Host web application

Must be Domain User Account. Must not be a member of the farm administrators group. Must register as SharePoint Managed Account

None

None

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Search Service Account (e.g. sp_search)

Specify this account as Search Service Account while provisioning Search Service Application from the Manage Service Application page This account runs the SharePoint Server Search Windows Service, which is used by all Search Service Applications. For any given server, there is only one instance of this service.

Domain User Account. Must not be a built-in account in order to access the database. Examples of built-in accounts are Local Service and Network Service. Must register as SharePoint Managed Account

None

None

Search Service Default Content Access Account(e.g. sp_search_content)

Crawl contents unless different authentication method is specified by a crawl rule for a URL or URL pattern

Must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account. For SharePoint Server sites that are not

None

None

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

part of the server farm and cross-farm scenarios, this account must be explicitly granted full read permissions to the Web applications that host the sites from the central administration. Must not be a member of the farm administrators group.

Search Service Crawl Rule Content Access Account(e.g. sp_search_crawl)

Configured to access content by using the Search administration crawl rules feature. This type of account is optional and can be configured when you create a new crawl rule to override the default content access account configured at the Service Application level

Must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account. For SharePoint Server sites that are not part of the server farm and cross-farm scenarios, this account must be explicitly granted full read permissions to the Web applications that host the

None

None

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

sites from the central administration. Must not be a member of the farm administrators group. No need to register as SharePoint Managed Account.

About these ads

Share this:

Twitter 6

Facebook

LinkedIn 1

Google +1

Email

Print

Like this:

This entry was posted in SP2010 Admin General. Bookmark the permalink. DISP_E_EXCEPTION and Disposing the SPContext.Current Objects SharePoint 2010 Deployment Assessment Questionnaires

6 Responses to SharePoint 2010 Service Account References for Least-Privileged Installation

Lee Dickey (@leedickey) says:
April 17, 2012 at 5:49 PM

Hi. I got your email saying to post my question here. I will copy and paste. I know this topic is old but maybe some others will find it and find it useful. Perhaps another row that states which of these accounts should be managed would add to an even already great post. Start Copy and Paste:

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

It looks like some of the content is missing and I am wondering if you happen to have this in another format? I am asking because yours is the first bit of well laid out information that Ive seen so far regarding the configuration of the SharePoint services. I am still trying to figure out what should be their own web app and what should not be; this information is not well documented and Ive found myself to be a bit stressed trying to figure out something that should be easy to find and figure out. Our old MOSS 2007 environment is the best example of how not to set up SharePoint; no governance and the previous SharePoint admin failed to monitor the logs and realized over a week after a SAN crash that the database was corrupted. Ive kept it alive and am looking to move to 2010 with the help of a 3rd party product that ignores corrupt data and lets me move things down to the item level. So let me say that any additional information that you may have on configuring the service accounts, services, and the need of any web apps for any of these services would be great. I am not finding much with my searches that isnt overly general or lacking needed data. Also, another quick question: You use the sp_install install account and I see no reference to the sp_admin account; is this the recommended setup and configuration? Thanks!
Log in to Reply

nikspatel says:
April 17, 2012 at 6:07 PM

Thanks Lee. Here are my responses. 1) As far as web application, I would suggest this article didnt meant to provide guidelines around when to create new web application vs new site collection in same web application. Some of the reason why you would create separate web application are == if you have different authenticatio model like windows vs claims, different host headers. I would suggest search for articles on web for when to use web application vs site collection and I am sure you would find tons of info 2) As far as applicaiton pool accounts for web applicaiton, I try to use separate IIS app pool for each web application for data and process isolation. 3) I still need to update this article with search accounts. I will update as soon as possible. 4) As far as application pool account, sp_install is sharepoitn installation account. There is nothing in SharePoint called sp_admin account unless you want to make farm account as sp_admin. To keep it clear, you can have two separate install and farm accounts or have

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

one account for both roles. Please keep in mind that these accounts are like roles, you can have separate service accoutns for each or have one single account or small set of accounts if you want to consolidate.. Hope this provides clarification you needed.
Log in to Reply

Kannan says:
May 22, 2012 at 10:53 AM

Excellent article and a very good reference material.

Log in to Reply

2abcd says:
November 28, 2012 at 6:19 AM

Hi Excellent overview. I was looking for information on which service account to use for the various windows services like the Document Conversion Load Balancer Service or Claims to Windows Token Service. The are currently running under the Local System account. Maybe you could add a row on those as well?
Log in to Reply

Nik Patel says:

December 1, 2012 at 5:11 PM

Claims to Windows Token Service needs to run under Local System.. Nice idea to add windows service references.. I will add them.. Thanks for feedback
Log in to Reply

Suresh Chowdary Pydi says:

March 20, 2013 at 5:24 PM

Nice Article. Here is one more post explaining service accounts in sharepoint http://sureshpydi.blogspot.in/2011/02/sharepoint-accounts.html
Log in to Reply

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]

SharePoint 2010 Service Account References for Least-Privileged Installation | Nik Patel's SharePoint World

Leave a Reply

Nik Patel's SharePoint World

Theme: Twenty Ten

Blog at WordPress.com.

http://nikspatel.wordpress.com/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/[4/28/2013 20:21:02]