SharePoint 2010 Service Account References for Least-Privileged Installation

Recently I have spent a lot of time rebuilding my SP2010 RTM VM using a least-privileged installation and configuration, to match real-world scenarios, without running the evil Farm Configuration Wizard. Many of you may ask why there should be one more resource on service accounts when several TechNet and community references already exist (listed below). The main reason is that I wanted to expand Eric Harlan's table with a clearer explanation of the purpose of each service account, the installation requirements for each account, and what happens behind the scenes when the account is configured by the different pieces of SharePoint during installation and configuration.

References:

During the least-privileged SharePoint 2010 RTM VM installation and configuration, I had to switch back and forth between several known blog articles and the TechNet reference to verify the intricacies of the SharePoint installation and configuration process. To make sure I had clearly nailed down the service accounts, I built my own table from the reference articles above. Please note that, at this moment, this article is not complete (most notably, Search) and I plan to refine it over time. Enjoy.

For each account, the table that follows gives its purpose, the domain rights it requires, the local Administrators membership it requires, the SQL Server rights it requires, and what SharePoint changes behind the scenes once the account is configured.

SharePoint Installation/Setup Account (e.g. sp_install)

Purpose:
  • Used to run Setup and the SharePoint Products Configuration Wizard (psconfig).
  • Log on to each server with this account to install the SharePoint binaries and run the configuration wizard.
  • Performs post-installation updates, patches, and installation of products such as language packs.
  • Provisions the SharePoint farm account during the SharePoint Products Configuration Wizard.

Domain rights required:
  • Must be a domain user account.
  • Local user accounts are not supported.

Local admin rights required:
  • Member of the local Administrators group on each server where SharePoint Setup will run (the web front-end and application servers; not the SQL Server or the SMTP server).

SQL Server rights required:
  • A SQL Server login on the database server that will host the SharePoint 2010 databases.
  • Member of the securityadmin and dbcreator fixed server roles. Setup and psconfig.exe need these to create the databases and to create SQL logins for the other SharePoint accounts.
  • Not required during installation, though patching may need it (still to be confirmed): membership in the db_owner fixed database role is only needed when running Windows PowerShell cmdlets that change that database. More precisely, the installation account needs the SharePoint_Shell_Access database role on any database it will create or modify with Windows PowerShell (granted with Add-SPShellAdmin); that role is currently equivalent to db_owner, but it is a separate role.

What happens behind the scenes:

Local group membership changes – after the configuration wizard runs, this machine-level permission is added (these are local Windows groups on each SharePoint server, not Active Directory groups):

  • Membership in the WSS_ADMIN_WPG Windows security group.

SQL database changes – after the configuration wizard runs, these database permissions are added:

  • db_owner on the SharePoint Server 2010 farm configuration database.
  • db_owner on the SharePoint Server 2010 Central Administration content database.
  • Never gets access to the service application databases or the web application content databases.

Windows service changes – the configuration wizard, running as this account:

  • Configures the SharePoint 2010 Timer service (SPTimerV4) to run as the farm account (sp_farm).
  • Configures the SharePoint 2010 Administration service (SPAdminV4) to run as Local System.
  • Configures the SharePoint 2010 VSS Writer service (SPWriterV4) to run as Local System.
  • Configures the SharePoint 2010 Tracing service (SPTraceV4) to run as Local Service.
SharePoint Farm Account (e.g. sp_farm)

Purpose:
  • Specified in the SharePoint Products Configuration Wizard when the farm is created.
  • Configured automatically by the configuration wizard.
  • Also called the database access account for the SharePoint_Config database in the configuration wizard.
  • Used to configure and manage the SharePoint farm. It becomes the owner of the farm; in other words, it is configured as db_owner of the SharePoint configuration database.
  • Using this account you can add further farm administrators from the Central Administration site.

Domain rights required:
  • Can be a local user account or a domain user account.
  • Must be a domain account if SQL Server is hosted on another server.

Local admin rights required:
  • Not required in normal operation. Some administrators add the farm account to the local Administrators group on each web front-end and application server (never the SQL Server or SMTP server) for convenience, but leaving it there permanently works against the least-privileged goal of this build.
  • Must be a member of the local Administrators group on the server that runs User Profile Synchronization while that service is being provisioned; it can be removed from the group afterwards.

SQL Server rights required:
  • None beforehand; the configuration wizard grants what is needed (see below).

What happens behind the scenes:

IIS application pool identity changes – acts as the application pool identity for the SharePoint Central Administration site.

Windows service changes – runs the SharePoint 2010 Timer service (SPTimerV4).

Managed accounts in Central Admin changes – registered as a managed account on the Configure Managed Accounts page.

Service accounts in Central Admin changes – listed as the Farm Account on the Configure Service Accounts page.

Local group membership changes – after the configuration wizard runs, additional machine-level permissions are granted automatically to the farm account on the web servers and application servers joined to the farm:

  • Membership in the WSS_ADMIN_WPG Windows security group, for the SharePoint 2010 Timer service.
  • Membership in WSS_RESTRICTED_WPG, for the Central Administration and Timer service application pools.
  • Membership in WSS_WPG, for the Central Administration application pool.
  • Membership in the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the IIS_WPG built-in group of earlier IIS versions.

SQL database changes – after the configuration wizard runs, the SQL Server and database permissions for sp_farm include:

  • Added as a SQL Server login on the database server.
  • Added to the dbcreator fixed server role, because when you create new web applications and content databases the Central Administration application pool identity (sp_farm) has to create those databases on the SQL Server.
  • Added to the securityadmin fixed server role, because Central Administration creates SQL Server logins when you register managed accounts or change application pool identities; each web application pool identity needs a login for that web application's content databases.
  • Added to the db_owner fixed database role on all SharePoint databases in the farm (configuration database, service application databases, and content databases).
  • Added to the WSS_CONTENT_APPLICATION_POOLS and SharePoint_Shell_Access database roles (roles created by SharePoint, not fixed roles) on the SharePoint_Config and SharePoint_AdminContent databases.
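The local group and Windows service changes listed for the installation account and the farm account can be checked on each server rather than taken on trust. The following PowerShell script is an added example, not code from the original post; it assumes a CONTOSO domain with accounts named sp_install and sp_farm, and takes the expected group membership and service identities from the two rows above.

```powershell
# Added example, not part of the original post: audit the local group membership and the
# Windows service identities that the two rows above say the configuration wizard sets up.
# Run in an elevated PowerShell session on each web front-end and application server.
# Domain and account names are assumptions; adjust them for your farm.
$Domain      = 'CONTOSO'              # assumption
$InstallAcct = "$Domain\sp_install"   # assumption
$FarmAcct    = "$Domain\sp_farm"      # assumption

function Get-LocalGroupMemberName {
    # Returns the members of a local group as DOMAIN\name strings (works on Server 2008 /
    # 2008 R2, which have no Get-LocalGroupMember cmdlet).
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/sp_farm
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Expected membership after psconfig, taken from the table. Application pool accounts are
# added to WSS_WPG later, when their web and service applications are created; extend the
# lists as you provision them.
$Expected = @{
    'WSS_ADMIN_WPG'      = @($InstallAcct, $FarmAcct)
    'WSS_RESTRICTED_WPG' = @($FarmAcct)
    'WSS_WPG'            = @($FarmAcct)
}
foreach ($groupName in $Expected.Keys) {
    $members = @(Get-LocalGroupMemberName $groupName)
    foreach ($acct in $Expected[$groupName]) {
        $state = if ($members -contains $acct) { 'OK' } else { 'MISSING' }
        '{0,-20} {1,-28} {2}' -f $groupName, $acct, $state
    }
    # Anyone else in these groups runs with SharePoint's machine-level rights; review them.
    foreach ($extra in ($members | Where-Object { $Expected[$groupName] -notcontains $_ })) {
        '{0,-20} {1,-28} {2}' -f $groupName, $extra, 'UNEXPECTED'
    }
}

# The farm account only needs local Administrators while User Profile Synchronization is
# provisioned; finding it there afterwards means the least-privileged state was not restored.
if (@(Get-LocalGroupMemberName 'Administrators') -contains $FarmAcct) {
    Write-Warning "$FarmAcct is a member of local Administrators; remove it once UPS provisioning is done."
}

# Service identities psconfig configures, per the installation-account row above.
$ExpectedServices = @{
    'SPTimerV4'  = $FarmAcct
    'SPAdminV4'  = 'LocalSystem'
    'SPWriterV4' = 'LocalSystem'
    'SPTraceV4'  = 'NT AUTHORITY\LocalService'
}
foreach ($svc in (Get-WmiObject Win32_Service -Filter "Name LIKE 'SP%V4'")) {
    $want = $ExpectedServices[$svc.Name]
    if ($want) {
        $state = if ($svc.StartName -eq $want) { 'OK' } else { "DIFFERS (expected $want)" }
        '{0,-12} {1,-28} {2}' -f $svc.Name, $svc.StartName, $state
    }
}
```

Run it once right after psconfig completes and again after User Profile Synchronization has been provisioned; the second run is the one that catches a farm account left in local Administrators.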
Service Application Pool Account (e.g. sp_serviceapps)

Purpose:
  • Specified as the service application pool identity when creating service applications such as Managed Metadata, Search, or User Profile from the Manage Service Applications page in Central Administration.
  • Application pool identity under which most SharePoint 2010 service applications (their WCF endpoints) run as IIS worker processes, for example the Managed Metadata Service and the User Profile Service.
  • Service application pool accounts and web application pool accounts behave the same way.
  • You can create more than one service application pool account, or group service applications into a few pools, to isolate the IIS worker processes the services run under.
  • Log on to the SharePoint server as the farm account to configure service applications.

Domain rights required:
  • Must be a domain user account.
  • Must be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None beforehand; the permissions below are granted automatically.

What happens behind the scenes:

Service accounts in Central Admin changes – listed as the service application pool account for service applications on the Configure Service Accounts page.

Local group membership changes – after you create the service application, the following machine-level permissions are configured automatically:

  • Membership in WSS_WPG.
  • Membership in the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the IIS_WPG built-in group of earlier IIS versions.

SQL database changes – after you create the service application, the following SQL Server and database permissions are configured automatically:

  • Because this account is the application pool identity for the service applications, it is added to the db_owner role on the service application databases (Managed Metadata, User Profile, Search databases, and so on).
  • Never gets access to the web application content databases.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.
Content Web Application App Pool Account (e.g. sp_defaultwebapp)

Purpose:
  • Specified as the web application pool identity when creating web applications from the Manage Web Applications page in Central Administration.
  • Application pool identity under which the IIS site hosting the SharePoint content web application and its site collections runs as an IIS worker process.
  • Service application pool accounts and web application pool accounts behave the same way.
  • Best practice is to run each content web application in its own application pool under a dedicated application pool account.
  • Log on to the SharePoint server as the farm account to configure content web applications.

Domain rights required:
  • Must be a domain user account.
  • Must be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None beforehand; the permissions below are granted automatically.

What happens behind the scenes:

Service accounts in Central Admin changes – listed as the web application pool account for content web applications on the Configure Service Accounts page.

Local group membership changes – after you create the web application, the following machine-level permissions are configured automatically:

  • Membership in WSS_WPG.
  • Membership in the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the IIS_WPG built-in group of earlier IIS versions.

SQL database changes – after you create the web application, the following SQL Server and database permissions are configured automatically:

  • Added to the db_owner role on the web application's content databases.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.
  • Added to the db_owner role on the associated User Profile service application databases (Profile DB, Sync DB, and Social DB).
  • It is important to note that this account gets no access to the other service application databases, such as the Managed Metadata or Search service application databases.
UPS Sync Account (e.g. sp_ups)

Purpose:
  • Specified on the synchronization connection on the User Profile Service administration page.
  • Performs the user profile synchronization; Forefront Identity Manager (FIM) uses this account to import profiles from Active Directory.
  • Log on to the SharePoint server as the farm account to configure the synchronization connection, and make sure the farm account is a local administrator on that server while User Profile Synchronization is provisioned.

Domain rights required:
  • Domain user account with the Replicating Directory Changes permission on the domain being imported.
  • Does not need to be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None.

What happens behind the scenes:
  • None.
My Site Host Web Application App Pool Account (e.g. sp_mysiteapp)

Purpose:
  • Specified as the web application pool identity when creating the My Site host web application from the Manage Web Applications page in Central Administration.
  • Application pool identity under which the IIS site hosting the My Site host web application and the users' personal sites runs as an IIS worker process.
  • Log on to the SharePoint server as the farm account to configure the My Site host web application.

Domain rights required:
  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.
  • Must be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None beforehand; the permissions below are granted automatically.

What happens behind the scenes:

Service accounts in Central Admin changes – listed as the web application pool account for the My Site host web application on the Configure Service Accounts page.

Local group membership changes – after you create the My Site host, the following machine-level permissions are configured automatically:

  • Membership in WSS_WPG.
  • Membership in the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the IIS_WPG built-in group of earlier IIS versions.

SQL database changes – after you create the My Site host, the following SQL Server and database permissions are configured automatically:

  • Added to the db_owner role on the My Site host web application's content databases.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.
  • Added to the db_owner role on the associated User Profile service application databases (Profile DB, Sync DB, and Social DB).
  • It is important to note that this account gets no access to the other service application databases, such as the Managed Metadata or Search service application databases.
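The service application pool, content web application and My Site host rows above all describe the same procedure: register the account as a managed account, then name it as the application pool identity when creating the service application or web application. The following script is an added example (not the post's own code) that carries that procedure out with the SharePoint 2010 cmdlets instead of Central Administration. The domain, account names, host headers, URLs and database names are assumptions, and the Farm Administrators check assumes classic-mode (DOMAIN\user) logins in Central Administration.

```powershell
# Added example, not part of the original post: provisioning the application pool
# accounts the way the rows above describe, from the SharePoint 2010 Management Shell.
# Run on a farm server as a user with SharePoint_Shell_Access (the post logs on as the
# farm account for this). Account names, URLs and database names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Domain = 'CONTOSO'   # assumption

function Register-SPServiceIdentity {
    # Registers a domain account as a SharePoint managed account; returns the existing
    # one if it is already registered, so the script can be re-run safely.
    param([string]$UserName)
    $existing = Get-SPManagedAccount -Identity $UserName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # Prompts for the password. Registering the account is what creates its SQL login.
    New-SPManagedAccount -Credential (Get-Credential -Credential $UserName)
}

# 1. Service application pool account: one pool shared by the service applications.
$svcAcct = Register-SPServiceIdentity "$Domain\sp_serviceapps"
$svcPool = Get-SPServiceApplicationPool -Identity 'SharePoint Service Applications' -ErrorAction SilentlyContinue
if (-not $svcPool) {
    $svcPool = New-SPServiceApplicationPool -Name 'SharePoint Service Applications' -Account $svcAcct
}
$mms = New-SPMetadataServiceApplication -Name 'Managed Metadata Service' `
    -ApplicationPool $svcPool -DatabaseName 'SP2010_ManagedMetadata'
New-SPMetadataServiceApplicationProxy -Name 'Managed Metadata Service Proxy' `
    -ServiceApplication $mms -DefaultProxyGroup | Out-Null

# 2. Content web application in its own application pool with a dedicated account.
$webAcct = Register-SPServiceIdentity "$Domain\sp_defaultwebapp"
New-SPWebApplication -Name 'SharePoint - intranet' -Port 80 -HostHeader 'intranet.contoso.com' `
    -Url 'http://intranet.contoso.com' -ApplicationPool 'SharePoint - intranet' `
    -ApplicationPoolAccount $webAcct -DatabaseName 'SP2010_Content_Intranet' | Out-Null

# 3. My Site host web application, again with its own pool and its own account.
$mySiteAcct = Register-SPServiceIdentity "$Domain\sp_mysiteapp"
New-SPWebApplication -Name 'SharePoint - mysites' -Port 80 -HostHeader 'my.contoso.com' `
    -Url 'http://my.contoso.com' -ApplicationPool 'SharePoint - mysites' `
    -ApplicationPoolAccount $mySiteAcct -DatabaseName 'SP2010_Content_MySites' | Out-Null

# 4. Checks: every web application runs under the identity we intended, and none of the
#    application pool accounts is a farm administrator (the rows above require this).
Get-SPWebApplication | Select-Object DisplayName, @{n='AppPoolAccount'; e={ $_.ApplicationPool.Username }}

$caUrl = (Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }).Url
$farmAdmins = (Get-SPSite -Identity $caUrl).RootWeb.SiteGroups['Farm Administrators'].Users |
              ForEach-Object { $_.UserLogin }   # assumes classic-mode logins (DOMAIN\user)
foreach ($acct in @($webAcct, $mySiteAcct, $svcAcct)) {
    if ($farmAdmins -contains $acct.Username) {
        Write-Warning "$($acct.Username) is a member of Farm Administrators; remove it."
    }
}
```

Each New-SPWebApplication call with a distinct -ApplicationPool name and -ApplicationPoolAccount is what gives the content and My Site web applications the process isolation the rows above recommend; reusing one pool name would put both under the same worker process identity.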
Search Service Account (e.g. sp_search)

Purpose:
  • Specified as the Search Service Account when provisioning the Search service application from the Manage Service Applications page.
  • Runs the SharePoint Server Search Windows service (SharePoint Server Search 14, service name OSearch14), which is used by all Search service applications. There is only one instance of this service on any given server.

Domain rights required:
  • Domain user account.
  • Must not be a built-in account (such as Local Service or Network Service), because it must be able to access the databases.
  • Must be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None beforehand; the permissions below are granted automatically.

What happens behind the scenes:

Local group membership changes – after you provision the Search service, the following machine-level permission is configured automatically:

  • Membership in WSS_WPG.

SQL database changes – after you provision the Search service, the following SQL Server and database permissions are configured automatically:

  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
  • Added to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.

After you provision the Search service, the service account is also granted access to the index propagation location share (or shares) on all query servers in the farm.

Search Service Default Content Access Account (e.g. sp_search_content)

Purpose:
  • Crawls content unless a crawl rule specifies a different authentication method for a URL or URL pattern.

Domain rights required:
  • Must be a domain user account with read access to the external or secure content sources you want to crawl with it.
  • For SharePoint Server sites that are not part of this farm (cross-farm crawls), this account must be explicitly granted Full Read on the web applications hosting those sites, through a user policy in that farm's Central Administration.
  • Must not be a member of the Farm Administrators group.

Local admin rights required:
  • None.

SQL Server rights required:
  • None.

What happens behind the scenes:
  • Added to a Full Read user policy on the farm's content web applications, giving it read-only access to all of them.
  • Added to the db_owner role on the associated Search service application databases (Search DB, Crawl DB, and Property DB) during crawling.
Search Service Crawl Rule Content Access Account (e.g. sp_search_crawl)

Purpose:
  • Used to access content through the crawl rules feature in Search administration.
  • Optional; configured when you create a crawl rule to override the default content access account set at the service application level.

Domain rights required:
  • Must be a domain user account with read access to the external or secure content sources you want to crawl with it.
  • For SharePoint Server sites that are not part of this farm (cross-farm crawls), this account must be explicitly granted Full Read on the web applications hosting those sites, through a user policy in that farm's Central Administration.
  • Must not be a member of the Farm Administrators group.
  • Does not need to be registered as a SharePoint managed account.

Local admin rights required:
  • None.

SQL Server rights required:
  • None.

What happens behind the scenes:
  • Added to the db_owner role on the associated Search service application databases (Search DB, Crawl DB, and Property DB) during crawling.
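Every row above ends with a list of SQL Server and database role changes that the product makes on its own; after configuration (and after patching, which the installation-account row flags as unconfirmed) it is worth verifying them rather than trusting them. The following PowerShell script is an added example, not from the original post. It queries the SQL Server catalog views directly through System.Data.SqlClient, so it needs no SQL Server PowerShell module; the instance name, the account names, and the database naming patterns used in the final check are assumptions.

```powershell
# Added example, not part of the original post: dump SQL Server role and database role
# membership for the SharePoint service accounts so the "SQL database changes" listed in
# each row above can be verified after configuration (and re-verified after patching).
# Run as a Windows login that can read sys.database_principals in every database
# (sp_install qualifies: it holds securityadmin). Instance and account names are assumptions.
$SqlInstance = 'SQL01\SHAREPOINT'                                                        # assumption
$Accounts    = @('CONTOSO\sp_install', 'CONTOSO\sp_farm', 'CONTOSO\sp_serviceapps',
                 'CONTOSO\sp_defaultwebapp', 'CONTOSO\sp_mysiteapp', 'CONTOSO\sp_search')   # assumptions
$WebAppAccounts = @('CONTOSO\sp_defaultwebapp', 'CONTOSO\sp_mysiteapp')                  # assumptions

function Invoke-SqlQuery {
    # Runs one T-SQL statement with integrated authentication and returns a DataTable.
    param([string]$Sql, [string]$Database = 'master')
    $cn = New-Object System.Data.SqlClient.SqlConnection
    $cn.ConnectionString = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI;"
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = $Sql
        $dt = New-Object System.Data.DataTable
        $dt.Load($cmd.ExecuteReader())
        ,$dt   # the leading comma keeps the DataTable from being unrolled into rows
    } finally { $cn.Close() }
}

# Fixed server roles (dbcreator, securityadmin, ...) held by each login.
$serverRoles = Invoke-SqlQuery @"
SELECT l.name AS LoginName, r.name AS ServerRole
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
"@
foreach ($acct in $Accounts) {
    $roles = @($serverRoles.Rows | Where-Object { $_.LoginName -eq $acct } | ForEach-Object { $_.ServerRole })
    if ($roles.Count -eq 0) { $roles = @('(none)') }
    '{0,-28} server roles: {1}' -f $acct, ($roles -join ', ')
}

# Database roles held by each account in every user database (db_owner,
# WSS_CONTENT_APPLICATION_POOLS, SharePoint_Shell_Access, ...).
$dbRoleSql = @"
SELECT u.name AS UserName, r.name AS RoleName
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.type IN ('U', 'G')   -- Windows logins and groups only
"@
$userDbs = Invoke-SqlQuery "SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE'"
$report = foreach ($db in $userDbs.Rows) {
    $rows = Invoke-SqlQuery -Sql $dbRoleSql -Database $db.name
    foreach ($r in $rows.Rows) {
        if ($Accounts -contains $r.UserName) {
            New-Object PSObject -Property @{ Account = $r.UserName; Database = $db.name; Role = $r.RoleName }
        }
    }
}
$report | Sort-Object Account, Database, Role | Format-Table Account, Database, Role -AutoSize

# Least-privilege spot check. Per the rows above, a content web application pool account
# should be db_owner only on content databases (and the User Profile databases), never on
# Managed Metadata or Search databases. The database name patterns are assumptions for this farm.
$report | Where-Object {
        $WebAppAccounts -contains $_.Account -and $_.Role -eq 'db_owner' -and
        $_.Database -notlike '*Content*' -and $_.Database -notlike '*Profile*' -and
        $_.Database -notlike '*Sync*'    -and $_.Database -notlike '*Social*'
    } | ForEach-Object { Write-Warning ('{0} is db_owner on {1}; confirm that is intended' -f $_.Account, $_.Database) }
```

Keep the first run's output from a freshly configured farm as a baseline; a diff against it after a cumulative update or a new service application shows exactly which role grants the product added, which is the behind-the-scenes detail the table tries to capture.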
This entry was posted in SP2010 Admin General.

6 Responses to SharePoint 2010 Service Account References for Least-Privileged Installation

  1. Hi. I got your email saying to post my question here. I will copy and paste. I know this topic is old but maybe some others will find it and find it useful. Perhaps another row that states which of these accounts should be managed would add to an even already great post.

    Start Copy and Paste:

    It looks like some of the content is missing and I am wondering if you happen to have this in another format?

    I am asking because yours is the first bit of well laid out information that I’ve seen so far regarding the configuration of the SharePoint services. I am still trying to figure out what should be their own web app and what should not be; this information is not well documented and I’ve found myself to be a bit stressed trying to figure out something that should be easy to find and figure out. Our old MOSS 2007 environment is the best example of how not to set up SharePoint; no governance and the previous SharePoint admin failed to monitor the logs and realized over a week after a SAN crash that the database was corrupted. I’ve kept it alive and am looking to move to 2010 with the help of a 3rd party product that ignores corrupt data and lets me move things down to the item level.

    So let me say that any additional information that you may have on configuring the service accounts, services, and the need of any web apps for any of these services would be great. I am not finding much with my searches that isn’t overly general or lacking needed data.

    Also, another quick question: You use the sp_install install account and I see no reference to the sp_admin account; is this the recommended setup and configuration?

    Thanks!

    • nikspatel says:

      Thanks Lee. Here are my responses.

      1) As far as web applications go, this article wasn't meant to provide guidelines around when to create a new web application vs a new site collection in the same web application. Some of the reasons why you would create a separate web application are: if you have a different authentication model like Windows vs claims, or different host headers. I would suggest searching the web for articles on when to use a web application vs a site collection and I am sure you would find tons of info…
      2) As far as application pool accounts for web applications, I try to use a separate IIS app pool for each web application for data and process isolation.
      3) I still need to update this article with search accounts. I will update as soon as possible.
      4) As far as the application pool account, sp_install is the SharePoint installation account. There is nothing in SharePoint called an sp_admin account unless you want to make the farm account sp_admin. To keep it clear, you can have two separate install and farm accounts or have one account for both roles.

      Please keep in mind that these accounts are like roles; you can have separate service accounts for each, or have one single account or a small set of accounts if you want to consolidate..

      Hope this provides clarification you needed….

  2. Kannan says:

    Excellent article and a very good reference material.

  3. 2abcd says:

    Hi Excellent overview.

    I was looking for information on which service account to use for the various windows services like the “Document Conversion Load Balancer Service” or “Claims to Windows Token Service”.
    They are currently running under the “Local System” account.

    Maybe you could add a row on those as well?

  4. Nice Article. Here is one more post explaining service accounts in sharepoint http://sureshpydi.blogspot.in/2011/02/sharepoint-accounts.html
