Plan for administrative and service accounts (SharePoint Server 2010)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

This article describes the accounts that you must plan for and the deployment scenarios that affect account requirements.

In this article:

  • About administrative and service accounts

  • Single server standard requirements

  • Server farm standard requirements

Use this article along with the following deployment article: Initial deployment administrative and service accounts (SharePoint Server 2010).

The initial deployment administrative and service accounts article describes the specific account and permissions that you need to grant prior to running Setup.

This article does not describe the account requirements for using Secure Store service in Microsoft SharePoint Server 2010. For more information, see Plan the Secure Store Service (SharePoint Server 2010).

This article does not describe security roles and permissions required to administer in SharePoint Server 2010.

About administrative and service accounts

This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope.

After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.

Server farm-level accounts

The following table describes the accounts that are used to configure Microsoft SQL Server database software and to install SharePoint Server 2010.

Account Purpose

SQL Server service account

SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:

  • MSSQLSERVER

  • SQLSERVERAGENT

If you are not using the default instance, these services will be shown as:

  • MSSQL$InstanceName

  • SQLAgent$InstanceName

Setup user account

The user account that is used to run:

  • Setup on each server computer

  • SharePoint Products Configuration Wizard

  • The Psconfig command-line tool

  • The Stsadm command-line tool

If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm account

This account is also referred to as the database access account.

This account is:

  • The application pool identity for the SharePoint Central Administration Web site.

  • The process account for the Windows SharePoint Services Timer service.

Service application accounts

The following table describes the accounts that are used to set up and configure a service application. Plan one application pool and proxy group for each service application you plan to implement.

For additional information about service application endpoints, see Using Service Endpoints (https://go.microsoft.com/fwlink/p/?LinkId=227293).

Account: Service Application Endpoint

Service:

  • Access Services

  • Business Data Connectivity Service

  • Secure Store Service

  • Usage and Health Data Collection Service

  • User Profile Service

  • Visio Graphics Service

  • Web Analytics Service application

  • Word Automation Services

Purpose: This account is used as the identity for the service application endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints.

Requirements: Must be a member of the Farm Administrators group.

Account: Service Application Endpoint

Service:

  • Excel Services

  • Managed Metadata Service

  • PerformancePoint Service

  • Search Service

Purpose: This account is used as the identity for the service endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints.

Requirements: Must be a domain user account.

Account: Service Application Endpoint

Service:

  • Security Token Service

  • Application Discovery and Load Balancer Service

Purpose: This account is used as the identity for the service application endpoint application pool. This account must be the Farm Account, and the application pool is created automatically by the SharePoint Products Configuration Wizard.

Requirements: Must be a member of the Farm Administrators group.

Account: Unattended Service

Service: Excel Services

Purpose: Used with workbooks to refresh data. It is required when workbook connections specify "None" for authentication, or when any non-Windows credentials are used to refresh data.

Requirements: Must be a domain user account.

Account: Unattended Service

Service: PerformancePoint Service

Purpose: Used for authenticating with data sources.

Requirements: Must be a domain user account.

Account: Unattended Service

Service: Visio Graphics Service

Purpose: Used with documents to refresh data. It is required when connecting to data sources external to SharePoint Server 2010, such as SQL Server.

Requirements: Must be a member of the Farm Administrators group.

Account: Default Content Access

Service: Search Service

Purpose: The default account when crawling content. Note that additional accounts can be specified per crawl rule.

Requirements:

  • Must have Read Access to the content being crawled.

  • Full Read permissions must be granted explicitly to content that is outside the local farm.

  • Full Read permissions are automatically configured for content databases in the local farm.

Account: Search Service

Service: Search Service

Purpose: This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search service applications in the farm.

Requirements: Must be a domain user account.

Account: User Profile Synchronization Service

Service: User Profile Synchronization Service

Purpose: This is the Windows Service account for the User Profile Synchronization Service.

Requirements:

  • Must be a member of the Farm Administrators group.

  • Requires Log on Locally permission on the computer running the User Profile Synchronization Service instance.

  • Requires Local Administrator permissions on the computer running the User Profile Synchronization Service instance.

Account: Synchronization Connection

Service: User Profile Service

Purpose: This is the account used to perform synchronization with the remote directory service. There can be one account per synchronization connection.

Requirements:

  • Replicating Directory Changes permissions on the domain(s) being synchronized.

  • Replicating Directory Changes permissions on the configuration partition of the domain(s) being synchronized if the NetBIOS and fully qualified domain name (FQDN) names do not match.

Microsoft SharePoint Foundation 2010 search service accounts

The following table describes the accounts that are used for the SharePoint Foundation 2010 Search Service. SharePoint Server 2010 uses these accounts only for searching Help content in response to user search queries. There is only one instance of the SharePoint Foundation 2010 Search Service in a farm.

Account Purpose

SharePoint Foundation 2010 Search Service

Used as the service account for the SharePoint Foundation 2010 Search Service. This account cannot be a built-in account, such as Local Service or Network Service.

SharePoint Foundation 2010 Search Content Access

Used to crawl Help content. For proper search functionality and information security, do not use an administrator account or an account that can modify content.

Additional application pool identity accounts

If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool you plan to implement.

Account Purpose

Application pool identity

The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.

Single server standard requirements

If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see Initial deployment administrative and service accounts (SharePoint Server 2010).

Server farm requirements

If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment.

For a more secure environment, see Plan administrative tasks in a least-privilege environment (SharePoint Server 2010).

For a list of standard requirements for server farm environments, see the requirements listed in the Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:

  • SharePoint_Config database (configuration database)

  • SharePoint_AdminContent database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:

  • proc_dropEmailEnabledList

  • proc_dropEmailEnabledListsByWeb

  • proc_dropSiteMap

  • proc_markForDeletionEmailEnabledList

  • proc_markForDeletionEmailEnabledListsBySite

  • proc_markForDeletionEmailEnabledListsByWeb

  • proc_putDistributionListToDelete

  • proc_putEmailEnabledList

  • proc_putSiteMap
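An added audit query, not from the article, that a database administrator can use to confirm the WSS_Content_Application_Pools role still has only the shape described above: EXECUTE on stored procedures, plus SELECT on dbo.Versions in SharePoint_AdminContent. Run it once in each of the two databases; the database name SharePoint_Config is the only assumption.

```sql
-- Added example: audit the WSS_Content_Application_Pools role in one SharePoint database.
-- Run once in SharePoint_Config and once in SharePoint_AdminContent.
USE SharePoint_Config;   -- assumption: default database name; substitute yours
GO

-- 1. Who is a member of the role? Expect only SharePoint application pool identities.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'WSS_Content_Application_Pools';

-- 2. Every permission granted to the role, with the object it applies to.
SELECT p.state_desc, p.permission_name,
       OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       o.name AS object_name, o.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE r.name = N'WSS_Content_Application_Pools'
ORDER BY o.type_desc, o.name;

-- 3. Anything outside the documented shape (EXECUTE on a stored procedure, or SELECT on
--    dbo.Versions). An empty result means the role matches what Setup configures;
--    a database-scoped grant (no object) or a grant on a table or view shows up here.
SELECT p.state_desc, p.permission_name, o.name AS object_name, o.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE r.name = N'WSS_Content_Application_Pools'
  AND NOT (p.permission_name = N'EXECUTE' AND o.type = 'P')
  AND NOT (p.permission_name = N'SELECT' AND o.name = N'Versions'
           AND OBJECT_SCHEMA_NAME(o.object_id) = N'dbo');
```

Compare the procedure names from query 2 with the list above; any EXECUTE grant that Setup did not add, or any principal in query 1 that is not an application pool identity, widens the role beyond its intended scope.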

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

  • Single server standard requirements

  • Server farm standard requirements

Single server standard requirements

Server farm-level accounts

Account Requirements

SQL Server service

Local System account (default)

Setup user

Member of the Administrators group on the local computer

Server farm

Network Service (default)

No manual configuration is necessary.

Service application accounts

Account Requirements

SharePoint Server Search Service

By default, this account runs as the Local System account.

If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

Default Content Access

No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.

Content Access

Same requirement as the default content access account.

Profile import Default Access

Same requirements as server farm.

Excel Services Unattended Service

Must be a domain user account.

Microsoft SharePoint Foundation 2010 Search service accounts

Account Requirements

SharePoint Foundation 2010 Search Service

Must not be a built-in account, such as Local Service or Network Service.

SharePoint Foundation 2010 Search Service Content Access

For proper search functionality and information security, do not use an administrator account or an account that can modify content. This account is automatically added to the Full Read policy, giving it read-only access to all Help content.

Additional application pool identity accounts

Account Requirements

Application pool identity

No manual configuration is necessary.

The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm standard requirements

Server farm-level accounts

Account Requirements

SQL Server service account

Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).
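An added check, not from the article, for the Kerberos-to-NTLM fallback described above. SQL Server records the authentication scheme each connection actually negotiated in sys.dm_exec_connections, so a farm that was configured for Kerberos but shows NTLM here has an SPN problem. The farm account name CONTOSO\spfarm is an assumption, and the query needs VIEW SERVER STATE.

```sql
-- Added example: which authentication scheme did each Windows-authenticated connection use?
-- KERBEROS means the SQL Server SPN resolved. NTLM on a connection from a SharePoint server
-- means Kerberos failed and silently fell back, usually because the SPN is invalid or
-- registered on the wrong Active Directory object.
SELECT s.login_name,
       c.auth_scheme,            -- KERBEROS, NTLM or SQL
       s.host_name,
       s.program_name,
       c.client_net_address,
       COUNT(*) OVER (PARTITION BY s.login_name, c.auth_scheme) AS connections_with_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.auth_scheme <> N'SQL'    -- Windows authentication only
ORDER BY c.auth_scheme, s.login_name;

-- Narrow it to the server farm account (assumption: CONTOSO\spfarm) and flag NTLM explicitly.
SELECT s.login_name, c.auth_scheme, s.host_name,
       CASE WHEN c.auth_scheme = N'NTLM'
            THEN 'Kerberos fell back to NTLM: check the SQL Server SPN'
            ELSE 'OK' END AS status
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.login_name = N'CONTOSO\spfarm';
```

Run it while the SharePoint servers are connected, since only current sessions are listed; local connections over shared memory normally report NTLM and are not a problem.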

Setup user account

  • Domain user account.

  • Member of the Administrators group on each server on which Setup is run.

  • SQL Server login on the computer running SQL Server.

  • Member of the following SQL Server security roles:

    • securityadmin fixed server role

    • dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm account

  • Domain user account.

  • If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

  • dbcreator fixed server role

  • securityadmin fixed server role

  • db_owner fixed database role for all databases in the server farm

Note: If you configure the Secure Store Service, the server farm account will not automatically be given db_owner access to the Secure Store Service database.
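An added least-privilege audit, not from the article, of the SQL Server roles this section describes: it lists every login holding securityadmin or dbcreator, which should be only the Setup user account and the server farm account, and then collects db_owner membership from every user database so that the farm account's db_owner access can be confirmed and any extra members reviewed. The farm account login CONTOSO\spfarm is an assumption; the script needs SQL Server 2008 or later.

```sql
-- Added example: audit the roles that Setup grants to the Setup user account and the
-- server farm account. Assumption: the farm account login is CONTOSO\spfarm.
DECLARE @farm_account sysname = N'CONTOSO\spfarm';

-- 1. Server level: only the Setup user and the farm account are expected here.
SELECT r.name AS server_role, m.name AS login_name, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'securityadmin', N'dbcreator')
ORDER BY r.name, m.name;

-- 2. Database level: gather db_owner members from every online user database.
DECLARE @results TABLE (database_name sysname, db_user sysname, login_name sysname NULL);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N', m.name, sp.name
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        LEFT JOIN sys.server_principals AS sp ON sp.sid = m.sid
        WHERE r.name = N''db_owner'';';
    INSERT INTO @results EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Databases where the farm account is NOT db_owner. Expected: none, apart from the
-- Secure Store Service database, which Setup does not grant automatically.
SELECT d.name AS database_name
FROM sys.databases AS d
WHERE d.database_id > 4
  AND NOT EXISTS (SELECT 1 FROM @results AS x
                  WHERE x.database_name = d.name AND x.login_name = @farm_account);

-- Every other db_owner member, for review: Setup user accounts that run Stsadm or
-- Windows PowerShell against a database need it; anything else should be questioned.
SELECT database_name, db_user, login_name
FROM @results
WHERE login_name IS NULL OR login_name <> @farm_account
ORDER BY database_name, db_user;
```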

Service application service accounts

Account Requirements

SharePoint Server Search service account

  • Must be a domain user account.

  • Must not be a member of the Farm Administrators group.

The following are automatically configured:

  • Access to read from the configuration database, administration content database, the search administration database, crawl databases, and property databases.

  • Full control access to the index partitions on the query servers.

Default content access account

  • Must be a domain user account.

  • Must not be a member of the Farm Administrators group.

  • Read access to external or secure content sources that you want to crawl by using this account.

  • For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

The following are automatically configured:

  • Full Read permissions are automatically granted to content databases hosted by the server farm.

Content access account

  • Read access to external or secure content sources that this account is configured to access.

  • For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

Profile import default access account

  • Read access to the directory service.

  • The account must have the Replicate Changes permission in Active Directory.

  • Manage User Profiles personalization services permission.

  • View permissions on entities used in Business Data Catalog import connections.

Excel Services unattended service account

Must be a domain user account.

Microsoft SharePoint Foundation 2010 Search accounts

Account Requirements

Microsoft SharePoint Foundation 2010 Search service account

  • Must be a domain user account.

  • Must not be a member of the Farm Administrators group.

The following are automatically configured:

  • Access to read from the configuration database and the SharePoint_Admin content database.

  • Membership in the db_owner role for the WSS_Search database.

Microsoft SharePoint Foundation 2010 Search content access account

  • Same requirements as the SharePoint Foundation Search Service account.

  • Automatically added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account Requirements

Application pool identity

No manual configuration is necessary.

The following are automatically configured:

  • Membership in the db_owner role for content databases and search databases associated with the Web application.

  • Membership in specific application pool roles for the configuration and the SharePoint_AdminContent databases.

  • Additional permissions for this account to front-end Web servers and application servers are automatically granted.

See Also

Concepts

Configure Web Analytics service application (SharePoint Server 2010)