Wednesday, October 10, 2012

Administrative and Service Accounts for SharePoint Foundation 2010

Given below is a consolidated list of all accounts required for administrative deployments and services for SharePoint Foundation 2010.

Server farm-level accounts:

1. SP_SQLService (a local account can be used, so this account is not strictly required)

This account should be:
  • Either a Local System account or
  • A domain user account
Purpose: The SQL Server service account is used to run SQL Server. SQL Server prompts for this account during SQL Server Setup. It is the service account for the following SQL Server services:

2. SP_Install

This account should be:
  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer that runs SQL Server.
  • Member of the following SQL Server security roles:
    • securityadmin fixed server role
    • dbcreator fixed server role
Purpose: This is the Setup user account and is used to run the following:
  • Setup on each server computer
  • SharePoint Products Configuration Wizard
Note: If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database.

3. SP_Farm

This account should be:
  • Domain user account.
Purpose: This is the server farm account (also referred to as the database access account) and is used to perform the following tasks:
  • Configure and manage the server farm.
  • Act as the application pool identity for the SharePoint Central Administration Web site.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
Note: Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server, and the account is added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm

Service application accounts

4. SP_ServiceApp

This account:
  • Must be a member of the Farm Administrators group.
Note: For the following service applications, this account is used as the identity for the service application endpoint application pool:
  • Business Data Connectivity Service
  • Search Service
  • Usage and Health Data Collection Service
  • Application Discovery and Load Balancer Service Application (must be the farm account)
Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints.

Microsoft SharePoint Foundation 2010 Search accounts

5. SP_SearchService
This account:
  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.

Note: The following are automatically configured:
  • Access to read from the configuration database and the SharePoint_AdminContent database.
  • Membership in the db_owner role for the WSS_Search database

6. SP_ContentAccess

This account:
  • Has the same requirements as the SharePoint Foundation Search Service account.
  • For proper search functionality and information security, do not use an administrator account or an account that can modify content.

Note: This account is automatically added to the Web application Full Read policy for the farm, which gives it read-only access to all Help content.

Additional application pool identity accounts

7. SP_WebApp

No manual configuration is necessary.
Note: The following are automatically configured:
  • Membership in the db_owner role for content databases and search databases associated with the Web application.
  • Membership in specific application pool roles for the configuration and the SharePoint_AdminContent databases.
  • Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Also consider the following important points:

1.) After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.

2.) A user account that is used by application pools or services must have permissions of a domain user account and must not be a member of the Farm Administrators group or a member of the Administrators group on the local computer. Using highly privileged accounts for application pools or services poses a security risk to the farm, and could allow malicious code to execute.

3.) Using built-in accounts as application pool identities or as service identities is not supported in a farm configuration. Built-in accounts include Network Service, Local Service, and Local System.

4.) The Farm Account, which is used for the SharePoint 2010 Timer service and the Central Administration site, is highly privileged and should not be used for other services on any computers in the server farm.
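As an added audit example (not code from the original post or from Microsoft), the following PowerShell script, run on a farm server from the SharePoint 2010 Management Shell, lists every identity that runs a Web application pool, a service application pool or a SharePoint Windows service and warns where points 1 to 4 above are violated. It assumes the SharePoint 2010 object-model property names marked in the comments (DefaultServiceAccount, ApplicationPool.Username, ProcessAccountName, ProcessIdentity) and that the Farm Administrators group is the SharePoint group of that name in the Central Administration root web.

```powershell
# Added audit script (not from the original post): lists every identity that runs
# a Web application pool, service application pool or SharePoint Windows service
# and warns where points 1-4 above are violated. Property names are assumptions
# about the SharePoint 2010 object model, noted inline.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Username   # assumed: SPFarm.DefaultServiceAccount

# Farm Administrators is a SharePoint group in the Central Administration root web
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$farmAdmins = (Get-SPSite $ca.Url).RootWeb.SiteGroups["Farm Administrators"].Users |
              ForEach-Object { ($_.LoginName -replace '^i:0#\.w\|', '').ToLower() }  # strip claims prefix

# Local Administrators on this server, parsed from "net localgroup" output
$localAdmins = net localgroup Administrators |
               Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+$|The command)' } |
               ForEach-Object { $_.Trim().ToLower() }

$builtIn = @('nt authority\network service', 'nt authority\local service',
             'nt authority\system', 'local system', 'network service', 'local service')

# Collect the identities (New-Object keeps this PowerShell 2.0 compatible)
$identities = @()
foreach ($wa in Get-SPWebApplication) {                        # content Web applications only
    $identities += New-Object PSObject -Property @{ Use = "Web app pool: $($wa.DisplayName)";
                                                    Account = $wa.ApplicationPool.Username }   # assumed
}
foreach ($pool in Get-SPServiceApplicationPool) {
    $identities += New-Object PSObject -Property @{ Use = "Service app pool: $($pool.Name)";
                                                    Account = $pool.ProcessAccountName }        # assumed
}
foreach ($si in Get-SPServiceInstance) {
    if ($si.Service -is [Microsoft.SharePoint.Administration.SPWindowsService]) {
        $identities += New-Object PSObject -Property @{ Use = "Windows service: $($si.TypeName)";
                                                        Account = $si.Service.ProcessIdentity.Username }  # assumed
    }
}

foreach ($id in $identities | Sort-Object Account, Use -Unique) {
    $acct = "$($id.Account)".ToLower()
    $findings = @()
    if ($builtIn -contains $acct)     { $findings += 'built-in account (point 3: unsupported in a farm)' }
    if ($farmAdmins -contains $acct)  { $findings += 'member of Farm Administrators (point 2)' }
    if ($localAdmins -contains $acct) { $findings += 'member of local Administrators (point 2)' }
    if ($acct -eq "$farmAccount".ToLower() -and $id.Use -notmatch 'Timer') {
        $findings += 'runs as the farm account (point 4: expected only for the Timer service, Central Administration and the Load Balancer service application)'
    }
    if ($findings) { Write-Warning ("{0} runs as '{1}': {2}" -f $id.Use, $id.Account, ($findings -join '; ')) }
}
```

The local Administrators check covers only the server the script runs on, and local (non-domain) members appear in the net localgroup output without a domain prefix, so run it on each farm server and review those lines by hand.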

Technical Reference:

(1-3) Deployment administrative and service accounts

(4-7) Plan for administrative and service accounts