Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > Service Account Suggestions for SharePoint 2010
October 23
Service Account Suggestions for SharePoint 2010

During our daylong Admin session at SPTechCon, the question came up about what service accounts we thought people should be using with SharePoint 2010. I promised I’d blog the recommendations that we made. Here is the table I put up.

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| sp_install | Used to install SharePoint binaries. | Domain User | Local administrator on all SharePoint boxes | dbcreator and securityadmin SQL roles |
| sp_farm | Farm account. Used for Windows Timer Service, Central Admin and User Profile service | Domain User | Local Admin during UPS provisioning, log on locally right | None |
| sp_webapp | App pool id for content web apps | Domain User | None | None |
| sp_serviceapps | Service app pool id | Domain User | None | None, unless using Office Web Apps. Then you must give it access to the content databases manually |
| sp_search | Search process id | Domain User | None | None |
| sp_content | Account used to crawl content | Domain User | None | None |
| sp_userprofile¹ | Account used by the User Profile service to access Active Directory | Must have the Replicating Directory Changes permission in AD. Must be given in BOTH ADUC and ADSIEDIT. If the domain is Windows 2003 or earlier, must also be a member of the "Pre-Windows 2000" built-in group. | None | None |
| sp_superuser² | Cache account | Domain User | Web application policy: Full Control; set as the web application super user account | None |
| sp_superreader² | Cache account | Domain User | Web application policy: Full Read; set as the web application super reader account | None |

¹ See http://technet.microsoft.com/en-us/library/ee721049.aspx and http://www.harbar.net/articles/sp2010ups.aspx

² http://www.sharepointchick.com/archive/2010/10/06/resolving-the-super-user-account-utilized-by-the-cache-is.aspx

Again, these are just recommendations. You may end up using more accounts if you have multiple application pools, for instance. Your particular farm may require different accounts.
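An added audit script, not from the post, that checks a SharePoint 2010 server against the split in the table: which of the listed accounts are members of the local Administrators group, whether sp_farm holds "log on locally" directly rather than only through Administrators, and which accounts carry web application policies. It assumes the account names match the table and that it runs elevated on a farm server.

```powershell
# Added example: audit one SharePoint 2010 server against the least-privilege
# account split above. Account names are assumed to match the table.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Identities that should never be local Administrators once the farm is built.
# sp_install is expected to be one; sp_farm only while UPS is being provisioned.
$neverLocalAdmin = 'sp_webapp','sp_serviceapps','sp_search','sp_content',
                   'sp_userprofile','sp_superuser','sp_superreader'

# 1. Local Administrators membership, parsed from 'net localgroup' output
#    (domain members appear as DOMAIN\name; keep the name part, lower-cased).
$admins = net localgroup Administrators |
    Where-Object { $_ -match '\\' } |
    ForEach-Object { ($_ -split '\\')[-1].Trim().ToLower() }

foreach ($acct in $neverLocalAdmin) {
    if ($admins -contains $acct) { Write-Warning "$acct is a local Administrator; it should not be." }
}
if ($admins -contains 'sp_farm') {
    Write-Warning "sp_farm is still a local Administrator; remove it once UPS is provisioned."
}

# 2. 'Log on locally' (SeInteractiveLogonRight) must be granted to sp_farm
#    directly; membership in Administrators masks a missing grant until removal.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$farm = Get-SPManagedAccount | Where-Object { $_.UserName -match '\\sp_farm$' }
if (-not $farm) {
    Write-Warning "No managed account named sp_farm found; adjust the name filter."
} else {
    # secedit lists grantees as *SID entries (or names when a SID cannot resolve).
    $sid = (New-Object System.Security.Principal.NTAccount($farm.UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    if ($line -and ($line -match [regex]::Escape("*$sid") -or $line -match [regex]::Escape($farm.UserName))) {
        Write-Host "OK: $($farm.UserName) holds 'log on locally' directly."
    } else {
        Write-Warning "$($farm.UserName) lacks a direct 'log on locally' grant; the Timer Service will fail once it leaves Administrators."
    }
}

# 3. Web application policies: only the two cache accounts should hold
#    zone-wide Full Control / Full Read. Review anything else listed here.
foreach ($wa in Get-SPWebApplication) {
    foreach ($p in $wa.Policies) {
        $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ','
        Write-Host ("{0,-40} {1,-30} {2}" -f $wa.Url, $p.UserName, $roles)
    }
}
```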

tk

Comments

Re: Service Account Suggestions for SharePoint 2010

Why not just consolidate these to avoid confusion?
 on 10/23/2010 10:23 PM

Re: Service Account Suggestions for SharePoint 2010

That's a really good question, and I wish I had addressed it in my blog post. Where were you an hour ago? :)

The reason to separate these accounts is simple: security. You don't want an app pool account (like sp_webapp) that is exposed and could be compromised to also be a local admin on all your boxes, or have the ability to write information to Active Directory. This is one example. By breaking out the accounts and their permissions it is easier to keep your farm safe.

tk
Todd O. Klindt on 10/23/2010 10:39 PM

Re: Service Account Suggestions for SharePoint 2010

Hello Todd,

Thank you for the post on service accounts. In regard to sp_farm, please clarify whether the "log on locally" right will be retained even though the local admin right was removed after provisioning UPS.

-HN
 on 10/24/2010 8:04 AM

Re: Service Account Suggestions for SharePoint 2010

HN,
You have to add both manually. You have to make sp_farm a local admin AND give it the log on locally right separately. If you just make it a local admin, everything will work until you remove sp_farm from the local admin group; then it won't have log on locally anymore and you'll see failures.

tk
Todd O. Klindt on 10/24/2010 9:01 AM

Correction for sp_superuser

Todd,

A small mistake, but sp_superuser needs to have Full Control, not Full Read.

AndrewWoody
 on 10/24/2010 2:23 PM

Re: Correction for sp_superuser

AndrewWoody,
Whoops. You're right. I changed the blog post to reflect the SuperUser account needs Full _Control_ not just Full Read.

tk
Todd O. Klindt on 10/24/2010 2:32 PM

sp_serviceapps

Todd, can you elaborate on the db permissions needed for sp_serviceapps? Thanks.

-Hien Nguyen
 on 11/5/2010 4:05 AM

Search Accounts

Todd - I have a question about using the search accounts.

When you set up the search service application, do you use sp_search for the search service account? SharePoint sets that account up as the content access account by default, yet you also have a separate content access account.

Do you suggest still using sp_serviceapps for both app pools for search?
 on 11/14/2010 8:07 PM

Re: Search Accounts

Hi Chris,
You could use the sp_serviceapps account instead of sp_search and you'd be fine. I break it out mainly out of habit from SharePoint 2007. If you put my feet to the fire and made me justify why I break out sp_search I'm not sure I could do it. Since I use sp_content for the default content crawl I can't even use that as a reason. :)

tk
Todd O. Klindt on 11/14/2010 8:20 PM

Secure Store Service Best practice

Hi Todd,

Microsoft states that this is the best practice for Secure Store Service:
• Run the Secure Store Service in a separate application pool that is not used for any other service.
• Run the Secure Store Service on a separate application server that is not used for any other service.
• Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.
In your practice did you find this necessary?
Microsoft did not give a very clear reason as to why.
http://technet.microsoft.com/en-us/library/ee806889.aspx

Thank you in advance,

JCP

 on 12/25/2010 8:34 PM