Skip Ribbon Commands
Skip to main content

Quick Launch

Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > Service Account Suggestions for SharePoint 2010
October 23
Service Account Suggestions for SharePoint 2010

During our daylong Admin session at SPTechCon, the question came up about what service accounts we thought people should be using with SharePoint 2010. I promised I’d blog the recommendations that we made. Here is the table I put up.

Account name


Domain rights

Local SharePoint Server rights needed

SQL rights needed


Used to install SharePoint binaries.

Domain User

Local administrator on all SharePoint boxes

dbcreator and securityadmin SQL roles


Farm account. Used for Windows Timer Service, Central Admin and User Profile service

Domain User

Local Admin during UPS provisioning, log on locally right



App pool id for content web apps

Domain User




Service app pool id

Domain User


None, unless using Office Web Apps. Them must give access to content databases manually


Search process id

Domain User




Account used to crawl content

Domain User




Account used by the User Profile services to access Active Directory

Must have Replicating Change permissions to AD. Must be given in BOTH ADUC and ADSIEDIT. If domain is Windows 2003 or early, must also be a member of the "Pre-Windows 2000" built-in group.




Cache account

Domain User

Web application Policy Full Control

Web application super account setting



Cache account

Domain User

Web application Policy Full read

Web application super reader account setting



1) See and



Again, these are just recommendations. You may end up using more accounts if you have multiple application pools, for instance. Your particular farm may require different accounts.



Re: Service Account Suggestions for SharePoint 2010

Why not just consolidate these to avoid confusion?
 on 10/23/2010 10:23 PM

Re: Service Account Suggestions for SharePoint 2010

That's a really good question, and I wish I had have addressed it in my blog post. Where were you an hour ago? :)

The reason to separate these accounts is simple, security. You don't want an app pool account (like sp_wepappapp) that is exposed and could be compromised to also be a local admin on all your boxes, or have the ability to write information to Active Directory. This is one example. By breaknig out the accounts and their permissions it is easier to keep your farm safe.

Todd O. KlindtNo presence information on 10/23/2010 10:39 PM

Re: Service Account Suggestions for SharePoint 2010

Hello Todd,

Thank you for the post on service account. In regard to sp_farm, please clarify if the "log on locally" right will be retained even though local admin right was removed after provision of UPS.

 on 10/24/2010 8:04 AM

Re: Service Account Suggestions for SharePoint 2010

You have to add both manually. You have to make sp_farm a local admin AND make give it the log on locally right separately. If you just make it a local admin, everything will work until you remove sp_farm from the local admin group it won't have log on locally anymore and you'll see failures.

Todd O. KlindtNo presence information on 10/24/2010 9:01 AM

Correction for sp_superuser


A small mistake but sp_superuser needs to have Full Control - not Full Read

 on 10/24/2010 2:23 PM

Re: Correction for sp_superuser

Whoops. You're right. I changed the blog post to reflect the SuperUser account needs Full _Control_ not just Full Read.

Todd O. KlindtNo presence information on 10/24/2010 2:32 PM


Todd, can you elaborate on db permission needed for sp_serviceapps. Thanks.

-Hien Nguyen
 on 11/5/2010 4:05 AM

Search Accounts

Todd - I have a question about using the search accounts.

When you setup the search service application for the search service account do you use sp_search, because this account choice is setup by SharePoint as the content access account by default which you have a content access account also.

Do you suggest still using sp_serviceapps for both app pools for search?
 on 11/14/2010 8:07 PM

Re: Search Accounts

Hi Chris,
You could use the sp_serviceapps account instead of sp_search and you'd be fine. I break it out mainly out of habit from SharePoint 2007. If you put my feet to the fire and made me justify why I break out sp_search I'm not sure I could do it. Since I use sp_content for the default content crawl I can't even use that as a reason. :)

Todd O. KlindtNo presence information on 11/14/2010 8:20 PM

Secure Store Service Best practice

Hi Todd,

Microsoft states that this is the best practice for Secure Store Service:
• Run the Secure Store Service in a separate application pool that is not used for any other service.
• Run the Secure Store Service on a separate application server that is not used for any other service.
• Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.
In your practice did you find this necessary?
Microsoft did not give a very clear reason as to why.

Thank you in advance,


 on 12/25/2010 8:34 PM
1 - 10Next

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.


Body *

Today's date *

Select a date from the calendar.
Please enter today's date so I know you are a real person


Want a message when I reply to your comment? Put your Twitter handle here.