Todd Klindt's Office 365 Admin Blog

Quick Launch

All Site Content

Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > Service Account Suggestions for SharePoint 2010

October 23

Service Account Suggestions for SharePoint 2010

by Todd O. Klindt

on 10/23/2010 9:31 PM

Category: SharePoint 2010; User Profile Service

During our daylong Admin session at SPTechCon, the question came up about what service accounts we thought people should be using with SharePoint 2010. I promised I’d blog the recommendations that we made. Here is the table I put up.

Account name	Role	Domain rights	Local SharePoint Server rights needed	SQL rights needed
sp_install	Used to install SharePoint binaries.	Domain User	Local administrator on all SharePoint boxes	dbcreator and securityadmin SQL roles
sp_farm	Farm account. Used for Windows Timer Service, Central Admin and User Profile service	Domain User	Local Admin during UPS provisioning, log on locally right	None
sp_webapp	App pool id for content web apps	Domain User	None	None
sp_serviceapps	Service app pool id	Domain User	None	None, unless using Office Web Apps. Them must give access to content databases manually
sp_search	Search process id	Domain User	None	None
sp_content	Account used to crawl content	Domain User	None	None
sp_userprofile¹	Account used by the User Profile services to access Active Directory	Must have Replicating Change permissions to AD. Must be given in BOTH ADUC and ADSIEDIT. If domain is Windows 2003 or early, must also be a member of the "Pre-Windows 2000" built-in group.	None	None
sp_superuser²	Cache account	Domain User	Web application Policy Full Control Web application super account setting	None
sp_superreader²	Cache account	Domain User	Web application Policy Full read Web application super reader account setting	None

1) See http://technet.microsoft.com/en-us/library/ee721049.aspx and http://www.harbar.net/articles/sp2010ups.aspx

2) http://www.sharepointchick.com/archive/2010/10/06/resolving-the-super-user-account-utilized-by-the-cache-is.aspx

Again, these are just recommendations. You may end up using more accounts if you have multiple application pools, for instance. Your particular farm may require different accounts.

47 Comment(s)

Comments

Re: Service Account Suggestions for SharePoint 2010

Why not just consolidate these to avoid confusion?

on 10/23/2010 10:23 PM

Re: Service Account Suggestions for SharePoint 2010

That's a really good question, and I wish I had have addressed it in my blog post. Where were you an hour ago? :)

The reason to separate these accounts is simple, security. You don't want an app pool account (like sp_wepappapp) that is exposed and could be compromised to also be a local admin on all your boxes, or have the ability to write information to Active Directory. This is one example. By breaknig out the accounts and their permissions it is easier to keep your farm safe.

tk

Todd O. Klindt

on 10/23/2010 10:39 PM

Re: Service Account Suggestions for SharePoint 2010

Hello Todd,

Thank you for the post on service account. In regard to sp_farm, please clarify if the "log on locally" right will be retained even though local admin right was removed after provision of UPS.

-HN

on 10/24/2010 8:04 AM

Re: Service Account Suggestions for SharePoint 2010

HN,
You have to add both manually. You have to make sp_farm a local admin AND make give it the log on locally right separately. If you just make it a local admin, everything will work until you remove sp_farm from the local admin group it won't have log on locally anymore and you'll see failures.

tk

Todd O. Klindt

on 10/24/2010 9:01 AM

Correction for sp_superuser

Todd,

A small mistake but sp_superuser needs to have Full Control - not Full Read

AndrewWoody

on 10/24/2010 2:23 PM

Re: Correction for sp_superuser

AndrewWoody,
Whoops. You're right. I changed the blog post to reflect the SuperUser account needs Full _Control_ not just Full Read.

tk

Todd O. Klindt

on 10/24/2010 2:32 PM

sp_serviceapps

Todd, can you elaborate on db permission needed for sp_serviceapps. Thanks.

-Hien Nguyen

on 11/5/2010 4:05 AM

Search Accounts

Todd - I have a question about using the search accounts.

When you setup the search service application for the search service account do you use sp_search, because this account choice is setup by SharePoint as the content access account by default which you have a content access account also.

Do you suggest still using sp_serviceapps for both app pools for search?

on 11/14/2010 8:07 PM

Re: Search Accounts

Hi Chris,
You could use the sp_serviceapps account instead of sp_search and you'd be fine. I break it out mainly out of habit from SharePoint 2007. If you put my feet to the fire and made me justify why I break out sp_search I'm not sure I could do it. Since I use sp_content for the default content crawl I can't even use that as a reason. :)

tk

Todd O. Klindt

on 11/14/2010 8:20 PM

Secure Store Service Best practice

Hi Todd,

Microsoft states that this is the best practice for Secure Store Service:
• Run the Secure Store Service in a separate application pool that is not used for any other service.
• Run the Secure Store Service on a separate application server that is not used for any other service.
• Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.
In your practice did you find this necessary?
Microsoft did not give a very clear reason as to why.
http://technet.microsoft.com/en-us/library/ee806889.aspx

Thank you in advance,

JCP

on 12/25/2010 8:34 PM

1 - 10