Wednesday, May 4, 2011

SharePoint 2010 Service Accounts - Necessary Permissions and Naming Convention Best Practices

There are a lot of naming conventions/patterns for SharePoint service accounts. Here is mine:

Service Accounts Naming Pattern - Best Practice:
svc + environment (such as Dev, Test, Prod) + SP + account name (keep service account names to less than 20 characters)

SharePoint 2010 Service Accounts List and required Permissions:

| Account name | Role | Local server rights needed |
|---|---|---|
| svcPrdSPSetup | Setup account. Used to install the SharePoint binaries. | Local administrator on all SharePoint boxes (with remote login enabled). Needs the "Log on as a service" right (GPO). SQL: explicit dbcreator and securityadmin SQL server roles. |
| svcPrdSPFarm | Farm account. Used for the Windows SharePoint Services Timer service, Central Administration and the User Profile service. | SharePoint Managed Account. Local administrator on all SharePoint boxes. Needs the "Log on as a batch job" and "Log on as a service" rights (GPO). Database access is granted by the SharePoint Configuration Wizard. |
| svcPrdSPAdminPool | Application pool account for the Central Administration application pool. | SharePoint Managed Account. Needs the "Log on as a batch job" right. |
| svcPrdSPPortalPool | Application pool account for the web application "Portal". | SharePoint Managed Account. Needs the "Log on as a batch job" right. |
| svcPrdSPPartnerPool | Application pool account for the web application "Partner". | SharePoint Managed Account. Needs the "Log on as a batch job" right. |
| svcPrdSPMySitePool | Application pool account for the My Site web application. | SharePoint Managed Account. Needs the "Log on as a batch job" right. |
| svcPrdSPServAppPool | Application pool account for the service applications. | SharePoint Managed Account. Needs the "Log on as a batch job" right. |
| svcPrdSPSearch | Account used to run the search service. | SharePoint Managed Account. Needs the "Log on as a service" right. |
| svcPrdSPSearchCrawl | Account used by the search service to crawl content. | Must have read access to any external or secure content sources that you want to crawl with this account. Full Read on each web application. This account must not be a member of the Farm Administrators group. Must not be a SharePoint Managed Account. |
| svcPrdSPADCrawl | Account used by the User Profile service to access Active Directory. | Must have the "Replicate Directory Changes" permission in AD, granted in BOTH ADUC and ADSI Edit. If the domain is Windows 2003 or earlier, it must also be a member of the "Pre-Windows 2000 Compatible Access" built-in group. Must not be a SharePoint Managed Account. |
| svcPrdSPSQL | SQL Server service account, used to run SQL Server. The following services use this account: 1. MSSQLSERVER, 2. SQLSERVERAGENT. | Local administrator on the SQL Server box. Member of the SQL Server admin server role. Must not be a SharePoint Managed Account. |
| svcPrdSPSecStore | SharePoint user account for the Secure Store Service application (if we incorporate LOB applications). | Local administrator on the WFE servers. |
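As an added example (not from the original post), the script below audits a farm's registered managed accounts against the rules in the table above: every name must follow svc + environment + SP + name and stay under the length cap, and the SearchCrawl, ADCrawl and SQL accounts must not be registered as SharePoint Managed Accounts. It assumes it is run in the SharePoint 2010 Management Shell on a farm server; the environment code, suffix list and length cap are parameters you adjust to your own naming.

```powershell
# Added example, not code from the original post. Assumes the SharePoint 2010
# Management Shell (PowerShell 2.0) on a farm server, run by a farm administrator.
param(
    [string]$Environment = 'Prd',   # Dev, Test or Prd, as in the naming pattern
    [int]$MaxLength = 20            # the post's cap on service account name length
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Suffixes the table says must NOT be registered as SharePoint Managed Accounts
$NotManaged = @('SearchCrawl', 'ADCrawl', 'SQL')

# svc + environment + SP + account name (letters and digits only)
$Pattern = '^svc' + $Environment + 'SP(?<Name>[A-Za-z0-9]+)$'

function Test-SPServiceAccountName {
    param([string]$SamAccountName)
    $issues = @()
    if ($SamAccountName.Length -gt $MaxLength) {
        $issues += "longer than $MaxLength characters"
    }
    if ($SamAccountName -notmatch $Pattern) {
        $issues += ('does not follow svc' + $Environment + 'SP<Name>')
    }
    return $issues
}

$report = foreach ($acct in Get-SPManagedAccount) {
    # UserName is DOMAIN\sAMAccountName; keep only the account part
    $sam = $acct.UserName.Split('\')[-1]
    $issues = @(Test-SPServiceAccountName -SamAccountName $sam)
    if ($sam -match $Pattern) {
        $suffix = $Matches['Name']
        if ($NotManaged -contains $suffix) {
            $issues += "'$suffix' account must not be a SharePoint Managed Account"
        }
    }
    # New-Object rather than [pscustomobject] so it runs under PowerShell 2.0
    New-Object PSObject -Property @{
        Account   = $acct.UserName
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}
$report | Format-Table Account, Compliant, Issues -AutoSize
```

The script only covers what it can read from the farm's managed account list; the "Log on as a batch job" / "Log on as a service" rights and the crawl account's Farm Administrators membership still have to be checked on each server and in Central Administration.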


More Info:
http://technet.microsoft.com/en-us/library/cc678863.aspx
http://www.sharepointpromag.com/article/sharepoint/Least-Privilege-Service-Accounts-for-SharePoint-2010
http://www.ericharlan.com/sharepoint-service-accounts/
http://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html