SharePoint 2010 Service Accounts – Necessary Permissions and Naming Convention Best Practices
There are a lot of naming conventions/patterns for naming SharePoint service accounts. Here is mine:
Service Accounts Naming Pattern – Best Practice:
svc + environment (such as Dev, Test, Prod) + SP + account name (keep service account names to fewer than 20 characters)
SharePoint 2010 Service Accounts List and required Permissions:
| Account name | Role | Local server rights needed |
|---|---|---|
| svcPrdSPSetup | Setup account. Used to install the SharePoint binaries. | Local administrator on all SharePoint boxes (with remote login enabled). Needs the Log on as a service right (GPO). SQL: explicit dbcreator and securityadmin server roles. |
| svcPrdSPFarm | Farm account. Used for the SharePoint Timer service, Central Administration and the User Profile service. | SharePoint Managed Account. Local administrator on all SharePoint boxes. Needs the Log on as a batch job and Log on as a service rights (GPO). DB access is granted by the SharePoint Configuration Wizard. |
| svcPrdSPAdminPool | App pool account for the Central Administration application pool. | SharePoint Managed Account. Needs the Log on as a batch job right. |
| svcPrdSPPortalPool | App pool account for the "Portal" web application. | SharePoint Managed Account. Needs the Log on as a batch job right. |
| svcPrdSPPartnerPool | App pool account for the "Partner" web application. | SharePoint Managed Account. Needs the Log on as a batch job right. |
| svcPrdSPMySitePool | App pool account for the My Site web application. | SharePoint Managed Account. Needs the Log on as a batch job right. |
| svcPrdSPServAppPool | Application pool account for the service applications. | SharePoint Managed Account. Needs the Log on as a batch job right. |
| svcPrdSPSearch | Account used to run the search service. | SharePoint Managed Account. Needs the Log on as a service right. |
| svcPrdSPSearchCrawl | Account used by the search service to crawl content. | Must have read access to any external or secure content sources you want to crawl with this account. Full Read on each web application. Must not be a member of the Farm Administrators group. Must not be a SharePoint Managed Account. |
| svcPrdSPADCrawl | Account used by the User Profile service to access Active Directory. | Must have the Replicating Directory Changes permission in AD, granted in BOTH ADUC and ADSI Edit. If the domain is Windows 2003 or earlier, must also be a member of the Pre-Windows 2000 Compatible Access built-in group. Must not be a SharePoint Managed Account. |
| svcPrdSPSQL | SQL Server service account, used to run SQL Server. The MSSQLSERVER and SQLSERVERAGENT services run under this account. | Local administrator on the SQL Server. Member of the SQL admin server role. Must not be a SharePoint Managed Account. |
| svcPrdSPSecStore | SharePoint user account for the Secure Store Service application (if LOB applications are integrated). | Local administrator on the WFE servers. |
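The naming pattern and the "managed account / must not be a managed account" split in the table are easy to enforce from a script. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft: it builds each account name from the svc + Environment + SP + Purpose pattern, rejects names over the 20-character sAMAccountName limit, registers the app pool, farm and search accounts as SharePoint managed accounts if they are not already, and warns if one of the crawl, AD-sync or SQL accounts has been registered as a managed account by mistake. It assumes the SharePoint 2010 Management Shell snap-in is available and uses CONTOSO as a placeholder domain name; the `$accounts` list is constructed from the table above.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# PowerShell snap-in and a placeholder domain NetBIOS name of CONTOSO.
# Run as the setup account on a farm server.
param(
    [ValidateSet('Dev', 'Test', 'Prd')]
    [string] $Environment = 'Prd',
    [string] $Domain = 'CONTOSO'      # placeholder, replace with your domain
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Purpose suffixes taken from the table, with whether each account is meant
# to be a SharePoint Managed Account. Accounts the table does not label
# either way (Setup, SecStore) are left out on purpose.
$accounts = @(
    @{ Purpose = 'Farm';        Managed = $true  },
    @{ Purpose = 'AdminPool';   Managed = $true  },
    @{ Purpose = 'PortalPool';  Managed = $true  },
    @{ Purpose = 'PartnerPool'; Managed = $true  },
    @{ Purpose = 'MySitePool';  Managed = $true  },
    @{ Purpose = 'ServAppPool'; Managed = $true  },
    @{ Purpose = 'Search';      Managed = $true  },
    @{ Purpose = 'SearchCrawl'; Managed = $false },   # must NOT be managed
    @{ Purpose = 'ADCrawl';     Managed = $false },   # must NOT be managed
    @{ Purpose = 'SQL';         Managed = $false }    # must NOT be managed
)

function New-SPServiceAccountName {
    param([string] $Env, [string] $Purpose)
    $name = "svc${Env}SP${Purpose}"
    # sAMAccountName is capped at 20 characters; the post recommends staying under it.
    if ($name.Length -gt 20) {
        throw "Account name '$name' is $($name.Length) characters; the limit is 20."
    }
    return $name
}

foreach ($a in $accounts) {
    $sam      = New-SPServiceAccountName -Env $Environment -Purpose $a.Purpose
    $identity = "$Domain\$sam"
    $existing = Get-SPManagedAccount -Identity $identity -ErrorAction SilentlyContinue

    if ($a.Managed) {
        if ($existing) {
            Write-Host "OK      $identity is already a managed account"
        }
        else {
            # Prompt for the password rather than embedding it in the script.
            $cred = Get-Credential $identity
            New-SPManagedAccount -Credential $cred | Out-Null
            Write-Host "ADDED   $identity registered as a managed account"
        }
    }
    elseif ($existing) {
        # Crawl, AD-sync and SQL accounts must not be managed accounts (see table).
        Write-Warning "$identity is registered as a managed account but must not be"
    }
    else {
        Write-Host "OK      $identity is correctly not a managed account"
    }
}
```

Run it once per environment (for example `.\Register-SPAccounts.ps1 -Environment Test -Domain CONTOSO`); the script is idempotent, so re-running it after someone adds an account through Central Administration surfaces any crawl or SQL account that was wrongly registered as managed.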
More Info:
https://technet.microsoft.com/en-us/library/cc678863.aspx
https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html