Recommended Service Accounts, Permissions and Best Practices for SharePoint
Everyone has their own way of setting up service accounts. Technically, it is possible to run every SharePoint service under ONE account, but then a single leaked password or compromised application pool hands over the whole farm, the SQL Server and the crawled content at once. Let's follow the least-privilege principle instead and give each role its own account with only the rights it needs.
Recommended SharePoint 2016 Service Accounts and Naming Conventions:
When running multiple SharePoint 2013 / 2016 environments such as Dev, Test and Production (best practice!), segregate the environments explicitly in the account names, for example SP16_PROD_Setup. Keep the 20-character sAMAccountName limit in mind: SP16_PROD_UserProfile and SP16_PROD_SuperReader are 21 characters, so shorten those suffixes (for example SP16_PROD_UPSync).
Here is my list of SharePoint 2013 service accounts and the permissions needed to set up, manage and administer SharePoint:
| Account Name | Description | Rights | Managed Account? |
| --- | --- | --- | --- |
| SP13_Setup | Used to install SharePoint, run the SharePoint Products Configuration Wizard, and configure and manage the server farm (including the Farm Configuration Wizard). | Local Administrator on all SharePoint servers. On the SQL Server: the securityadmin and dbcreator fixed server roles. To use the SharePoint Management Shell it also needs the SharePoint_Shell_Access role on the configuration and content databases, which is granted after the farm exists with Add-SPShellAdmin. | No |
| SP13_Farm | Application pool identity for the SharePoint Central Administration web site, the database access account, and the identity of the SharePoint Timer Service. | Permissions are granted automatically when the Products Configuration Wizard runs. Add it to the local Administrators group only while provisioning the User Profile Synchronization Service (SharePoint 2013), and remove it again afterwards. | Yes |
| SP13_Pool | Application pool identity for the content web applications. | None beyond what SharePoint grants; keep it separate from the farm account so a compromised web application pool does not hold farm rights. | Yes |
| SP13_Services | Application pool identity for the service applications. | None beyond what SharePoint grants. | Yes |
| SP13_Crawl | Default content access account for the Search Service Application. | Read access to the content it crawls. SharePoint grants it a Full Read user policy on the farm's web applications automatically; on external sites and other content sources grant read-only access. | No |
| SP13_UserProfile | Used to import user profiles and synchronize SharePoint with Active Directory. | Replicate Directory Changes permission on the domain. | No |
| SP13_SuperUser | Object cache super user account (portalsuperuseraccount) for web applications. | Full Control user policy on the web application. Must not be the application pool identity and must never be used to sign in to sites. | No |
| SP13_SuperReader | Object cache super reader account (portalsuperreaderaccount) for web applications. | Full Read user policy on the web application. Same restrictions as the super user account. | No |
| SQL_Admin | SQL administrator on the SQL Server, used to install SQL Server. | Local Administrator on the SQL Server. | No |
| SQL_Services | Service account for the SQL Server services. | None. | No |
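The following script is an added example and is not part of the original post. It provisions the accounts from the table above in Active Directory using the environment-qualified naming convention (SP16_PROD_*), refuses names over the 20-character sAMAccountName limit, and then grants the setup account exactly the two SQL Server roles the table calls for. The OU path, UPN suffix, NetBIOS domain name, SQL instance name and the shortened suffixes UPSync and SuperRead are assumptions; adjust them to your environment. It needs the ActiveDirectory and SqlServer modules.

```powershell
# Added example, not from the original post: create the service accounts in AD with the
# SP16_PROD_* naming convention, then grant the setup account its SQL Server roles.
# Assumed values: OU path, UPN suffix, NetBIOS name, SQL instance, shortened suffixes.
Import-Module ActiveDirectory
Import-Module SqlServer          # provides Invoke-Sqlcmd (assumed to be installed)

$Version     = 'SP16'
$Env         = 'PROD'
$OuPath      = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed OU
$Domain      = 'contoso.com'                             # assumed UPN suffix
$NetBios     = 'CONTOSO'                                 # assumed NetBIOS domain name
$SqlInstance = 'SQL01'                                   # assumed SQL Server instance

# Suffix and description per account. UserProfile and SuperReader are shortened because
# SP16_PROD_UserProfile / SP16_PROD_SuperReader would exceed 20 characters.
$accounts = @(
    @{ Suffix = 'Setup';     Desc = 'SharePoint setup and farm administration' }
    @{ Suffix = 'Farm';      Desc = 'Farm account: Central Administration pool, timer service' }
    @{ Suffix = 'Pool';      Desc = 'Web application pool identity' }
    @{ Suffix = 'Services';  Desc = 'Service application pool identity' }
    @{ Suffix = 'Crawl';     Desc = 'Search default content access account' }
    @{ Suffix = 'UPSync';    Desc = 'User profile import / AD synchronization' }
    @{ Suffix = 'SuperUser'; Desc = 'Object cache super user (never log on interactively)' }
    @{ Suffix = 'SuperRead'; Desc = 'Object cache super reader (never log on interactively)' }
)

foreach ($a in $accounts) {
    $sam = '{0}_{1}_{2}' -f $Version, $Env, $a.Suffix      # e.g. SP16_PROD_Setup
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Host "$sam already exists, skipping"
        continue
    }
    # Prompt per account so no password is stored in the script or the shell history
    $password = Read-Host -AsSecureString -Prompt "Password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$Domain" `
        -Path $OuPath -Description "$Env - $($a.Desc)" -AccountPassword $password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -ChangePasswordAtLogon $false
}

# Setup account: securityadmin + dbcreator fixed server roles, nothing more (no sysadmin).
# ALTER SERVER ROLE requires SQL Server 2012 or later; run this as a SQL sysadmin.
$setup = '{0}\{1}_{2}_Setup' -f $NetBios, $Version, $Env
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$setup')
    CREATE LOGIN [$setup] FROM WINDOWS;
IF ISNULL(IS_SRVROLEMEMBER('securityadmin', N'$setup'), 0) = 0
    ALTER SERVER ROLE securityadmin ADD MEMBER [$setup];
IF ISNULL(IS_SRVROLEMEMBER('dbcreator', N'$setup'), 0) = 0
    ALTER SERVER ROLE dbcreator ADD MEMBER [$setup];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql
```

The SQL part deliberately stops at securityadmin and dbcreator: the configuration wizard creates the databases and grants the farm account its own database roles, so the setup account never needs sysadmin.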
Your service accounts must hold the Log on as a service, Log on as a batch job and Allow log on locally user rights on every SharePoint server, and must not appear in the matching Deny log on as a service / Deny log on as a batch job / Deny log on locally rights. By default nothing blocks this (SharePoint grants Log on as a service to a managed account when it assigns it to a service), but hardened domain group policies that deny these rights to service accounts will stop application pools and timer jobs from starting.
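As an added example (not part of the original post), the following script checks on a SharePoint server whether a service account holds the three logon rights and is not on the corresponding Deny lists. It exports the local security policy with secedit, parses the user-rights section, and evaluates the account's own SID plus the groups every domain user implicitly carries (Everyone, Authenticated Users and, via Domain Users, the local Users group); that implicit-group list is an assumption, as is the example account name. Run it elevated on each server.

```powershell
# Added example, not from the original post: verify the logon rights the post lists for a
# service account on this server. Assumes the account is a domain user (implicit groups
# below) and that secedit can export the local policy (needs an elevated shell).

function Get-LocalUserRights {
    # Export only the user-rights area and return a hashtable: right name -> SIDs/names
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Entries look like *S-1-5-32-544,*S-1-5-80-0 ; drop the leading '*' from SIDs
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-ServiceAccountLogonRights {
    param([Parameter(Mandatory)][string]$Account)      # e.g. 'CONTOSO\SP13_Farm'

    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # Principals that carry this account's rights: itself plus the groups every domain
    # user is in by default: Everyone, Authenticated Users, local Users (assumption)
    $principals = @($Account, $sid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    $rights = Get-LocalUserRights
    $checks = @(
        @{ Name = 'Log on as a service';   Allow = 'SeServiceLogonRight';     Deny = 'SeDenyServiceLogonRight' }
        @{ Name = 'Log on as a batch job'; Allow = 'SeBatchLogonRight';       Deny = 'SeDenyBatchLogonRight' }
        @{ Name = 'Allow log on locally';  Allow = 'SeInteractiveLogonRight'; Deny = 'SeDenyInteractiveLogonRight' }
    )
    foreach ($c in $checks) {
        $allowed = @($rights[$c.Allow] | Where-Object { $principals -contains $_ }).Count -gt 0
        $denied  = @($rights[$c.Deny]  | Where-Object { $principals -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Account = $Account
            Right   = $c.Name
            Granted = $allowed
            Denied  = $denied
            OK      = ($allowed -and -not $denied)
        }
    }
}

# Usage:
Test-ServiceAccountLogonRights -Account 'CONTOSO\SP13_Farm' | Format-Table -AutoSize
```

A Denied result is authoritative: a deny right anywhere in the account's token wins over any allow. A Granted = False result can be a false alarm for accounts that sit in other groups (local Administrators, custom groups), because the script does not expand nested group membership; check those groups by hand before changing policy.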
How to change a SharePoint 2013 service account
Managed accounts are registered via Central Administration >> Security >> Configure managed accounts. To register a service account as a managed account with PowerShell, refer to: Create New Managed Account in SharePoint 2013 Using PowerShell
After registering the managed accounts, you can assign them to services. Go to Central Administration >> Security >> Configure service accounts to associate a managed account with a SharePoint service or application pool, such as the Farm account.
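The following is an added example, not the original post's code, showing the same configuration done from the SharePoint Management Shell: it registers the "Yes" rows of the table as managed accounts, puts service applications into a pool running as SP13_Services, grants the setup account SharePoint_Shell_Access on the configuration and content databases, and configures the super user / super reader accounts with their web application user policies. The NetBIOS domain CONTOSO, the web application URL and claims-based authentication (hence the i:0#.w| prefix on the cache accounts) are assumptions.

```powershell
# Added example, not from the original post: assign the table's accounts in SharePoint.
# Assumed: NetBIOS domain CONTOSO, account names from the table, a web application at
# http://intranet.contoso.com, and Windows claims authentication ("i:0#.w|" prefix).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Domain    = 'CONTOSO'
$WebAppUrl = 'http://intranet.contoso.com'

function Register-SPServiceManagedAccount {
    param([Parameter(Mandatory)][string]$UserName)    # DOMAIN\name
    $existing = Get-SPManagedAccount -Identity $UserName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # SharePoint stores the credential and can rotate the password later (managed account)
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    New-SPManagedAccount -Credential $cred
}

# 1. Managed accounts ("Yes" rows). SP13_Farm is already registered by the config wizard.
$poolAccount     = Register-SPServiceManagedAccount "$Domain\SP13_Pool"
$servicesAccount = Register-SPServiceManagedAccount "$Domain\SP13_Services"

# 2. Service applications get their own pool under SP13_Services, separate from content pools.
#    ($poolAccount is what you pass as -ApplicationPoolAccount to New-SPWebApplication.)
$svcPool = Get-SPServiceApplicationPool -Identity 'SharePoint Services App Pool' -ErrorAction SilentlyContinue
if (-not $svcPool) {
    $svcPool = New-SPServiceApplicationPool -Name 'SharePoint Services App Pool' -Account $servicesAccount
}

# 3. Setup account: SharePoint_Shell_Access on the configuration DB and every content DB
$setup = "$Domain\SP13_Setup"
if (-not (Get-SPShellAdmin | Where-Object { $_.UserName -eq $setup })) {
    Add-SPShellAdmin -UserName $setup                           # configuration database
}
foreach ($db in Get-SPContentDatabase) {
    if (-not (Get-SPShellAdmin -database $db | Where-Object { $_.UserName -eq $setup })) {
        Add-SPShellAdmin -UserName $setup -database $db
    }
}

# 4. Object cache accounts: web application user policies, then the cache properties.
function Set-SPWebAppUserPolicy {
    param($WebApp, [string]$UserName, [string]$DisplayName,
          [Microsoft.SharePoint.Administration.SPPolicyRoleType]$RoleType)
    $policy = $WebApp.Policies | Where-Object { $_.UserName -eq $UserName }
    if (-not $policy) { $policy = $WebApp.Policies.Add($UserName, $DisplayName) }
    $role = $WebApp.PolicyRoles.GetSpecialRole($RoleType)
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name })) {
        $policy.PolicyRoleBindings.Add($role)
    }
}

$superUser   = "i:0#.w|$Domain\SP13_SuperUser"
$superReader = "i:0#.w|$Domain\SP13_SuperReader"
$wa = Get-SPWebApplication -Identity $WebAppUrl
Set-SPWebAppUserPolicy -WebApp $wa -UserName $superUser   -DisplayName 'Object Cache Super User'   -RoleType FullControl
Set-SPWebAppUserPolicy -WebApp $wa -UserName $superReader -DisplayName 'Object Cache Super Reader' -RoleType FullRead
$wa.Properties['portalsuperuseraccount']   = $superUser
$wa.Properties['portalsuperreaderaccount'] = $superReader
$wa.Update()
# Recycle the web application's pool (or run iisreset) so the new cache accounts take effect.
```

Step 3 is the piece people forget: without the SharePoint_Shell_Access role on each content database, Get-SPSite and friends fail for the setup account even though it is a local administrator, and the usual "fix" of making it a SQL sysadmin is exactly the over-privilege the table is trying to avoid.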
[Figure: SharePoint 2013 change search service account]
To create SharePoint service accounts in AD using PowerShell, refer to: Create SharePoint Service Accounts in AD using PowerShell
Depending on your organization's security policies, you may have to add accounts to or remove accounts from this list. Consider additional accounts for service applications such as the Excel Services unattended service account, Visio Graphics Service, etc. See also the SharePoint 2013 service accounts reference on TechNet.