This article describes the administrative and service accounts required for deploying SharePoint Server 2010. It is part of a series describing the complete installation of SharePoint Server 2010 on Windows Server 2008 R2 and SQL Server 2008 R2. Using the right accounts to install SharePoint matters regardless of the kind of environment: development, staging, integration, test or production.

The best thing about a SharePoint deployment in a least privilege scenario is the number of accounts you have to create and grant permissions to by hand: exactly one, the setup account (also called the setup administrator). Of course a complete SharePoint installation needs several more accounts, but you don't have to assign their permissions manually. The remaining accounts receive their permissions from SharePoint itself, running as the setup account, during installation and configuration.

In a production environment you usually have separate identities: a SQL Server service account to run SQL Server, a domain administrator and a Windows server administrator. To keep things simple in my development environment, the setup administrator will also be SQL Server administrator (sysadmin), domain administrator and Windows server administrator, so I can use the same account for all administrative tasks. Keep in mind that this is a convenience for a throwaway development machine only: it collapses least privilege, and in staging or production the setup administrator should hold nothing beyond the local Administrators membership and the two SQL Server roles described below.

With SharePoint 2010 comes a new feature: managed accounts. A managed account is an ordinary Active Directory domain user; what makes it a managed account is that its credentials are registered with and stored by SharePoint, which can then change the password in Active Directory and update every application pool and service that runs under the account. If your Active Directory domain policy requires users to change their passwords regularly, a managed account can meet this requirement without manual intervention. (SharePoint managed accounts should not be confused with the Windows Server 2008 R2 Managed Service Accounts created with the Active Directory PowerShell cmdlets; SharePoint 2010 does not use those.)

You can also stick with the approach used for SharePoint 2007, where you marked the user in Active Directory with the properties "User cannot change password" and "Password never expires". I still use this for my development environment.

It would be great if you left a comment or joined the discussion at the end of the post.

You can also go back to the beginning of the series, where you will find an overview of the complete series and of course the farm topology and the deployment scenario.

Install SharePoint 2010 Administrators and Developers Edition
Active Directory required accounts

It is strongly recommended to create domain accounts and use them as service accounts. You need to create at least the following accounts in Active Directory:

Account type     Account name
SQL Service      sqlSvcAcc
Setup Admin      spAdmin
Farm Account     spFarmAcc


Difference to SharePoint 2007

Service accounts in SharePoint 2007 needed two properties when they were created in Active Directory:

- User cannot change password
- Password never expires

This isn’t necessary with SharePoint 2010 since we now have managed accounts capable of password expiration and automatic change.

Nevertheless, in my development environment I still set the options "User cannot change password" and "Password never expires" on the service accounts.
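The automatic password change described above, as an added example that is not part of the original post: the following PowerShell registers spFarmAcc as a SharePoint managed account and turns on automatic password rotation, which is the alternative to the "Password never expires" flag when a domain password policy applies. It assumes the domain is named CONTOSO, that it runs as the setup administrator in the SharePoint 2010 Management Shell on a farm server, and the maintenance window in the schedule string is chosen for illustration.

```powershell
# Added example: register a domain account as a SharePoint 2010 managed
# account and let SharePoint rotate its password in Active Directory.
# Assumptions: domain CONTOSO; run as the setup administrator on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$user = 'CONTOSO\spFarmAcc'   # assumed domain name

# Reuse the registration if the account is already managed (the configuration
# wizard registers the farm account itself when it creates the farm).
$managed = Get-SPManagedAccount | Where-Object { $_.UserName -eq $user }
if (-not $managed) {
    $cred    = Get-Credential $user          # prompts for the current password
    $managed = New-SPManagedAccount -Credential $cred
}

# Let SharePoint generate a new password two days before the current one
# expires under the AD policy, inside a weekly maintenance window. SharePoint
# writes the new password to AD and updates every application pool and
# service that runs as this account.
Set-SPManagedAccount -Identity $managed `
    -AutoGeneratePassword `
    -PreExpireDays 2 `
    -Schedule 'weekly between Sat 01:00:00 and Sat 02:00:00' `
    -Confirm:$false

# Check the result: automatic change should now be enabled with a schedule.
Get-SPManagedAccount -Identity $user |
    Format-List UserName, AutomaticChange, ChangeSchedule, PasswordExpiration
```

SharePoint performs the change as the account itself, so an account you intend to rotate this way must be allowed to change its own password; the "User cannot change password" flag used for the development environment is incompatible with automatic change and belongs only on accounts whose passwords never expire.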

Assign permission

You need to assign permission only to the SharePoint 2010 setup administrator.

SQL Server service account

You don’t need to assign permissions: SQL Server 2008 R2 setup grants the service account the rights it needs when you specify it as the service account for the Database Engine during installation.

The SQL Server service account is used to run SQL Server and should be a domain account.

Setup administrator

You need to manually assign permissions.

The setup administrator is used to install SharePoint 2010.

The SharePoint 2010 setup administrator has to be a member of the local Administrators group on every server on which SharePoint will be installed.

Add the SharePoint 2010 setup administrator to the local Administrators group on each of these servers.

On SQL Server the setup administrator needs the securityadmin and dbcreator server roles. The sysadmin role is assigned only if you decide during SQL Server 2008 R2 installation that the setup administrator should be a SQL Server administrator; sysadmin is far more than SharePoint needs and should be avoided outside a development environment.

I decided to do so in my Hyper-V development environment.

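The whole procedure from the account table down to the SQL Server roles, as an added PowerShell example that is not part of the original post: create the three domain accounts, add the setup administrator to the local Administrators group and grant it exactly the securityadmin and dbcreator roles, then verify that it did not end up as sysadmin. The domain name CONTOSO, the OU path, the SQL Server instance name SQL01 and the availability of the RSAT Active Directory module and sqlcmd on the machine where each step runs are assumptions.

```powershell
# Added example: provision the accounts for a least privilege SharePoint 2010
# setup and grant the setup administrator its permissions.
# Assumptions: domain CONTOSO, OU below, default SQL Server instance SQL01,
# RSAT AD module and sqlcmd.exe available where the respective part runs.
Import-Module ActiveDirectory

$domain = 'CONTOSO'
$ou     = 'OU=Service Accounts,DC=contoso,DC=local'
$sql    = 'SQL01'

# 1. Accounts in Active Directory. The two password flags mirror the
#    SharePoint 2007 approach used in the development environment; accounts
#    that SharePoint should rotate as managed accounts must not get them.
foreach ($name in 'sqlSvcAcc', 'spAdmin', 'spFarmAcc') {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@contoso.local" -Path $ou `
        -AccountPassword (Read-Host "Password for $name" -AsSecureString) `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
}

# 2. Setup administrator: local Administrators on every SharePoint server.
#    Run this part on each server; Add-LocalGroupMember does not exist on
#    Windows Server 2008 R2, so the classic net command is used.
net localgroup Administrators "$domain\spAdmin" /add

# 3. Setup administrator: securityadmin and dbcreator on SQL Server 2008 R2.
#    sp_addsrvrolemember is used because ALTER SERVER ROLE ... ADD MEMBER
#    only exists from SQL Server 2012 on.
$tsql = @"
IF SUSER_ID(N'$domain\spAdmin') IS NULL
    CREATE LOGIN [$domain\spAdmin] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$domain\spAdmin', N'securityadmin';
EXEC sp_addsrvrolemember N'$domain\spAdmin', N'dbcreator';
"@
sqlcmd -S $sql -E -Q $tsql

# 4. Check: the two required roles are present and sysadmin is not.
$check = @"
SET NOCOUNT ON;
SELECT IS_SRVROLEMEMBER(N'securityadmin', N'$domain\spAdmin') AS securityadmin,
       IS_SRVROLEMEMBER(N'dbcreator',     N'$domain\spAdmin') AS dbcreator,
       IS_SRVROLEMEMBER(N'sysadmin',      N'$domain\spAdmin') AS sysadmin;
"@
sqlcmd -S $sql -E -Q $check
```

In a least privilege setup the check returns 1 for securityadmin and dbcreator and 0 for sysadmin; a 1 in the sysadmin column means the setup administrator was made a SQL Server administrator during SQL Server installation, which is acceptable only for the development shortcut described above.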

Farm account

You don’t need to assign permissions: the SharePoint Products Configuration Wizard (or the equivalent PowerShell cmdlets), running as the setup administrator, registers the farm account as a managed account, grants it the securityadmin and dbcreator server roles on SQL Server and makes it db_owner of the configuration database and the Central Administration content database. The farm account does not need to be a local administrator on the SharePoint servers; day-to-day farm configuration is done with the setup administrator. The one well-known exception is provisioning the User Profile Synchronization Service, which needs the farm account in the local Administrators group until provisioning is complete.

The farm account is used for the following things [1]:

  • “Configure and manage the server farm.”
  • “Act as the application pool identity for the SharePoint Central Administration Web site.”
  • “Run the Microsoft SharePoint Foundation Workflow Timer Service.”

Resources

Here are the resources used in this article:

Comments (18)

11/21/2009 3:34:30 AM

Jeremy Thake

Did you get the User Profile Synchronization Service working with separate accounts?

Jeremy Thake, Australia

11/24/2009 9:14:39 AM

Andreas Glaser

Hi Jeremy,

I didn't try it since I was running out of time the last days... maybe at the end of the week, but that depends... I will drop a comment.

Andreas

Andreas Glaser, Switzerland

5/11/2010 5:09:12 PM

TT

Thanks for this very good article!
Is your Farm Account (spFarmAcc) a managed service account? During the install of SharePoint 2010, it looks like I need to create a simple domain account, but it also looks like an MSA would make sense. What are your thoughts on that?

TT, United Kingdom

5/11/2010 10:23:14 PM

Andreas Glaser

@TT:

During installation and configuration with PowerShell scripts the spFarmAcc is automatically added to the group of managed accounts, and I didn't do it on purpose. I don't know if it's also done if you install SharePoint without scripts... but I think so.

In my opinion every domain account you want to use in SharePoint 2010 has to be registered as a managed account. As a developer I would definitely use domain accounts, since SharePoint is usually deployed with this type of account at your customer. This way you can develop close to your customer's environment.
The word managed 'only' helps administrators to be able to easily change passwords if some security policy requires it.

You don't mean the service application pool accounts used to run service applications like the Word Viewing Service, right?

Andreas Glaser, Switzerland

5/19/2010 12:10:11 AM

Wes Preston

On the previous page when installing AD, if making an all-in-one demo machine, your screenshots show the 2003 AD mode. It looks like the 2003 mode doesn't allow for Local Users and Groups (I am NOT an AD guy). I put my SharePoint setup account in the Domain Admins group to hopefully make up for this. If this works you might want to highlight the following options:

- If selecting AD-2003 mode, the SPAdmin account needs to be added to the Domain Admins group in AD

- If selecting AD-2008 R2 mode, the SPAdmin account can be added to the Local Admins group

Correct?  

Wes Preston, United States

5/20/2010 9:37:20 AM

TT

Thanks a lot Andreas, sorry it took so long to comment on your reply.
SharePoint confused me with words... spFarmAcc is added to the group of managed accounts even if you install SharePoint without scripts. What confused me is that I thought I'd need to create an MSA in AD with PowerShell and then use it in SharePoint. A simple domain account is actually enough, as SharePoint adds it to the managed accounts. If that makes any sense. Anyway, all working now, I can play with Search Server Express. Thanks.

TT, United Kingdom

8/29/2010 11:13:35 AM

martin

Thank you Andreas for all your tutorials.
Though I have some difficulties here in setting everything up.
So far I have installed R2, enabled the roles and installed AD.
Can you please tell me where exactly you are choosing the Account Type? You have mentioned AD required accounts, but I cannot find this feature [SQL Service Account type etc.].
Also, when going under Computer Management I do not have "Local Users and Groups" in this tree view.
Can you please advise? Thank you in advance

martin, Poland

8/31/2010 9:39:48 PM

Andreas Glaser

Hi Martin,

if you have installed your AD, please go to the AD server and log on. There you can go to
"Start -> Administrative Tools -> Active Directory Users and Computers".

Depending on your setup it might be located under
"Start -> Programs -> Administrative Tools -> Active Directory Users and Computers".

There you need to create the users... where "account type" is only a description of the purpose of this account. So it doesn't matter. What is more important are the following accounts:

sqlSvcAcc
setupAdmin
spFarmAcc

They have to exist in Active Directory. So if you followed the steps in this comment you should be able to create these 3 new users in Active Directory.

After you created them only the setupAdmin needs permissions assigned by you. These are the permissions described under "Setup administrator" in the article above.

If you need additional information please drop a comment.

Regards
Andreas

Andreas Glaser, Switzerland

9/1/2010 9:46:47 AM

martin

Thank you very much Andreas,
it really helped me. I am just installing and configuring MOSS on a virtual machine for myself, not for a company, thus I needed advice on the above.
That is great.
Have a good day.
Regards,
m.

martin, Poland

6/8/2011 10:59:33 AM

Navi

Hi, first thanks for such a nice article. I am not an AD or SharePoint guy, I just have basic knowledge. I am trying to create a SharePoint farm; I have two machines, one for SQL Server and one for SharePoint. I just want to use only one user to manage the whole farm.

This is a domain user and not a member of any group. I have a plan (I am not sure if I am right) to install SQL Server as local admin and during installation assign the same user as the service account, and make the same user local admin on the SharePoint machine to manage SharePoint. But while I try to assign the user as the service account I get the error "The credentials you provide for the sql server agent service are invalid". Please help me.

Navi, Germany

6/15/2011 10:18:40 AM

Abdul

Hi,
How can I make the list of service accounts shorter and at the same time follow best practice? Below is the complete list of accounts I have; which accounts can I combine in the same role without compromising best practice?

SVCSPSQL : will be used for the Installation of SQL Server, and will run as service account for the SQL Instance.
SVCSPSetup: Will be used to setup all SharePoint Server, and later on will be disabled
SVCSPFarm: Farm Administrator
SVCSPSearch: For Search Service
SVCSPSearchCrawl: Search Content access
SVCSPProf:  profile access
SVCSPMySite: pool service account for My Site
SVCSPPoolApp: pool service account for the web application
SVCSPCached: Cache reader
SVCSPCacheADM: Cache Admin
SVCSPService: Managed account
SVCSPBDC: Business Data Connectivity
SVCSPExcel: Excel Service
SVCSPPPT: power point service
SVCSPWordAuto: word automation
SVCSPWordViewer: word viewer
SVCSPPerfPoint: performance point
SVCSPAccess: Access Service
SVCSPMMD: Meta Data Service
SVCSPSecure: Secure service
SVCSPSSO: Single Sign on

Many thanks.

Abdul, U.A.E.

6/15/2011 7:09:51 PM

Andreas Glaser

Hi Abdul,

that's an interesting question... I haven't seen any information yet. In my opinion I would definitely use:

-SVCSPSQL : will be used for the Installation of SQL Server, and will run as service account for the SQL Instance.
-SVCSPSetup: Will be used to setup all SharePoint Server, and later on will be disabled
-SVCSPFarm: Farm Administrator
-SVCSPSearch: For Search Service
-SVCSPSearchCrawl: Search Content access
-SVCSPMySite: pool service account for My Site
-SVCSPPoolApp: pool service account for the web application
-SVCSPBDC: Business Data Connectivity

The following accounts are related to your SharePoint farm, right? Or are they needed by SharePoint out-of-the-box?

-SVCSPCached: Cache reader
-SVCSPCacheADM: Cache Admin

It would be interesting what the others think...

Andreas

Andreas Glaser, Switzerland

6/15/2011 8:13:55 PM

Abdul

Hi Andreas,
when we create application services manually (Excel Service, PowerPoint service, Word automation, Word viewer, PerformancePoint, Access Service, Metadata Service, Secure service, Single Sign-on service),
would you create a dedicated service account for each of these services? Or do you think it is better to run them all under one service account?

Actually i am a little bit confused!

Abdul, U.A.E.

12/7/2011 2:27:48 PM

Andreas

Hello Andreas,

thanks for this guidance. You're referring to this Microsoft url technet.microsoft.com/.../...3%28office.14%29.aspx to confirm the suggested permissions for the farm account.

You're saying that the farm account should be used for administration of the SharePoint Server. So the user has to be local administrator, else you won't be able to create a new web application or start services with this account. However, if you assign local administrator permission to the account which gets the app pool identity for the Central Administration, you'll get at least a warning about that.

On the website I've posted above is another link to a 2nd Microsoft site called "Account permissions and security settings (SharePoint Server 2010)". If you read the part for the farm account there, you'll find out that on that page they're not using the farm account for the administration part. It's only for app pool identity and database access, therefore you don't need local administrator permission. However, in that case you have to stick to the setup user to configure your SharePoint farm.

Could you please confirm my thoughts and my observations?

Andreas, Germany

1/3/2012 7:58:06 PM

Andreas Glaser

Hi Andreas,

yes, you're right...

"If you read the part for the farm account there, you'll find out that on that page they're not using the farm account for the administration part. It's only for app pool identity and database access, therefore you don't need local administrator permission. However, in that case you have to stick to the setup user to configure your SharePoint farm."

I made a mistake.

Sorry for the late reply,
Andreas

Andreas Glaser, Switzerland

4/23/2012 4:37:46 AM

Santhan

Hi,

If my SP server is in domain B and the users and their PCs are part of domain A, then in which domain do I create the service accounts? There is a one-way trust where domain A can access domain B.

Santhan, Australia

5/17/2012 3:02:36 PM

Arnel

Hi Everyone,

We are having a problem with SharePoint. We cannot publish an Access database to SharePoint Server 2010, as we get this error “An error occurred while initializing access services database.” whenever we try to publish the default contacts database. By the way, we are using the single server environment (standalone). If you need more details just let me know. Any help would be appreciated guys, thanks.

Arnel, Philippines

8/28/2012 10:45:13 AM

MAZ

Hi Gents,

I have to quote for one project, comprising MS Exch, MS SharePoint and MS SQL.
What is required for all?
  1. Do I need AD and a Domain Controller on a separate server?
  2. Can I install MS Exch and AD on a single server?
  3. What is best practice: using the MS SharePoint built-in database of MS SQL Express, or having MS SQL Ent on the same machine as MS SharePoint?
  4. Is there any freelancer to work on this kind of projects, based on MS applications, e.g. Exch, MS SQL, SharePoint, etc.?

Thanks & Regards,
MAZ

MAZ, Saudi Arabia
