Monday, January 4, 2016

Service accounts strategy in SharePoint implementation


I often come across SharePoint farms that are installed and configured with a single service account (e.g. the SPFarm account): one service account to install the farm, to configure the farm, to install service applications and service application pools, and so on...
There is no precise way to determine how many service accounts you need on your farm, but ONE is definitely too few and a wrong configuration in so many ways. A single account is also a very unsafe configuration that can lead to complications down the road.

Now that we've cleared that up, let's determine which service accounts we usually need.

NOTE: This is the minimum number of service accounts that we need in order to properly install SharePoint.

SQL_Admin is the main SQL service account. This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. With this account we will grant rights to the SP_Farm service account.

SP_Farm is the main SharePoint account. It needs Local Administrator rights to be able to install SharePoint Server, and also the securityadmin and dbcreator roles on the SQL Server to create the configuration and other databases. This account will be the main Farm Administrator and will also run the Timer Service and the Central Administration web application, which use it to access the SharePoint content database.

SP_AppPool is a domain account used as the application pool identity. When you create a Web Application and a pool for it, you select this account.

SP_ServiceApps is a domain account used for the Service Application pools. When you create a Managed Metadata Service application and a pool for it, you select this account!

SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications. It will also run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it the Replicate Directory Changes right in Active Directory in order to allow the synchronization.


The most commonly used service accounts are:

SQL_Admin is the main SQL service account. This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. With this account we will grant rights to the SP_Farm service account.

SQL_Services is used only to run the SQL Agent and Database Engine Windows services. This account does not have any local rights.

SP_Farm is a domain account that the SharePoint Timer service and the Central Administration web application use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint Configuration Wizard grants the proper minimal privileges in the back-end SQL Server database. The minimum SQL Server privilege configuration is membership in the securityadmin and dbcreator roles.

SP_Admin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard for SharePoint 2013. The SP_Admin account is the only account that requires local Administrator rights.

SP_AppPool is a domain account used as the application pool identity. When you create a Web Application and a pool for it, you select this account.

SP_ServiceApps is a domain account used for the Service Application pools. When you create a Managed Metadata Service application and a pool for it, you select this account!

SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.

SP_Search is used to run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it the Replicate Directory Changes right in Active Directory in order to allow the synchronization.


This is the most secure configuration, but it uses the most service accounts.

SQL_Admin is the main SQL service account. This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. With this account we will grant rights to the SP_Farm service account.

SQL_Services is used only to run the SQL Agent Windows service. This account does not have any local rights.

SQL_Engine is used only to run the Database Engine Windows service. This account does not have any local rights.

SP_Farm is a domain account that the SharePoint Timer service and the Central Administration web application use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint Configuration Wizard grants the proper minimal privileges in the back-end SQL Server database. The minimum SQL Server privilege configuration is membership in the securityadmin and dbcreator roles.

SP_Admin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard for SharePoint 2013. The SP_Admin account is the only account that requires local Administrator rights.

SP_AppPool is a domain account used as the application pool identity. When you create a Web Application and a pool for it, you select this account.

SP_ServiceApps is a domain account used for the Service Application pools. When you create a Managed Metadata Service application and a pool for it, you select this account!

SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.

SP_Search is used to run the SharePoint Windows Search Service.

SP_MySitePool is a domain account used as the My Sites Web Application pool identity. It is very similar to SP_AppPool; however, it is used only for the My Sites Web Application.

SP_UserProfiles is the account used for User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it the Replicate Directory Changes right in Active Directory in order to allow the synchronization.

These are not all the service accounts we could use. Project Server uses another 8 service accounts, and so on, but I will write about that in another post.
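A quick way to check an existing farm against the account separation described above. This is an added audit script, not part of the original post: it assumes it runs in the SharePoint Management Shell on a farm server as a farm administrator, and flags application pools, service application pools or the Search service that still run as the farm account, plus the farm account still being a local Administrator after installation.

```powershell
# Added example (not from the original post). Assumes the SharePoint
# Management Shell on a SharePoint 2013 farm server, run as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name   # e.g. CONTOSO\SP_Farm
$findings    = @()
$identities  = @($farmAccount)

# Content web application pools should run as SP_AppPool / SP_MySitePool,
# never as the farm account (Central Administration legitimately uses it).
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $id = $wa.ApplicationPool.UserName
    $identities += $id
    if (-not $wa.IsAdministrationWebApplication -and $id -eq $farmAccount) {
        $findings += "Web application '$($wa.DisplayName)' pool runs as the farm account $id"
    }
}

# Service application pools should run as SP_ServiceApps.
foreach ($pool in Get-SPServiceApplicationPool) {
    $identities += $pool.ProcessAccountName
    if ($pool.ProcessAccountName -eq $farmAccount) {
        $findings += "Service application pool '$($pool.Name)' runs as the farm account"
    }
}

# The SharePoint Search service should run as SP_Search (or SP_Crawl in
# the minimal layout), not as the farm account.
$search = Get-SPEnterpriseSearchService
$identities += $search.ProcessIdentity
if ($search.ProcessIdentity -eq $farmAccount) {
    $findings += "SharePoint Search service runs as the farm account"
}

# The farm account only needs local Administrator rights during install;
# flag it if it is still a member of the local Administrators group here.
$localAdmins = net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($localAdmins -contains $farmAccount) {
    $findings += "Farm account $farmAccount is still a local Administrator on $env:COMPUTERNAME"
}

$distinct = $identities | Sort-Object -Unique
Write-Host "Distinct service identities in use: $($distinct.Count)"
$distinct | ForEach-Object { Write-Host "  $_" }

if ($findings.Count -eq 0) { Write-Host "No account-reuse findings." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A farm built with a single account shows one distinct identity and a warning per pool; the layouts described in this post show six or more identities and no warnings.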


You can find the original post at THIS link.
