This article describes the administrative and service accounts required for deploying SharePoint Server 2010 and is part of a series describing the complete installation of SharePoint Server 2010 on Windows Server 2008 R2 and SQL Server 2008 R2. Please have a look at

There you can find an overview of the complete series and of course the farm topology and the deployment scenario.

Active Directory required accounts

It is strongly recommended to create domain accounts and use them as service accounts. You need to create at least the following accounts in Active Directory:

Account type    Account name
SQL Service     sqlSvcAcc
Setup Admin     spAdmin
Farm Account    spFarmAcc

Additionally, you should create a separate service account for every service in order to meet least-privilege security best practice*. (cool phrase, isn’t it? ;)

Account type                                                Account name
Application Pool Account                                    spAppPoolAcc
Application Pool Account for BDC Service Application        spAppPoolBDCAcc
Application Pool Account for Excel Service Application      spAppPoolEXCELAcc
Application Pool Account for PowerPoint Service Application spAppPoolPPTAcc
Application Pool Account for Word Service Application       spAppPoolWORDAcc
SharePoint Foundation Search Service Account                spfSearchSvc
SharePoint Foundation Search Content Access Account         spfSearchCAAcc
more to come...

* You should give a service account only the permissions the service needs to work properly. E.g. the content access account only needs read permissions. Using the SharePoint Farm Account, which is a member of the farm administrators group, as the content access account isn’t something I would do.

Difference to SharePoint 2007

Service accounts in SharePoint 2007 needed 2 properties when they were created in Active Directory:

  • User cannot change password and
  • Password never expires.

This isn’t necessary with SharePoint 2010 since we now have managed accounts that support password expiration and automatic password change. Still, in my development environment I will choose the options “User cannot change password” and “Password never expires”.
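As an added example that is not from the article: registering the service accounts from the tables above as managed accounts in the SharePoint 2010 Management Shell and letting SharePoint rotate their passwords, rather than relying on “Password never expires” in AD. The domain CONTOSO, the account list and the monthly schedule string are assumptions; the farm account is left out because it is registered during configuration, and the content access account is a crawl account rather than a process identity.

```powershell
# Added example, not from the article. Run in the SharePoint 2010 Management Shell
# as the setup administrator. Domain CONTOSO and the schedule string are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain = "CONTOSO"
# Process identities from the tables above (spFarmAcc is already registered by the
# configuration wizard; spfSearchCAAcc only crawls content and is not managed here).
$serviceAccounts = @("spAppPoolAcc", "spAppPoolBDCAcc", "spAppPoolEXCELAcc",
                     "spAppPoolPPTAcc", "spAppPoolWORDAcc", "spfSearchSvc")

foreach ($name in $serviceAccounts) {
    $identity = "$domain\$name"
    $managed = Get-SPManagedAccount | Where-Object { $_.UserName -eq $identity }
    if (-not $managed) {
        # Prompt for the current AD password; SharePoint keeps it in the config database
        # so that it can run app pools under this identity and later change it itself.
        $cred = Get-Credential $identity
        $managed = New-SPManagedAccount -Credential $cred
    }
    # Let SharePoint generate a new password once a month and push it to AD and to
    # every application pool or service that runs under this identity.
    Set-SPManagedAccount -Identity $managed -AutoGeneratePassword `
        -Schedule "monthly between 1 02:00:00 and 1 03:00:00" -Confirm:$false
}

# Review which accounts are managed now and when their passwords will be rotated.
Get-SPManagedAccount | Select-Object UserName, AutomaticChange, ChangeSchedule
```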


Assign permission

You need to assign permissions only to the SharePoint 2010 setup administrator.

SQL Server service account

You don’t need to assign permissions since they are assigned during installation of SQL Server 2008.

The SQL Server service account is used to run SQL Server and should be a domain account.

Setup administrator

You need to manually assign permissions.

The setup administrator is used to install SharePoint 2010.

  • The SharePoint 2010 setup administrator has to be a member of the local administrators group on every server on which SharePoint will be installed.

Add the SharePoint 2010 setup administrator to the local administrators group. The setup administrator has been added to the local administrators group.

  • The SharePoint 2010 setup administrator needs to have the securityadmin and dbcreator server roles. The sysadmin role is assigned if you decide during SQL Server 2008 installation that your SharePoint 2010 setup administrator should be the SQL admin. I decided to do so in my Hyper-V development environment.

The SharePoint 2010 setup administrator needs to have the securityadmin and dbcreator server roles.
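As an added example that is not from the article: creating the three mandatory accounts from the first table and assigning the setup administrator the two permissions described in this section with PowerShell. The domain CONTOSO, the OU path, the SQL instance name and the $devFarm switch are placeholders and assumptions; the AD cmdlets assume the ActiveDirectory module on a Windows Server 2008 R2 domain controller.

```powershell
# Added example, not from the article. Run as a domain administrator on the AD server
# (ActiveDirectory module, Windows Server 2008 R2). CONTOSO, the OU path, the SQL
# instance name and the $devFarm switch are assumptions / placeholders.
Import-Module ActiveDirectory

$domain      = "CONTOSO"
$ouPath      = "OU=SharePoint Service Accounts,DC=contoso,DC=local"
$sqlInstance = "SQL01"
# The article sets "User cannot change password" / "Password never expires" in a
# development farm only; keep $devFarm = $false where passwords are rotated.
$devFarm     = $false

$accounts = @{
    "sqlSvcAcc" = "SQL Server 2008 R2 service account"
    "spAdmin"   = "SharePoint 2010 setup administrator"
    "spFarmAcc" = "SharePoint 2010 farm account"
}

foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # already exists
    New-ADUser -Name $name -SamAccountName $name -Path $ouPath `
        -Description $accounts[$name] `
        -AccountPassword (Read-Host -AsSecureString "Password for $name") `
        -CannotChangePassword $devFarm -PasswordNeverExpires $devFarm -Enabled $true
}

# Only the setup administrator gets permissions assigned by hand.
# 1) Local Administrators group: repeat on every server that will run SharePoint.
net localgroup Administrators "$domain\spAdmin" /add

# 2) SQL Server roles securityadmin and dbcreator (sysadmin is not required).
#    SQL Server 2008 R2 uses sp_addsrvrolemember; ALTER SERVER ROLE is 2012+.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$domain\spAdmin')
    CREATE LOGIN [$domain\spAdmin] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$domain\spAdmin', N'securityadmin';
EXEC sp_addsrvrolemember N'$domain\spAdmin', N'dbcreator';
"@
sqlcmd -S $sqlInstance -E -Q $tsql
```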

Farm account

You don’t need to assign permissions since they are automatically assigned by the SharePoint 2010 setup administrator.

The farm account is used for the following things [1]:

  • “Configure and manage the server farm.”
  • “Act as the application pool identity for the SharePoint Central Administration Web site.”
  • “Run the Microsoft SharePoint Foundation Workflow Timer Service.”

Resources

Here are the resources used in this article:

Next steps

Please take a look at Part 6: SQL Server 2008 R2 software requirements.

Comments (11)

11/19/2009 8:17:48 AM

SharePoint Kaffeetasse 139

SharePoint 2010 Installation Installing SharePoint Server 2010 on Windows Server 2008 R2 and SQL Server

Michael Greth [SharePoint MVP]

11/21/2009 3:34:30 AM

Did you get User Profile Synchronization Service working with separate accounts?

Jeremy Thake Australia

11/24/2009 9:14:39 AM

Hi Jeremy,

I didn't try it since I was running out of time the last days... maybe at the end of the week but that depends... I will drop a comment.

Andreas

Andreas Glaser Switzerland

11/29/2009 12:33:29 PM

Visual, step-by-step installation of SharePoint 2010

msdn.microsoft.com/.../ee554869(office.14).aspx www.codeproject.com/.../...ePoint_Server_2010.aspx

مجید رواقی

5/6/2010 9:09:57 PM

Installing SharePoint Server 2010 on Windows Server 2008 R2 and SQL Server 2008 R2 - Part 1: Overview


Andreas Glaser

5/11/2010 5:09:12 PM

Thanks for this very good article!
Is your Farm Account (spFarmAcc) a managed service account? During the install of SharePoint 2010, it looks like I need to create a simple domain account but it also looks like an MSA would make sense. What are your thoughts on that?

TT United Kingdom

5/11/2010 10:23:14 PM

@TT:

During installation and configuration with PowerShell scripts the spFarmAcc is automatically added to the group of managed accounts and I didn't do it on purpose. I don't know if it's also done if you install SharePoint without scripts... but I think so.

In my opinion every domain account you want to use in SharePoint 2010 has to be registered as a managed account. As a developer I would definitely use domain accounts since SharePoint is usually deployed with this type of account at your customer. This way you can develop close to your customer's environment.
The word managed 'only' helps administrators to be able to easily change passwords if some security policy requires it.

You don't mean the service application pool accounts used to run service applications like the Word Viewing Service, right?

Andreas Glaser Switzerland

5/19/2010 12:10:11 AM

On the previous page when installing AD if making an all-in-one demo machine your screenshots show the 2003 AD mode. It looks like the 2003 mode doesn't allow for Local Users and Groups (I am NOT an AD guy :) ). I put my SharePoint Setup account in the Domain Admins group to hopefully make up for this. If this works you might want to highlight the following options:

- If selecting AD-2003 mode, the SPAdmin account needs to be added to the Domain Admins group in AD

- If selecting AD-2008 R2 mode, the SPAdmin account can be added to the Local Admins group

Correct?

Wes Preston United States

5/20/2010 9:37:20 AM

Thanks a lot Andreas, sorry it took so long to comment on your reply.
SharePoint confused me with words... spFarmAcc is added to the group of managed accounts even if you install SharePoint without scripts. What confused me is that I thought I'd need to create an MSA in AD with PowerShell then use it in SharePoint. A simple domain account is actually enough as SharePoint adds it to the managed accounts. If that makes any sense. Anyway, all working now, I can play with Search Server Express. Thanks.

TT United Kingdom

8/29/2010 11:13:35 AM

Thank you Andreas for all your tutorials.
Though I have some difficulties here in setting everything up.
So far I have installed R2, enabled the roles and installed AD.
Can you please tell me where exactly you are choosing Account Type? You have mentioned AD required accounts but I cannot find this feature [SQL Service Account type etc..]
Also when going under Computer Management I do not have "Local Users and Groups" under this tree view.
Can you please advise? Thank you in advance

martin Poland

8/31/2010 9:39:48 PM

Hi Martin,

If you have installed your AD, please go to the AD server and log on. There you can go to
"Start -> Administrative Tools -> Active Directory Users and Computers".

Depending on your setup it might be located under
"Start -> Programs -> Administrative Tools -> Active Directory Users and Computers".

There you need to create the users... where "account type" is only a description for the purpose of this account. So it doesn't matter. What is more important are the following accounts:

sqlSvcAcc
setupAdmin
spFarmAcc

They have to exist in Active Directory. So if you followed the steps in this comment you should be able to create these 3 new users in Active Directory.

After you created them only the setupAdmin needs permissions assigned by you. These are the permissions described under "Setup administrator" in the article above.

If you need additional information please drop a comment.

Regards
Andreas

Andreas Glaser Switzerland
