The following error was raised by the SharePoint Health Analyzer:

Error 1: The server farm account should not be used for other services.

NA\prodspinstall, the account used for the SharePoint timer service and the Central Administration site, is highly privileged and should not be used for any other services on any machines in the server farm. The following services were found to use this account:

- SAM - 80 (Application Pool)
- SharePoint - 8001 (Application Pool)
- SharePoint - 8080 (Application Pool)
- SharePoint - BPSMERFWWF.pxl.int (Application Pool)
- SharePoint - TelePresence.pxl.int (Application Pool)
- OSearch14 (Windows Service)
- Web Analytics Data Processing Service (Windows Service)

Remedy: Browse to /_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=142685".

Two things are worth noting about this finding. First, the flagged account is named like an installation account (prodspinstall), which suggests that the account used to install SharePoint was also provisioned as the farm account; the sections below treat the installation account and the farm account as two separate identities. Second, the rule exists because every application pool and Windows service that runs as the farm account inherits that account's rights: a compromise of any one content web application (for example through code running in its worker process) then yields the identity that runs the timer service and Central Administration on every server in the farm, and with it full control of the farm.
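As an added example that is not part of the original post, the following SharePoint 2010 Management Shell script performs the check behind this rule and then applies the remedy from PowerShell instead of the FarmCredentialManagement.aspx page: it finds every service application pool, content web application pool and farm Windows service running as the timer service identity, and, when `$apply` is set, moves them to a dedicated managed account. The account name NA\sp_serviceapps is a placeholder and is assumed to be already registered with New-SPManagedAccount; the search service is handled through Set-SPEnterpriseSearchService because it keeps its own credential.

```powershell
# Added example (not from the original post): audit which IIS application pools
# and farm Windows services run as the farm account, then optionally reassign
# them. Run in the SharePoint 2010 Management Shell as a farm administrator.
# NA\sp_serviceapps is a placeholder and must already be a managed account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$apply      = $false                                   # set to $true to reassign
$newAccount = Get-SPManagedAccount "NA\sp_serviceapps"

$farm        = Get-SPFarm
$farmAccount = $farm.TimerService.ProcessIdentity.Username   # identity of SPTimerV4
Write-Host "Farm account (timer service identity): $farmAccount"

# 1. Service application pools
$svcPools = @(Get-SPServiceApplicationPool |
    Where-Object { $_.ProcessAccountName -eq $farmAccount })
$svcPools | ForEach-Object { Write-Host "Service app pool : $($_.Name)" }

# 2. Content web application pools. Central Administration is excluded because
#    the farm account is supposed to run it.
$webApps = @(Get-SPWebApplication |
    Where-Object { -not $_.IsAdministrationWebApplication -and
                   $_.ApplicationPool.Username -eq $farmAccount })
$webApps | ForEach-Object { Write-Host "Web app pool     : $($_.ApplicationPool.Name) ($($_.Url))" }

# 3. Farm Windows services (OSearch14, Web Analytics Data Processing, ...) that
#    run as a specific user. The timer service itself is skipped for the same reason.
$winServices = @($farm.Services |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] -and
                   $_ -isnot [Microsoft.SharePoint.Administration.SPTimerService] -and
                   $_.ProcessIdentity.CurrentIdentityType -eq "SpecificUser" -and
                   $_.ProcessIdentity.Username -eq $farmAccount })
$winServices | ForEach-Object { Write-Host "Windows service  : $($_.TypeName)" }

if (-not $apply) { Write-Host 'Audit only; set $apply = $true to reassign.'; return }

foreach ($pool in $svcPools) {
    Set-SPServiceApplicationPool -Identity $pool -Account $newAccount
}
foreach ($wa in $webApps) {
    $pool = $wa.ApplicationPool
    $pool.ManagedAccount = $newAccount   # SPApplicationPool inherits this from SPProcessIdentity
    $pool.Update()
    $pool.Deploy()                       # pushes the new identity to IIS on every server
}
foreach ($svc in $winServices) {
    if ($svc.GetType().FullName -eq "Microsoft.Office.Server.Search.Administration.SearchService") {
        # Enterprise Search (OSearch14) stores its own credential; the search
        # cmdlet updates the crawler components as well as the Windows service.
        $pwd = Read-Host -AsSecureString "Password for $($newAccount.Username)"
        Set-SPEnterpriseSearchService -ServiceAccount $newAccount.Username -ServicePassword $pwd
        continue
    }
    $id = $svc.ProcessIdentity
    $id.CurrentIdentityType = "SpecificUser"
    $id.ManagedAccount = $newAccount
    $id.Update()
    $id.Deploy()                         # reconfigures the Windows service on every server
}
```

Run it once in audit mode and compare the output with the services the Health Analyzer lists; after reassigning, re-run the rule from Central Administration (Monitoring, Review problems and solutions, Reanalyze Now) to confirm the finding clears.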
These are the basic accounts to configure for a SharePoint 2010 environment:

- SharePoint Installation Account
- SharePoint Farm Account
- Service Applications Account
- Content Web Application App Pool Account
- UPS Sync Account (User Profiles)
- My Site Host Web Application App Pool Account

Managed Service Accounts (registered as SharePoint managed accounts, so that SharePoint stores the credential and can change the password everywhere the account is used as a process identity):

- All Service Application Pool Accounts
  - Access Service Application
  - BCS Service Application
  - Excel Services Service Application
  - Metadata Service Application
  - PerformancePoint Service Application
  - Enterprise Search Service Application
  - Secure Store Service Application
  - Subscription Settings Service Application
  - User Profile Service Application
  - Visio Services Service Application
  - Web Analytics Service Application
  - Word Automation Service Application
  - Word Viewing Service Application
  - PowerPoint Viewing Service Application
  - Security Token Service Application
- All Content Web Application Pools
- Service Instances
  - Claims to Windows Token Service
  - Document Conversion Launcher Service
  - Document Conversion Load Balancer Service
  - Microsoft SharePoint Foundation Sandboxed Code Service
  - SharePoint Foundation Help Search
  - SharePoint Server Search (Enterprise Search)
  - Web Analytics Data Processing Service

Service Accounts (should not be managed accounts; these are used as credentials by a service, not as the identity of a process, and are stored by the service that uses them):

- Search Crawl Accounts
  - For Foundation Search and Server (Enterprise) Search
- Unattended User Accounts
  - Excel Services Service Application
  - Visio Services Service Application
  - PerformancePoint Service Application
  - (in general, any Secure Store application credentials)
- Object Cache Portal Accounts
  - Super User Account
  - Super Reader Account
- User Profile
  - Synchronization Service Account (listed incorrectly on the FarmCredentialManagement.aspx page)
  - Synchronization Connection Account
- Server Search Custom Crawl Rule Accounts
  - Any crawl rule that specifies an account other than the default crawl account
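As an added example that is not part of the original post, the following script shows the practical difference between the two lists above: the application pool identities are registered as managed accounts and handed to New-SPServiceApplicationPool and New-SPWebApplication, while the crawl account and the object cache accounts are given to the service that uses them as plain credentials or names and never appear in the managed account store. All account names, the web application URL and the content database name are placeholders assumed for this example.

```powershell
# Added example (not from the original post): register managed accounts for
# process identities, and configure the "should not be managed" accounts the
# way each consuming service expects. Names and URLs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Managed accounts: identities SharePoint runs worker processes as ---------
# Register once; SharePoint stores the credential and can rotate the password.
foreach ($name in "NA\sp_serviceapps", "NA\sp_defaultwebapp", "NA\sp_mysiteapp") {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPManagedAccount -Credential (Get-Credential $name) | Out-Null
    }
}
$svcAccount = Get-SPManagedAccount "NA\sp_serviceapps"
$webAccount = Get-SPManagedAccount "NA\sp_defaultwebapp"

# One application pool for the service applications, with its own identity
$svcPool = Get-SPServiceApplicationPool "SharePoint Service Applications" -ErrorAction SilentlyContinue
if (-not $svcPool) {
    $svcPool = New-SPServiceApplicationPool -Name "SharePoint Service Applications" -Account $svcAccount
}

# A content web application in a dedicated pool, never the farm account
$wa = Get-SPWebApplication "http://intranet.pxl.int" -ErrorAction SilentlyContinue
if (-not $wa) {
    $wa = New-SPWebApplication -Name "SharePoint - 80" -Port 80 -HostHeader "intranet.pxl.int" `
            -ApplicationPool "SharePoint - 80" -ApplicationPoolAccount $webAccount `
            -DatabaseName "WSS_Content_Intranet"
}

# --- Service accounts that must NOT be managed accounts -----------------------
# Crawl account: stored by the Search service application, because the crawler
# authenticates with it as a credential; no process ever runs as this account.
$ssa = Get-SPEnterpriseSearchServiceApplication
Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
    -DefaultContentAccessAccountName "NA\sp_crawl" `
    -DefaultContentAccessAccountPassword (Read-Host -AsSecureString "Password for NA\sp_crawl")

# Object cache accounts: only the names are stored on the web application,
# plus a user policy each. Classic-mode web application shown; for a claims
# web application use the claims form, e.g. "i:0#.w|NA\sp_superuser".
$wa.Properties["portalsuperuseraccount"]   = "NA\sp_superuser"
$wa.Properties["portalsuperreaderaccount"] = "NA\sp_superreader"
$fullControl = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$fullRead    = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$superUser   = $wa.Policy.Add("NA\sp_superuser",   "Portal Super User")
$superReader = $wa.Policy.Add("NA\sp_superreader", "Portal Super Reader")
$superUser.PolicyRoleBindings.Add($fullControl)
$superReader.PolicyRoleBindings.Add($fullRead)
$wa.Update()

# The UPS synchronization connection account is likewise never registered as a
# managed account: it is entered on the synchronization connection in Central
# Administration and needs only Replicating Directory Changes on the domain.
```

The distinction matters for least privilege: a managed account is an identity that SharePoint can start processes as on every server, so it is the set of accounts to keep small and to keep off the local Administrators groups, whereas a crawl or unattended account only needs the read or data access rights the consuming service uses it for.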
The service accounts and their purposes in detail (columns of the original table: Account, Purpose, Domain Rights, Local Admin Rights, SQL Server Rights, What happens behind the scenes):

SharePoint Installation Account (e.g. sp_install)

  Purpose: Installs the SharePoint binaries with the SharePoint setup program and runs the SharePoint Products Configuration Wizard. Performs post-installation updates, patches and the installation of products such as language packs. Provisions the server farm account during the configuration wizard.

  Domain rights: Must be a domain user account. Local user accounts are not supported.

  Local admin rights: Member of the local Administrators group on each server where the SharePoint installer runs (the WFE and application servers, not the SQL Server or SMTP server).

  SQL Server rights: A SQL Server login on the database server that will host the SharePoint 2010 databases, and a member of the securityadmin and dbcreator fixed server roles; SharePoint setup and psconfig.exe need these to create databases and to create SQL logins for the SharePoint accounts. Not required during installation: to run Windows PowerShell cmdlets that create or modify a database, the account needs the SharePoint_Shell_Access database role on that database (granted with Add-SPShellAdmin). This role is currently equivalent to db_owner but is kept as a separate role. Whether patching also needs it is still to be confirmed.

  What happens behind the scenes: After you run the configuration wizards, machine-level permissions and database permissions are added for this account. The wizard also configures the SharePoint 2010 Timer Service (SPTimerV4) to run as the farm account (sp_farm), the SharePoint 2010 Administration service (SPAdminV4) and the SharePoint 2010 VSS Writer (SPWriterV4) to run as Local System, and the SharePoint 2010 Tracing Service (SPTraceV4) to run as Local Service.

SharePoint Farm Account (e.g. sp_farm)

  Purpose: Configured automatically by the SharePoint Products Configuration Wizard, where it is called the database access account for the SharePoint_Config database. Used to configure and manage the farm; it becomes the owner of the farm, that is, db_owner of the SharePoint_Config database. Runs as the application pool identity of Central Administration and as the SharePoint Foundation Timer Service (SPTimerV4). It is also the account to run the User Profile Synchronization service as. Additional farm administrators are added from Central Administration while logged on with this account.

  Domain rights: Can be a local user account or a domain user account, but must be a domain account if SQL Server is hosted on another server.

  Local admin rights: Not required permanently. The farm account must be a member of the local Administrators group on the server where the User Profile Synchronization service is provisioned, and it can be removed from the group afterwards. Leaving it in the local Administrators group of every WFE and application server is convenient for SharePoint administrators, but it means that everything running as the farm account (the timer service on every server and Central Administration) runs with local administrator rights, so remove it once provisioning is complete.

  SQL Server rights: None need to be granted manually.

  What happens behind the scenes: The account is registered as a managed account in Central Administration. After you run the configuration wizards, additional permissions are granted automatically to the server farm account on each web and application server joined to the farm (membership of the WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4 and WSS_WPG local groups), and on SQL Server the account is made a member of the securityadmin and dbcreator fixed server roles and db_owner of the configuration database and the Central Administration content database.

Service Applications Account (e.g. sp_serviceapps)

  Purpose: Application pool identity under which most of the SharePoint 2010 service applications (WCF endpoints) run as the IIS worker process, for example the Managed Metadata Service and the User Profile Service. A service application pool and a web application pool behave the same way. You can create more than one service account to isolate the IIS worker processes the services run in.

  Domain rights: Must be a domain user account. Must be registered as a SharePoint managed account.

  Local admin rights: None.

  SQL Server rights: None need to be granted manually.

  What happens behind the scenes: After you create a SharePoint service application, the machine-level permission for this account (membership of the WSS_WPG local group) and the SQL Server and database permissions it needs on the databases that service application creates are configured automatically.

Content Web Application App Pool Account (e.g. sp_defaultwebapp)

  Purpose: Application pool identity under which the IIS site hosting the SharePoint content web applications and site collections runs as the IIS worker process. A service application pool and a web application pool behave the same way. It is best practice to run each content web application in its own application pool with a dedicated account.

  Domain rights: Must be a domain user account. Must be registered as a SharePoint managed account.

  Local admin rights: None.

  SQL Server rights: None need to be granted manually.

  What happens behind the scenes: After you create a SharePoint web application, the machine-level permission for this account (membership of the WSS_WPG local group) and the SQL Server and database permissions it needs (db_owner of the web application's content databases) are configured automatically.

UPS Sync Account (e.g. sp_ups)

  Purpose: Performs the user profile synchronization: Forefront Identity Manager (FIM) uses this account to import the Active Directory profiles. It is specified on the synchronization connection in the User Profile Service Application management page.

  Domain rights: Domain user account with the Replicating Directory Changes permission on the domain being imported. There is no need to register it as a SharePoint managed account.

  Local admin rights: None.

  SQL Server rights: None.

  What happens behind the scenes: Nothing is granted automatically.

My Site Host Web Application App Pool Account (e.g. sp_mysiteapp)

  Purpose: Application pool identity under which the IIS site hosting the My Site host web application and the users' personal sites runs as the IIS worker process.

  Domain rights: Must be a domain user account. Must not be a member of the Farm Administrators group.

  Local admin rights: None.

  SQL Server rights: None need to be granted manually.

  What happens behind the scenes: After you create the My Site host, the machine-level permission and the SQL Server and database permissions for this account are configured automatically, as for any other content web application pool account.
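As an added example that is not part of the original post, the following script checks the post-wizard state the table describes rather than assuming it: the identities of the four SharePoint Windows services, whether the farm account is still a local administrator (it should only be while the User Profile Synchronization service is provisioned), and the SQL Server roles of the installation and farm accounts. The SQL Server name SQL01 and the account names are placeholders; the SQL checks assume the caller's Windows identity can connect to the instance.

```powershell
# Added example (not from the original post): verify the identities and rights
# described in the account table. Run in the SharePoint 2010 Management Shell on
# a SharePoint server. Server and account names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sqlServer      = "SQL01"
$installAccount = "NA\sp_install"
$farmAccount    = (Get-SPFarm).TimerService.ProcessIdentity.Username   # e.g. NA\sp_farm

# 1. Windows service identities set by the configuration wizard.
#    Win32_Service reports built-in identities as LocalSystem / NT AUTHORITY\LocalService.
$expected = @{
    "SPTimerV4"  = $farmAccount
    "SPAdminV4"  = "LocalSystem"
    "SPWriterV4" = "LocalSystem"
    "SPTraceV4"  = "NT AUTHORITY\LocalService"
}
foreach ($name in $expected.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    $ok  = $svc -and ($svc.StartName -eq $expected[$name])
    "{0,-10} runs as {1,-28} {2}" -f $name, $svc.StartName, $(if ($ok) { "OK" } else { "UNEXPECTED" })
}

# 2. The farm account belongs in local Administrators only during UPS provisioning.
$admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($admins.psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
$farmSam = $farmAccount.Split("\")[-1]
if ($members -contains $farmSam) {
    "WARNING: $farmAccount is still a member of local Administrators on $env:COMPUTERNAME"
} else {
    "$farmAccount is not a local administrator: OK"
}

# 3. SQL Server roles: the installation account needs securityadmin and dbcreator,
#    the farm account must be db_owner of SharePoint_Config.
function Invoke-Scalar($database, $sql, $login) {
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$sqlServer;Database=$database;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        $cmd.Parameters.AddWithValue("@login", $login) | Out-Null   # parameterised, never concatenated
        $cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}
foreach ($role in "securityadmin", "dbcreator") {
    $r = Invoke-Scalar "master" "SELECT IS_SRVROLEMEMBER('$role', @login)" $installAccount
    "{0} in {1}: {2}" -f $installAccount, $role, $(if ($r -eq 1) { "OK" } else { "MISSING" })
}
$dboQuery = @"
SELECT COUNT(*) FROM sys.database_role_members rm
  JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
  JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
 WHERE r.name = 'db_owner' AND m.name = @login
"@
$dbo = Invoke-Scalar "SharePoint_Config" $dboQuery $farmAccount
"{0} db_owner of SharePoint_Config: {1}" -f $farmAccount, $(if ($dbo -ge 1) { "OK" } else { "MISSING" })
```

The role membership query uses sys.database_role_members rather than IS_ROLEMEMBER so that it also works on the SQL Server 2008 versions SharePoint 2010 runs on; run the script on each WFE and application server, since the local Administrators check is per machine.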