The following errors were generated by the SharePoint Health Analyzer.

Error 1: The server farm account should not be used for other services.

NA\prodspinstall, the account used for the SharePoint timer service and the Central Administration site, is highly privileged and should not be used for any other services on any machines in the server farm. The following services were found to use this account: SAM - 80 (Application Pool), SharePoint - 8001 (Application Pool), SharePoint - 8080 (Application Pool), SharePoint - BPSMERFWWF.pxl.int (Application Pool), SharePoint - TelePresence.pxl.int (Application Pool), OSearch14 (Windows Service), Web Analytics Data Processing Service (Windows Service).
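The same check the Health Analyzer rule performs can be run on demand. This is an added example, not part of the original post: it enumerates every application pool and farm-owned Windows service and reports those running as the farm account, allowing only Central Administration and the timer service. It assumes the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example (not from the original post): reproduce the Health Analyzer rule
# "The server farm account should not be used for other services" from the
# SharePoint 2010 Management Shell, so the check can be run before the rule fires.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm        = Get-SPFarm
$farmAccount = $farm.DefaultServiceAccount.Name    # identity of the timer service, e.g. NA\prodspinstall

$usages = @()

# Service application pools (the WCF endpoints)
foreach ($pool in Get-SPServiceApplicationPool) {
    $usages += New-Object PSObject -Property @{
        Kind = 'Application Pool'; Name = $pool.Name; Identity = $pool.ProcessAccountName; Allowed = $false
    }
}

# Web application pools; Central Administration is the one legitimate farm-account user here
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $usages += New-Object PSObject -Property @{
        Kind = 'Application Pool'; Name = $wa.ApplicationPool.Name
        Identity = $wa.ApplicationPool.Username; Allowed = $wa.IsAdministrationWebApplication
    }
}

# Windows services owned by the farm (OSearch14, Web Analytics Data Processing, SPTimerV4, ...)
foreach ($svc in $farm.Services) {
    if ($svc -is [Microsoft.SharePoint.Administration.SPWindowsService]) {
        $usages += New-Object PSObject -Property @{
            Kind = 'Windows Service'; Name = $svc.TypeName
            Identity = $svc.ProcessIdentity.Username
            Allowed = ($svc -is [Microsoft.SharePoint.Administration.SPTimerService])
        }
    }
}

# Anything else running as the farm account is a finding, which is exactly what the rule reports
$findings = $usages | Where-Object {
    $_.Identity -and ($_.Identity -ieq $farmAccount) -and (-not $_.Allowed)
}

if ($findings) {
    "Farm account $farmAccount is also used by:"
    $findings | Format-Table Kind, Name, Identity -AutoSize
} else {
    "Farm account $farmAccount is used only by Central Administration and the timer service."
}
```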
The following are the basic accounts that need to be configured for a SharePoint 2010 environment: SharePoint Installation Account, SharePoint Farm Account, Service Applications Account, Content Web Application App Pool Account, UPS Sync Account (User Profiles), and My Site Host Web Application App Pool Account.
Managed Service Accounts:
- All Service Application Pool Accounts
  - Access Service Application
  - BCS Service Application
  - Excel Services Service Application
  - Metadata Service Application
  - PerformancePoint Service Application
  - Enterprise Search Service Application
  - Secure Store Service Application
  - Subscription Settings Service Application
  - User Profile Service Application
  - Visio Services Service Application
  - Web Analytics Service Application
  - Word Automation Service Application
  - Word Viewing Service Application
  - PowerPoint Viewing Service Application
  - Security Token Service Application
- All Content Web Application Pools
- Service Instances
  - Claims to Windows Token Service
  - Document Conversion Launcher Service
  - Document Conversion Load Balancer Service
  - Microsoft SharePoint Foundation Sandboxed Code Service
  - SharePoint Foundation Help Search
  - SharePoint Server Search (Enterprise Search)
  - Web Analytics Data Processing Service
Service Accounts (should not be managed):
- Search Crawl Accounts
  - For Foundation Search and Server (Enterprise) Search
- Unattended User Accounts
  - Excel Services Service Application
  - Visio Services Service Application
  - PerformancePoint Service Application
  - (in general, any Secure Store application credentials)
- Object Cache Portal Accounts
  - Super User Account
  - Super Reader Account
- User Profile
  - Synchronization Service Account (listed incorrectly on the FarmCredentialManagement.aspx page)
  - Synchronization Connection Account
- Server Search Custom Crawl Rule Accounts
  - Any crawl rule that specifies an account other than the default crawl account
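Putting the two lists above into practice means registering the accounts that should be managed, giving service applications their own pool, and re-pointing the flagged service instances away from the farm account. This is an added example, not part of the original post; the DOMAIN\sp_* names, the pool name and the credential prompts are placeholders, and it assumes the SharePoint 2010 Management Shell running as a farm administrator.

```powershell
# Added example (not from the original post): register dedicated managed accounts for
# the categories the list above says should be managed, create a service application
# pool for them, and move two of the flagged services (Web Analytics Data Processing,
# OSearch14) off the farm account. Account names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Ensure-ManagedAccount {
    param([string]$UserName)
    $existing = try { Get-SPManagedAccount -Identity $UserName -ErrorAction Stop } catch { $null }
    if ($existing) { return $existing }
    # New-SPManagedAccount stores the credential in the farm so SharePoint can manage it
    New-SPManagedAccount -Credential (Get-Credential $UserName)
}

$svcApps = Ensure-ManagedAccount 'DOMAIN\sp_serviceapps'   # service application pools and service instances
$webApps = Ensure-ManagedAccount 'DOMAIN\sp_defaultwebapp' # content web application pools

# One pool for service applications, separate from the farm account and from content pools
$poolName = 'SharePoint Service Applications'
$pool = try { Get-SPServiceApplicationPool -Identity $poolName -ErrorAction Stop } catch { $null }
if (-not $pool) {
    New-SPServiceApplicationPool -Name $poolName -Account $svcApps | Out-Null
}

# Web Analytics Data Processing Service is a service instance, so set its process identity
$webAnalytics = (Get-SPFarm).Services |
    Where-Object { $_.TypeName -eq 'Web Analytics Data Processing Service' }
if ($webAnalytics) {
    $identity = $webAnalytics.ProcessIdentity
    $identity.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::SpecificUser
    $identity.ManagedAccount = $svcApps
    $identity.Update()
    $identity.Deploy()   # pushes the new logon to the Windows service on every farm server
}

# OSearch14 (Enterprise Search service instance) has its own cmdlet that takes the account directly
$searchCred = Get-Credential 'DOMAIN\sp_search'
Set-SPEnterpriseSearchService -ServiceAccount $searchCred.UserName -ServicePassword $searchCred.Password

# Crawl accounts are deliberately left unmanaged, as the second list above says
Get-SPManagedAccount | Format-Table UserName, AutomaticChange -AutoSize
```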
The service accounts and their purposes are listed below. Each entry follows the columns of the original table: Account, Purpose, Domain Rights, Local Admin Rights, SQL Server Rights, and What Happens Behind the Scenes.

SharePoint Installation Account (e.g. sp_install)

Purpose: Installs the SharePoint binaries using the SharePoint Setup program and runs the SharePoint Products Configuration Wizard. Performs post-installation updates, patches, and installation of products such as language packs. Provisions the server farm account during the SharePoint Products Configuration Wizard.

Domain Rights: Must be a domain user account. Local user accounts are not supported.

Local Admin Rights: Member of the local Administrators group on each server where the SharePoint installer runs (i.e. WFE and application servers, excluding the SQL Server or SMTP server).

SQL Server Rights: SQL Server login on the database server; needs access to the SQL Server instance where the SharePoint 2010 databases will run. Member of the following SQL Server security roles: the securityadmin fixed server role and the dbcreator fixed server role. SharePoint setup and psconfig.exe require these privileges to create databases and to create SQL logins for the SharePoint accounts. Not required during installation but may be required for patching (needs confirmation): membership in the db_owner fixed database role if you run PowerShell cmdlets that affect the database. In practice, the installation account requires the SharePoint_Shell_Access database role on any database you want to create or modify using Windows PowerShell. This role is currently equivalent to db_owner, but is a separate role.

What Happens Behind the Scenes: After you run the configuration wizards, machine-level permissions for this account are added:
- Membership in the WSS_ADMIN_WPG Windows security group.
After you run the configuration wizards, database permissions are added:
- db_owner on the SharePoint Server 2010 server farm configuration database.
- db_owner on the SharePoint Server 2010 Central Administration content database.
- Never has access to the service application databases or the web application content databases.
The wizard also configures the following Windows services:
- SharePoint 2010 Timer Service (SPTimerV4) runs under the farm account (sp_farm).
- SharePoint Administration Windows service (SPAdminV4) runs under Local System.
- SharePoint VSS Writer (SPWriterV4) runs under Local System.
- SharePoint Tracing Service (SPTraceV4) runs under Local Service.

SharePoint Farm Account (e.g. sp_farm)

Purpose: This account is configured automatically during the SharePoint Configuration Wizard, where it is also known as the Database Access Account for the SharePoint_Config database. Used to configure and manage the SharePoint farm; it becomes the owner of the farm, in other words it is configured as db_owner of the SharePoint_Config database. Acts as the application pool identity for SharePoint Central Administration. Runs the SharePoint Foundation Timer Service (SPTimerV4). It is the preferred account for running the User Profile Synchronization Service. Using this account, you can add additional farm administrators from the Central Administration site.

Domain Rights: Can be a local user account or a domain user account. Must be a domain account if SQL Server is hosted on another server.

Local Admin Rights: Although not required on a permanent basis, the farm account should be a member of the local Administrators group on each server where the SharePoint installer runs (i.e. WFE and application servers, excluding the SQL Server or SMTP server); this gives the SharePoint admins ease of access. It must be a member of the local Administrators group on the server during the UPS service provisioning process.

SQL Server Rights: None.

What Happens Behind the Scenes: This account is registered as a Managed Account in Central Administration. After you run the configuration wizards, additional permissions are granted automatically to the server farm account on web servers and application servers that are joined to the farm:
- Membership in the WSS_ADMIN_WPG Windows security group for the SharePoint Foundation 2010 Timer service.
- Membership in WSS_RESTRICTED_WPG for the Central Administration and Timer service application pools.
- Membership in WSS_WPG for the Central Administration application pool.
- Membership in the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the earlier IIS_WPG built-in group.
After you run the configuration wizards, the SQL Server and database permissions for sp_farm include:
- Added as a SQL Server login on the database server.
- Added to the dbcreator fixed server role, because when you create new web applications and content databases, Central Administration's application pool identity (sp_farm) has to be able to create those databases on the SQL server.
- Added to the securityadmin fixed server role, because Central Administration creates SQL Server logins when you create managed accounts or modify app pool identities; each web application pool's identity must have a login for that web application's content databases.
- Added to the db_owner fixed database role for all SharePoint databases on the farm (configuration databases, service application databases, and content databases).
- Added to the WSS_CONTENT_APPLICATION_POOLS and SharePoint_Shell_Access fixed database roles for the SharePoint Server 2010 SharePoint_Config and SharePoint_AdminContent databases.

Service Applications Account (e.g. sp_serviceapps)

Purpose: Application pool identity used to run the majority of the SharePoint 2010 service applications (WCF endpoints) as the IIS worker process (e.g. Managed Metadata Service and/or User Profile Service). Note that service application app pools and web application app pools behave the same way. You can create more than one service account to isolate the IIS processes under which the services run.

Domain Rights: Must be a domain user account. Must be registered as a SharePoint Managed Account.

Local Admin Rights: None.

SQL Server Rights: None.

What Happens Behind the Scenes: After you create a SharePoint service application, the following machine-level permissions are configured automatically:
- Member of WSS_WPG.
- Member of the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the earlier IIS_WPG built-in group.
After you create a SharePoint service application, the following SQL Server and database permissions are configured automatically:
- Assigned to the db_owner role for the service application databases (e.g. Managed Metadata, User Profile DBs, etc.).
- Never has access to the associated web application content databases.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.

Content Web Application App Pool Account (e.g. sp_defaultwebapp)

Purpose: Application pool identity used to run the IIS site hosting the SharePoint content web applications and site collections as the IIS worker process. Note that service application app pools and web application app pools behave the same way. It is best practice to run every content web application under its own dedicated application pool account.

Domain Rights: Must be a domain user account. Must be registered as a SharePoint Managed Account.

Local Admin Rights: None.

SQL Server Rights: None.

What Happens Behind the Scenes: After you create a SharePoint web application, the following machine-level permission is configured automatically:
- Member of the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the earlier IIS_WPG built-in group.
After you create a SharePoint web application, the following SQL Server and database permissions are configured automatically:
- Assigned to the db_owner role for the web application content databases.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.
- Assigned to the db_owner role for the associated User Profile service application databases (Profile DB, Sync DB, and Social DB).

UPS Sync Account (e.g. sp_ups)

Purpose: Performs the User Profile synchronization. FIM uses this account to import the AD profiles. It is specified on the Synchronization Connection on the User Profile Service administration page.

Domain Rights: Domain user account with the Replicating Directory Changes permission. No need to register it as a SharePoint Managed Account.

Local Admin Rights: None.

SQL Server Rights: None.

What Happens Behind the Scenes: None.

My Site Host Web Application App Pool Account (e.g. sp_mysiteapp)

Purpose: Application pool identity used to run the IIS site hosting the My Sites web application and the users' personal sites as the IIS worker process.

Domain Rights: Must be a domain user account. Must not be a member of the Farm Administrators group.

Local Admin Rights: None.

SQL Server Rights: None.

What Happens Behind the Scenes: After you create the My Site Host, the following machine-level permissions are configured automatically:
- Member of WSS_WPG.
- Member of the built-in IIS_IUSRS group on IIS 7 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2); IIS_IUSRS replaces the earlier IIS_WPG built-in group.
After you create the My Site Host, the following SQL Server and database permissions are configured automatically:
- Assigned to the db_owner role for the My Site Host web application content databases.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the farm configuration database.
- Assigned to the WSS_CONTENT_APPLICATION_POOLS role on the SharePoint_AdminContent database.
- Assigned to the db_owner role for the associated User Profile service application databases (Profile DB, Sync DB, and Social DB).
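The machine-level memberships listed above are worth verifying on each farm server, since anything extra in WSS_ADMIN_WPG or WSS_RESTRICTED_WPG effectively has farm-level rights. This is an added example, not part of the original post: it reads the local groups through ADSI and compares them with the expected accounts; the DOMAIN\sp_* names are placeholders to replace with your own.

```powershell
# Added example (not from the original post): on a farm server, compare the local
# WSS_* and IIS_IUSRS group membership against what the table above says SharePoint
# adds for each account. The expected names are placeholders for your own accounts.
$expected = @{
    'WSS_ADMIN_WPG'      = @('DOMAIN\sp_install', 'DOMAIN\sp_farm')
    'WSS_RESTRICTED_WPG' = @('DOMAIN\sp_farm')
    'WSS_WPG'            = @('DOMAIN\sp_farm', 'DOMAIN\sp_serviceapps', 'DOMAIN\sp_mysiteapp')
    'IIS_IUSRS'          = @('DOMAIN\sp_farm', 'DOMAIN\sp_serviceapps',
                             'DOMAIN\sp_defaultwebapp', 'DOMAIN\sp_mysiteapp')
}

function Get-LocalGroupMembers {
    param([string]$GroupName)
    # The ADSI WinNT provider works on Windows Server 2008/2008 R2 without extra modules
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath is WinNT://DOMAIN/name (or WinNT://COMPUTER/name); report it as DOMAIN\name
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($groupName in $expected.Keys) {
    $actual = @(Get-LocalGroupMembers $groupName)
    foreach ($member in $actual) {
        if ($expected[$groupName] -notcontains $member) {
            # Built-in identities (e.g. NT AUTHORITY\LOCAL SERVICE for SPTraceV4) land here too;
            # review them once and add them to $expected if they are legitimate
            New-Object PSObject -Property @{ Group = $groupName; Member = $member; Status = 'Unexpected' }
        }
    }
    foreach ($wanted in $expected[$groupName]) {
        if ($actual -notcontains $wanted) {
            New-Object PSObject -Property @{ Group = $groupName; Member = $wanted; Status = 'Missing' }
        }
    }
}

$report | Sort-Object Group, Status | Format-Table Group, Member, Status -AutoSize
```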