Account permissions and security settings (SharePoint Server 2010)
Good article from MS on Account permissions and security settings (SharePoint Server 2010)

In this Microsoft article:

This article describes Microsoft SharePoint Server 2010 administrative and services account permissions. It covers the following areas: Microsoft SQL Server, the file system, file shares, and registry entries.

About account permissions and security settings

Many of the SharePoint Server 2010 baseline account permissions and security settings are configured by the SharePoint Configuration Wizard (Psconfig) and the Farm Creation Wizard, both of which are run during a Complete installation.

Administrative accounts

Most of the SharePoint Server 2010 administrative account permissions are configured automatically during the setup process by one of the following SharePoint Server 2010 components:

- The SharePoint Configuration Wizard (Psconfig).
- The Farm Creation Wizard.
- The SharePoint Central Administration Web site.
- Windows PowerShell.

Setup user administrator account

This account is used to set up each server in your farm by running the SharePoint Configuration Wizard, the initial Farm Creation Wizard, and Windows PowerShell. For the examples in this article, the setup user administrator account is used for farm administration, and it can be managed using Central Administration. Some configuration options require local administration permissions: for example, configuration of the SharePoint Server 2010 Search query server. The setup user administrator account requires the following permissions:

- It must have domain user account permissions.
- It must be a member of the local administrators group on each server in the SharePoint Server 2010 farm, excluding SQL Server and the Simple Mail Transfer Protocol (SMTP) server.
- This account must have access to the SharePoint Server 2010 databases.
- If you use any Windows PowerShell operations that affect a database, the setup user administrator account must be a member of the db_owner role.
- This account must be assigned to the securityadmin and dbcreator SQL Server security roles during setup and configuration.

Note: The securityadmin and dbcreator SQL Server security roles might be required for this account during a complete version-to-version upgrade because new databases might have to be created and secured for services.

After you run the configuration wizards, machine-level permissions for the setup user administrator account include:

- Membership in the WSS_ADMIN_WPG Windows security group.
- Membership in the IIS_WPG role.

After you run the configuration wizards, database permissions include:

- db_owner on the SharePoint Server 2010 server farm configuration database.
- db_owner on the SharePoint Server 2010 Central Administration content database.

Warning: If the setup user administrator account is removed as a login from the computer running SQL Server, the configuration wizards will not run correctly. If you run the configuration wizards using an account that does not have the appropriate special SQL role membership, or access as db_owner on the databases, the configuration wizards will not run correctly.
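
As an added example (not part of the Microsoft article), the following PowerShell script checks the setup user administrator account against the requirements listed above: local Administrators membership on each farm server, the securityadmin and dbcreator fixed server roles, and db_owner on the configuration database. The account name, server names and SQL instance are placeholders for your own farm; the ADSI and SqlClient calls are standard .NET and the comparison logic is mine.

```powershell
# Added example, not from the Microsoft article: checks the setup user
# administrator account against the requirements listed above. Every name
# below is a placeholder for your own farm.
param(
    [string]   $SetupAccount = 'CONTOSO\sp_setup',        # placeholder account
    [string[]] $FarmServers  = @('SPWFE01', 'SPAPP01'),   # placeholder farm servers (no SQL or SMTP servers)
    [string]   $SqlInstance  = 'SPSQL01\SHAREPOINT',      # placeholder SQL Server instance
    [string]   $ConfigDb     = 'SharePoint_Config'
)

function Test-LocalAdminMembership {
    # True when $Account is a direct member of the local Administrators group on $Computer (ADSI WinNT provider).
    param([string]$Computer, [string]$Account)
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    # ADsPath looks like WinNT://CONTOSO/sp_setup; normalise it to CONTOSO\sp_setup.
    $normalised = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
    return ($normalised -contains $Account)
}

function Invoke-SqlScalar {
    # Runs a parameterised query with the caller's Windows credentials; returns the first column of the first row.
    param([string]$Instance, [string]$Database, [string]$Query, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
        return $cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

function New-Finding {
    param([string]$Check, [string]$Actual)
    New-Object PSObject -Property @{ Check = $Check; Expected = 'member'; Actual = $Actual }
}

# IS_SRVROLEMEMBER / IS_ROLEMEMBER return 1 (member), 0 (not a member) or NULL (principal not found).
function ConvertTo-Status {
    param($SqlResult, [string]$NotFound)
    if ($SqlResult -is [int]) { if ($SqlResult -eq 1) { 'member' } else { 'NOT a member' } } else { $NotFound }
}

$findings = @()

# 1. Local Administrators on each farm server (the article excludes the SQL Server and SMTP servers).
foreach ($server in $FarmServers) {
    $isAdmin = Test-LocalAdminMembership -Computer $server -Account $SetupAccount
    $findings += New-Finding -Check "Local Administrators on $server" -Actual $(if ($isAdmin) { 'member' } else { 'NOT a member' })
}

# 2. securityadmin and dbcreator fixed server roles. A NULL here is the "removed as a login"
#    condition the warning above says will break the configuration wizards.
foreach ($role in 'securityadmin', 'dbcreator') {
    $r = Invoke-SqlScalar -Instance $SqlInstance -Database 'master' `
        -Query 'SELECT IS_SRVROLEMEMBER(@role, @login)' `
        -Parameters @{ '@role' = $role; '@login' = $SetupAccount }
    $findings += New-Finding -Check "SQL fixed server role $role" -Actual (ConvertTo-Status $r 'login not found')
}

# 3. db_owner in the configuration database. IS_ROLEMEMBER takes a database user, so map the login
#    to its user by SID; no row means the login has no user in that database.
$q = @'
SELECT IS_ROLEMEMBER('db_owner', dp.name)
FROM sys.database_principals dp
JOIN sys.server_principals sp ON dp.sid = sp.sid
WHERE sp.name = @login
'@
$r = Invoke-SqlScalar -Instance $SqlInstance -Database $ConfigDb -Query $q -Parameters @{ '@login' = $SetupAccount }
$findings += New-Finding -Check "db_owner on $ConfigDb" -Actual (ConvertTo-Status $r 'no database user mapped')

$findings | Format-Table Check, Expected, Actual -AutoSize
```

Run it before Psconfig or a farm upgrade; any row whose Actual column is not "member" corresponds to one of the failure conditions the warning above describes.
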
Farm service account

The server farm account is also referred to as the database access account and is used as the application pool identity for Central Administration, and as the process account for the Microsoft SharePoint Foundation 2010 Timer service. The server farm account requires the following permissions:

- It must have domain user account permissions.

Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm.

After you run the SharePoint Configuration Wizard, machine-level permissions include:

- Membership in the WSS_ADMIN_WPG Windows security group for the SharePoint Foundation 2010 Timer service.
- Membership in WSS_RESTRICTED_WPG for the Central Administration and Timer service application pools.
- Membership in WSS_WPG for the Central Administration application pool.

After you run the configuration wizards, SQL Server and database permissions include:

- Dbcreator fixed server role.
- Securityadmin fixed server role.
- db_owner for all SharePoint Server 2010 databases.
- Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint Server 2010 server farm configuration database.
- Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint Server 2010 SharePoint_Admin content database.

Microsoft SharePoint Foundation 2010 search service account

The SharePoint Foundation 2010 search service account is used as the service account for the SharePoint Foundation 2010 Search service. The SharePoint Foundation 2010 search service account requires the following permission configuration settings:

- This account must have domain user account permissions.

The following machine-level permission is configured automatically: The search service account is a member of WSS_WPG.

The following SQL Server and database permissions are conferred by membership in the WSS_CONTENT_APPLICATION_POOLS role in the server farm configuration database:

- Read access to the server farm configuration database.
- Read access to the SharePoint_Admin content database.
- This account is assigned the db_owner role for the SharePoint Foundation 2010 search database.

Microsoft SharePoint Foundation 2010 search content access account

The SharePoint Foundation 2010 search content access account is used by the SharePoint Foundation 2010 Search service to crawl content across sites. The SharePoint Foundation 2010 search content access account requires the following permission configuration settings:

- This account must have domain user account permissions.
- This account must not be a member of the farm administrators group.

The following SQL Server and database permissions are configured automatically:

- Read access to the server farm configuration database.
- Read access to the SharePoint_Admin content database.
- This account is assigned to the db_owner role for the SharePoint Foundation 2010 search database.

A full Read policy for the SharePoint Foundation 2010 search content access account is created on all Web applications.

Service application accounts

This section describes the service application accounts that are set up by default during installation.

Application pool account

The application pool account is used for application pool identity. Its permission configuration settings are as follows.

The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG.

The following SQL Server and database permissions for this account are configured automatically:

- The application pool accounts for Web applications are assigned to the db_owner role for the content databases.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

SharePoint Server search service account

The SharePoint Server 2010 Search service account is used as the service account for the SharePoint Server 2010 Search service. The SharePoint Server Search Service is an NT Service, which is used by all Search Service Applications. For any given server, there is only one instance of this service. The SharePoint Server 2010 search service account requires the following permission configuration setting: The SharePoint Server 2010 search service account is granted access to the propagation location share (or shares) on all search query servers in a farm.

The following machine-level permission is configured automatically: The SharePoint Server 2010 search service account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Default content access account

The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern. This account requires the following permission configuration settings:

- The default content access account must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account.
- For SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.
- This account must not be a member of the farm administrators group.

Content access accounts

Content access accounts are accounts that are configured to access content by using the Search administration crawl rules feature. This type of account is optional and can be configured when you create a new crawl rule. For example, external content (such as a file share) might require this separate content access account. This account requires the following permission configuration settings:

- The content access account must have read access to external or secure content sources that this account is configured to access.
- For SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.

Excel Services unattended service account

The Excel Services unattended service account is used by Excel Services to connect to external data sources that require a user name and password for authentication and that are based on operating systems other than Windows. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account's credentials are used to connect to data sources on operating systems other than Windows, Excel Services cannot access the account unless it is a member of the domain. This account must be a domain user account.

My Sites application pool account

The My Sites application pool account must be a domain user account. This account must not be a member of the farm administrators group.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Other application pool accounts

The other application pool account must be a domain user account. This account must not be a member of the administrators group on any computer in the server farm.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

- This account is assigned to the db_owner role for the content databases.
- This account is assigned to the db_owner role for search databases associated with the Web application.
- This account must have read and write access to the associated service application database.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
- This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Database roles

This section describes the database roles that are either set up by default during installation, or that can be optionally configured.

WSS_CONTENT_APPLICATION_POOLS database role

The WSS_CONTENT_APPLICATION_POOLS database role applies to the application pool account for each Web application that is registered in SharePoint. This enables the Web applications to query and update the site map, and have read-only access to other items in the configuration database. Setup assigns the WSS_CONTENT_APPLICATION_POOLS role to the following databases:

- The SharePoint_Config database (the configuration database).
- The SharePoint_AdminContent database.

Members of the WSS_CONTENT_APPLICATION_POOLS role are granted the execute permission for a subset of the stored procedures for the database. In addition, members of this role are granted the select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database. For other databases, the accounts planning tool indicates that access to read these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions for stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:

- proc_dropEmailEnabledList
- proc_dropEmailEnabledListsByWeb
- proc_dropSiteMap
- proc_markForDeletionEmailEnabledList
- proc_markForDeletionEmailEnabledListsBySite
- proc_markForDeletionEmailEnabledListsByWeb
- proc_putDistributionListToDelete
- proc_putEmailEnabledList
- proc_putSiteMap

WSS_SHELL_ACCESS database role

The secure WSS_SHELL_ACCESS database role on the configuration database replaces the need to add an administration account as a db_owner on the configuration database. By default, the setup account is assigned to the WSS_SHELL_ACCESS database role. Membership in this role is granted and removed by using a Windows PowerShell command. Setup assigns the WSS_SHELL_ACCESS role to the following databases:

- The SharePoint_Config database (the configuration database).
- One or more of the SharePoint Content databases. This is configurable by using the Windows PowerShell command that manages membership, and the object assigned to this role.

Members of the WSS_SHELL_ACCESS role are granted the execute permission for all of the stored procedures for the database. In addition, members of this role are granted the read and write permissions on all of the database tables.
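
The Windows PowerShell commands this section refers to are the SharePoint 2010 cmdlets Get-SPShellAdmin, Add-SPShellAdmin and Remove-SPShellAdmin, which manage membership on the configuration database and, with -database, on a content database. The script below is an added example (not from the Microsoft article) that audits current membership against an approved list and optionally removes anyone else; the approved list and the account names are placeholders, and the cmdlets require the caller to hold securityadmin on the SQL instance and db_owner on the databases touched.

```powershell
# Added example, not from the Microsoft article. Audits membership of the
# shell-access database role described above against an approved list and,
# with -Remediate, removes unapproved members. Run from the SharePoint 2010
# Management Shell as the setup user administrator account.
param(
    [string[]] $ApprovedShellAdmins = @('CONTOSO\sp_setup'),   # placeholder approved list
    [switch]   $Remediate                                       # remove unapproved members when set
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ShellAdminDrift {
    # Emits one object per member of the role on $Database that is not on the approved list.
    # $Database = $null means the configuration database, which is Get-SPShellAdmin's default scope.
    param($Database, [string]$Label, [string[]]$Approved)
    $members = if ($Database) { Get-SPShellAdmin -database $Database } else { Get-SPShellAdmin }
    foreach ($m in @($members)) {
        if ($Approved -notcontains $m.UserName) {
            New-Object PSObject -Property @{ Database = $Label; UserName = $m.UserName }
        }
    }
}

$drift = @()
# Configuration database first: the article says setup grants the role there by default.
$drift += Get-ShellAdminDrift -Database $null -Label 'SharePoint_Config' -Approved $ApprovedShellAdmins
# Then every content database, because membership there is configured per database.
foreach ($db in Get-SPContentDatabase) {
    $drift += Get-ShellAdminDrift -Database $db -Label $db.Name -Approved $ApprovedShellAdmins
}

if (-not $drift) {
    Write-Host 'Shell-access role membership matches the approved list on all databases.'
} else {
    $drift | Format-Table Database, UserName -AutoSize
    if ($Remediate) {
        foreach ($d in $drift) {
            if ($d.Database -eq 'SharePoint_Config') {
                Remove-SPShellAdmin -UserName $d.UserName -Confirm:$false
            } else {
                Remove-SPShellAdmin -UserName $d.UserName -database (Get-SPContentDatabase $d.Database) -Confirm:$false
            }
        }
    }
}

# Granting is the mirror operation; with -database the user is added on that content
# database as well as on the configuration database. Placeholder names:
#   Add-SPShellAdmin -UserName 'CONTOSO\sp_ops' -database (Get-SPContentDatabase 'WSS_Content')
```

Because this role replaces db_owner on the configuration database for administrators, an unexpected entry in the drift report is the SharePoint equivalent of an unexpected db_owner and should be investigated before it is removed.
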
          
 
 
 
        
      
      
Group permissions

This section describes permissions of groups that are created by the SharePoint Server 2010 setup and configuration tools.

WSS_ADMIN_WPG

WSS_ADMIN_WPG has read and write access to local resources. The application pool accounts for the Central Administration and Timer services are in WSS_ADMIN_WPG. The following table shows the WSS_ADMIN_WPG registry entry permissions.

          
 
            
| Key name | Permissions | Inherit | Description |
| --- | --- | --- | --- |
| HKEY_CLASSES_ROOT\APPID\{58F1D482-A132-4297-9B8A-F8E4E600CDF6} | Full control | N/A | This is the SharePoint Server 2010 Search service COM Application. |
| HKEY_CLASSES_ROOT\APPID\{6002D29F-1366-4523-88C1-56D59BFEF8CB} | Full control | N/A | This is the SharePoint Foundation 2010 Search service COM Application. |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS | Full control | N/A | N/A |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office\14.0\Registration\{90120000-110D-0000-0000-0000000FF1CE} | Read, write | N/A | N/A |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server | Read | No | This key is the root of the SharePoint Server 2010 registry settings tree. If this key is altered, SharePoint Server 2010 functionality will fail. |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0 | Full control | No | This key is the root of the SharePoint Server 2010 registry settings. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LoadBalancerSettings | Read, write | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LauncherSettings | Read, write | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\Search | Full control | N/A | N/A |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Search | Full control | N/A | N/A |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure | Full control | No | This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint Server installation on the machine will not function. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS | Full control | Yes | This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail. |

The following table shows the WSS_ADMIN_WPG file system permissions.
          
 
            
| File system path | Permissions | Inherit | Description |
| --- | --- | --- | --- |
| %AllUsersProfile%\Application Data\Microsoft\Sharepoint | Full control | No | This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted. |
| C:\Inetpub\wwwroot\wss | Full control | No | This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint Server. |
| %ProgramFiles%\Microsoft Office Servers\14.0 | Full control | No | This directory is the installation location for SharePoint Server 2010 binaries and data. The directory can be changed during installation. All SharePoint Server 2010 functionality will fail if this directory is removed or altered after installation. Membership in the WSS_ADMIN_WPG Windows security group is required for some SharePoint Server 2010 services to be able to store data on disk. |
| %ProgramFiles%\Microsoft Office Servers\14.0\WebServices | Read, write | No | This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint Server 2010 features that depend on these services will fail if this directory is removed or altered. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Data | Full control | No | This directory is the root location where local data is stored, including search indexes. Search functionality will fail if this directory is removed or altered. WSS_ADMIN_WPG Windows security group permissions are required to enable search to save and secure data in this folder. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Logs | Full control | Yes | This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Data\Office Server | Full control | Yes | Same as the parent folder. |
| %windir%\System32\drivers\etc\HOSTS | Read, write | N/A | N/A |
| %windir%\Tasks | Full control | N/A | N/A |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14 | Modify | Yes | This directory is the installation directory for core SharePoint Server files. If the access control list (ACL) is modified, feature activation, solution deployment, and other features will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\ADMISAPI | Full control | Yes | This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\CONFIG | Full control | Yes | This directory contains files used to extend IIS Web sites with SharePoint Server. If this directory or its contents are altered, Web application provisioning will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\LOGS | Full control | No | This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\Data | Full control | Yes | N/A |
| %windir%\temp | Full control | Yes | This directory is used by platform components on which SharePoint Server depends. If the ACL is modified, Web Part rendering and other deserialization operations might fail. |
| %windir%\System32\logfiles\SharePoint | Full control | No | This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly. |
| %systemdrive%\program files\Microsoft Office Servers\14 folder on Index servers | Full control | N/A | This permission is granted for the %systemdrive%\program files\Microsoft Office Servers\14 folder on Index servers. |
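
The two tables above are, in effect, a baseline; the script below is an added example (not from the Microsoft article) that reads the live ACLs of a subset of those registry keys and directories and reports whether WSS_ADMIN_WPG still holds at least the rights listed, so that drift (a folder "hardened" by hand, or widened by a deployment tool) is detected before it shows up as a failed service. It assumes it runs locally on a SharePoint 2010 server as a local administrator; the row list is transcribed from the tables, and the same script audits the WSS_WPG tables by changing $Group and the rows.

```powershell
# Added example, not from the Microsoft article. Compares the current ACLs of
# a subset of the tabulated registry keys and directories with the rights the
# tables grant to WSS_ADMIN_WPG. Run locally, as a local administrator.
param([string]$Group = 'WSS_ADMIN_WPG')

# Rows transcribed from the tables above, using the .NET enum names for rights:
# a registry "Read" is ReadKey, "Read, write" is ReadKey,WriteKey.
$expected = @(
    @{ Kind = 'Registry'; Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server';                                  Rights = 'ReadKey' },
    @{ Kind = 'Registry'; Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0';                             Rights = 'FullControl' },
    @{ Kind = 'Registry'; Path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LoadBalancerSettings';        Rights = 'ReadKey,WriteKey' },
    @{ Kind = 'Registry'; Path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure'; Rights = 'FullControl' },
    @{ Kind = 'File';     Path = '%AllUsersProfile%\Application Data\Microsoft\Sharepoint';                              Rights = 'FullControl' },
    @{ Kind = 'File';     Path = '%ProgramFiles%\Microsoft Office Servers\14.0\WebServices';                              Rights = 'Read,Write' },
    @{ Kind = 'File';     Path = '%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14';                        Rights = 'Modify' },
    @{ Kind = 'File';     Path = '%windir%\System32\drivers\etc\HOSTS';                                                   Rights = 'Read,Write' }
)

function Test-GroupAccess {
    # Returns one report object per row: OK, DRIFT (listed rights missing), DENY PRESENT or MISSING PATH.
    param([hashtable]$Row, [string]$GroupName)
    if ($Row.Kind -eq 'Registry') {
        $path       = "Registry::$($Row.Path)"
        $rightsType = [System.Security.AccessControl.RegistryRights]
        $rightsProp = 'RegistryRights'
    } else {
        $path       = [Environment]::ExpandEnvironmentVariables($Row.Path)
        $rightsType = [System.Security.AccessControl.FileSystemRights]
        $rightsProp = 'FileSystemRights'
    }
    if (-not (Test-Path -Path $path)) {
        return New-Object PSObject -Property @{ Path = $Row.Path; Status = 'MISSING PATH'; Expected = $Row.Rights; Granted = '' }
    }
    $want    = [int][Enum]::Parse($rightsType, $Row.Rights)
    $granted = 0
    $denied  = $false
    foreach ($ace in (Get-Acl -Path $path).Access) {
        # Local groups appear as COMPUTERNAME\WSS_ADMIN_WPG, so match on the group name only.
        if ($ace.IdentityReference.Value -notlike "*\$GroupName") { continue }
        $bits = [int]$ace.$rightsProp
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bits } else { $denied = $true }
    }
    # The table rights are a minimum: every expected bit must be present in the union of Allow ACEs.
    $status = if ($denied) { 'DENY PRESENT' } elseif (($granted -band $want) -eq $want) { 'OK' } else { 'DRIFT' }
    New-Object PSObject -Property @{
        Path     = $Row.Path
        Status   = $status
        Expected = $Row.Rights
        Granted  = ([Enum]::ToObject($rightsType, $granted)).ToString()
    }
}

$report = @()
foreach ($row in $expected) { $report += Test-GroupAccess -Row $row -GroupName $Group }
$report | Sort-Object Status | Format-Table Status, Expected, Granted, Path -AutoSize
```

A DRIFT or DENY PRESENT row maps directly to the Description column of the tables, which states which SharePoint function will fail when that key or directory is altered.
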
            
 
WSS_WPG

WSS_WPG has read access to local resources. All application pool and services accounts are in WSS_WPG. The following table shows WSS_WPG registry entry permissions.

 
            
| Key name | Permissions | Inherit | Description |
| --- | --- | --- | --- |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0 | Read | No | This key is the root of the SharePoint Server 2010 registry settings. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\Diagnostics | Read, write | No | This key contains settings for the SharePoint Server 2010 diagnostic logging. Altering this key will break the logging functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LoadBalancerSettings | Read, write | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LauncherSettings | Read, write | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure | Read | No | This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint Server installation on the machine will not function. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS | Read | Yes | This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail. |

The following table shows the WSS_WPG file system permissions.

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %AllUsersProfile%\Application Data\Microsoft\Sharepoint | Read | No | This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted. |
| C:\Inetpub\wwwroot\wss | Read, execute | No | This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint Server. |
| %ProgramFiles%\Microsoft Office Servers\14.0 | Read, execute | No | This directory is the installation location for the SharePoint Server 2010 binaries and data. It can be changed during installation. All SharePoint Server 2010 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load SharePoint Server 2010 binaries. |
| %ProgramFiles%\Microsoft Office Servers\14.0\WebServices | Read | No | This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint Server 2010 features that depend on these services will fail if this directory is removed or altered. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Logs | Read, write | Yes | This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\ADMISAPI | Read | Yes | This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\CONFIG | Read | Yes | This directory contains files used to extend IIS Web sites with SharePoint Server. If this directory or its contents are altered, Web application provisioning will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\LOGS | Modify | No | This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly. |
| %windir%\temp | Read | Yes | This directory is used by platform components on which SharePoint Server depends. If the ACL is modified, Web Part rendering and other deserialization operations may fail. |
| %windir%\System32\logfiles\SharePoint | Read | No | This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly. |
| %systemdrive\program files\Microsoft Office Servers\14 | Read, execute | N/A | The permission is granted for the %systemdrive\program files\Microsoft Office Servers\14 folder on Index servers. |
 
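The two WSS_WPG tables above are a checklist, and the practical question on a real server is whether the group still holds each listed right after hardening scripts, group policy or manual ACL changes have run. The following PowerShell is an added example, not code from the Microsoft article: it transcribes the WSS_WPG entries into a list, reads the ACL on each registry key and directory, and reports any path where the group's Allow entries do not cover the listed rights. The mapping from the tables' wording ("Read", "Read, write", "Read, execute", "Modify") to .NET `RegistryRights` and `FileSystemRights` flag names is the example's own assumption, and the function is generic, so the other groups on this page can be checked by passing a different group name and a list transcribed from their tables.

```powershell
# Added example, not part of the Microsoft article: verify that a local group
# holds at least the rights listed in the tables above on each registry key
# and directory. Run from an elevated PowerShell prompt on a SharePoint 2010
# server; the script only reads ACLs and changes nothing.

# Expected entries transcribed from the two WSS_WPG tables above. The Rights
# strings are .NET RegistryRights / FileSystemRights flag names that this
# example assumes correspond to the wording used in the tables.
$WssWpgExpected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server\14.0';                                 Rights = 'ReadKey' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server\14.0\Diagnostics';                     Rights = 'ReadKey, WriteKey' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server\14.0\LoadBalancerSettings';            Rights = 'ReadKey, WriteKey' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office Server\14.0\LauncherSettings';                Rights = 'ReadKey, WriteKey' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure';     Rights = 'ReadKey' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS';        Rights = 'ReadKey' }
    @{ Path = '%AllUsersProfile%\Application Data\Microsoft\Sharepoint';                     Rights = 'Read' }
    @{ Path = 'C:\Inetpub\wwwroot\wss';                                                      Rights = 'ReadAndExecute' }
    @{ Path = '%ProgramFiles%\Microsoft Office Servers\14.0';                                Rights = 'ReadAndExecute' }
    @{ Path = '%ProgramFiles%\Microsoft Office Servers\14.0\WebServices';                    Rights = 'Read' }
    @{ Path = '%ProgramFiles%\Microsoft Office Servers\14.0\Logs';                           Rights = 'Read, Write' }
    @{ Path = '%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\ADMISAPI';     Rights = 'Read' }
    @{ Path = '%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\CONFIG';       Rights = 'Read' }
    @{ Path = '%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\LOGS';         Rights = 'Modify' }
    @{ Path = '%windir%\temp';                                                               Rights = 'Read' }
    @{ Path = '%windir%\System32\logfiles\SharePoint';                                       Rights = 'Read' }
)

function Test-GroupAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Group,          # local group name, e.g. WSS_WPG
        [Parameter(Mandatory=$true)][hashtable[]]$Expected   # entries shaped like $WssWpgExpected
    )
    foreach ($entry in $Expected) {
        $path   = [Environment]::ExpandEnvironmentVariables($entry.Path)
        $status = 'OK'
        if (-not (Test-Path -Path $path)) {
            $status = 'PATH MISSING'
        } else {
            $acl        = Get-Acl -Path $path
            $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]
            # Registry keys and directories use different rights enums.
            if ($isRegistry) {
                $required = [int][System.Security.AccessControl.RegistryRights]$entry.Rights
            } else {
                $required = [int][System.Security.AccessControl.FileSystemRights]$entry.Rights
            }
            # OR together every Allow ACE for the group, whether direct or inherited.
            $granted = 0
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -notlike "*\$Group") { continue }
                if ($isRegistry) { $bits = [int]$ace.RegistryRights } else { $bits = [int]$ace.FileSystemRights }
                $granted = $granted -bor $bits
            }
            if (($granted -band $required) -ne $required) { $status = 'MISSING RIGHTS' }
        }
        New-Object -TypeName PSObject -Property @{
            Path = $path; Expected = $entry.Rights; Status = $status
        } | Select-Object Path, Expected, Status
    }
}

Test-GroupAccess -Group 'WSS_WPG' -Expected $WssWpgExpected | Format-Table -AutoSize
```

The check is deliberately one-directional: it reports rights the group lacks, not rights it holds in excess, because the tables state minimums. An ACE expressed as generic rights (it shows up as a large or negative number rather than a named flag) does not set the specific bits the comparison looks for, so a path reported as MISSING RIGHTS should be confirmed by hand before anything is changed.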
Local service
The following table shows the local service registry entry permission:

| Key name | Permissions | Inherit | Description |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LoadBalancerSettings | Read | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
The following table shows the local service file system permission:

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %ProgramFiles%\Microsoft Office Servers\14.0\Bin | Read, execute | No | This directory is the installed location of the SharePoint Server 2010 binaries. All the SharePoint Server 2010 functionality will fail if this directory is removed or altered. |
 
Local system
The following table shows the local system registry entry permissions:

| Key name | Permissions | Inherit | Description |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\LauncherSettings | Read | No | This key contains settings for the document conversion service. Altering this key will break document conversion functionality. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure | Full control | No | This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint Server installation on the machine will not function. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\FarmAdmin | Full control | No | This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS | Full control | Yes | This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail. |
The following table shows the local system file system permissions:

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %AllUsersProfile%\Application Data\Microsoft\Sharepoint | Full control | No | This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted. |
| C:\Inetpub\wwwroot\wss | Full control | No | This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint Server. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\ADMISAPI | Full control | Yes | This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\CONFIG | Full control | Yes | If this directory or its contents are altered, Web application provisioning will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\LOGS | Full control | No | This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly. |
| %windir%\temp | Full control | Yes | This directory is used by platform components on which SharePoint Server depends. If the ACL is modified, Web Part rendering and other deserialization operations might fail. |
| %windir%\System32\logfiles\SharePoint | Full control | No | This directory is used by SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly. |
 
Network service
The following table shows the network service registry entry permission:

| Key name | Permissions | Inherit | Description |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\14.0\Search\Setup | Read | N/A | N/A |
 
Administrators
The following table shows the administrators registry entry permissions:

| Key name | Permissions | Inherit | Description |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure | Full control | No | This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint Server installation on the machine will not function. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\FarmAdmin | Full control | No | This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS | Full control | Yes | This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail. |
The following table shows the administrators file system permissions:

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %AllUsersProfile%\Application Data\Microsoft\Sharepoint | Full control | No | This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted. |
| C:\Inetpub\wwwroot\wss | Full control | No | This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint Server. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\ADMISAPI | Full control | Yes | This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\CONFIG | Full control | Yes | If this directory or its contents are altered, Web application provisioning will not function correctly. |
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\LOGS | Full control | No | This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly. |
| %windir%\temp | Full control | Yes | This directory is used by platform components on which SharePoint Server depends. If the ACL is modified, Web Part rendering and other deserialization operations might fail. |
| %windir%\System32\logfiles\SharePoint | Full control | No | This directory is used for SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly. |
 
WSS_RESTRICTED_WPG
WSS_RESTRICTED_WPG can read the encrypted farm administration credential registry entry. WSS_RESTRICTED_WPG is only used for encryption and decryption of passwords stored in the configuration database. The following table shows the WSS_RESTRICTED_WPG registry entry permission:

| Key name | Permissions | Inherit | Description |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\FarmAdmin | Full control | No | This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail. |
 
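Because the FarmAdmin key holds the encryption key for secrets in the configuration database, the useful review of it is the opposite of a minimum-rights check: who else can read it, and is inheritance really disabled. The tables on this page grant Full control on this key to Local system, Administrators and WSS_RESTRICTED_WPG with Inherit = No; the PowerShell below is an added example, not code from the Microsoft article, that lists every Allow entry on the key, flags any identity outside that set, and reports if the key still inherits ACEs from its parent. The identity strings for those three principals (`NT AUTHORITY\SYSTEM`, `BUILTIN\Administrators`, and the local group qualified with the machine name) are how Windows renders them and are assumed by the example.

```powershell
# Added example, not part of the Microsoft article: review the ACL on the
# FarmAdmin key against the principals the tables on this page grant access.
# Run from an elevated PowerShell prompt; the script only reads the ACL.
$FarmAdminKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\FarmAdmin'

# Identities the tables on this page grant Full control on this key. Local
# groups are rendered with the machine name; Local system appears as
# NT AUTHORITY\SYSTEM (assumed rendering, adjust if the farm differs).
$AllowedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:COMPUTERNAME\WSS_RESTRICTED_WPG"
)

function Get-FarmAdminKeyReview {
    param(
        [string]$KeyPath = $FarmAdminKey,
        [string[]]$Allowed = $AllowedIdentities
    )
    $findings = @()
    if (-not (Test-Path -Path $KeyPath)) {
        $findings += "Key not found: $KeyPath"
        return New-Object -TypeName PSObject -Property @{ Key = $KeyPath; Owner = $null; Findings = $findings }
    }
    $acl = Get-Acl -Path $KeyPath

    # The tables list Inherit = No; an unprotected DACL means parent ACEs flow in.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled on this key; the tables above list Inherit = No.'
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and ($Allowed -notcontains $who)) {
            $findings += "Unexpected Allow ACE for $who : $($ace.RegistryRights) (inherited=$($ace.IsInherited))"
        }
    }

    New-Object -TypeName PSObject -Property @{
        Key      = $KeyPath
        Owner    = $acl.Owner
        Findings = $findings
    }
}

$review = Get-FarmAdminKeyReview
$review | Select-Object Key, Owner
if ($review.Findings.Count -eq 0) { 'No findings: only the expected principals can access the key.' }
else { $review.Findings }
```

The comparison is by rendered account name, which is adequate on a single server; for a farm-wide scan it is more robust to translate each `IdentityReference` to a SID and compare against the well-known SIDs for SYSTEM and Administrators plus the resolved SID of the local WSS_RESTRICTED_WPG group. Deny entries are not listed because the tables do not describe any; they are easy to add by dropping the `AccessControlType` condition.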
Users group
The following table shows the users group file system permissions:

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %ProgramFiles%\Microsoft Office Servers\14.0 | Read, execute | No | This directory is the installation location for SharePoint Server 2010 binaries and data. It can be changed during installation. All SharePoint Server 2010 functionality will fail if this directory is removed, altered, or moved after installation. |
| %ProgramFiles%\Microsoft Office Servers\14.0\WebServices\Root | Read, execute | No | This directory is the root directory where back-end root Web services are hosted. The only service initially installed in this directory is a search global administration service. Some of the search administration functionality using the server-specific Central Administration Search Settings page will not work if this directory is removed or altered. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Logs | Read, write | Yes | This directory is the location where the run-time diagnostic logging is generated. Logging will not function properly if this directory is removed or altered. |
| %ProgramFiles%\Microsoft Office Servers\14.0\Bin | Read, execute | No | This directory is the installed location of SharePoint Server 2010 binaries. All of the SharePoint Server 2010 functionality will fail if this directory is removed or altered. |
 
All Office SharePoint Server service accounts
The following table shows the file system permission that applies to all Office SharePoint Server service accounts:

| File system path | Permissions | Inherit | Description |
|---|---|---|---|
| %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\14\LOGS | Modify | No | This directory contains setup and run-time tracing logs. If this directory is altered, diagnostic logging will not function correctly. All SharePoint Server service accounts must have write permission to this directory. |