User and Service Account (Office SharePoint Server)

MOSS 2007 supports two installation types: a standalone (single server) installation and a server farm installation. Plan the administrative and service accounts according to the installation type you choose, using the requirements below.

Single server standard requirements

If you are deploying to a single server computer, the account requirements are greatly reduced: you can use a single account for all of the account purposes. In a production environment, ensure that the accounts you create have the appropriate permissions for their purposes.

Account: SQL Server service account
Description: SQL Server prompts for this account during SQL Server Setup. This account is used for the following SQL Server services:
  • SQL Server (MSSQLSERVER)
  • SQL Server Agent (SQLSERVERAGENT)
Single server standard requirements: Local System account (default).

Account: Setup user account
Description: The user account that is used to run:
  • Setup on each server computer
  • The SharePoint Products and Technologies Configuration Wizard
  • The Psconfig command-line tool
  • The Stsadm command-line tool
Single server standard requirements: Member of the Administrators group on the local computer.

Account: Server farm account
Description: This account is also referred to as the database access account. This account is:
  • The identity for the application pool that hosts the SharePoint Central Administration Web site.
  • The process account for the Windows SharePoint Services Timer service.
Single server standard requirements: Network Service (default). No manual configuration is necessary.

Account: SSP application pool account
Description: Application pool identity for the shared services administration Web application.
Single server standard requirements: No manual configuration is necessary.

Account: SSP service account
Description: Used by the following:
  • SSP Web services for inter-server communication
  • SSP Timer service to run specific types of jobs
  • Application pool identity of the application pool associated with the virtual directory associated with a given SSP
Single server standard requirements:
  • No manual configuration is necessary.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Account: Office SharePoint Server Search service account
Description: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.
Single server standard requirements: By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

Account: Default content access account
Description: The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Single server standard requirements: No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.

Account: Content access account
Description: A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.
Single server standard requirements: Same as the SSP default content access account listed previously.

Account: Profile import default access account
Description: Used to:
  • Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.
  • Import profile data from a directory service.
If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.
Single server standard requirements:
  • Read access to the directory service.
  • If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
  • Manage User Profiles personalization services permission.
  • View permissions on entities used in Business Data Catalog import connections.

Account: Excel Services unattended service account
Description: The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.
Single server standard requirements: Must be a domain user account.

Account: Windows SharePoint Services Search service account
Description: Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm.
Single server standard requirements: By default, this account runs as the Local System account.

Account: Windows SharePoint Services Search content access account
Description: Used by the Windows SharePoint Services Search application server role to crawl content across sites.
Single server standard requirements: Must not be a member of the Farm Administrators group. The following are automatically configured:
  • Added to the Web application Full Read policy for the farm.

Account: Application pool identity
Description: The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.
Single server standard requirements: No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm requirements

If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers.

Account: SQL Server service account
Description: SQL Server prompts for this account during SQL Server Setup. This account is used for the following SQL Server services:
  • SQL Server (MSSQLSERVER)
  • SQL Server Agent (SQLSERVERAGENT)
Server farm standard requirements: Use either a Local System account or a domain user account.
If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.
If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

Account: Setup user account
Description: The user account that is used to run:
  • Setup on each server computer
  • The SharePoint Products and Technologies Configuration Wizard
  • The Psconfig command-line tool
  • The Stsadm command-line tool
Server farm standard requirements:
  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer running SQL Server.
  • Member of the following SQL Server security roles:
      • securityadmin fixed server role
      • dbcreator fixed server role
If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Description: This account is also referred to as the database access account. This account is:
  • The identity for the application pool that hosts the SharePoint Central Administration Web site.
  • The process account for the Windows SharePoint Services Timer service.
Server farm standard requirements:
  • Domain user account.
  • If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.
Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all databases in the server farm

Account: SSP application pool account
Description: Application pool identity for the shared services administration Web application.
Server farm standard requirements: No manual configuration is necessary. The following are automatically configured:
  • Membership in the db_owner role for the SSP content database.
  • Access to read from and write to the SSP content database.
  • Access to read from and write to content databases for Web applications that are associated with the SSP.
  • Access to read from the configuration database.
  • Access to read from the Central Administration content database.
Additional permissions to front-end Web servers and application servers are automatically granted.

Account: SSP service account
Description: Used by the following:
  • SSP Web services for inter-server communication
  • SSP Timer service to run specific types of jobs
  • Application pool identity of the application pool associated with the virtual directory associated with a given SSP
Server farm standard requirements:
  • Use a domain user account.
  • No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Account: Office SharePoint Server Search service account
Description: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.
Server farm standard requirements:
  • Must be a domain user account.
  • Should not be a member of the Farm Administrators group on the server.
The following are automatically configured:
  • Access to read from the configuration database.

Account: Default content access account
Description: The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Server farm standard requirements:
  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.
  • Read access to external or secure content sources that you want to crawl by using this account.
  • For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
The following are automatically configured:
  • Full Read permissions are automatically granted to content databases hosted by the server farm.

Account: Content access account
Description: A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.
Server farm standard requirements:
  • Read access to external or secure content sources that this account is configured to access.
  • For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

Account: Profile import default access account
Description: Used to:
  • Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.
  • Import profile data from a directory service.
If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.
Server farm standard requirements:
  • Read access to the directory service.
  • If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
  • Manage User Profiles personalization services permission.
  • View permissions on entities used in Business Data Catalog import connections.

Account: Excel Services unattended service account
Description: The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.
Server farm standard requirements: Must be a domain user account.

Account: Windows SharePoint Services Search service account
Description: Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm.
Server farm standard requirements:
  • Must be a domain user account.
  • Should not be a member of the Farm Administrators group on the server.
The following are automatically configured:
  • Access to read from the configuration database and the SharePoint_AdminContent database.
  • Membership in the db_owner role for the Windows SharePoint Services Search database.

Account: Windows SharePoint Services Search content access account
Description: Used by the Windows SharePoint Services Search application server role to crawl content across sites.
Server farm standard requirements:
  • Same requirements as the Windows SharePoint Services Search service account.
The following are automatically configured:
  • Added to the Web application Full Read policy for the farm.

Account: Application pool identity
Description: The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.
Server farm standard requirements: No manual configuration is necessary. The following are automatically configured:
  • Membership in the db_owner role for content databases and search databases associated with the Web application.
  • Access to read from the configuration and the SharePoint_AdminContent databases.
  • Access to read from and write to the associated SSP database.
Additional permissions for this account to front-end Web servers and application servers are automatically granted.
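Both tables state local Administrators group requirements that are easy to get wrong in practice: the Setup user account must be a member on each server, while the SSP service account must not be a member on any computer in the farm. The following audit script is an added example, not code from the TechNet article or from this post; the server names, account names and the use of Get-LocalGroupMember (PowerShell 5.1 on Windows Server 2016 or later) are assumptions.

```powershell
# Added audit example; it is not code from the TechNet article or this blog post.
# It checks the local Administrators group requirements stated above on each
# farm server: the Setup user account must be a member, the SSP service account
# must not be. Server names, account names and the availability of
# Get-LocalGroupMember (PowerShell 5.1 / Windows Server 2016 and later) are assumptions.

$farmServers = @('SPWEB01', 'SPAPP01')            # constructed farm server names

# Expected local Administrators membership per account (constructed names).
$expected = @{
    'CONTOSO\sp_setup'   = 'Required'   # Setup user account
    'CONTOSO\sp_ssp_svc' = 'Forbidden'  # SSP service account
}

$findings = Invoke-Command -ComputerName $farmServers -ArgumentList $expected -ScriptBlock {
    param([hashtable]$expected)

    # Normalise member names so DOMAIN\User compares case-insensitively.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { $_.Name.ToLowerInvariant() }

    foreach ($account in $expected.Keys) {
        $isMember = $admins -contains $account.ToLowerInvariant()
        $status = switch ($expected[$account]) {
            'Required'  { if ($isMember) { 'OK' } else { 'MISSING' } }
            'Forbidden' { if ($isMember) { 'VIOLATION' } else { 'OK' } }
        }
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Account  = $account
            IsAdmin  = $isMember
            Expected = $expected[$account]
            Status   = $status
        }
    }
}

# Anything other than OK needs attention before the farm goes into production.
$findings | Sort-Object Server, Account |
    Format-Table Server, Account, IsAdmin, Expected, Status -AutoSize
```

Run it from the Setup user account (or another account with remoting rights on every farm server); a VIOLATION row for the SSP service account is the elevation-of-privilege exposure the requirement above is meant to avoid.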

Reference:

http://technet.microsoft.com/en-us/library/cc263445%28office.12%29.aspx#Section2