I saw a post by Todd Klindt yesterday (Service Account Suggestions for SharePoint 2010) that prompted me to think “you know what, Foundation never seems to get this same attention”. So, I figured I’d share my own preferences for SharePoint 2010 Server accounts and then also the SharePoint Foundation accounts (as there is a limited set of functionality in Foundation and many of these accounts wouldn’t apply). The account names I use are a little different, but I did borrow his initial table as there was some good information provided in regard to the rights that need to be set as well. So here goes… your mileage may vary.
SharePoint 2010 Server Suggested Service Accounts
| Account name | Role | Domain Rights | Local Server Rights | SQL Rights |
| --- | --- | --- | --- | --- |
| spadmin | *Optional – You may prefer a different approach* Separate SharePoint account used for Central Administration management and as secondary Site Collection Administrator for all site collections. Often, the SPAdmin and SPInstall accounts will get combined. | | | |
| spinstall | Used to install SharePoint binaries. | Domain User | Local administrator on all SharePoint boxes | dbcreator and securityadmin SQL roles |
| spfarm | Farm account. Used for Windows Timer Service, Central Admin and User Profile service | Domain User | Local Admin during UPS provisioning, log on locally right | dbcreator and securityadmin SQL roles |
| spcontentapppool | App pool id for content web apps | Domain User | None | None |
| spmysitesapppool | App pool id for mysites app | Domain User | None | None |
| spserviceapppool | Service app pool id | Domain User | None | None, unless using Office Web Apps. Then must give access to content databases manually |
| spsearch | Search process id | Domain User | None | None |
| spcontentaccess | Account used to crawl content | Domain User | None | None |
| spups | Account used by the User Profile services to access Active Directory | Must have Replicating Change permissions to AD. Must be given in BOTH ADUC and ADSIEDIT. If domain is Windows 2003 or earlier, must also be a member of the “Pre-Windows 2000” built-in group. | None | None |
| spsuperuser | Cache account | Domain User | Web application Policy Full read. Web application super account setting | None |
| spsuperreader | Cache account | Domain User | Web application Policy Full read. Web application super reader account setting | None |
SharePoint 2010 Foundation Suggested Service Accounts
| Account Name | Role | Domain Rights | Local Server Rights | SQL Rights |
| --- | --- | --- | --- | --- |
| spadmin | *Optional – You may prefer a different approach* Separate SharePoint account used for Central Administration management and as secondary Site Collection Administrator for all site collections. Often, the SPAdmin and SPInstall accounts will get combined. | | | |
| spinstall | Used to install SharePoint binaries. | Domain User | Local administrator on all SharePoint boxes | dbcreator and securityadmin SQL roles |
| spfarm | Farm account. Used for Windows Timer Service, Central Admin and User Profile service | Domain User | Local Admin during UPS provisioning, log on locally right | dbcreator and securityadmin SQL roles |
| spcontentapppool | App pool id for content web apps | Domain User | None | None |
| spserviceapppool | Service app pool id | Domain User | None | None, unless using Office Web Apps. Then must give access to content databases manually |
| spsearch | Search process id | Domain User | None | None |
| spcontentaccess | Account used to crawl content | Domain User | None | None |
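To check a farm against the Local Server Rights column, the following added example (not part of the original post) audits direct membership of the local Administrators group on each SharePoint server. The `CONTOSO` domain and the server names are placeholders; spadmin is left out because the table leaves its rights blank.

```powershell
# Added audit example. Domain and server names are placeholders, not from the post.
$Domain  = 'CONTOSO'
$Servers = 'SP-APP01', 'SP-WFE01'

# Expected local Administrators membership, taken from the tables in this post.
$AllowedAdmin   = 'spinstall'   # local administrator on all SharePoint boxes
$TemporaryAdmin = 'spfarm'      # local admin during UPS provisioning only
$NeverAdmin     = 'spcontentapppool', 'spmysitesapppool', 'spserviceapppool',
                  'spsearch', 'spcontentaccess', 'spups', 'spsuperuser', 'spsuperreader'

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # The WinNT ADSI provider needs no extra modules on older Windows Server hosts.
    # It returns direct members only; nested group membership is not expanded.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath looks like WinNT://DOMAIN/account; convert to DOMAIN\account.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($server in $Servers) {
    $members = @(Get-LocalAdminMember -ComputerName $server)
    foreach ($account in @($AllowedAdmin) + $TemporaryAdmin + $NeverAdmin) {
        $isAdmin = $members -contains "$Domain\$account"
        $finding = if ($account -eq $AllowedAdmin) {
            if ($isAdmin) { 'OK' } else { 'MISSING: table expects local administrator' }
        } elseif ($account -eq $TemporaryAdmin) {
            if ($isAdmin) { 'REVIEW: local admin is for UPS provisioning only' } else { 'OK' }
        } else {
            if ($isAdmin) { 'VIOLATION: table grants no local administrator right' } else { 'OK' }
        }
        New-Object PSObject -Property @{
            Server = $server; Account = $account; LocalAdmin = $isAdmin; Finding = $finding
        }
    }
}
```

Any `VIOLATION` row means an app pool, search, crawl or cache account holds more local privilege than the table assigns, which widens the impact of a compromise of that service.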