What are the accounts used in SharePoint for a least-privileged configuration?
In many organizations implementing SharePoint, the first question that arises is which accounts need to be created and what permission levels they should have.
I have tried my best to collate the details together and write them up in my blog as per my experience. These accounts are the minimal accounts required, but the set varies as per the requirements.
The setup account: This is the account the user is logged in with when running setup. This account must be a local administrator on all systems where SharePoint is run.
Post-Setup Configuration Run-As user: This is the user that runs the PSC tool.
This user must also be a local administrator, because PSC runs a prerequisites check.
In addition to being a local administrator on all computers running Office Server, this account also has the following requirements on a remote server running SQL Server that is to be used as part of a SharePoint Foundation 2010 Services farm:
Must be a SQL login
Must be a member of the SQL Server Database Creators Role (dbcreator)
Must be a member of the SQL Server Security Administrators Role (securityadmin)
This account need not be a local administrator on the server running SQL Server.
This is the only account given explicit rights on SQL. Because it holds these rights, it is the account that grants the database access account the SQL privileges it needs.
The database access account: This is the account that is specified to the PSC tool when creating or connecting to a Configuration Database.
This account need not be the same as the PSC Run-As user, and it need not be a local administrator on any computer running Office Server.
It should also not be a local administrator on the SQL server, and it does not require any SQL permissions in advance of creating a configuration database. Many of us refer to this as the "farm admin" account, but this is misleading. The user that accesses the Central Admin Web pages to perform farm administrative activities is the farm admin account.
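The two SQL-side statements above (the PSC Run-As account gets exactly dbcreator and securityadmin; the database access account gets nothing up front) can be applied and then audited with the following T-SQL. This is an added example, not part of the original post; the login names CONTOSO\sp_psc and CONTOSO\sp_farmdb are constructed placeholders, and the ALTER SERVER ROLE syntax assumes SQL Server 2012 or later (older versions use sp_addsrvrolemember).

```sql
-- Added example, not from the original post. Account names are constructed
-- placeholders; replace CONTOSO\sp_psc (PSC Run-As user) and
-- CONTOSO\sp_farmdb (database access account) with your own.
-- Assumes SQL Server 2012 or later for the ALTER SERVER ROLE syntax.

-- 1. Give the PSC Run-As account only the two server roles the post lists.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_psc')
    CREATE LOGIN [CONTOSO\sp_psc] FROM WINDOWS;
ALTER SERVER ROLE dbcreator     ADD MEMBER [CONTOSO\sp_psc];
ALTER SERVER ROLE securityadmin ADD MEMBER [CONTOSO\sp_psc];

-- 2. Audit: list every fixed server role held by the SharePoint accounts.
--    Expected before PSC runs: sp_psc -> dbcreator, securityadmin;
--    sp_farmdb -> no rows at all (it needs no SQL rights in advance).
--    Any row showing sysadmin is a least-privilege violation to investigate.
SELECT  m.name AS login_name,
        r.name AS server_role
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   m.name IN (N'CONTOSO\sp_psc', N'CONTOSO\sp_farmdb')
ORDER BY m.name, r.name;
```

Re-run the audit query after the configuration database has been created to confirm that PSC granted the database access account its rights on the SharePoint databases rather than a server-wide role.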
Central Admin App Pool ID: This account is "automatically" configured by the PSC tool to be the same account as the database access account that is stipulated to the PSC tool when creating a configuration database. This account and the SPTimer account constitute the one exception to separate accounts being used for all account types.
The SPTimer account: As with the Central Admin App Pool ID, this account is "automatically" configured by the PSC tool to be the same account as the database access account that is stipulated to the PSC tool when creating a configuration database.
The Farm Admin account: As mentioned earlier, this is the user that accesses the Central Admin Web pages to perform farm administrative functions.
This account can create Web applications, site collections, and SSPs; configure Search, IFSS, and Profile Imports; assign permissions; and so on.