By Eric Harlan
Published: September 6, 2010
Updated: September 6, 2010

I really liked the grid we had for SharePoint 2007 and although we have some very detailed information about Service Accounts we should be using in SharePoint 2010, I couldn�t find a quick reference guide.

So here we go a quick reference guide to the service accounts you should create when installing SharePoint 2010.� This is the guide I use when installing SharePoint 2010. If for whatever reason something changes, i'll note the change in red.

Why do we need to create these service accounts?

Account	What it�s for	Permissions
Administrative Accounts
SVCSPSQL	The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT If you do not use the default SQL Server instance, in the Windows Services console, these services will be shown as the following: MSSQL$InstanceName SQLAgent$InstanceName �	Use either a Local System account or a domain user account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$). The instance name is arbitrary and was created when Microsoft SQL Server was installed. �
SVCSPSetup	The Setup user account is used to run the following: Setup SharePoint Products Configuration Wizard(which you really should NEVER RUN unless you know exactly why you're running it) �	Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer that runs SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database. �
SVCSPFarm	The server farm account is used to perform the following tasks: Configure and manage the server farm. Act as the application pool identity for the SharePoint Central Administration Web site. Run the Microsoft SharePoint Foundation Workflow Timer Service. �	Domain user account. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all SharePoint databases in the server farm �
SVCSPFoundSearch	The SharePoint Foundation 2010 search service account is used as the service account for the SharePoint Foundation 2010 Search service	This account must have domain user account permissions. The following machine-level permission is configured automatically: The search service account is a member of WSS_WPG. The following SQL Server and database permissions are conferred by membership in the WSS_CONTENT_APPLICATION_POOLS role in the server farm configuration database: Read access to the server farm configuration database. Read access to the SharePoint_Admin content database. This account is assigned the db_owner role for the SharePoint Foundation 2010 search database. �
SVCSPFoundSearchCA	The SharePoint Foundation 2010 search content access account is used by the SharePoint Foundation 2010 Search service to crawl content across sites	This account must have domain user account permissions. This account must not be a member of the farm administrators group. The following SQL Server and database permissions are configured automatically: Read access to the server farm configuration database. Read access to the SharePoint_Admin content database. This account is assigned to the db_owner role for the SharePoint Foundation 2010 search database. A full Read policy for the SharePoint Foundation 2010 search content access account is created on all Web applications. �
Service Applications Accounts
SVCSPAppPool	The application pool account is used for application pool identity.	The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG. The following SQL Server and database permissions for this account are configured automatically: The application pool accounts for Web applications are assigned to the db_owner role for the content databases. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database. �
SVCSPSearch	The SharePoint Server 2010 Search service account is used as the service account for the SharePoint Server 2010 Search service. The SharePoint Server Search Service is an NT Service, which is used by all Search Service Applications. For any given server, there is only one instance of this service.	The following machine-level permission is configured automatically: The SharePoint Server 2010 search service account is a member of WSS_WPG. The following SQL Server and database permissions are configured automatically: This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database. �
SVCSPSearchAccess	The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.	The default content access account must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account. For SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites. This account must not be a member of the farm administrators group.
SVCSPExcel	The Excel Services unattended service account is used by Excel Services to connect to external data sources that require a user name and password that are based on operating systems other than Windows for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although account credentials are used to connect to data sources of operating systems other than Windows, if the account is not a member of the domain, Excel Services cannot access it.	This account must be a domain user account.
SVCSPMySite	The My Sites application pool account must be a domain user account. This account must not be a member of the farm administrators group.	The following machine-level permission is configured automatically: This account is a member of WSS_WPG. The following SQL Server and database permissions are configured automatically: This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database. �
Service Application Accounts (User Profile Sync)
SVCSPUPSContent	Used to host the sync content as an application pool	The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG. The following SQL Server and database permissions for this account are configured automatically: The application pool accounts for Web applications are assigned to the db_owner role for the content databases. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database. This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database. �
SVCSPUPS	Used to do the actual profile synchronization (server side)	Requires Replicating Directory Changes permissions
SVCSPUPSServices	Used to run the UPS Service Application	�
Additional Service Application Accounts
SVCSP_ADDITIONAL _ACCOUTS	ANY OTHER SERVICE ACCOUNTS YOU NEED IN ORDER TO EFFECTIVLY ISOLATE YOUR DATA/FAILOVER	�

�

Resources:

http://technet.microsoft.com/en-us/library/ee662513.aspx

http://technet.microsoft.com/en-us/library/cc678863.aspx

http://www.harbar.net/articles/sp2010ups.aspx

Submit Article

126240 Views - View Comments (9)

Parle - March 22, 2012
This is the first and only video tutorial that I could find on uoutybe about MS Access 2010 which is very calm explained, very smooth voice, and explains each step for newbies, as well its fun to watch. Great vid thanks !!!

Neil McNeely - April 20, 2011
Thank you Eric. Hope you are doing well BTW. I am going to try to get to SPS St. Louis because I may be up there for an entirely different reason (Son's robotics). Anyway, one more think to clear up for my brain - has to do with the first question -

For SharePoint Foundation Server 2010 would I use:

SVCSPFoundSearch SVCSPFoundSearchCA

And for SharePoint Server 2010 would I use:

SVCSPSearch SVCSPSearchAccess

Wanted to verify that I would use only 2 of the 4 accounts depending upon the SharePoint ver ?

Thanks again and hope to see you sometime � somewhere soon!

Neil

Eric - April 15, 2011
@Neil

1) the difference between these two accounts is that one is used to run the service itself (SVCSPFoundSearch) and the other is used to access the content its actually indexing (SVCSPFoundSearchCA) "CA" meaning content access.

That said, i wouldn't run combine those two for the simple fact that if you ever need to seperate the data that one indexer can index from another (sensitive or confidential info) you'll need those to be separated. As well, one runs a service one is used to access the content. Those two may have different accesses and permissions.

2) The cons can't be something that i would be able to legitimize. Every single situation is different. There are plenty of people that run an entire development environment off of a single service account. There are others that want to understand what service runs what and breaks it out entirely. Then there are folks that do a hybrid approach based on their needs (kind of like what you want to do).

With that, i can't really say what you shouldn't do. "We" never can, we can only give best practice. I'll give you this tid bit though. In my dev environment I only use about 6-7 accounts for 2010. In production, the sky is the limit because the Service Account model is so modular.

So the famous answer is "It depends" but I think you're on the right track. Do what makes sense for your environment. Just be careful the ole "well our dev box became our production box" situation.

Neil McNeely - April 14, 2011
Hi Eric,

To help me with the service account spaghetti, looking for a few suggestions. I want to spread the services out some, but not to the point of soooo many service accounts � a compromise if you will. Couple of questions.

1. Does SVCSPFoundSearch and SVCSPFoundSearchCA correspond to SVCSPSearch and SVCSPSearchAccess where the first two are for Foundation server and the last two are for SP server 2010 ? In other words, I would only need two of those four if I follow the guide?

2. For SP Server 2010 � what are the con�s for using one account say �SPSearch� for both the SVCSPSearch and SVCSPSearchAccess accounts recommendations in the guide.

This is a small two server environment for development � SQL Server and Sharepoint Server but I did want a little bit of separation because they will be using it for multiple projects and customers where I do not have all the input for now on how that is going to grow.

I�m thinking:
SVCSPSQL
SVCSPSetup
SVCSPFarm

And then
SPSearch (as mentioned above)
SVCSPAppPool (just one for now)
SVCSPMySite

Eric - December 26, 2010
@Ben

Hey Ben here are a few good links to try out..
http://www.ericharlan.com/Moss_SharePoint_2007_Blog/install-sharepoint-2010-and-manually-configure-service-accounts-a179.html

changing passwords:
http://weblogs.asp.net/erobillard/archive/2007/07/06/how-to-change-service-accounts-and-their-passwords-in-moss-and-wss-3-0.aspx

http://blogs.msdn.com/b/joelo/archive/2006/08/22/712945.aspx

Ben Weeks - December 16, 2010
Hi Eric, do you have a guide for doing the installation not using the service wizard? Or perhaps how to install using the service wizard, then manually change to use these specific accounts?

Eric - September 7, 2010
@Rene added the link at the top

Rene - September 7, 2010
Great! Thanks for sharing this!

One small question, though. You talk about "the grid we had for SharePoint 2007 ", can you provide a link for that? Only started recently with looking at SharePoint administration, think that would be very helpful for me

Mike - September 7, 2010
Why use separate accounts for MSF search/access? Wouldn't it reduce account maintenance to just repurpose the SharePoint Server Search accounts?

« Back

Latest Blog

Blogs I Frequent

Connect

RSS Syndicator

Suggested Links

Search Engine

Twitter Feed @ericharlan

Key Word(s):	Search By: