By Eric Harlan
Published: September 6, 2010
Updated: September 6, 2010
I really liked the grid we had for SharePoint 2007, and although there is very detailed information about the service accounts we should be using in SharePoint 2010, I couldn't find a quick reference guide.

So here it is: a quick reference guide to the service accounts you should create when installing SharePoint 2010. This is the guide I use when installing SharePoint 2010. If for whatever reason something changes, I'll note the change in red.

Why do we need to create these service accounts?

Account | What it's for | Permissions

Administrative Accounts

SVCSPSQL

The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:

  • MSSQLSERVER
  • SQLSERVERAGENT

If you do not use the default SQL Server instance, these services appear in the Windows Services console as:

  • MSSQL$InstanceName
  • SQLAgent$InstanceName

The instance name is arbitrary and was chosen when Microsoft SQL Server was installed.

Use either a Local System account or a domain user account.

If you plan to back up to or restore from an external resource (for example, a network share), the appropriate account must be granted permissions to that resource. If you use a domain user account for the SQL Server service account, grant the permissions to that domain user account. If you use the Network Service or Local System account, grant the permissions to the machine account (domain_name\SQL_hostname$) instead.

 

SVCSPSetup

The Setup user account is used to run the following:

  • Setup
  • SharePoint Products Configuration Wizard (which you really should never run unless you know exactly why you're running it)

 

  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer that runs SQL Server.
  • Member of the following SQL Server security roles:
    • securityadmin fixed server role
    • dbcreator fixed server role

If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.
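The SQL Server side of the Setup account is the one part of this table you grant by hand (the farm account's roles are added for you by the configuration wizard). The following script, an added example rather than code from the original post, creates the Windows login on the SQL instance, adds it to exactly the two fixed server roles listed above, and then verifies the result, including that nobody quietly made the account sysadmin. It runs the T-SQL through the .NET SqlClient so it works from any PowerShell 2.0 prompt; the instance name and domain\account are assumptions, and it must be run as an existing sysadmin on that instance.

```powershell
# Added example, not from the original post. Assumptions: you are a sysadmin on
# the instance, and $sqlInstance / $login are placeholders for your own names.
$sqlInstance = "SQL01\SHAREPOINT"        # assumption: instance that will host the farm
$login       = "CONTOSO\SVCSPSetup"      # assumption: your domain\Setup account

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Integrated Security=SSPI;Database=master")
$conn.Open()
try {
    # Create the Windows login if it is missing, then add it to the two fixed
    # server roles Setup needs (securityadmin + dbcreator) and nothing more.
    # sp_addsrvrolemember is a no-op if the login is already a member.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'securityadmin';
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'dbcreator';
"@
    [void]$cmd.ExecuteNonQuery()

    # Verify: both required roles must report 1. sysadmin must NOT; Setup does
    # not need it, and granting it collapses the separation this table is for.
    $cmd.CommandText = @"
SELECT IS_SRVROLEMEMBER('securityadmin', N'$login') AS securityadmin,
       IS_SRVROLEMEMBER('dbcreator',     N'$login') AS dbcreator,
       IS_SRVROLEMEMBER('sysadmin',      N'$login') AS sysadmin;
"@
    $r = $cmd.ExecuteReader()
    if ($r.Read()) {
        foreach ($role in "securityadmin", "dbcreator") {
            if ($r[$role] -ne 1) { Write-Warning "$login is missing the $role role" }
        }
        if ($r["sysadmin"] -eq 1) { Write-Warning "$login is sysadmin; remove it" }
    }
    $r.Close()
}
finally {
    $conn.Close()
}
```

If you later run cmdlets that touch a specific database (the db_owner case above), add the login to that database's db_owner role separately; it is deliberately not part of this script because it is a per-database grant, not a server-level one.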

 

SVCSPFarm

The server farm account is used to perform the following tasks:

  • Configure and manage the server farm.
  • Act as the application pool identity for the SharePoint Central Administration Web site.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.

 

  • Domain user account.

Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.

The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:

  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm

 

SVCSPFoundSearch

The SharePoint Foundation 2010 search service account is used as the service account for the SharePoint Foundation 2010 Search service.

  • This account must have domain user account permissions.

The following machine-level permission is configured automatically: The search service account is a member of WSS_WPG.

The following SQL Server and database permissions are conferred by membership in the WSS_CONTENT_APPLICATION_POOLS role in the server farm configuration database:

  • Read access to the server farm configuration database.
  • Read access to the SharePoint_Admin content database.
  • This account is assigned the db_owner role for the SharePoint Foundation 2010 search database.

 

SVCSPFoundSearchCA

The SharePoint Foundation 2010 search content access account is used by the SharePoint Foundation 2010 Search service to crawl content across sites.

  • This account must have domain user account permissions.
  • This account must not be a member of the farm administrators group.

The following SQL Server and database permissions are configured automatically:

  • Read access to the server farm configuration database.
  • Read access to the SharePoint_Admin content database.
  • This account is assigned to the db_owner role for the SharePoint Foundation 2010 search database.

A full Read policy for the SharePoint Foundation 2010 search content access account is created on all Web applications.

 

Service Applications Accounts

SVCSPAppPool

The application pool account is used as the application pool identity for the farm's Web applications.

The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG.

The following SQL Server and database permissions for this account are configured automatically:

  • The application pool accounts for Web applications are assigned to the db_owner role for the content databases.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.
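Because the pool identity is handed db_owner on every content database it serves, the practical rule is one dedicated account per trust boundary and never the farm account. The script below is an added example (not code from the original post) showing how that account is put to work in SharePoint 2010: register it as a managed account, create a content Web application whose IIS pool runs as it, and then audit every Web application in the farm for pools that run as the farm account. Run it from the SharePoint 2010 Management Shell as the Setup account; the account name, host header, URL, pool name and database name are assumptions.

```powershell
# Added example, not from the original post. Assumptions: run in the SharePoint
# 2010 Management Shell as the Setup account; the names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account  = "CONTOSO\SVCSPAppPool"      # assumption: the Web application pool account
$poolName = "SharePoint - Intranet"     # assumption: one IIS pool per Web application

# Register the account once; SharePoint stores the credential as a managed
# account and uses it wherever this identity is referenced from now on.
$managed = Get-SPManagedAccount -Identity $account -ErrorAction SilentlyContinue
if (-not $managed) {
    $managed = New-SPManagedAccount -Credential (Get-Credential -Credential $account)
}

# The pool identity becomes db_owner of this Web application's content
# database, so it gets its own account rather than the farm account (which
# already runs Central Administration).
New-SPWebApplication -Name "Intranet" -Port 80 -HostHeader "intranet.contoso.com" `
    -URL "http://intranet.contoso.com" -ApplicationPool $poolName `
    -ApplicationPoolAccount $managed -DatabaseName "WSS_Content_Intranet"

# Check every Web application in the farm: flag any content pool that runs as
# the farm account, and list which identity each one actually uses.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $id = $_.ApplicationPool.Username
    if (-not $_.IsAdministrationWebApplication -and $id -eq $farmAccount) {
        Write-Warning "$($_.DisplayName) runs as the farm account ($id)"
    } else {
        "$($_.DisplayName): $id"
    }
}
```

Central Administration is excluded from the warning on purpose: per the table it is supposed to run as the farm account. Every other Web application that reports the farm account is a candidate for moving to its own pool account.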

 

SVCSPSearch

The SharePoint Server 2010 Search service account is used as the service account for the SharePoint Server 2010 Search service. The SharePoint Server Search Service is an NT Service, which is used by all Search Service Applications. For any given server, there is only one instance of this service.

The following machine-level permission is configured automatically: The SharePoint Server 2010 search service account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

 

SVCSPSearchAccess

The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

  • The default content access account must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account.
  • For SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.
  • This account must not be a member of the farm administrators group.

SVCSPExcel

The Excel Services unattended service account is used by Excel Services to connect to external data sources that require a user name and password for authentication and are based on operating systems other than Windows. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account's credentials are used to connect to non-Windows data sources, the account itself must be a member of the domain or Excel Services cannot use it.

This account must be a domain user account.

SVCSPMySite

The My Sites application pool account must be a domain user account. This account must not be a member of the farm administrators group.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

 

Service Application Accounts (User Profile Sync)

SVCSPUPSContent

Used as the application pool identity that hosts the User Profile sync content.

The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG.

The following SQL Server and database permissions for this account are configured automatically:

  • The application pool accounts for Web applications are assigned to the db_owner role for the content databases.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

 

SVCSPUPS

Used to connect to the directory and do the actual profile synchronization (the synchronization connection account).

Requires the Replicating Directory Changes permission on the domain.
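Replicating Directory Changes is a control access right on the domain naming context, not a group membership, so it is easy to grant wrongly (on the wrong object, or as the far broader "Replicating Directory Changes All", which also lets the holder read secret attributes such as password hashes). The script below is an added example, not code from the original post or from the articles linked under Resources: it grants the synchronization connection account exactly DS-Replication-Get-Changes on the domain partition using the RSAT ActiveDirectory module, then reads the ACL back to confirm the right is there and that the "All" variant is not. The account name is an assumption; the two GUIDs are the schema-defined identifiers for those two rights.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory
# module installed, run as a domain admin, $account is your sync connection account.
Import-Module ActiveDirectory

$account  = "SVCSPUPS"                          # assumption
$domainDN = (Get-ADDomain).DistinguishedName
$sid      = (Get-ADUser -Identity $account).SID

# Schema GUIDs of the two control access rights involved
$getChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes ("Replicating Directory Changes")
$getChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All (NOT needed for profile sync)

$path = "AD:\$domainDN"
$acl  = Get-Acl -Path $path

# Grant only the narrow right, as an Allow ACE on the domain object itself
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $getChanges)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify by reading the ACL back, matching ACEs on SID rather than on name
$acl  = Get-Acl -Path $path
$mine = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}
if (-not ($mine | Where-Object { $_.ObjectType -eq $getChanges -and $_.AccessControlType -eq "Allow" })) {
    Write-Warning "$account does not have Replicating Directory Changes on $domainDN"
} else {
    "$account has Replicating Directory Changes on $domainDN"
}
if ($mine | Where-Object { $_.ObjectType -eq $getChangesAll }) {
    Write-Warning "$account also has Replicating Directory Changes All; profile sync does not need it, remove it"
}
```

The second check is the one worth keeping in a periodic audit: an account that only needs to read directory changes for profile import should never accumulate the "All" right, and this account's password will end up stored in the farm, which is exactly the kind of place it should not be able to do more than it must.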

SVCSPUPSServices

Used to run the User Profile Service (UPS) Service Application.

 

Additional Service Application Accounts

SVCSP_ADDITIONAL_ACCOUNTS

Any other service accounts you need in order to effectively isolate your data or support failover.
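To turn the list above into actual accounts, here is an added example (not code from the original post) that creates every account in the table as an ordinary domain user in a dedicated OU, with a different random password for each, and then checks that none of them has picked up group membership beyond Domain Users. The OU and domain are assumptions, the RSAT ActiveDirectory module is assumed to be installed, and it is written for the PowerShell 2.0 that ships with Windows Server 2008 R2. The descriptions are taken from the table; they are the only thing the script "knows" about each account, which is the point: at the AD level these are all just unprivileged users.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory
# module installed, the OU below already exists, domain/OU names are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for [System.Web.Security.Membership]::GeneratePassword

$ou      = "OU=SharePoint Service Accounts,DC=contoso,DC=com"   # assumption
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Account name and purpose, taken from the table above
$accounts = @(
    @{ Name = "SVCSPSQL";           Purpose = "SQL Server service account (MSSQLSERVER, SQLSERVERAGENT)" },
    @{ Name = "SVCSPSetup";         Purpose = "SharePoint Setup user account" },
    @{ Name = "SVCSPFarm";          Purpose = "SharePoint server farm account" },
    @{ Name = "SVCSPFoundSearch";   Purpose = "SharePoint Foundation Search service account" },
    @{ Name = "SVCSPFoundSearchCA"; Purpose = "SharePoint Foundation Search content access account" },
    @{ Name = "SVCSPAppPool";       Purpose = "Web application pool identity" },
    @{ Name = "SVCSPSearch";        Purpose = "SharePoint Server Search service account" },
    @{ Name = "SVCSPSearchAccess";  Purpose = "Search default content access account" },
    @{ Name = "SVCSPExcel";         Purpose = "Excel Services unattended service account" },
    @{ Name = "SVCSPMySite";        Purpose = "My Sites application pool account" },
    @{ Name = "SVCSPUPSContent";    Purpose = "User Profile sync content application pool account" },
    @{ Name = "SVCSPUPS";           Purpose = "User Profile synchronization connection account" },
    @{ Name = "SVCSPUPSServices";   Purpose = "User Profile Service Application account" }
)

$created = @()
foreach ($a in $accounts) {
    $name = $a.Name
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }
    # A different random 24-character password per account, shown once at the
    # end so it can go into your password vault; never share one between accounts.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(24, 4)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@$($domain.DNSRoot)" -Path $ou `
        -Description $a.Purpose -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true   # drop this if SharePoint managed accounts will rotate the password
    $created += New-Object PSObject -Property @{ Account = "$netbios\$name"; Password = $plain }
}

# Check: at the AD level these must stay plain domain users. Anything beyond
# Domain Users (Domain Admins, a server's local Administrators group) is a
# mistake. The SharePoint farm administrators group is a farm-level group and
# has to be checked in Central Administration, not here.
foreach ($a in $accounts) {
    $extra = Get-ADPrincipalGroupMembership -Identity $a.Name |
        Where-Object { $_.Name -ne "Domain Users" } |
        ForEach-Object { $_.Name }
    if ($extra) { Write-Warning "$($a.Name) is a member of: $($extra -join ', ')" }
}
$created | Format-Table Account, Password -AutoSize
```

The only rights these accounts need beyond plain membership are the ones called out per row in the table (local Administrators for the Setup account on the SharePoint servers, the SQL roles, Replicating Directory Changes for the sync account); everything else is granted by SharePoint itself when the farm is built, which is why the script adds nothing.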

 

 

Resources:

http://technet.microsoft.com/en-us/library/ee662513.aspx

http://technet.microsoft.com/en-us/library/cc678863.aspx

http://www.harbar.net/articles/sp2010ups.aspx
