SharePoint 2007 Installation Service Accounts

Saturday, September 24, 2011


Figuring out what service accounts are needed to setup SharePoint can be pretty confusing.  There's a whole novella on MSDN with excruciating detail on all the different combinations of AD and SQL accounts you could use.  I had to scrape pieces of my brain off the walls after reading through that monstrosity.

But after doing a few buildouts, I've found that a basic setup is actually very simple.  And unless you have a specific reason to do otherwise (like having to satisfy a security requirement), sticking with the basic setup is the best way to stay sane.

There's a ton of information in the MSDN article about what permissions each account needs.  But, you really only have to worry about permissions for ONE account: the install account. The SharePoint setup and configuration wizards will automatically assign appropriate permissions for the rest of the service accounts!

I recommend creating a separate install account just for doing the SharePoint setup.  The install account must be a local Administrator on each SharePoint server, as well as the SQL server.  It should have sysadmin and dbcreator roles in SQL.  Run the SharePoint setup and config wizards under that account account.  In fact, it's a good idea to simply log in as the install account to do all your setup.

(On a side note, I've seen a lot of cases where people resolve permission issues by making the Farm account or other service accounts local Administrators. Only the install account should be a local Admin, and only for doing the initial setup! If you have to make other service accounts local Admin, there's probably something mis-configured.)

Once setup is complete, all administrative privileges for the install account can be revoked.

All in all, I typically use 1 install account, and 5 service accounts:

Account Description
Install Account This is the account I login to each server as to do the buildout. Before doing the setup, you have to manually make this account a local Administrator on each server. It also needs to have sysadmin and dbcreator roles in SQL.

After the initial setup of SharePoint, this account is no longer needed.
Farm Account Runs Central Admin app pool and SP Timer service.
SSP Account Runs SSP Admin app pool, as well as individual SSP app pools
Search Account Runs the Search services (Windows SharePoint Services Search service, and Office SharePoint Server Search service)
Crawl Account Default account used to crawl content
Web Application Account Runs web application app pool. I usually create a separate app pool account for each web application


Great blog!
If you interested in modern agriculture and farming, then I will invite you to visit my blog.
Methods of Modern Farming

Post a Comment