Reminder: Don’t use an administrator account for your default content access account

Posted Tuesday, March 16, 2010 3:51 PM by CoreyRoth

This, my friends, is bad.

[Image: EnterpriseSearchContentAccessAccountAdministrator]

I see issues caused by this all the time in the forums, so I thought I would write something up on it. You do not want your default content access account (aka crawl account) to have administrator privileges. Besides obvious security reasons, there are others. The main reason is that if the account is an administrator, it can crawl things that you simply don’t want included in your index. The last thing you want is sensitive information from some list or document library showing up in your search index. Yes, SharePoint does security trimming, but when you use an admin account, things just get weird. This applies to file shares as well.

There are other reasons you don’t want to do this as well.  If you use an administrator account, things that are not checked in may be indexed.  Also, you may run into issues where regular users cannot get any search results at all.  It effectively seems to mess up security trimming.  I’m sure there are many other reasons I’m not thinking of, but the bottom line is if you are using an administrator account, go change it now.  Of course, test before you make any changes.  You may need to assign permissions to your new account.  This could apply to permissions in SharePoint, on a file share, or in a database (if you’re using the BCS/BDC).

Once you change accounts, you need to perform a full crawl on all of your content sources so that inappropriate items get removed.  You might even go as far as resetting all crawled content first.  You should especially consider this if sensitive information is in your search index and you need to get it out fast.
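One way to check for the condition described above, as an added example that is not from the original post: this script reads the default content access account of each search service application and reports whether it is a direct member of the Farm Administrators group or holds a Full Control web application policy. It assumes the SharePoint 2010 Management Shell on a farm server and an English farm, so the group name `Farm Administrators` and the helper `Get-PlainLogin` are assumptions of this example.

```powershell
# Added example: audit the default content access (crawl) account.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: English farm, so the Central Administration group has this name.
$farmAdminGroupName = 'Farm Administrators'

# Hypothetical helper: strip a claims prefix such as "i:0#.w|" so that
# logins compare as DOMAIN\user regardless of authentication mode.
function Get-PlainLogin([string]$login) {
    return ($login -split '\|')[-1].ToLowerInvariant()
}

$findings = @()

# Collect the Farm Administrators members once from Central Administration.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $ca.Url
$farmAdmins = @($caWeb.SiteGroups[$farmAdminGroupName].Users |
    ForEach-Object { Get-PlainLogin $_.UserLogin })
$caWeb.Dispose()

foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
    $content = New-Object Microsoft.Office.Server.Search.Administration.Content($ssa)
    $crawl = Get-PlainLogin $content.DefaultGatheringAccount

    if ($farmAdmins -contains $crawl) {
        $findings += "$($ssa.Name): $crawl is in '$farmAdminGroupName'"
    }

    # The crawl account normally needs only Full Read in web application policy.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($policy in $wa.Policies) {
            if ((Get-PlainLogin $policy.UserName) -ne $crawl) { continue }
            foreach ($role in $policy.PolicyRoleBindings) {
                if ($role.Type -eq 'FullControl') {
                    $findings += "$($ssa.Name): $crawl has Full Control policy on $($wa.Url)"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No administrator-level grants found for the crawl account.' }
else { $findings }
```

The check covers direct grants only: membership through an Active Directory group, site collection administrator rights, and local Administrators membership on the servers are not resolved and need to be reviewed separately.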

Comments

# re: Reminder: Don’t use an administrator account for your default content access account

Thursday, June 28, 2012 6:07 AM by Toby

How about providing the crawl account with edit access to specific libraries where you want drafts to be searchable? We are using SP 2010 for ECM and our users want to be able to search for their drafts.

We have draft visibility set to editors only on the library. In dev I have given the crawl account edit on the library then reset IIS and the index, but the drafts are still not being indexed. Do you know if this is now explicitly ignored by the crawler? This support.microsoft.com/.../2304855 seems to suggest so, but it is at odds with a lot of other info on the web.

# re: Reminder: Don’t use an administrator account for your default content access account

Monday, August 6, 2012 4:21 PM by CoreyRoth

@Toby that is my understanding.
