Corey’s Guide to SharePoint Service Accounts

Posted Monday, May 23, 2011 8:48 AM by CoreyRoth

Everyone has their own take on what service accounts should exist on a given SharePoint farm.  From the official documentation, you pretty much have to patch together bits and pieces to come up with a concrete list.  The purpose of today’s post is to give you a starting point for your own account list.  It also includes the permissions that need to be granted in order to make things work properly.  A lot of organizations lock down many of the privileges accounts have via group policy.  This guide will hopefully give you a list that you can start with on your next install to make the process go smoothly.  Did I get something wrong?  Perhaps.  Leave a comment and I’ll continue to update this post so that it has the best information possible.

Let’s start with the general naming of accounts.  If you read my article on naming conventions, then you know consistency is key.  You also know I can’t stand abbreviations when it comes to naming anything.  However, if you know Active Directory, you also know that account names (SAM Account Names) are limited to 20 characters (for backwards compatibility reasons).  For this reason, you really have to abbreviate some things, and you are best off keeping your account name prefix short.  Ideally you want all of the SharePoint accounts to have the same prefix so that they are easily identified and found.  For my accounts, I typically go with the prefix sp_.  SharePoint is pretty recognizable with the sp abbreviation.  I typically don’t like underscores, but I tend to include them in account names.  You can leave it out just as well.  I also go with lowercase letters for the prefix as I find it just looks better.  Of course this is just one possible prefix; you can always come up with something you prefer.  Just keep in mind the account name length limitations.

Let’s take a look at the account list.

Account | Permissions | Description
sp_Setup
  • SQL Server – dbcreator and securityadmin roles
  • Local administrator on SharePoint servers
  • This account is used to perform the initial install and configuration of SharePoint.
  • Technically not a service account
sp_Farm
  • SQL Server – dbcreator and securityadmin roles
  • Allow log on locally
  • Log on as a service
  • SharePoint farm account specified in SharePoint Configuration Wizard
  • This account also will have local administrator privileges when provisioning User Profile Synchronization
sp_PortalAppPool
  • Log on as a batch job
  • Application pool account for main SharePoint web application
  • Could also just be called sp_AppPool or spAppPool + <PortNumber>
sp_ServiceAppPool
  • Log on as a batch job
  • Application pool account for web application hosting service applications
sp_MySitesAppPool
  • Log on as a batch job
  • Application pool account for My Sites web application
sp_UserProfileSync
  • Account used to synchronize user profiles from Active Directory
sp_Search
  • Log on as a service
  • Account used for running Search Service
sp_SearchCrawl
  • Full Read on each web application
  • This account is used by search when crawling
  • This account must not have local administrator permission or SharePoint administrator permissions
sp_FastUser
  • SQL Server – dbcreator role
  • Log on as a service
  • Allow log on locally
  • This account is used to run the FAST Search for SharePoint services


No accounts should ever have domain administrator privileges.  Log on as a service, Log on as a batch job, and Allow log on locally are all privileges inside Local Security Policy.  SharePoint usually does a pretty good job of assigning these privileges when you set up the accounts.  However, if your servers are running under a tight group policy, then it is more than possible that the GPO will remove these privileges or your accounts might be in Deny groups.  If your servers do run under a GPO which strips privileges, everything will more than likely work up until the point you reboot.  Once you log back in, you will find that none of your services have started.  At this point, you will need to work with your Active Directory administrator to get the required permissions.
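If you need to find out which of these rights a GPO has stripped from the accounts (or which Deny right they have landed in), the following PowerShell script, an added example that is not from the original post, exports the effective Local Security Policy with secedit and compares it against the account list above; the domain name is an assumption, and the account names are the ones from the table.

```powershell
# Added example, not from the original post: export the effective Local Security Policy with
# secedit and report whether each SharePoint account from the table above holds the user rights
# it needs, and whether it has landed in one of the Deny rights. Run in an elevated PowerShell.
$Domain = 'CONTOSO'   # assumption: replace with your NetBIOS domain name
$Required = @{
    "$Domain\sp_Farm"           = @('SeInteractiveLogonRight', 'SeServiceLogonRight')
    "$Domain\sp_PortalAppPool"  = @('SeBatchLogonRight')
    "$Domain\sp_ServiceAppPool" = @('SeBatchLogonRight')
    "$Domain\sp_MySitesAppPool" = @('SeBatchLogonRight')
    "$Domain\sp_Search"         = @('SeServiceLogonRight')
    "$Domain\sp_FastUser"       = @('SeServiceLogonRight', 'SeInteractiveLogonRight')
}
# Allow log on locally = SeInteractiveLogonRight, Log on as a service = SeServiceLogonRight,
# Log on as a batch job = SeBatchLogonRight; each has a matching Deny right that wins if set.
$DenyRights = 'SeDenyInteractiveLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

# secedit writes an INI-style file; the [Privilege Rights] section has one line per right.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are SIDs prefixed with '*' (or plain names); translate SIDs to DOMAIN\name.
        $rights[$matches[1]] = @($matches[2].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # unresolvable SID (e.g. deleted account): keep the raw SID
            } else { $entry }
        })
    }
}
Remove-Item $cfg

# Direct grants only: a right inherited through group membership shows up as MISSING here.
foreach ($account in $Required.Keys) {
    foreach ($right in $Required[$account]) {
        $state = if ($rights[$right] -contains $account) { 'OK' } else { 'MISSING' }
        '{0,-26} {1,-30} {2}' -f $account, $right, $state
    }
    foreach ($deny in $DenyRights) {
        if ($rights[$deny] -contains $account) { '{0,-26} {1,-30} DENIED' -f $account, $deny }
    }
}
```

Run it again after a reboot or a gpupdate /force to see whether the GPO reapplies the change; a DENIED line explains a service that refuses to start even when the matching allow right shows OK.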

This is quite a few accounts.  Can you get by with less?  Maybe, but I recommend against it.  Some domain administrators are more concerned about the clicks required to create a new account than the actual security of your SharePoint farm.  You might be able to consolidate your application pool accounts.  However, some accounts have conflicting security requirements.  For example, the sp_Farm account has full permissions on your SharePoint farm but the sp_SearchCrawl account must only have read permissions or bad things happen.  The lesson here is don’t take shortcuts when it comes to SharePoint accounts.

What about environment specific accounts (i.e.: development, test, production)?  A lot of organizations use separate accounts for test versus production.  This is a pretty good practice, but you have to have a naming convention to accommodate these different environments.  You might be tempted to append something like dev, test, or prod to the account names.  However, the issue with the names I provided is that many of them use up most of the available characters.  Instead, what I recommend is that you leave the production accounts as is.  By default, if you see an account name, you assume it’s production.  For test, your best bet is probably to append or prefix a letter such as T.  For example, the farm account would be sp_FarmT or tsp_Farm.  Neither might be an elegant solution, but keep in mind you can always include the full word in the display name of the account (i.e.: SharePoint Farm Test).  Have a better way to organize these accounts?  Leave a comment.

I hope this serves as a good starting point for those of you setting up new farms.  Do you have accounts that you think should be on the list?  Let me know.  One area in particular I didn’t cover was the BI features such as PerformancePoint and PowerPivot.  I’ll add these areas in at a later date.

Follow me on twitter @coreyroth.

Comments

# re: Corey’s Guide to SharePoint Service Accounts

Friday, June 24, 2011 9:56 AM by James McGinley

Account names for separate dev & test environments

Could you use UPNs that have two parts to the name (name@name_suffix) and somehow use the name_suffix to indicate dev or test?

# re: Corey’s Guide to SharePoint Service Accounts

Thursday, August 18, 2011 1:30 AM by Ivan Wilson

That was a great help. I found I also had to grant Log on as a Batch Job to the sp_Farm account as well. Otherwise the Central Admin app pool wouldn't start.

# re: Corey’s Guide to SharePoint Service Accounts

Wednesday, January 11, 2012 4:00 AM by Peat G

Thanks, very useful. I am having an issue with service accounts not being granted the appropriate permissions in local security policy, and rather than grant them manually we need to know what is preventing them from being applied during set up. Any tips on how to investigate this would be appreciated.

# re: Corey’s Guide to SharePoint Service Accounts

Wednesday, January 11, 2012 8:13 AM by CoreyRoth

@Peat It's a total pain, but it's probably some type of group policy preventing those accounts from having those permissions.  I've seen it plenty of times before.  Sometimes you will see info in the logs in the 14 hive.  Occasionally the event log.  The service accounts are obvious because when you reboot, the services won't start.

# re: Corey’s Guide to SharePoint Service Accounts

Monday, January 23, 2012 8:37 PM by Jay

Nice post. Is it possible for you to give clarity on the various Service Applications that are available in SP2010, e.g. Excel Services, Managed Metadata Services, Secure Store Services, etc.?

# re: Corey’s Guide to SharePoint Service Accounts

Monday, February 6, 2012 11:58 PM by CoreyRoth

@Jay try this video for more details on service applications.

# re: Corey’s Guide to SharePoint Service Accounts

Wednesday, August 29, 2012 9:09 AM by Hilton Giesenow

Great article, thanks Corey! I was still running into trouble though, until I added "Impersonate a client after authentication" to the GPO as well (got it from here dathan.wordpress.com/.../13)
