Tuesday, November 10, 2015

Planning Service Accounts Permissions For SharePoint 2013 Installation

Hi Mates,

I'll try to cover the service accounts, and the permissions each one requires, for a SharePoint setup. Microsoft recommends separate service accounts for different purposes such as setup, configuration and service applications, but which of them you configure depends entirely on your needs.

Here are a few service accounts, with the permissions they require in AD, the OS and SQL Server and their usage, for a medium-level architecture.

Tip: To fit this table on my blog page, I am decreasing the font size. If you can't copy it from here, download or view the Excel file below, which contains the same data.

File: Planning Service Accounts And Permissions For SharePoint 2010 and SharePoint 2013 Installation

| Account Name | Usage | SQL Permissions | AD Permissions | OS Permissions | AD Policy |
|---|---|---|---|---|---|
| YourDomain\SPSVCSetup | Installation, Configuration Wizard and Remote Server Access, SharePoint Management Shell | Domain user account. dbcreator fixed server role. securityadmin fixed server role. db_owner for all SharePoint databases. SQL Server login on the computer running SQL Server. Add-SPShellAdmin rights. Member of the Server admin SQL Server security role. | | Member of the Administrators group on each server on which Setup is run. | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCFarm | It's the application pool identity for the SharePoint Central Administration website. It's the process account for the Windows SharePoint Services Timer service. | dbcreator fixed server role. securityadmin fixed server role. db_owner fixed database role for all databases in the server farm. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCSQL | Use this account during the SQL Server setup. Affected services are MSSQLSERVER and SQLSERVERAGENT. | Full rights on SQL Server. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCUPS | User Profile Service | securityadmin fixed server role. db_owner role for Search Service Database. | Read access to the directory service. The account must have the Replicate Changes permission in AD DS. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections. | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCSearch | Search Service Application | Minimum login rights into SQL Server. | Must be a member of the Windows Authorization Access Group in AD. Must be a domain user account. | Must not be a member of the Farm Administrators group. | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVC<WebAppName> | Multiple service accounts for different web applications, used as application pool identities so that they run independently from the SPFarm account. | Domain user account. dbcreator fixed server role. securityadmin fixed server role. db_owner for the specified web application content database. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCDISTCACHE | To be used for the SharePoint Distributed Cache. | Domain user account. securityadmin fixed SQL role. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCMETADATA | To be used for the Managed Metadata Service account. | Domain user account. Minimum login rights into SQL Server. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCOFFICE | To be used for Excel, Word, Access, PowerPoint and Visio services. | Domain user account. Minimum login rights into SQL Server. | | | Password Never Expires. User Cannot Change the Password. |
| YourDomain\SPSVCREPORTS | To be used for SQL Server Reporting Services. | Domain user account. Minimum login rights into SQL Server. | | | Password Never Expires. User Cannot Change the Password. |
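
The SQL Permissions column can double as a baseline for checking that the accounts have not picked up extra fixed server roles over time. The PowerShell below is an added example, not part of the original post: the helper name Compare-SqlRolePlan, the SPSVCOld login and the observed rows are constructed for illustration, and the plan covers only some of the accounts listed above.

```powershell
# Added example. Planned fixed server roles, transcribed from the SQL
# Permissions column above. SPSVCSetup, SPSVCSQL and the per-web-application
# accounts are left out to keep the sample short.
$Plan = @{
    SPSVCFarm      = @('dbcreator', 'securityadmin')
    SPSVCUPS       = @('securityadmin')
    SPSVCSearch    = @()
    SPSVCDISTCACHE = @('securityadmin')
    SPSVCMETADATA  = @()
    SPSVCOFFICE    = @()
    SPSVCREPORTS   = @()
}

# Constructed sample rows (Login, Role). On a real farm they would come from:
#   SELECT m.name AS Login, r.name AS Role
#   FROM sys.server_role_members rm
#   JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
#   JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
#   WHERE m.name LIKE '%\SPSVC%';
$Observed = @(
    [pscustomobject]@{ Login = 'YourDomain\SPSVCFarm';      Role = 'dbcreator' }
    [pscustomobject]@{ Login = 'YourDomain\SPSVCFarm';      Role = 'securityadmin' }
    [pscustomobject]@{ Login = 'YourDomain\SPSVCSearch';    Role = 'sysadmin' }      # role drift
    [pscustomobject]@{ Login = 'YourDomain\SPSVCDISTCACHE'; Role = 'securityadmin' }
    [pscustomobject]@{ Login = 'YourDomain\SPSVCOld';       Role = 'dbcreator' }     # unplanned account
)

function Compare-SqlRolePlan {   # hypothetical helper name
    param([hashtable]$Plan, [object[]]$Observed)
    $finding = { param($a, $f, $r) [pscustomobject]@{ Account = $a; Finding = $f; Role = $r } }
    # Pass 1: roles that are held but not planned, and logins missing from the plan.
    foreach ($row in $Observed) {
        $name = ($row.Login -split '\\')[-1]           # strip the domain prefix
        if (-not $Plan.ContainsKey($name)) { & $finding $name 'NotInPlan' $row.Role }
        elseif ($Plan[$name] -notcontains $row.Role) { & $finding $name 'ExtraRole' $row.Role }
    }
    # Pass 2: roles that are planned but not held.
    foreach ($name in ($Plan.Keys | Sort-Object)) {
        $have = @($Observed | Where-Object { ($_.Login -split '\\')[-1] -eq $name } |
                  ForEach-Object { $_.Role })
        foreach ($role in $Plan[$name]) {
            if ($have -notcontains $role) { & $finding $name 'MissingRole' $role }
        }
    }
}

Compare-SqlRolePlan -Plan $Plan -Observed $Observed | Format-Table -AutoSize
```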
