Please review the service account usage of my SharePoint 2010 setup

Hi Everyone.

I have just finished setting up my first SharePoint 2010 demo server and want to validate and correct some areas where I may not be spot on.

My server is NOT installed as a standalone machine, but there is only a single machine in my farm (excluding SQL Server).

Below is an outline of the accounts I have created in AD and where they are used in relation to the SQL Server, Windows Server and SharePoint.

Please use the comments section to praise my good work and (constructively) criticise where I am not quite right.

I will then make any necessary changes and try to publish a correct account usage blog post as a follow up to this.

Account Name: SPDBAccess (SharePoint Database Access Account)
Farm Administrator: Yes
Managed Account Setting: Shows in Configure Managed Accounts, but has no settings configured
SQL Permissions:
  Server Roles: dbcreator; public; securityadmin
  User Mapping: Profile DB (dbo); Search_Service_Application_CrawlStoreDB (dbo); Search_Service_Application_DB (dbo); Search_Service_PropertyStoreDB (dbo); SharePoint_AdminContent (SPDBAccess); SharePoint_Config (SPDBAccess); StateService (dbo); Sync DB (dbo)
Services:
  Farm Account
  Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
  Windows Service – Web Analytics Data Processing Service
  Service Application Pool – SecurityTokenServiceApplicationPool
  Service Application Pool – SharePoint Web Services System

Account Name: SPContentAccess (SharePoint Search Content Access Account)
SQL Permissions:
  Server Roles: public
  User Mapping: WSS_Search (db_owner, public)

Account Name: SPService (SharePoint Service Account)
SQL Permissions:
  Server Roles: public
  User Mapping: Search_Service_Application_CrawlStoreDB (db_owner, public); Search_Service_Application_DB (db_owner, public); Search_Service_PropertyStoreDB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools); SharePoint_Config (public, WSS_Content_Application_Pools)
Services:
  SharePoint Server Search
  Service Application Pool – SharePoint Web Services Default

Account Name: SPUserProfiles (SharePoint User Profile Service)
SQL Permissions:
  Server Roles: public
  User Mapping: Profile DB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools)
Services:
  Windows Service – User Profile Synchronization Service
  Service Application Pool – SharePoint – User Profiles

Account Name: Local System
Services:
  Windows Service – Claims to Windows Token Service
  Windows Service – Document Conversions Launcher Service
  Windows Service – Document Conversions Load Balancer Service

Account Name: SPApp-WWW (www.sharepointstudio.com web application pool identity)
SQL Permissions: Not filled in, can add if useful.
Services:
  Windows Service – SharePoint Foundation Help Service

Account Name: SPApp-Myspstudio (My Site Web Application Pool Account)
Services:
  My Sites web application identity

Account Name: MStokes (My user account)
Farm Administrator: Yes

Account Name: Builtin\Administrators (Local server Administrators group)
Farm Administrator: Yes

Account Name: Administrator (Domain Administrator)
Farm Administrator: Yes

The SharePoint Health Analyzer is currently giving me these account-related issues:

  1. The server farm account should not be used for other services
    SPDBAccess, the account used for the SharePoint timer service and the central administration site, is highly privileged and should not be used for any other services on any machines in the server farm.  The following services were found to use this account: SPUserCodeV4 (Windows Service)
  2. Built-in accounts are used as application pool or service identities
    Using built-in accounts like Network Service or Local System as application pool or as service identities is not supported in a farm configuration.  The following services are currently running as built-in identities on one or more servers: SPTraceV4 (Windows Service)
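A script to reproduce the two Health Analyzer checks above from the command line, so the identity table can be re-verified after each change (added example, not code from the original post). It assumes the SharePoint 2010 Management Shell on a farm server; the cmdlets and service names are SharePoint 2010's own, and the list of Windows service names matched is an assumption that covers the services named on this page.

```powershell
# Added example (not from the original post): lists the identity each SharePoint 2010
# Windows service and IIS application pool runs under and flags the two conditions the
# Health Analyzer reported: the farm account reused by another service, and built-in identities.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPIdentityAudit {
    $farm = Get-SPFarm
    # The timer service identity is the farm account (SPDBAccess in the setup above).
    $farmAccount = $farm.TimerService.ProcessIdentity.Username
    # Windows services that are expected to run as the farm account.
    $farmOwned = @('SPTimerV4', 'SPAdminV4')
    # Identities that are not supported for services or pools in a farm configuration.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
    $rows = @()

    # Assumed service-name pattern: SP*V4 services (SPTimerV4, SPUserCodeV4, SPTraceV4, ...), the
    # search services (OSearch14, SPSearch4), FIM profile sync, Web Analytics, document
    # conversions (DCLauncher14, DCLoadBalancer14) and the Claims to Windows Token Service (c2wts).
    Get-WmiObject Win32_Service |
      Where-Object { $_.Name -match '^(SP\w+V4|SPSearch4|OSearch14|FIM\w+|WebAnalyticsService|DCL\w+14|c2wts)$' } |
      ForEach-Object {
        $flags = @()
        # WMI reports Local System as "LocalSystem" and domain accounts as DOMAIN\user.
        if ($builtIn -contains $_.StartName) { $flags += 'built-in identity' }
        if ($_.StartName -eq $farmAccount -and $farmOwned -notcontains $_.Name) { $flags += 'farm account reused' }
        $rows += New-Object PSObject -Property @{ Kind = 'Windows Service'; Name = $_.Name; Identity = $_.StartName; Flags = ($flags -join ', ') }
      }

    # Service application pools and web application pools: the identity is reported so it can be
    # compared with the account table; built-in identities are flagged.
    $pools = @()
    Get-SPServiceApplicationPool | ForEach-Object { $pools += @{ Name = $_.Name; Identity = $_.ProcessAccountName } }
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        $pools += @{ Name = $_.ApplicationPool.Name; Identity = $_.ApplicationPool.Username }
    }
    foreach ($p in $pools) {
        $flag = ''
        if ($builtIn -contains $p.Identity) { $flag = 'built-in identity' }
        $rows += New-Object PSObject -Property @{ Kind = 'App Pool'; Name = $p.Name; Identity = $p.Identity; Flags = $flag }
    }
    return $rows
}

Get-SPIdentityAudit | Sort-Object Kind, Name | Format-Table Kind, Name, Identity, Flags -AutoSize
```

Run it on every server in the farm, since Windows service identities are per machine while the pool identities come from the farm configuration.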

Access is denied. Check that the Default Content Access Account has access to this content

Configuring my first SharePoint 2010 server has thrown up some interesting issues.  I am trying to document them as I find and fix them.

The first issue is around the error message in the Title of this post:

Access is denied. Check that the Default Content Access Account has access to this content

1.) I was getting Access Denied on all the URLs in the Local SharePoint Sites content source.

2.) I tried changing the default content access account to the farm admin account, which didn't make a difference.  If you do the same then remember to remove the SharePoint Service account from having Full Read over the web app. Refer to point 6.

3.) I then changed the default content access account back to SPContentAccess and still got access denied on all URLs in Local SharePoint Sites.

4.) Next, to ensure the default content access account had read access to one of the web apps, I added SPContentAccess to the Visitors group (read access) of one of the web apps, which also didn't make a difference.

5.) After some googling at this point I came across this MS Knowledge Base article (http://support.microsoft.com/kb/896861).
I added the DisableLoopbackCheck key to the Registry, rebooted and tried a full crawl again, and it worked!

6.) For good measure I ensured SPContentAccess had Full Read at web application level.


Your default content access account should be listed in Central Administration -> Manage Web Applications -> Choose a web application -> click User Policy.  On that screen verify that your content access account is listed with Full Read permissions.  Whatever you do, do not change to a content access account that has administrator privileges.
This should be set automatically when you assign a Default Content Access Account.
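A script that checks the User Policy described above for the content access account on every web application, and applies the host-specific loopback fix from the same KB article (BackConnectionHostNames, method 1 in KB 896861) rather than DisableLoopbackCheck, which switches the check off for every host name on the server (added example, not the post's own code). It assumes the SharePoint 2010 Management Shell; the account name uses a placeholder domain with the SPContentAccess account from the post.

```powershell
# Added example (not from the original post): verifies the content access account holds
# Full Read in each web application's User Policy, then registers the farm's own host names
# with BackConnectionHostNames so loopback authentication is allowed only for those names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$contentAccessAccount = 'DOMAIN\SPContentAccess'   # placeholder domain; account as in the post

function Test-ContentAccessPolicy {
    param([string]$Account)
    $result = @()
    foreach ($webApp in Get-SPWebApplication) {
        # User Policy entries as shown in Central Administration -> Manage Web Applications ->
        # User Policy. Claims web applications store the name claims-encoded (i:0#.w|domain\user),
        # so match on the trailing DOMAIN\user part.
        $policy = $webApp.Policies | Where-Object { $_.UserName -like "*$Account" } | Select-Object -First 1
        $roles = @()
        if ($policy) { $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) }
        $result += New-Object PSObject -Property @{
            WebApplication = $webApp.DisplayName
            HasFullRead    = [bool]($roles -contains 'Full Read')
            Roles          = ($roles -join ', ')
        }
    }
    return $result
}

function Set-BackConnectionHostNames {
    # Host names from the alternate access mappings, e.g. www.sharepointstudio.com. Must run on
    # each server that hosts the web applications, because the registry value is per machine.
    $hosts = @(Get-SPAlternateURL | ForEach-Object { $_.Uri.Host } | Sort-Object -Unique)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # Method 1 in KB 896861: a multi-string value listing only the names that may loop back.
    Set-ItemProperty -Path $key -Name 'BackConnectionHostNames' -Value ([string[]]$hosts) -Type MultiString
    return $hosts
}

Test-ContentAccessPolicy -Account $contentAccessAccount | Format-Table WebApplication, HasFullRead, Roles -AutoSize
Set-BackConnectionHostNames
```

The KB article asks for the IISAdmin service to be restarted after BackConnectionHostNames is set; any web application that reports HasFullRead as False should be fixed in User Policy before the crawl is retried.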

Welcome to SharePoint Studio

Welcome to SharePoint Studio.

This is my refreshed site where I will host my blog and a few other community features.

I don’t have as much time as some SharePoint people to blog original material so I will try to focus on organising content out there to make it easily findable.