Please review the service account usage of my SharePoint 2010 setup

Hi Everyone.

I have ​just finished setting up my first SharePoint 2010 demo server and want to validate and correct some areas where I may not be spot on.

My server is NOT installed as a standalone machine, but there is only a single machine in my farm (excluding SQL Server)

Below is an outline of the accounts I have created in AD and where they are used in relation to the SQL Server, Windows Server and SharePoint.

Please use the comments section to praise my good work and (constructively) criticise where I am not quite right.

I will then make any necessary changes and try to publish a correct account usage blog post as a follow up to this.

​Account Name Farm Administrator​ Managed Account Setting​ SQL Permissions​ Services​
S​PDBAccess​​ 
SharePoint Database Access Account
Yes Shows in Configure Managed Accounts, but has not settings configured​

Server Roles: dbcreator; public; securityadmin

User Mapping: Profile DB (dbo); Search_Service_Application_CrawlStoreDB (dbo); Search_Service_Application_DB (dbo); Search_Service_PropertyStoreDB (dbo); SharePoint_AdminContent (SPDBAccess); SharePoint_Config (SPDBAccess); StateService (dbo); Sync DB​ (dbo)

Farm Account​

Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service

Windows Service – Web Analytics Data Procesing Service

Service Application Pool – SecurityTokenServiceApplicatioPool

Service Application Pool – SharePoint Web Services System

SPContentAccess
SharePoint Search Content Access Account

Server Roles: public

User Mapping: WSS_Search (db_owner, public)​

SPService​
SharePoint Service Account
 

Server Roles: public

User Mapping: Search_Service_Application_CrawlStoreDB (db_owner, public); Search_Service_Application_DB (db_owner, public); Search_Service_PropertyStoreDB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools); SharePoint_Config (public, WSS_Content_Applications_Pools)

​SharePoint Server Search

Service Application Pool – SharePoint Web Services Default

SPUserProfiles
SharePoint User Profile Service
 

Server Roles: public

User Mapping: Profile DB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools)​

​Windows Service – User Profile Synchronization Service

Service Application Pool – SharePoint – User Profiles

Local System​   Windows Service – Claims to Windows Token Service

Windows Service – Document Conversions Launcher Service

Windows Service – Document Conversions Load Balancer Service​

SPApp-WWW
www.sharepointstudio.com web application pool identity​.
Not filled in, can add if useful. Windows Service – SharePoint Foundation Help Service
SPApp-Myspstudio​
My Site Web Application Pool Account
My Sites web application identity​
MStokes
My user account​
Yes​
Builtin\Administrators
Local server Adminsitrators Group
​Yes
Administrator​
Domain Administrator​​
Yes​

 

 The SharePoint Health Analyzer is currently giving me these account related issues:

  1. The server farm account should not be used for other services
    SPDBAccess, the account used for the SharePoint timer service and the central administration site, is highly priveleged and should not be used for any other services on any machines in the server farm.  The following services were found to use this account: SPUserCodeV4(Windows Service)
  2. Built-in accounts are used as application pool or service identities
    Using built-in accounts like Network Service or Local System as application pool or as service identities is not supported in a farm configuration.  The following services are currently running as built-in identities on one or more servers SPTraceV4(Windows Service)

Published by

Mark Stokes

I am a SharePoint Server MVP and the founding Director of Red Plane, a Microsoft Silver Partner in the North West of the UK. I am interested in Travel, Extreme Sports, Photography, Technology, Gadgets, Raspberry Pi and, of course, SharePoint! Note: This is my personal blog and entries may not represent the views of my employer.

Leave a Reply

Your email address will not be published. Required fields are marked *