Question Regarding Managed Accounts and Multi-Farm deployments

I am just about to upgrade my development sandbox to represent a multi-farm environment (Shared Services, Intranet, Collab, Extranet) and came up with an interesting question regarding the AD service accounts.

Am I going to need separate service accounts for each farm or can I reuse them (this is only a devrig after all)?

My main areas of concern, and where I think I need separate accounts per farm, are from a Managed Account point of view.

If I re-used those accounts then will they get really messed up when one of the farms is set to manage the account and change the password? I am assuming that wouldn't be reflected in the other farms and I'll end up with failing services and locked out accounts, or is it smart enough to pass those changes around the farms?

I guess I could re-use the farm account as that isn't typically set to have its password changed, but the others would.

Any background info would be greatly received.

Please comment your answer here, tweet me @MarkStokes or email me mark [dot] stokes [at] sharepointstudio [dot] com

Please review the service account usage of my SharePoint 2010 setup

Hi Everyone.

I have just finished setting up my first SharePoint 2010 demo server and want to validate and correct some areas where I may not be spot on.

My server is NOT installed as a standalone machine, but there is only a single machine in my farm (excluding SQL Server)

Below is an outline of the accounts I have created in AD and where they are used in relation to the SQL Server, Windows Server and SharePoint.

Please use the comments section to praise my good work and (constructively) criticise where I am not quite right.

I will then make any necessary changes and try to publish a correct account usage blog post as a follow up to this.

Account Name: SPDBAccess (SharePoint Database Access Account)
Farm Administrator: Yes
Managed Account Setting: Shows in Configure Managed Accounts, but has no settings configured
SQL Permissions:
  Server Roles: dbcreator; public; securityadmin
  User Mapping: Profile DB (dbo); Search_Service_Application_CrawlStoreDB (dbo); Search_Service_Application_DB (dbo); Search_Service_PropertyStoreDB (dbo); SharePoint_AdminContent (SPDBAccess); SharePoint_Config (SPDBAccess); StateService (dbo); Sync DB (dbo)
Services:
  Farm Account
  Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
  Windows Service – Web Analytics Data Processing Service
  Service Application Pool – SecurityTokenServiceApplicationPool
  Service Application Pool – SharePoint Web Services System

Account Name: SPContentAccess (SharePoint Search Content Access Account)
SQL Permissions:
  Server Roles: public
  User Mapping: WSS_Search (db_owner, public)

Account Name: SPService (SharePoint Service Account)
SQL Permissions:
  Server Roles: public
  User Mapping: Search_Service_Application_CrawlStoreDB (db_owner, public); Search_Service_Application_DB (db_owner, public); Search_Service_PropertyStoreDB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools); SharePoint_Config (public, WSS_Content_Application_Pools)
Services:
  SharePoint Server Search
  Service Application Pool – SharePoint Web Services Default

Account Name: SPUserProfiles (SharePoint User Profile Service)
SQL Permissions:
  Server Roles: public
  User Mapping: Profile DB (db_owner, public); SharePoint_AdminContent (public, WSS_Content_Application_Pools)
Services:
  Windows Service – User Profile Synchronization Service
  Service Application Pool – SharePoint – User Profiles

Account Name: Local System
Services:
  Windows Service – Claims to Windows Token Service
  Windows Service – Document Conversions Launcher Service
  Windows Service – Document Conversions Load Balancer Service

Account Name: SPApp-WWW (www.sharepointstudio.com web application pool identity)
SQL Permissions: Not filled in, can add if useful.
Services:
  Windows Service – SharePoint Foundation Help Service

Account Name: SPApp-Myspstudio (My Site Web Application Pool Account)
Services:
  My Sites web application identity

Account Name: MStokes (My user account)
Farm Administrator: Yes

Account Name: Builtin\Administrators (Local server Administrators Group)
Farm Administrator: Yes

Account Name: Administrator (Domain Administrator)
Farm Administrator: Yes

 

The SharePoint Health Analyzer is currently giving me these account related issues:

  1. The server farm account should not be used for other services
    SPDBAccess, the account used for the SharePoint timer service and the central administration site, is highly privileged and should not be used for any other services on any machines in the server farm.  The following services were found to use this account: SPUserCodeV4(Windows Service)
  2. Built-in accounts are used as application pool or service identities
    Using built-in accounts like Network Service or Local System as application pool or as service identities is not supported in a farm configuration.  The following services are currently running as built-in identities on one or more servers SPTraceV4(Windows Service)
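The two Health Analyzer rules above, and the first post's question about managed accounts whose passwords rotate, can be checked from PowerShell before the next Health Analyzer run. The script below is an added example and is not part of either post; it assumes the SharePoint 2010 cmdlets are available, that the farm's DefaultServiceAccount is the timer service account, and that the Central Administration pool name contains "Central Administration".

```powershell
# Added example, not part of the original posts: a read-only inventory of the
# identities a SharePoint 2010 farm runs under. It flags the two conditions the
# Health Analyzer raised above and lists which managed accounts will change their
# own password, the case the first post asks about when an account is shared
# between farms. Run from the SharePoint 2010 Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm        = Get-SPFarm
$farmAccount = $farm.DefaultServiceAccount.Username   # assumed to be the farm (timer service) account
$builtIn     = 'LocalSystem', 'LocalService', 'NetworkService'
$uses        = @()

# Windows services registered in the farm (SPTimerV4, SPUserCodeV4, SPTraceV4, ...)
foreach ($svc in $farm.Services) {
    if ($svc -is [Microsoft.SharePoint.Administration.SPWindowsService]) {
        $pi = $svc.ProcessIdentity
        $id = if ($pi.CurrentIdentityType -eq 'SpecificUser') { $pi.Username } else { "$($pi.CurrentIdentityType)" }
        $uses += New-Object PSObject -Property @{ Kind = 'Windows Service'; Name = $svc.Name; Identity = $id }
    }
}
# Service application pools (SecurityTokenServiceApplicationPool, SharePoint Web Services System, ...)
foreach ($pool in Get-SPServiceApplicationPool) {
    $uses += New-Object PSObject -Property @{ Kind = 'Service App Pool'; Name = $pool.Name; Identity = $pool.ProcessAccountName }
}
# Web application pools, Central Administration included
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $uses += New-Object PSObject -Property @{ Kind = 'Web App Pool'; Name = $wa.ApplicationPool.Name; Identity = $wa.ApplicationPool.Username }
}

"== Identity usage =="
$uses | Sort-Object Identity, Kind | Format-Table Identity, Kind, Name -AutoSize

# Rule 1, simplified: the farm account should run only the timer service and Central
# Administration. The built-in rule tolerates a few more uses, so treat this as a review list.
"== Farm account ($farmAccount) used outside the timer service and Central Administration =="
$uses | Where-Object { $_.Identity -eq $farmAccount -and $_.Name -ne 'SPTimerV4' -and $_.Name -notmatch 'Central Administration' } |
    Format-Table Kind, Name -AutoSize

# Rule 2: built-in identities are unsupported for farm services and application pools
"== Built-in identities in use =="
$uses | Where-Object { $builtIn -contains $_.Identity } | Format-Table Kind, Name, Identity -AutoSize

# Managed accounts set to rotate their own password. Any of these that is also
# registered in a second farm is the situation the first post asks about.
"== Managed accounts and automatic password change =="
Get-SPManagedAccount | Format-Table UserName, AutomaticChange, PasswordExpiration -AutoSize
```

On the setup in the table above, the first review list would show SPUserCodeV4 and the second SPTraceV4, matching the two Health Analyzer findings.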