
Plan for administrative and service accounts (Windows SharePoint Services)

Updated: 2009-04-23

In this article:

● About administrative and service accounts

● Single server standard requirements

● Server farm standard requirements

● Least-privilege administration requirements when using domain user accounts

● Least-privilege administration requirements when using SQL authentication

● Least-privilege administration requirements when connecting to pre-created databases

● Technical reference: Account requirements by scenario

This article describes the accounts that you must plan for and the deployment scenarios that
affect account requirements.

Use this article with the following planning tool: Windows SharePoint Services security account
requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] (http://go.microsoft.com/
fwlink/?LinkId=92885&clcid=0x409). This planning tool lists the requirements for each account based on
the deployment scenario. The requirements are also listed in the Technical reference: Account
requirements by scenario section of this article.

The account requirements detail the specific permissions that you need to grant prior to running Setup. In
some cases, additional permissions that are automatically granted by running Setup are noted in the
planning tool.

This article does not describe security roles and permissions required to administer Windows SharePoint
Services 3.0. For more information, see Plan for security roles (Windows SharePoint Services) [ http://
technet.microsoft.com/en-us/library/cc288186(office.12).aspx ] .

About administrative and service accounts

This section lists and describes the accounts that you must plan for. The accounts are grouped according
to scope. If an account has a limited scope, you might need to plan multiple accounts for this category.

After you complete installation and configuration of accounts, ensure that you do not use the Local
System account to perform administration tasks or to browse sites. For example, do not use the same
account that is used to run Setup to perform administration tasks.

http://technet.microsoft.com/en-us/library/cc288210(office.12,printer).aspx (1 of 18) [7/20/2010 4:38:29 AM]



Server farm-level accounts

The following table describes the accounts that are used to configure Microsoft SQL Server database
software and to install Windows SharePoint Services 3.0.

Account: SQL Server service account
Purpose: SQL Server prompts for this account during SQL Server Setup. This account is used as
the service account for the following SQL Server services:

● MSSQLSERVER

● SQLSERVERAGENT

If you are not using the default instance, these services will be shown as:

● MSSQL$InstanceName

● SQLAgent$InstanceName

Account: Setup user account
Purpose: The user account that is used to run:

● Setup on each server computer

● The SharePoint Products and Technologies Configuration Wizard

● The Psconfig command-line tool

● The Stsadm command-line tool

Account: Server farm account
Purpose: This account is also referred to as the database access account.

This account is:

● The application pool identity for the SharePoint Central Administration Web site.

● The process account for the Windows SharePoint Services Timer service.

Windows SharePoint Services Search accounts

The following table describes the accounts that are used to set up and configure Windows SharePoint
Services Search.

Account: Windows SharePoint Services Search service account
Purpose: Used as the service account for the Windows SharePoint Services Search service.
There is one instance of this service on each search server. Typically, a server farm will
include only one search server.

Account: Windows SharePoint Services Search content access account
Purpose: Used by the Windows SharePoint Services Search application server role to crawl
content across sites. Plan for multiple accounts if the server farm includes multiple search
server computers. This is not common.

Additional application pool identity accounts


If you create additional application pools to host sites, plan for additional application pool identity
accounts. The following table describes the application pool identity account. Plan one application pool
account for each application pool you plan to implement.

Account: Application pool identity
Purpose: The user account that the worker processes that service the application pool use as
their process identity. This account is used to access content databases associated with the
Web applications that reside in the application pool.

Single server standard requirements

If you are deploying to a single server computer, account requirements are greatly reduced. In an
evaluation environment, you can use a single account for all of the account purposes. In a production
environment, ensure that the accounts you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see the Windows SharePoint Services
security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] (http://go.
microsoft.com/fwlink/?LinkId=92885&clcid=0x409) planning tool, or view the requirements listed in the
Technical reference: Account requirements by scenario section of this article.

Server farm standard requirements

If you are deploying to more than one server computer, use the server farm standard requirements to
ensure that accounts have the appropriate permissions to perform their processes across multiple
computers. The server farm standard requirements detail the minimum configuration that is necessary to
operate in a server farm environment. For a more secure environment, consider using the least privilege
administration requirements using domain user accounts.

For a list of standard requirements for server farm environments see the Windows SharePoint Services
security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] (http://go.
microsoft.com/fwlink/?LinkId=92885&clcid=0x409) planning tool, or view the requirements listed in the
Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run Setup.
These are noted in the accounts planning tool. An important configuration for database administrators to
be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role
to the following databases:

● SharePoint_Config database (configuration database)

● SharePoint_AdminContent database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission to
a subset of the stored procedures for the database. Additionally, members of this role are granted the
Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that access to read from these databases is
automatically configured. In some cases, limited access to write to a database is also automatically
configured. To provide this access, permissions to stored procedures are configured. For the
SharePoint_Config database, for example, access to the following stored procedures is automatically
configured:


● proc_dropEmailEnabledList

● proc_dropEmailEnabledListsByWeb

● proc_dropSiteMap

● proc_markForDeletionEmailEnabledList

● proc_markForDeletionEmailEnabledListsBySite

● proc_markForDeletionEmailEnabledListsByWeb

● proc_putDistributionListToDelete

● proc_putEmailEnabledList

● proc_putSiteMap

Least-privilege administration requirements when using domain user accounts

Least privilege administration is a recommended security practice in which each service or user is
provided with only the minimum privileges needed to accomplish the tasks they are authorized to
perform. This means that each service is granted access to only the resources that are necessary to its
purpose. The minimum requirements to achieve this design goal include the following:

● Separate accounts are used for different services and processes.

● No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each
account, you reduce the opportunity for a malicious user or process to compromise your environment.

Least privilege administration with domain user accounts is the recommended configuration for most
environments.
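The two minimum requirements above (separate accounts, none of them a local administrator) can be verified rather than assumed. The following PowerShell script is an added example and is not part of the original article or of Windows SharePoint Services. The server names, domain and account names are placeholders, and the script assumes it is run from an account that can enumerate the local Administrators group on each server through the WinNT provider. The Setup user account is handled separately because the standard requirements do require it to be an administrator on the servers where Setup runs; the least-privilege exception is only the computer running SQL Server.

```powershell
# Added example (not from the TechNet article): report any farm service account
# that is a member of the local Administrators group on a farm server.
# All names below are placeholders.
$sqlServer = 'SQL01'
$servers   = 'WFE01', 'APP01', $sqlServer

# One account per purpose, as least-privilege administration requires.
$serviceAccounts = @(
    'CONTOSO\svc_spfarm'    # server farm account (database access account)
    'CONTOSO\svc_spsearch'  # Windows SharePoint Services Search service account
    'CONTOSO\svc_spcrawl'   # Windows SharePoint Services Search content access account
    'CONTOSO\svc_sppool'    # application pool identity for a content Web application
    'CONTOSO\svc_sql'       # SQL Server service account
)
$setupAccount = 'CONTOSO\svc_spsetup'  # may be an admin on Web servers, never on SQL Server

foreach ($server in $servers) {
    # Bind to the server's local Administrators group and list its members
    # as DOMAIN\name strings (the WinNT ADsPath is WinNT://DOMAIN/name).
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })

    foreach ($account in $serviceAccounts) {
        if ($members -contains $account) {
            Write-Warning "$account is a member of Administrators on $server"
        }
    }

    if ($server -eq $sqlServer -and ($members -contains $setupAccount)) {
        Write-Warning "$setupAccount is a member of Administrators on the SQL Server computer $server"
    }

    Write-Host "$server checked ($($members.Count) local administrators)"
}
```

A warning for any of the service accounts, or for the Setup user account on the SQL Server computer, means the environment does not meet the least-privilege requirements listed in this article.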

For a list of least privilege administration requirements with domain user accounts, see the Windows
SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?
LinkId=92885&clcid=0x409 ] (http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409) planning tool,
or view the requirements listed in the Technical reference: Account requirements by scenario section of
this article.

Least-privilege administration requirements when using SQL authentication

In environments where SQL authentication is a requirement, you can follow the principle of least privilege
administration. In this scenario:

● SQL authentication is used for every database that is created.

● All other administration and service accounts are created as domain user accounts.


Setup and configuration

Using SQL authentication requires additional setup and configuration:

● All database accounts must be created as SQL Server login accounts in SQL Server 2000 Enterprise
Manager or SQL Server 2005 Management Studio. These accounts must be created before the
creation of any databases, including the configuration database and the AdminContent database.

● You must use the Psconfig command-line tool to create the configuration database and the
SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies
Configuration Wizard to create these databases. To create a farm or to join a computer to a farm,
specify the SQL Server login that you created for these databases as the dbusername and
dbpassword. The same SQL Server login is used to access both databases.

● You can create additional content databases in Central Administration by selecting the SQL
authentication option. However, you must first create the SQL Server login accounts in SQL
Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.

● Secure all communication with the database servers by using Secure Sockets Layer (SSL) or
Internet Protocol security (IPsec). A SQL Server login is authenticated by a name and
password that the Web server sends to the database server when it opens a connection, so
an unencrypted connection exposes those credentials on the network.

When SQL authentication is used:

● SQL Server login accounts are encrypted in the registry of the Web servers and application servers.

● The server farm account is not used to access the configuration database and the
SharePoint_AdminContent database. The corresponding SQL Server login accounts are used instead.

Creating service and administration accounts

For a list of least privilege administration requirements with SQL authentication, see the Windows
SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?
LinkId=92885&clcid=0x409 ] (http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409) planning tool,
or view the requirements listed in the Technical reference: Account requirements by scenario section of
this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the databases. Two logins are created for
the configuration and SharePoint_AdminContent databases. Create one login for each content database.

The following table lists the logins that must be created. The Login column indicates the account that is
specified or created for the SQL Server login. For the first login, you must enter the Setup user account.
For all other logins, you create a new SQL Server login account. For these logins, the Login column
provides an example account name.

Login: Setup user account
Database: Configuration and SharePoint_AdminContent databases
SQL rights: Specify Windows authentication when creating the login.

Login: <ConfigAdminDBAcc>
Database: Configuration and SharePoint_AdminContent databases
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.

Login: <WSSSearch_DB_Acc>
Database: WSS_Search database
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.

Login: <Content_DB_Acc1>
Database: Content databases
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.
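The SQL authentication procedure in this section (create the SQL Server logins listed in the table, then create the configuration and SharePoint_AdminContent databases with Psconfig) as one PowerShell script. This is an added example, not code from the article or from the product. The server name, account names and passwords are placeholders; the Psconfig switch names -dbuser and -dbpassword are an assumption (the article refers to them as dbusername and dbpassword); the T-SQL uses SQL Server 2005 syntax (SQL Server 2000 uses sp_addlogin instead of CREATE LOGIN) and assumes the sqlcmd utility from the SQL Server 2005 client tools is installed. The login-creation part needs rights to create logins on the database server, which in this scenario is a database administrator rather than the Setup user account; the Psconfig part is run on the first Web server as the Setup user account.

```powershell
# Added example (not from the TechNet article). Names and passwords are placeholders.
$sqlServer    = 'SQL01'
$setupAccount = 'CONTOSO\svc_spsetup'   # Windows login, per the first row of the table
$farmAccount  = 'CONTOSO\svc_spfarm'    # server farm account (Central Admin app pool, timer service)
$pwd = @{
    ConfigAdminDBAcc = '<strong password 1>'
    WSSSearch_DB_Acc = '<strong password 2>'
    Content_DB_Acc1  = '<strong password 3>'
}

# Step 1 (run by the DBA): one Windows login plus the three SQL logins from the table.
# CHECK_POLICY = ON applies the Windows password policy to the SQL login.
# dbcreator is the only server role the table asks for; do not add sysadmin or securityadmin.
$createLogins = @"
CREATE LOGIN [$setupAccount] FROM WINDOWS;

CREATE LOGIN [ConfigAdminDBAcc] WITH PASSWORD = N'$($pwd.ConfigAdminDBAcc)', CHECK_POLICY = ON;
EXEC sp_addsrvrolemember @loginame = N'ConfigAdminDBAcc', @rolename = N'dbcreator';

CREATE LOGIN [WSSSearch_DB_Acc] WITH PASSWORD = N'$($pwd.WSSSearch_DB_Acc)', CHECK_POLICY = ON;
EXEC sp_addsrvrolemember @loginame = N'WSSSearch_DB_Acc', @rolename = N'dbcreator';

CREATE LOGIN [Content_DB_Acc1] WITH PASSWORD = N'$($pwd.Content_DB_Acc1)', CHECK_POLICY = ON;
EXEC sp_addsrvrolemember @loginame = N'Content_DB_Acc1', @rolename = N'dbcreator';
"@
$scriptFile = Join-Path $env:TEMP 'wss_sql_logins.sql'
Set-Content -Path $scriptFile -Value $createLogins
sqlcmd -S $sqlServer -E -i $scriptFile     # -E: Windows authentication as the current user
Remove-Item $scriptFile                     # the file contains the login passwords

# Step 2 (run on the first Web server as the Setup user account): create the farm.
# The configuration and SharePoint_AdminContent databases are accessed with the
# ConfigAdminDBAcc SQL login, not with the server farm account; the farm account
# is still needed as the process identity for Central Administration and the timer service.
$psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\psconfig.exe'
& $psconfig -cmd configdb -create `
    -server $sqlServer `
    -database SharePoint_Config `
    -admincontentdatabase SharePoint_AdminContent `
    -user $farmAccount -password '<farm account password>' `
    -dbuser ConfigAdminDBAcc -dbpassword $pwd.ConfigAdminDBAcc
```

To join additional servers to the farm, run the same Psconfig command with -connect instead of -create, using the same ConfigAdminDBAcc login; the later content databases and the WSS_Search database use the other two logins when you choose SQL authentication in Central Administration.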

Least-privilege administration requirements when connecting to pre-created databases

In environments where databases are pre-created by a database administrator, you can follow the
principle of least privilege administration. In this scenario:

● Administration and service accounts are created as domain user accounts.

● SQL Server logins are created for the accounts that are used to configure databases.

● Databases are created by a database administrator.

For more information about deploying Windows SharePoint Services 3.0 using pre-created blank
databases, see Deploy using DBA-created databases (Windows SharePoint Services) [ http://technet.
microsoft.com/en-us/library/cc288606(office.12).aspx ] .

Creating service and administration accounts

For a list of least privilege administration requirements when connecting to an existing blank database,
see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?
LinkId=92885&clcid=0x409 ] (http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409) planning tool,
or view the requirements listed in the Technical reference: Account requirements by scenario section of
this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the accounts that will access the
databases. The accounts planning tool details the specific permissions that are configured for each
account. For instructions on how to create and grant permissions to databases, see Deploy using DBA-
created databases (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288606
(office.12).aspx ] .

The following table lists the logins that must be created. The database column indicates which databases
are configured with permissions for each login account. For each login, specify Windows authentication
when creating the login.


Login: Setup user account (run-as user for the Psconfig command-line tool)
Database: All databases

Login: Server farm account (Office SharePoint Server database access account)
Database:

● SSP database

● SSP search database

Login: Windows SharePoint Services Search service account
Database:

● WSS_Search database

● Configuration database

● SharePoint_AdminContent database

Login: Application pool identity for additional content databases
Database:

● SSP database

● SSP search database

● Content databases associated with the application pool

The SSP database and SSP search database exist only in a farm that runs Office SharePoint
Server 2007 (a Shared Services Provider); a farm that runs only Windows SharePoint Services
3.0 has no SSP databases, and the remaining rows apply.

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

● Single server standard requirements

● Server farm standard requirements

● Least-privilege administration requirements when using domain user accounts

● Least-privilege administration requirements when using SQL authentication

● Least-privilege administration requirements when connecting to pre-created databases

Single server standard requirements


Server farm-level accounts

Account: SQL Server service account
Requirements: Local System account (default)

Account: Setup user account
Requirements: Member of the Administrators group on the local computer

Account: Server farm account
Requirements: Network Service (default). No manual configuration is necessary.

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account
Requirements: By default, this account runs as the Local System account.

Account: Windows SharePoint Services Search content access account
Requirements: Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary. The Network Service account is used for
the default Web site that is created during Setup and configuration.

Server farm standard requirements


Server farm-level accounts

Account: SQL Server service account
Requirements: Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default,
which requires additional configuration in your network environment. If SQL Server uses a
service principal name (SPN) that is not valid (that is, that does not exist in the Active
Directory directory service environment), Kerberos authentication fails, and then NTLM is
used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate
container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI
context" error message. Authentication will always try to use the first SPN it finds, so
ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external
resource must be granted to the appropriate account. If you use a domain user account for
the SQL Server service account, grant permissions to that domain user account. However, if
you use the Network Service or the Local System account, grant permissions to the external
resource to the machine account (domain_name\SQL_hostname$).

Account: Setup user account
Requirements:

● Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

❍ securityadmin fixed server role

❍ dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the
db_owner fixed database role for the database.

Treat membership in the securityadmin fixed server role as equivalent to sysadmin: its
members can create logins and grant server-level permissions, including to themselves, so
keep the set of accounts that hold it as small as possible.

Account: Server farm account
Requirements:

● Domain user account.

Additional permissions are automatically granted for this account on Web servers and
application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL
Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm

Note: If you configure the Microsoft Single Sign-On Service, the server farm account will
not automatically be given db_owner access to the SSO database.
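The SPN conditions described for the SQL Server service account (no SPN, so Kerberos falls back to NTLM; an SPN registered on more than one account or on the wrong account, so the client sees "Cannot generate SSPI context") can be checked in Active Directory before the farm is built. The following PowerShell script is an added example, not part of the article; the SQL Server host name, domain and account names are placeholders, and it assumes it runs on a domain-joined computer (reading SPNs needs no elevated rights).

```powershell
# Added example (not from the TechNet article): find the MSSQLSvc SPNs for the
# SQL Server computer and report duplicate or misplaced registrations.
$sqlHost = 'SQL01.contoso.com'     # placeholder FQDN of the computer running SQL Server

# The account SQL Server runs as: a domain user (svc_sql) or, when the service
# runs as Local System or Network Service, the computer account (SQL01$).
$expectedOwner = 'svc_sql'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=MSSQLSvc/$sqlHost*)"
$searcher.PropertiesToLoad.Add('sAMAccountName')      | Out-Null
$searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null

# Map each matching SPN to the accounts it is registered on. A well-formed
# environment has exactly one owner per SPN, and that owner is $expectedOwner.
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $account = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        if ($spn -like "MSSQLSvc/$sqlHost*") {
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            $owners[$spn] += $account
        }
    }
}

if ($owners.Count -eq 0) {
    Write-Warning "No MSSQLSvc SPN is registered for $sqlHost; Kerberos will fail and NTLM will be used"
}
foreach ($spn in $owners.Keys) {
    $accounts = $owners[$spn]
    if ($accounts.Count -gt 1) {
        Write-Warning "$spn is registered on more than one account ($($accounts -join ', ')); Kerberos uses the first one found"
    } elseif ($accounts[0] -ne $expectedOwner) {
        Write-Warning "$spn is registered on $($accounts[0]) instead of $expectedOwner; expect 'Cannot generate SSPI context'"
    } else {
        Write-Host "$spn is registered on $expectedOwner (OK)"
    }
}
```

When the script reports a wrong or duplicate owner, remove the stray registration with setspn -D and, if needed, re-register it on the service account with setspn -A; both forms of the SPN (host name alone and host name with the TCP port) should point at the same account.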

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account
Requirements:

● Must be a domain user account.

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Account: Windows SharePoint Services Search content access account
Requirements: Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated
with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account to front-end Web servers and application servers
are automatically granted.

Least-privilege administration requirements when using domain user accounts


Server farm-level accounts

Account: SQL Server service account
Server farm standard requirements: As listed under Server farm standard requirements above
(Local System account or a domain user account; the Kerberos SPN and external backup
resource considerations apply).
Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account.

Account: Setup user account
Server farm standard requirements: As listed under Server farm standard requirements above
(domain user account; member of the Administrators group on each server on which Setup is
run; SQL Server login on the computer running SQL Server; member of the securityadmin and
dbcreator fixed server roles; member of the db_owner fixed database role for any database
that Stsadm commands affect).
Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account.

● This account should NOT be a member of the Administrators group on the computer running
SQL Server.

Account: Server farm account
Server farm standard requirements: As listed under Server farm standard requirements above
(domain user account; automatically added as a SQL Server login and to the dbcreator and
securityadmin fixed server roles and the db_owner fixed database role for all databases in
the server farm, except the SSO database when Microsoft Single Sign-On Service is
configured), with the following addition:

● If the server farm is a child farm with Web applications that consume shared services
from a parent farm, this account must be a member of the db_owner fixed database role on
the configuration database of the parent farm.

Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the server farm, including the
computer running SQL Server.

● This account does not require permissions to SQL Server before creating the
configuration database.

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account
Server farm standard requirements: As listed under Server farm standard requirements above
(domain user account; not a member of the Farm Administrators group; read access to the
configuration and SharePoint_AdminContent databases and membership in the db_owner role for
the Windows SharePoint Services Search database are configured automatically).
Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account.

Account: Windows SharePoint Services Search content access account
Server farm standard requirements: Same requirements as the Windows SharePoint Services
Search service account; the account is automatically added to the Web application Full Read
policy for the farm.
Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account.

Additional application pool identity accounts

Account: Application pool identity
Server farm standard requirements: As listed under Server farm standard requirements above
(no manual configuration; membership in the db_owner role for the content and search
databases associated with the Web application, read access to the configuration and
SharePoint_AdminContent databases, and permissions on front-end Web servers and application
servers are configured automatically).
Least-privilege using domain user accounts requirements: Server farm standard requirements
with the following additions or exceptions:

● Use a separate domain user account for each application pool.

● This account should not be a member of the Administrators group on any computer in the
server farm.
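Much of what the tables above list is configured automatically, so the useful check after deployment is what SQL Server actually holds for the farm's accounts: which fixed server roles each login is in, and which database principals sit in db_owner or in the WSS_Content_Application_Pools role described earlier. The following PowerShell script is an added example, not part of the article. The server name and domain are placeholders; the queries use the SQL Server 2005 catalog views; sp_MSforeachdb is an undocumented but long-standing stored procedure used here to run the same query in every database; and the script assumes sqlcmd is installed and that the caller (for example the Setup user account) can read the metadata of every database.

```powershell
# Added example (not from the TechNet article): list server-role and database-role
# membership for the farm's domain accounts so it can be compared with the
# requirements tables. Placeholders: server name and domain.
$sqlServer = 'SQL01'
$domain    = 'CONTOSO'

$query = @"
SET NOCOUNT ON;

-- Fixed server roles held by the farm's domain logins. Anything beyond dbcreator
-- and securityadmin (which should be treated as equivalent to sysadmin) for the
-- Setup user account and the server farm account is outside the tables above.
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals sp ON rm.member_principal_id = sp.principal_id
WHERE sp.name LIKE N'$domain\%'
ORDER BY sp.name, r.name;

-- db_owner and WSS_Content_Application_Pools members in every database.
-- Application pool identities should appear as db_owner only for their own
-- content databases and as WSS_Content_Application_Pools members in
-- SharePoint_Config and SharePoint_AdminContent.
EXEC sp_MSforeachdb N'USE [?];
SELECT ''?'' AS database_name, dp.name AS principal_name, r.name AS database_role
FROM sys.database_role_members m
JOIN sys.database_principals r  ON m.role_principal_id   = r.principal_id
JOIN sys.database_principals dp ON m.member_principal_id = dp.principal_id
WHERE r.name IN (N''db_owner'', N''WSS_Content_Application_Pools'')
  AND dp.name LIKE N''$domain\%'';';
"@

$queryFile = Join-Path $env:TEMP 'wss_role_audit.sql'
Set-Content -Path $queryFile -Value $query
# -E: Windows authentication as the current user; -W: trim trailing spaces in the output.
sqlcmd -S $sqlServer -E -i $queryFile -W
Remove-Item $queryFile
```

Read the output row by row against the tables: a service account that appears in sysadmin, an application pool identity that is db_owner of another application pool's content database, or a Search account that is a login at all in the SQL-authentication scenario, are the deviations worth fixing.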

Least-privilege administration requirements when using SQL authentication


Server farm-level accounts

Least-privilege using SQL


Account Server farm standard requirement authentication requirements

SQL Server Use either a Local System account or a domain Server farm standard requirements with the
service user account. following additions or exceptions:
account
If a domain user account is used, this account
Use a separate domain user account.
uses Kerberos authentication by default, which

requires additional configuration in your


network environment. If SQL Server uses a
service principal name (SPN) that is not valid Note:
(that is, that does not exist in the Active
Directory directory service environment),
Kerberos authentication fails, and then NTLM is All database accounts must be created as SQL
used. If SQL Server uses an SPN that is valid Server login accounts in Microsoft SQL Server
but is not assigned to the appropriate 2000 Enterprise Manager or SQL Server 2005
container in Active Directory, authentication Management Studio. These accounts must be
fails, resulting in a "Cannot generate SSPI created before the creation of any content
context" error message. Authentication will databases, including the configuration
always try to use the first SPN it finds, so database and the SharePoint_AdminContent
ensure that there are no SPNs assigned to database. Create one SQL Server login for
inappropriate containers in Active Directory. both the configuration database and the
SharePoint_AdminContent database.
If you plan to back up to or restore from an
external resource, permissions to the external
resource must be granted to the appropriate
account. If you use a domain user account for
the SQL Server service account, grant
permissions to that domain user account.
However, if you use the Network Service or the
Local System account, grant permissions to
the external resource to the machine account
(domain_name\SQL_hostname$).

http://technet.microsoft.com/en-us/library/cc288210(office.12,printer).aspx (12 of 18) [7/20/2010 4:38:29 AM]


Plan for administrative and service accounts (Windows SharePoint Services)

Setup user Server farm standard requirements with the


Domain user account.
account following additions or exceptions:

● Member of the Administrators group on


each server on which Setup is run. ● Use a separate domain user account.

● SQL Server login on the computer ● SQL Server login on the SQL Server
running SQL Server. computer.

● Member of the following SQL Server ● NOT a member of the following SQL
security roles: Server security roles:

❍ securityadmin fixed server role ❍ securityadmin fixed server role

❍ dbcreator fixed server role ❍ dbcreator fixed server role

If you run Stsadm commands that affect a ● NOT a member of the Administrators
database, this account must be a member of group on the computer running SQL
the db_owner fixed database role for the Server.
database.

Note:

You must use the Psconfig command-line tool


to create the configuration database and the
SharePoint_AdminContent database. You
cannot use the SharePoint Products and
Technologies Configuration Wizard to create
these databases. To create a farm or to join a
computer to a farm, specify the SQL Server
login that you created for these databases as
the dbusername and dbpassword. The same
SQL Server login is used to access both
databases. All other content databases can be
created in Central Administration by selecting
the SQL authentication option.

Server farm Server farm standard requirements with the


Domain user account.
account following additions or exceptions:

● If the server farm is a child farm with


Web applications that consume shared ● Use a separate domain user account.
services from a parent farm, this
● NOT a member of the Administrators
account must be a member of the
group on any server in the server farm,
db_owner fixed database role on the
including the computer running SQL
configuration database of the parent
Server.
farm.
● NOT a SQL Server login on the
Additional permissions are automatically computer running SQL Server.
granted for this account on Web servers and
application servers that are joined to a server ● This account does not require
farm.
permissions to SQL Server before
This account is automatically added as a SQL creating the configuration database.
Server login on the computer running SQL
Server and added to the following SQL Server
security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all

http://technet.microsoft.com/en-us/library/cc288210(office.12,printer).aspx (13 of 18) [7/20/2010 4:38:29 AM]


Plan for administrative and service accounts (Windows SharePoint Services)

databases in the server farm

Note If you configure the Microsoft Single


Sign-On Service, the server farm account will
not automatically be given db_owner access
to the SSO database.

Windows SharePoint Services Search accounts

Windows SharePoint Services Search service account

Server farm standard requirement:

Server farm standard requirements with the following additions or exceptions:

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Least-privilege using SQL authentication requirements:

Must be a domain user account.

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.

Windows SharePoint Services Search content access account

Server farm standard requirement:

Server farm standard requirements with the following additions or exceptions:

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Least-privilege using SQL authentication requirements:

Same requirements as the Windows SharePoint Services Search service account.

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.

Additional application pool identity accounts

Application pool identity

Server farm standard requirement:

No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least-privilege using SQL authentication requirements:

Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.

Least-privilege administration requirements when connecting to pre-created databases


Server farm-level accounts

SQL Server service account

Server farm standard requirement:

Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

● If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

Least-privilege when connecting to pre-created databases requirements:

Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

Setup user account

Server farm standard requirement:

Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

❍ securityadmin fixed server role

❍ dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Least-privilege when connecting to pre-created databases requirements:

Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on the computer running SQL Server.

This account is used to configure databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup User account.

Server farm account

Server farm standard requirement:

Domain user account.

● If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm

Note If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

Least-privilege when connecting to pre-created databases requirements:

Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.

● This account does not require permissions to SQL Server before creating the configuration database.

After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases:

● Users group

● db_owner fixed database role
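
Added example (not part of the TechNet article): a T-SQL query that shows which authentication scheme SQL Server actually negotiated for each open connection, so that the silent Kerberos-to-NTLM fallback described for the SQL Server service account is visible rather than assumed. It assumes SQL Server 2005 or later and VIEW SERVER STATE permission for the account that runs it.

```sql
-- Added example (not from the TechNet article). Lists every user connection
-- with the authentication scheme SQL Server negotiated for it. A domain
-- account showing NTLM on a TCP connection means Kerberos was not used,
-- which is the fallback the article describes for a missing or invalid SPN.
-- Assumes SQL Server 2005 or later; requires VIEW SERVER STATE.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    c.net_transport,                     -- TCP, Named pipe, Shared memory
    c.auth_scheme,                       -- KERBEROS, NTLM or SQL
    CASE
        WHEN c.auth_scheme = 'NTLM'
         AND c.net_transport = 'TCP'
         AND s.login_name LIKE '%\%'     -- DOMAIN\user style Windows login
        THEN 'Kerberos fallback: check the SQL Server SPN (setspn -L <service account>)'
        WHEN c.auth_scheme = 'SQL'
        THEN 'SQL authentication (least-privilege SQL authentication scenario)'
        ELSE 'OK'
    END AS note
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.auth_scheme, s.login_name;
```

Local connections over shared memory normally report NTLM and are excluded from the fallback note; only remote TCP connections from domain accounts should negotiate Kerberos.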
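
Added example (not from the TechNet article): the database-side steps of the pre-created databases scenario for the Setup user account, the server farm account and an application pool identity, written as T-SQL for the DBA to run. The account names CONTOSO\sp_setup, CONTOSO\sp_farm and CONTOSO\sp_apppool1 and the database name SharedServices1_DB are placeholders; the script assumes SQL Server 2005 or 2008, where sp_addsrvrolemember and sp_addrolemember are the supported way to add role members.

```sql
-- Added example (not from the TechNet article). Placeholder names throughout.
USE [master];
GO
-- 1. The Setup user account gets a login and only the two fixed server roles
--    the article lists (securityadmin and dbcreator), never sysadmin.
CREATE LOGIN [CONTOSO\sp_setup] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\sp_setup', @rolename = N'securityadmin';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\sp_setup', @rolename = N'dbcreator';
-- 2. Logins for the server farm account and one application pool identity.
--    In this scenario they hold no server-level role at all.
CREATE LOGIN [CONTOSO\sp_farm]     FROM WINDOWS;
CREATE LOGIN [CONTOSO\sp_apppool1] FROM WINDOWS;
GO
-- 3. After a database has been created, make the Setup user account its
--    owner (the "dbo" the article refers to).
ALTER AUTHORIZATION ON DATABASE::[SharedServices1_DB] TO [CONTOSO\sp_setup];
GO
-- 4. For the SSP database (repeat for the SSP search database), add the farm
--    account and the application pool identity as database users ("Users
--    group") and to the db_owner fixed database role.
USE [SharedServices1_DB];
GO
CREATE USER [CONTOSO\sp_farm]     FOR LOGIN [CONTOSO\sp_farm];
CREATE USER [CONTOSO\sp_apppool1] FOR LOGIN [CONTOSO\sp_apppool1];
EXEC sp_addrolemember N'db_owner', N'CONTOSO\sp_farm';
EXEC sp_addrolemember N'db_owner', N'CONTOSO\sp_apppool1';
GO
-- 5. Verification: the SharePoint accounts should appear only in the server
--    roles above (sp_setup in securityadmin and dbcreator, the others in
--    none), and the database owner should be the Setup user account.
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name LIKE 'CONTOSO\sp_%'
ORDER BY p.name, r.name;

SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name = N'SharedServices1_DB';
```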

Windows SharePoint Services Search accounts

Windows SharePoint Services Search service account

Server farm standard requirement:

Server farm standard requirements with the following additions or exceptions:

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Least-privilege when connecting to pre-created databases requirements:

Must be a domain user account.

● Use a separate domain user account.

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

● Users group and db_owner role for the WSS_Search database.

● Users group in the configuration database.

● Users group in the Central Administration content database.

Windows SharePoint Services Search content access account

Server farm standard requirement:

Server farm standard requirements with the following additions or exceptions:

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Least-privilege when connecting to pre-created databases requirements:

Same requirements as the Windows SharePoint Services Search service account.

● Use a separate domain user account.

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

● Users group and the db_owner role in the WSS_Search database.

● Users group in the configuration database.

● Users group in the Central Administration content database.

Additional application pool identity accounts

Application pool identity

Server farm standard requirement:

No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least-privilege when connecting to pre-created databases requirements:

Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account for each application pool.

● This account should not be a member of the Administrators group on any computer in the server farm.

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

● Users group

● db_owner role

Download this book

This topic is included in the following downloadable book for easier reading and printing:

● Planning and architecture for Windows SharePoint Services 3.0, part 2 [ http://go.microsoft.com/fwlink/?LinkID=85553 ]

See the full list of available books at Downloadable books for Windows SharePoint Services [ http://go.microsoft.com/fwlink/?LinkId=81199 ] .

See Also

Concepts
Plan for security roles (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288186(office.12).aspx ]