SharePoint Gear

Projects & Solutions from a SharePoint Geek

70-541: Create WSS Service Accounts March 25, 2009

Filed under: 70-541 — Fodi Dervidis @ 6:25 pm

Short & Sweet

  • For a single server installation you’ll need to run setup as a Local Administrator and you’ll need a normal domain user account (that’s not a farm administrator) for the WSS content access account. Everything else uses Local System or Network System accounts.
  • For a server farm installation you’ll need to run setup with an account that’s a Local Administrator on all servers. You’ll need another domain user account to use as the server farm account and a third account that’s not a farm administrator for the search service and search content access services.

Detailed Information

WSS Service accounts can be broken down into three categories:

  1. Server farm-level accounts
  2. WSS search accounts
  3. Application pool identity accounts

NOTE: SSI = Single Server Installation. SFI = Server Farm Installation

Server Farm-level Accounts

  1. SQL Server service account: Used during SQL Server installation.
    • SSI: Local System account. 
    • SFI: Local System account or a domain user account.
  2. Setup user account: This is the account that you use to run WSS setup.
    • SSI: Local Administrator account.
    • SFI: Local Administrator on each server. dbcreator and securityadmin on the SQL Server (needs db_owner for certain stsadm commands).
  3. Server farm account: Used as the WSS Time service account and is the identity of Central Administration’s application pool.
    • SSI: Default value: Network Service.
    • SFI: Domain user account. (Automatically granted special permissions on WSS servers and given dbcreator, securityadmin and db_owner permissions on SQL)

WSS Search Accounts

  1. WSS Search Service service account:
    • SSI: Local System by default.
    • SFI: Domain user account that isn’t a member of Farm Administrators. (Automatically given read access to the configuration database and db_owner for the WSS search database)
  2. WSS Search content access account: Used by WSS Search to crawl site content.
    • SSI: Not a member of Farm Administrators. (Automatically added to the Full Read policy for all sites)
    • SFI: Domain user account. Not a member of Farm Administrators. (Automatically added to the Full Read policy for the farm)

Application Pool Identity Accounts

  1. Application pool identity account: Used to access content databases.
    • SSI: No configuration. (Network System account used by default)
    • SFI: No configuration. (Automatically made a db_owner for the application pool’s content and search databases, given read access to the configuration database, and any other required permissions are configured automatically.)
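
The SFI server-role requirements listed above can be checked on the farm's SQL Server with a query like the following. This is an added example, not part of the original post: the `EXAMPLE\...` login names are constructed placeholders, and flagging `sysadmin` as excess is an assumption based on the post listing only dbcreator and securityadmin.

```sql
-- Added example: the logins below are constructed placeholders, not from the post.
-- Run on the farm's SQL Server instance as a sysadmin so that
-- IS_SRVROLEMEMBER can evaluate logins other than your own.
DECLARE @accounts TABLE (
    login_name   sysname,
    purpose      nvarchar(60),
    expect_roles bit  -- 1 = the post lists dbcreator + securityadmin for this account
);

INSERT INTO @accounts VALUES (N'EXAMPLE\wss_setup',  N'Setup user account',         1);
INSERT INTO @accounts VALUES (N'EXAMPLE\wss_farm',   N'Server farm account',        1);
INSERT INTO @accounts VALUES (N'EXAMPLE\wss_search', N'WSS Search service account', 0);

SELECT
    a.purpose,
    a.login_name,
    CASE WHEN sp.principal_id IS NULL THEN 'missing' ELSE 'present' END AS sql_login,
    r.is_dbcreator,
    r.is_securityadmin,
    r.is_sysadmin,
    CASE
        WHEN a.expect_roles = 1 AND sp.principal_id IS NULL
            THEN 'FAIL: no SQL login'
        WHEN a.expect_roles = 1
             AND (ISNULL(r.is_dbcreator, 0) = 0 OR ISNULL(r.is_securityadmin, 0) = 0)
            THEN 'FAIL: missing dbcreator or securityadmin'
        WHEN a.expect_roles = 0
             AND (r.is_dbcreator = 1 OR r.is_securityadmin = 1)
            THEN 'REVIEW: server role not listed for this account'
        WHEN r.is_sysadmin = 1
            THEN 'REVIEW: sysadmin exceeds the listed roles'
        ELSE 'OK'
    END AS finding
FROM @accounts AS a
LEFT JOIN sys.server_principals AS sp
       ON sp.name = a.login_name
CROSS APPLY (
    -- IS_SRVROLEMEMBER returns 1, 0, or NULL (unknown login or role)
    SELECT IS_SRVROLEMEMBER('dbcreator',     a.login_name) AS is_dbcreator,
           IS_SRVROLEMEMBER('securityadmin', a.login_name) AS is_securityadmin,
           IS_SRVROLEMEMBER('sysadmin',      a.login_name) AS is_sysadmin
) AS r
ORDER BY a.purpose;
```

Database-level grants such as db_owner on the search and content databases are not covered here; they would need a per-database check.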


2 Responses to “70-541: Create WSS Service Accounts”

  1. Pankaj Says:

    Hi Fodi,
    This is really a great series you are writing, this will help lots of people in the technology those who are aspiring for MCTS – 541, really I’m gonna follow the articles in this series and expecting lot more on this! Good work!
    Pankaj

    • Thanks for the positive feedback Pankaj. I had to take a break from blogging due to other work and personal commitments, but I’m going to start blogging again. Look for some new posts in the next day or so.

