Home > Uncategorized > Dedicated SharePoint Installation Account

Dedicated SharePoint Installation Account

The conversation about installing SharePoint Server using a dedicated installation account, and the principle of ‘least privileges’ is not a new one and I refer to an article written by Spence Harbar many moons ago which still applies today.

However I still come across many situations where a dedicated install account is never considered, and (more worryingly) even quite a few situations where installing using the Farm Account (also known as the DBA Account) is considered!

You should absolutely 100% NOT be installing SharePoint using the Farm account or any other service account, for the following reasons:

– It’s a service account and therefore should not have any logon rights at all.

– It should only have the permissions assigned to it by the configuration wizard.  None should be assigned manually before or after.

The Dedicated SharePoint Installation Account

A dedicated account should be used to Install SharePoint and any Service Packs/Hotfixes, run the Configuration Wizard, and run any STSADM/Powershell scripts on the farm.  This is because:

1) It is granted the highest permissions of any of the SharePoint server accounts, and you don’t want these privileges assigned to your service accounts:

Local Administrator on each SharePoint Server

SQL Server Roles: dbcreate + securityadmin

2) It has no influence on the running of the farm so if it gets locked out (because someone keyed in the test farm password three times for example) it has zero consequence.  It is even recommended it is disabled when not in use.

3) It also keeps things nice and tidy and prevents giving high permissions to Tom Cobley and all to perform farm admin. Yes, you may not be able to identify culprits who make mistakes, but you shouldn’t be giving this account out on a whim either.

This hangs over from MOSS 2007 and the best practise is pretty much identical.  Yes, there is a known bug with the User Profile service where admin rights must be temporarily raised on the farm account (but then rescinded), but this is no reason to do run any of the installation as MOSS Farm!

The only exception is when configuring a DEV machine, but if you train bad habits you’ll end up executing them for real!

Advertisements
Categories: Uncategorized
  1. October 9, 2014 at 1:19 pm

    I will right away seize your rss feed as I can’t find your email subscription link or newsletter service.
    Do you’ve any? Kindly let me recognise in order that
    I may subscribe. Thanks.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: