
Friday, June 28, 2013

SharePoint 2013 Installation Part 5

Part 5 : SharePoint Service Accounts

Part 1: Preparing the environment
Part 2: Installing Windows Server 2012
Part 3: Adding Active Directory Domain Services
Part 4 : Configure DNS 


In Part 1 of this series we saw how to create a VM with Windows Server 2012. In Part 2 we continued with the Server 2012 install and renamed our VM. In Part 3 we enabled Active Directory Domain Services on the server, and in Part 4 we saw how to configure DNS on our server. That completes all the necessary steps in preparing the Windows Server environment to host SharePoint.

Starting in Part 5 we will get deep into SharePoint prerequisites. SharePoint, as you know, has embraced the Service Application architecture since SP 2010. This is a clean and tidy way of separating different applications and their resources. SharePoint 2013 continues on the same road and in fact has leveled some of the bumps that were present in SP 2010.

Though we are creating a development machine where we could run all services under a single account, we should make it a habit to create multiple accounts similar to our production deployment so that we adhere to best practices. I do this because this is a practice for production and I also remember to create multiple accounts for service accounts.

In this blog I will share some of the service accounts that I always create, even in a development environment, and their permissions.

I tend to base my service account requirements and permissions on these blogs because they explain this much more lucidly than Microsoft TechNet. Todd Klindt, Vlad Catrinescu and Eric Harlan have explained the need much more elaborately. I took Todd Klindt's table model as an example because it helps at a glance. Names can be anything, and in a development environment they are at our discretion, but in production please name accounts in a way that anybody can understand. If there is a naming convention in the organization for production, it's better to stick to the convention.
 


Accounts for Base Install of SharePoint 2013




| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| sp_install | Used to install SharePoint binaries. | Domain User | Local administrator on all SharePoint boxes | public, dbcreator, and securityadmin SQL roles. Need to be SysAdmin on SQL when installing the Workflow Manager |
| sp_farm | Farm account. Used for Windows Timer Service, Central Admin and User Profile service | Domain User | Local Admin during UPS provisioning, log on locally right | public, dbcreator, and securityadmin SQL roles. Need to be SysAdmin on SQL when installing the Workflow Manager |
| sp_webapp | App pool id for content web apps | Domain User | None | None |
| sp_serviceapps | Service app pool id | Domain User | None | None |
| sp_content | Default account used by Search Service Application to crawl content | Domain User | None | None |
| sp_userprofile | Account used by the User Profile services to access Active Directory | Must have Replicating Change permissions to AD. Must be given in BOTH ADUC and ADSIEDIT. If domain is Windows 2003 or early, must also be a member of the "Pre-Windows 2000" built-in group. | None | None |
| sp_superuser | Cache account | Domain User | Web application Policy Full Control; Web application super account setting | None |
| sp_superreader | Cache account | Domain User | Web application Policy Full read; Web application super reader account setting | None |










Accounts Required for SQL Server


| Name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| SQL_Admin | SQL Admin on the SQL Server. Used to Install the SQL Server. | Domain User | None | Local Administrator on the SQL Server |
| SQL_Services | It is the service account for the following SQL Server services: MSSQLSERVER, SQLSERVERAGENT. | Domain User | None | Will be given necessary permissions when SQL Server is installed by a local administrator on the SQL box |

 

I usually use one account for SQL, but Vlad Catrinescu has explained the security and even has more advanced scenarios.

Accounts Required for Search

| Name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| SP_Crawl | The Default Content Access Account for the Search Service Application | Domain User | None | None |
| SP_Search | Service Account to run the SharePoint Search “Windows Service” | Domain User | None | None |

 

Accounts Required for Optional Components

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| sql_ssas | Account that we run the SQL Server Analysis Service services as | Domain User | None | db_datareader on databases |
| sp_excel | Excel services unattended account. | Domain User | None | None |
| sp_pps | PerformancePoint Unattended account | Domain User | None | None |
| sp_accsvc | Access Services. Used to create all Access databases in SQL and the service account running the service app pool for the Access Service Application | Domain User | None | db_owner, public, and securityadmin |
| sp_workflow | The RunAs account for the Workflow Manager service | Domain User | None | None |


It's time to create all these accounts in our domain for our journey.
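One way to create the base-install accounts from the first table and confirm that each one stays a plain Domain User is sketched below. This is an added example, not part of the original post; the OU path and the `contoso.local` domain are placeholder assumptions, and the script does not grant the Replicating Directory Changes right that `sp_userprofile` needs.

```powershell
# Added example (not from the original post).
# Assumptions: the OU below and the contoso.local domain are placeholders;
# account names and roles are taken from the base-install table.
Import-Module ActiveDirectory

$ou = 'OU=Service Accounts,DC=contoso,DC=local'   # hypothetical OU

$accounts = [ordered]@{
    sp_install     = 'Used to install SharePoint binaries'
    sp_farm        = 'Farm account: Timer Service, Central Admin, User Profile service'
    sp_webapp      = 'App pool id for content web apps'
    sp_serviceapps = 'Service app pool id'
    sp_content     = 'Default content access account for Search crawl'
    sp_userprofile = 'User Profile services access to Active Directory'
    sp_superuser   = 'Cache account (super user)'
    sp_superreader = 'Cache account (super reader)'
}

# Create each account as an ordinary domain user with its own password,
# so a compromise of one service identity does not expose the others.
foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }
    $password = Read-Host -AsSecureString "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -Description $accounts[$name] -AccountPassword $password `
        -Enabled $true
}

# Audit: the table lists every account as Domain User only, so any other
# domain group membership (for example Domain Admins) is a deviation.
foreach ($name in $accounts.Keys) {
    $extra = Get-ADPrincipalGroupMembership -Identity $name |
        Where-Object { $_.Name -ne 'Domain Users' }
    if ($extra) {
        Write-Warning "$name is also a member of: $($extra.Name -join ', ')"
    }
}
```

The audit loop can be rerun on its own after the farm is built to catch accounts that were temporarily elevated during setup and never reduced again.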

Let me know your thoughts in the form of comments.