Pages

Friday, June 28, 2013

SharePoint 2013 Installation Part 5

Part 5 : SharePoint Service Accounts

Part 1: Preparing the environment
Part 2: Installing Windows Server 2012
Part 3: Adding Active Directory Domain Services
Part 4 : Configure DNS 


In the Part 1 of this series we saw how to create a VM with Windows Server 2012. In part 2 we continued with server 2012 install and renaming the our VM. In Part 3 we enables Active Directory Domain Services in the server and Part 4 we saw how we can configure DNS in our server. That completes all necessary steps in preparing Windows Server environment to Host SharePoint. 

Starting in Part 5 we will see get deep into SharePoint prerequisites. SharePoint as you know since SP 2010 has embraced Service Application architecture. This is a clean and tidy process of separating different application and its resources. SharePoint 2013 continues on the same road and infact have leveled some of the bumbs that was present in SP 2010.

Though we are creating a development machine where we can run all services in single account but we should make it a habit of creating multiple accounts based similar to our production deployment so we adhere to best practices. I do this because this a practice for production and I also remember to create multiple accounts for service accounts

In this blog I will share some of the Service accounts that I always create even in development environment and their permissions.

I tend to base my service accounts requirements and permissions on these blogs because this explains much more lucidly than Microsoft technet. Todd KlindtVlad Catrinescu. and Eric Harlan has explained the need much more elaborately.  I took Todd Klindt table model as a example because it helps at a glance. Names can be anything and in development environment is at our discretion but in production please name in a way that anybody can understand. If there is any naming convention in the organization for production its better to stick to the convention.
 


Accounts for Base Install of SharePoint 2013




Account name
Role
Domain rights
Local SharePoint Server rights needed
SQL rights needed
sp_install
Used to install SharePoint binaries.
Domain User
Local administrator on all SharePoint boxes
public, dbcreator, and securityadmin SQL roles. Need to be SysAdmin on SQL when installing the Workflow Manager
sp_farm
Farm account. Used for Windows Timer Service, Central Admin and User Profile service
Domain User
Local Admin during UPS provisioning, log on locally right
public, dbcreator, and securityadmin SQL roles. Need to be SysAdmin on SQL when installing the Workflow Manager
sp_webapp
App pool id for content web apps
Domain User
None
None
sp_serviceapps
Service app pool id
Domain User
None
None
sp_content 
Default account used by Search Service Application to crawl content
Domain User
None
None
sp_userprofile
Account used by the User Profile services to access Active Directory
Must have Replicating Change permissions to AD. Must be given in BOTH ADUC and ADSIEDIT. If domain is Windows 2003 or early, must also be a member of the "Pre-Windows 2000" built-in group.
None
None
sp_superuser
Cache account
Domain User
Web application Policy Full Control
Web application super account setting
None
sp_superreader
Cache account
Domain User
Web application Policy Full read
Web application super reader account setting
None










Accounts Required for SQL Server


Name
Role
Domain rights
Local SharePoint Server rights needed
SQL rights needed
SQL_Admin
SQL Admin on the SQL Server. Used to Install the SQL Server.
Domain User
None
Local Administrator on the SQL Server
SQL_Services
It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT.
Domain User
None
Will be given necessary permissions when SQL Server is installed by a local administrator on the SQL box

 

I usually use one account for SQL but Vlad Catrinescu. has explained the security and even has more advanced scenarios.

Accounts Required for Search

Name
Role
Domain rights
Local SharePoint Server rights needed
SQL rights needed
SP_Crawl
The Default Content Access Account for the Search Service Application
Domain User
None
None
SP_Search
Service Account to run the SharePoint Search “Windows Service”
Domain User
None
None

 

Accounts Required for Optional Components

Account name
Role
Domain rights
Local SharePoint Server rights needed
SQL rights needed
sql_ssas
Account that we run the SQL Server Analysis Service services as
Domain User
None
db_datareader on databases
sp_excel
Excel services unattended account.
Domain User
None
None
sp_pps
PerformancePoint Unattended account
Domain User
None
None
sp_accsvc
Access Services. Used to create all Access databases in SQL and the service account running the service app pool for the Access Service Application
Domain User
None
db_owner, public, and securityadmin
sp_workflow
The RunAs account for the Workflow Manager service
Domain User
None
None


Its time to create all these accounts in our domain for our journey.

Let me know your thoughts in the form of comments.

No comments:

Post a Comment