
Prepare User Accounts for SharePoint Administration and Services

Exam: Microsoft 70-667 - TS: Microsoft SharePoint 2010, Configuring

This article discusses in detail how user accounts are prepared for administration and services during initial deployment. Implementing every aspect of a production farm requires additional accounts and permissions.

SharePoint is closely tied to, and in practice dependent on, SQL Server and Active Directory. Briefly:

  • Active Directory: provides authentication and identity services. User accounts, including the username and password for each account, are stored in Active Directory, which also validates account logons. It supports users logging on to a SharePoint site as well as the accounts used by the SharePoint and SQL Server services.
  • SQL Server: nearly all content and configuration of a SharePoint farm is stored in SQL Server. The services SQL Server runs as Windows services each require a username and password to log on.

SharePoint itself runs under Active Directory credentials, and it uses those credentials to access data in SQL Server. SQL logins are therefore required to authorize that access. These SQL logins are created automatically when the setup process is run and when web applications are created.

To support administration and the various services of SQL Server and SharePoint, identities must be created in Active Directory, and it is equally essential that the proper permissions are in place. The 'least privilege' security posture should be observed: each account is granted only the permissions necessary to perform its task. The accounts that fall under 'least privilege' are:

  • SQL_Admin (SQL Server Administrator Account)
  • SQL_Service (SQL Server Service Account)
  • SP_Admin (SharePoint Administrator and Setup User Account)
  • SP_WebApps and SP_ServiceApps (Web and Service Application Pool Accounts)
  • SP_Crawl (Search Indexer (Crawler) Account)
  • SP_UserSync (User Profile Synchronization Account)
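The list above is the set of identities to create in Active Directory. The following PowerShell script is an added example, not part of the article or of any Microsoft guidance: it creates each of the listed accounts in a dedicated OU and then audits that none of them has ended up in a privileged group, which is the check a reviewer applying least privilege would want. The domain name CONTOSO, the OU path, and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the article): create the least-privilege SharePoint 2010
# service accounts in Active Directory and audit that none of them holds
# privileged group membership. The ActiveDirectory module, the domain
# contoso.com and the OU path below are all assumptions.
Import-Module ActiveDirectory

$ouPath = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'   # assumed OU; create it beforehand

# Account names from the article; the description records each account's single purpose.
$accounts = @(
    @{ Name = 'SQL_Admin';      Description = 'SQL Server administrator' },
    @{ Name = 'SQL_Service';    Description = 'SQL Server / SQL Server Agent service account' },
    @{ Name = 'SP_Admin';       Description = 'SharePoint setup and administrator account' },
    @{ Name = 'SP_WebApps';     Description = 'Web application pool identity' },
    @{ Name = 'SP_ServiceApps'; Description = 'Service application pool identity' },
    @{ Name = 'SP_Crawl';       Description = 'Search crawler (content access) account' },
    @{ Name = 'SP_UserSync';    Description = 'User Profile Synchronization account' }
)

foreach ($acct in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") {
        Write-Host "$($acct.Name) already exists, skipping"
        continue
    }
    # Prompt for each password so that none is written into the script or a log.
    $password = Read-Host -AsSecureString "Password for $($acct.Name)"
    New-ADUser -Name $acct.Name -SamAccountName $acct.Name `
        -UserPrincipalName "$($acct.Name)@contoso.com" `
        -Description $acct.Description -Path $ouPath `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false
}

# Audit: a service account sitting in a privileged group violates least privilege.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($acct in $accounts) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.Name |
              Select-Object -ExpandProperty Name
    $hits = $groups | Where-Object { $privilegedGroups -contains $_ }
    if ($hits) {
        Write-Warning "$($acct.Name) is a member of privileged group(s): $($hits -join ', ')"
    } else {
        Write-Host "$($acct.Name): no privileged group membership"
    }
}
```

The audit loop is worth keeping as a scheduled check after deployment, since the most common drift is an administrator adding a service account to Domain Admins to "make something work".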

The accounts used in the initial deployment of SharePoint 2010 are discussed in detail below:

  • SQL_Service (SQL Server Service Account): As the name suggests, this account runs SQL Server. It serves as the service account for the MSSQLSERVER and SQLSERVERAGENT services. If SQL Server is installed as a named instance rather than the default instance, the services appear as

    • 'MSSQL$InstanceName'
    • 'SQLAgent$InstanceName'

    in the Windows Services screen. The account can be either Local System or a domain user account. If backups are written to an external location, or restores are performed from an external system, this account needs the appropriate permissions on that location.

  • SP_Admin (Setup user account): This account is used to run two things:

    • Setup, and
    • the SharePoint Products Configuration Wizard.

    The account must be a domain user account, must have a SQL Server login on the computer running SQL Server, and must be a member of the Administrators group on each server on which Setup is run. In addition, it must be a member of both the 'securityadmin' and 'dbcreator' SQL Server fixed server roles.

    If Windows PowerShell cmdlets that affect a database are run, the account must also be a member of the 'db_owner' role for that database.

  • Server farm account/DBA account: This account is used for the following functions:

    • Configuring and managing the server farm.
    • Serving as the application pool identity for the SharePoint Central Administration Web site.
    • Running the Microsoft SharePoint Foundation Workflow Timer Service.

The server farm account is automatically added as a SQL Server login on the computer running SQL Server, and is automatically added to the 'dbcreator', 'securityadmin' and 'db_owner' SQL Server security roles.
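The SP_Admin requirements (a SQL Server login plus the 'securityadmin' and 'dbcreator' roles) and the farm account's automatic role membership both come down to fixed server role assignments that can be granted and audited from PowerShell. The script below is an added example, not code from the article or from Microsoft: it creates the SP_Admin login and role membership, then lists every fixed server role held by the setup and farm accounts and flags anything beyond the two roles the article names. The instance name SQL01, the domain CONTOSO, the farm account name SP_Farm, and the SqlServer module providing Invoke-Sqlcmd are all assumptions.

```powershell
# Added example (not from the article): grant SP_Admin the SQL Server login and
# fixed server roles the article lists, then audit the server roles held by the
# SharePoint setup and farm accounts. The instance SQL01, the domain CONTOSO,
# the farm account name SP_Farm and the SqlServer module are assumptions.
Import-Module SqlServer

$sqlInstance  = 'SQL01'              # assumed; use 'SQL01\InstanceName' for a named instance
$setupAccount = 'CONTOSO\SP_Admin'
$farmAccount  = 'CONTOSO\SP_Farm'    # assumed name for the server farm account

# sp_addsrvrolemember is available on SQL Server 2008 R2, the version current with SharePoint 2010.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$setupAccount')
    CREATE LOGIN [$setupAccount] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$setupAccount', N'securityadmin';
EXEC sp_addsrvrolemember N'$setupAccount', N'dbcreator';
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $grant

# Audit: list every fixed server role held by the two accounts.
# Anything beyond securityadmin and dbcreator (sysadmin, for example) is a finding.
$audit = @"
SELECT m.name AS LoginName, r.name AS ServerRole
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name IN (N'$setupAccount', N'$farmAccount')
ORDER BY m.name, r.name;
"@
$allowedRoles = 'securityadmin', 'dbcreator'
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $audit | ForEach-Object {
    $flag = if ($allowedRoles -contains $_.ServerRole) { '' } else { '  <-- exceeds least privilege' }
    '{0,-22} {1}{2}' -f $_.LoginName, $_.ServerRole, $flag
}
```

Note that 'db_owner' is a database role rather than a server role, so it does not appear in sys.server_role_members; checking it means querying sys.database_role_members inside each SharePoint database. The server-level audit above is still the first thing to run, because a farm or setup account that has quietly acquired 'sysadmin' is the finding that matters most.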