One of the most important aspects of planning for deployment is to identify the service accounts that will be needed. There are several accounts that must be specified, even for the most basic farm topologies. Other accounts will be required depending on the additional functionality deployed.
NOTE: It is a recommended best practice to install SharePoint 2010 using “least-privileged” accounts. This decreases the potential damage if an account is compromised.
Table 1-3 lists the service accounts required for all SharePoint 2010 installations, and Table 1-4 lists other service accounts.
TABLE 1-3 Required Service Accounts
ACCOUNT | PURPOSE | REQUIREMENTS |
SQL Server service account | Run SQL Server processes. For the default instance, use MSSQLSERVER and SQLSERVERAGENT; for a named instance, use MSSQL$InstanceName and SQLAgent$InstanceName | Either a local system account or a domain account. Ensure that this account has access to any external resources used to back up or restore. If using a local system account (Network Service or Local System), grant access to domain_name\SQL_hostname$. |
Setup user account | Run installation and the SharePoint Products and Technologies Configuration Wizard | Domain account; member of the Administrators group on each server where setup is run; SQL Server login on the database server; member of the securityadmin and dbcreator server roles; if using Windows PowerShell, you must be a member of the db_owner fixed role on the database |
Server farm account/database access account | Configure and manage the server farm; application pool identity for the Central Administration Web site; run the SharePoint Foundation Timer Service | Domain account. Additional permissions are also granted on Web front-end and application servers because they are added to the farm. This account is also added to the following SQL Server roles on the farm database server: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role on all SharePoint databases for the farm |
TABLE 1-4 Other Service Accounts
ACCOUNT | PURPOSE | REQUIREMENTS |
Search Service account | Run Search Service | This account will default to the farm administrator account, but you should specify a different account for security purposes. |
Content Access account | Used to access content sources for crawling. Defaults to Search Service account. | Domain account with read access to content to be crawled. |
Application pool accounts | Used for running IIS Web applications that host SharePoint site collections. | Can be a local system account or a domain account. |
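A least-privilege check for the SQL Server roles in Table 1-3, as an added example that is not from the book: the T-SQL below reports fixed server roles that the setup user and server farm accounts are missing, or hold beyond dbcreator and securityadmin. The login names CONTOSO\sp_setup and CONTOSO\sp_farm are constructed placeholders; the script assumes SQL Server 2008 or later and covers only direct server-role membership, not roles inherited through a Windows group and not the db_owner database role.

```sql
-- Added example: audit server-role membership against Table 1-3.
-- Run as a login that can see all server principals (e.g. a sysadmin).

-- Constructed placeholder logins; replace with the accounts used in your farm.
DECLARE @accounts TABLE (login_name sysname, purpose nvarchar(40));
INSERT INTO @accounts VALUES
    (N'CONTOSO\sp_setup', N'Setup user account'),
    (N'CONTOSO\sp_farm',  N'Server farm account');

-- Fixed server roles that Table 1-3 lists for both accounts.
DECLARE @expected TABLE (role_name sysname);
INSERT INTO @expected VALUES (N'dbcreator'), (N'securityadmin');

-- Direct fixed-server-role memberships currently defined on this instance.
-- COLLATE avoids a collation conflict when the current database's collation
-- differs from the server's.
WITH actual AS (
    SELECT m.name COLLATE DATABASE_DEFAULT AS login_name,
           r.name COLLATE DATABASE_DEFAULT AS role_name
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
)
-- Roles the table requires but the login does not hold.
SELECT a.login_name, a.purpose, e.role_name, N'MISSING' AS finding
FROM @accounts AS a
CROSS JOIN @expected AS e
WHERE NOT EXISTS (SELECT 1 FROM actual AS x
                  WHERE x.login_name = a.login_name
                    AND x.role_name  = e.role_name)
UNION ALL
-- Roles the login holds that the table does not call for (e.g. sysadmin).
SELECT a.login_name, a.purpose, x.role_name, N'EXTRA (not in Table 1-3)'
FROM @accounts AS a
JOIN actual AS x ON x.login_name = a.login_name
WHERE x.role_name NOT IN (SELECT role_name FROM @expected)
ORDER BY login_name, finding;
```

An empty result means both logins directly hold exactly the two server roles the table lists.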
Reference: SharePoint 2010 Administrator Pocket Consultant (Book)