Table of Contents
For a SharePoint installation, this page recommends the following best practices and naming conventions for service accounts. In your deployment you many not need all these accounts. For example, if PerformancePoint will not be deployed then you will not need the PerformancePoint service account.
Overview
The account name is arbitrary. But, ensure the length of the account is within the character limits (see below: SharePoint and Managed Service Accounts and SharePoint Service Account Character Length) and the name is short while at the same time descriptive enough.
- SQL Server Accounts
- SQL Admin
- SQL Service
- SharePoint Server Accounts
- SP Admin
- SP Farm
- SP Web Application
- SP Services
- SP C2WTS
- SP Cache Super User
- SP Cache Super Reader
- SP Excel User
- SP Visio User
- SP PerformancePoint User
- SP Profile
- SP Profile Sync
- SP Search Crawl
- Project Server Accounts and Groups
- PS Project
- PS Workflow Proxy
- PS Project Report
- PS Project Report Authors
- PS Project Report Viewers
- PS Project External Report Viewers
Service Accounts
SQL Server
SQL Admin
- Setup User Administrator Account
- Used for:
- SQL Server Administrator (this account has unrestricted access to the DB engine)
- SQL installation/update/upgrade
- Domain account
- Local Admin on SQL Server machine
SQL Service
- Used for:
- Running SQL Server engine and SQL Server Agent.
- Domain account
- Preferably Managed Service Account
- Optionally, for more secure environments you will want to create multiple account (all domain accounts and MSA) for each of SQL Server services.
- SQL Service – for SQL DB Engine
- SQL Agent Service – for SQL Agent
- SQL AS Service – for SQL Server Analysis Services
- SQL RS Service – for SQL Server Reporting Services
- SQL IS Service – for SQL Server Integration Services
- SQL DR Controller Service – for Distributed Replay Controller
- SQL DR Client Service – for Distributed Replay Client
SharePoint Server
SP Admin
- Setup User Administrator Account
- Used for:
- SharePoint installation
- Running the SharePoint Product Configuration Wizard
- Other Farm configurations
- Domain account
- Local Admin on APP and WFE servers
SP Farm
- SharePoint Database Access Account (AKA SharePoint Farm Service Account)
- Used for:
- Central Administration app pool identity
- Microsoft SPF Workflow Timer Service account
- Domain account
- During User Profile Synchronization application provisioning needs to be local admin and have Log On Locally rights on the Server that will be hosting the UPS application
- After UPS application provisioning remove the local admin privilege but keep the Log On Locally rights
- After giving this account local admin and Log On Locally rights permissions, it is important that you logout and log back into the server (or restart the server)
SP Web Application
- Web Application Pool Account
- Used for:
- Application pool identity for the main web application IIS website
- Domain account
SP Services
- SharePoint Web Services Application Pool Account
- Used for:
- Application pool identity for the SharePoint Web Services IIS website
- Domain account
SP C2WTS
- Claims to Windows Token Service Account
- Used as the identity for the Claims to Windows Token Service account
- Create this dedicate account if you plan to use Excel, Visio, PerformancePoint, or Office Web Apps Excel services.
- Domain account
- Local Admin on SharePoint Servers that will be running any of the following services:
- Excel Services
- Visio Service
- PerformancePoint Service
- Office Web Apps Excel Service
SP Cache Super User
- Portal Super User
- Used for:
- Super user cache account
- Domain account
- This account requires Full Control access to the web application.
SP Cache Super Reader
- Portal Super Reader
- Used for:
- Super reader cache account
- Domain account
- This account requires Full Read access to the web application.
SP Excel User
- Excel Service Unattended Service Account
- Used for:
- Connecting to external data sources that require a username and password that are based on OS other than Windows for authentication
- Domain account
SP Visio User
- Visio Graphics Service Unattended Service Account
- Used for:
- Connecting to external data sources that require a username and password that are based on OS other than Windows for authentication
- Domain account
SP PerformancePoint User
- PerformancePoint Service Unattended Service Account
- Used for:
- Connecting to external data sources that require a username and password that are based on OS other than Windows for authentication
- Domain account
SP My Site Application Pool Account
- My Sites Application Pool Account
- Used for:
- My Site application pool
- Domain account
- If you are hosting My Site site collection under the same web application as other site collections, then you don’t need this account. Create this account only if you are creating a dedicated web application of My Site site collection, in which case you set the web application app pool account to this account.
SP Profile Synchronization
- Synchronization Account
- Used for:
- Connecting to a directory service
- User Profile Services to access AD
- User Profile Services to run profile synchronization
- Domain account
- This accounts requires Replicate Directory Changes in AD DS on the domain node
- The Grant Replicate Directory Changes permission does not enable an account to create, change or delete AD DS object. It enables the account to read AD DS objects and to discover AD DS object that were changed in the domain.
SP Search Service
- Search Service Account
- Used for:
- Windows user credentials for the SharePoint Search service
- Domain account
SP Search Crawl
- Default Content Access Account
- Used for:
- For Search service application to crawl content.
- Domain account
- This account must have read access to external or secure content sources that SharePoint will be crawling.
- For SharePoint sites that are not part of the server farm, this account must explicitly be granted full read permissions to the web applications that host the sites
Project Server
If planning to deploy Project Server the following accounts and groups are required for least-privilege scenario
Accounts
- PS Project
- Project Server Service Application Application Pool Account
- Database owner for content databases with the Web application
- Read/write access to the associated Project Server Service Application database
- Read permission on SharePoint_Config database
- PS Project Report
- Secure Store Target Application Account
- This account provides the credentials needed for report viewers to view reports generated from data in the PWA database.
- This account is used as part of the Secure Store Configuration
- Add this account to the Report Authors Active Directory group
- Permission:
- Database datareader on PWA database
- PS Workflow Proxy
- Project Server Workflow Activities Account
- This account is used to make Project Server Interface (PSI) calls associated with each workflow.
- Configured as a Project Server user account, with the following permissions:
- Global permissions:
- Log On
- Manage Users and Groups
- Manage Workflow and Project Detail Pages
- Category permissions:
- Open Project
- Save Project to Project Server
- Global permissions:
- If using SharePoint Permission mode, add this account to the Administrators for PWA security group
Groups
- PS Project Report Authors
- Report Authors Group
- AD security group – Global
- Users in this group can create reports
- If report authors will also be viewing reports, add this group to the Report Viewer Group
- Permission: db_datareader on PWA database
- PS Project Report Viewers
- Report Viewers Group
- AD security group – Global
- Users in this group can view reports
- This group is used as part of Secure Store configuration
- That is, add the Secure Store account to this group
- PS Project External Report Viewers
- External Report Viewer Group
- This account is optional
- Users that do not have a PWA user account but require access to the Project Server BI Center to view reports
- Add the Secure Store Target Application Account to the Report Authors Active Directory group
- Permissions:
- Read permission to the BI Center site
SharePoint and Managed Service Accounts
For SharePoint service accounts, do not create Active Directory Domain Services accounts that are Managed Service account or Virtual Service account. These two type of service accounts were introduced in Windows Server 2008 R2 and Windows 7. They are not supported in SharePoint 2013.
In Windows Server 2012, group Managed Service account (gMSA) was introduced. Those are not supported in SharePoint 2013, either. (http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
SharePoint implements its own managed service account system in the Central Administration web site. You can use that to manage the SharePoint accounts.
For SQL Server services use Managed Service account or better yet gMSA, if using SQL Server 2012. MSA & gMSA is supported in SQL Server 2012. For example, you can use MSA/gMSA for the SQL Server Engine and SQL Server Agent. Use MSA/gMSA for SQL Server accounts that will not be used to login to the server. You can’t use MSA to login to a server. The use of MSA/gMSA for SQL Server services is considered as best practice. MSAs are limited to a total of 15 characters (this does not include the DOMAIN\ part). The following provides a good reference on how to enable MSA (http://blogs.technet.com/b/rhartskeerl/archive/2011/08/22/sql-server-code-name-denali-adds-support-for-managed-service-accounts.aspx
SharePoint Service Account Character Length
SharePoint service accounts (managed accounts) are limited to a total of 20 characters – including the Domain Name (for example Domain\SP_Name – total characters should be less than 20). This limitation is not imposed on SQL Server service accounts or SharePoint’s Setup User Account (ex: SPAdmin). But to be on the safe side, I would still follow the 20 to 25 character limit.