Feb 6, 2013

List of SharePoint Service Accounts

Hi guys,
Long time no blog since Aug 2012. I just want to share a little bit about SharePoint installation: a list of SharePoint service accounts. These service accounts are taken from Microsoft TechNet, and I hope they are useful for you.

Each entry below gives the account, the product it belongs to (SQL Server or SharePoint), what it is used for, and its requirements (marked with >).

SQL Server service account (SQL Server)
Runs the SQL Server service (MSSQLSERVER).
> Domain user account.

SQL Server Setup user account (SQL Server)
Used to run SQL Server Setup.
> Domain user account.
> Member of the Administrators group on each SQL Server on which Setup is run.

SQL Server Agent service account (SQL Server)
Runs the SQL Server Agent service (SQLSERVERAGENT).
> Domain user account.

Application pool account (SharePoint)
Identity of the application pool for a content web application. Recommended: a separate account for each SharePoint web application.
> Domain user account.
> Registered as a managed account in Central Administration.
> Must not be a member of the Farm Administrators group.

Content access account (SharePoint)
Configured through a Search crawl rule to access content that the default content access account cannot reach. This type of account is optional; you configure it when you create a crawl rule, for example for external content such as a file share.
> Domain user account.
> Read access to the external or secure content sources it is configured to crawl.
> For SharePoint Server sites that are not part of the server farm, explicitly grant this account Full Read on the web applications that host the sites.
> Must not be a member of the Farm Administrators group.

Default content access account (SharePoint)
Used by a Search service application to crawl content, unless a crawl rule specifies different authentication for a URL or URL pattern.
> Domain user account.
> Read access to the external or secure content sources it is configured to crawl.
> For SharePoint Server sites that are not part of the server farm, explicitly grant this account Full Read on the web applications that host the sites.
> Must not be a member of the Farm Administrators group.

Excel Services unattended service account (SharePoint)
Used by Excel Services to connect to external data sources that require a user name and password, that is, sources that do not use Windows authentication. If this account is not configured, Excel Services will not attempt to connect to such data sources. Even though the credentials are used for non-Windows authentication, the account must be a member of the domain or Excel Services cannot use it.
> Domain user account.

My Sites application pool account (SharePoint)
Identity of the My Site host application pool. Recommended: a separate account for each SharePoint web application.
> Domain user account.
> Registered as a managed account in Central Administration.
> Must not be a member of the Farm Administrators group.

Server farm account, also called the database access account (SharePoint)
Used to configure and manage the server farm, as the application pool identity of the SharePoint Central Administration web site, and to run the Microsoft SharePoint Foundation Workflow Timer Service.
> Domain user account.
> Additional permissions are granted automatically on web servers and application servers that are joined to the farm.
> Added automatically as a SQL Server login on the computer that runs SQL Server, with the 'dbcreator' and 'securityadmin' fixed server roles and the 'db_owner' fixed database role on every SharePoint database in the farm.

Service application pool account (SharePoint)
Identity of the application pool that hosts service applications. Recommended: use one such account for the service application pools across the farm.
> Domain user account.
> Registered as a managed account in Central Administration.

SharePoint Setup user account (SharePoint)
Used to run SharePoint Setup and the SharePoint Products Configuration Wizard.
> Domain user account.
> Member of the Administrators group on each SharePoint server on which Setup is run.
> SQL Server login on the computer that runs SQL Server.
> Member of the 'securityadmin' and 'dbcreator' fixed server roles.

User Profile Synchronization account (SharePoint)
Used for the User Profile Synchronization connection to Active Directory, configured under the User Profile Service Application.
> Domain user account.
> Registered as a managed account in Central Administration.
> Replicate Directory Changes permission on the domain in Active Directory.

Search service account (SharePoint)
Runs the SharePoint Server Search service.
> Domain user account.
> Registered as a managed account in Central Administration.
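The list above is only useful if the farm actually matches it, so here is an added audit script (my own example, not from the original post and not from Microsoft) that checks a live farm against the requirements: pool identities are DOMAIN\user managed accounts, no pool identity or crawl account sits in Farm Administrators, content web applications do not share a pool account, the farm account holds exactly the SQL server roles listed, and the synchronization account has Replicate Directory Changes on the domain. Run it in the SharePoint Management Shell as a farm administrator. The SQL instance name, the synchronization account name, and the availability of the SQLPS and ActiveDirectory modules are assumptions.

```powershell
# Added example (not from the original post or from Microsoft): audits a SharePoint farm's
# service accounts against the requirements listed above. Run in the SharePoint 2010/2013
# Management Shell as a farm administrator. Assumes Invoke-Sqlcmd (SQLPS) and the
# ActiveDirectory module are available. $SqlInstance and $SyncAccount are placeholders.
param(
    [string]$SqlInstance = 'SQL01',          # assumption: instance that hosts the farm databases
    [string]$SyncAccount = 'CONTOSO\spups'   # assumption: the UPS synchronization connection account
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$findings = New-Object System.Collections.Generic.List[string]

# Farm Administrators are the users of that group on the Central Administration site.
# Claims logins look like "i:0#.w|contoso\user"; keep only the part after the last '|'.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caWebApp.Url
$farmAdmins = @($caWeb.SiteGroups['Farm Administrators'].Users |
    ForEach-Object { ($_.UserLogin -replace '^.*\|', '').ToLower() })
$caWeb.Dispose()
$managed = @(Get-SPManagedAccount | ForEach-Object { $_.UserName.ToLower() })

function Test-ServiceIdentity {
    param([string]$Label, [string]$Identity, [switch]$MustBeManaged, [switch]$MustNotBeFarmAdmin)
    $id = $Identity.ToLower()
    if ($id -notmatch '^[^\\]+\\[^\\]+$') { $findings.Add("$Label '$Identity' is not a DOMAIN\user account") }
    if ($MustBeManaged -and $managed -notcontains $id) { $findings.Add("$Label '$Identity' is not a registered managed account") }
    if ($MustNotBeFarmAdmin -and $farmAdmins -contains $id) { $findings.Add("$Label '$Identity' is a member of Farm Administrators") }
}

# Content web application pools: managed account, not a farm admin, one account per web application.
$poolOwner = @{}
foreach ($wa in Get-SPWebApplication) {
    $acct = $wa.ApplicationPool.Username
    Test-ServiceIdentity -Label "Web application '$($wa.DisplayName)' pool identity" -Identity $acct -MustBeManaged -MustNotBeFarmAdmin
    if ($poolOwner.ContainsKey($acct.ToLower())) {
        $findings.Add("Pool identity '$acct' is shared by '$($wa.DisplayName)' and '$($poolOwner[$acct.ToLower()])'")
    } else { $poolOwner[$acct.ToLower()] = $wa.DisplayName }
}

# Service application pools: managed account (one shared account across the farm is expected here).
foreach ($pool in Get-SPServiceApplicationPool) {
    Test-ServiceIdentity -Label "Service application pool '$($pool.Name)'" -Identity $pool.ProcessAccountName -MustBeManaged
}

# Default content access account of each Search service application: must not be a farm admin.
foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
    Test-ServiceIdentity -Label "Search '$($ssa.Name)' default content access account" -Identity $ssa.DefaultGatheringAccount -MustNotBeFarmAdmin
}

# Farm account: fixed server roles in SQL Server. The login name is passed as a sqlcmd
# scripting variable (single-quoted here-string so PowerShell leaves $(login) alone).
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$roleQuery = @'
SELECT r.name FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = '$(login)'
'@
$roles = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $roleQuery -Variable "login=$farmAccount" | ForEach-Object { $_.name })
foreach ($need in 'dbcreator', 'securityadmin') {
    if ($roles -notcontains $need) { $findings.Add("Farm account '$farmAccount' lacks the $need fixed server role") }
}
if ($roles -contains 'sysadmin') { $findings.Add("Farm account '$farmAccount' holds sysadmin, which is more than the list requires") }

# Synchronization account: Replicate Directory Changes is the DS-Replication-Get-Changes
# control access right on the domain naming context. Only direct grants are detected;
# a right inherited through a group the account belongs to would be missed.
Import-Module ActiveDirectory
$replicateChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$grant = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $replicateChanges -and
    $_.IdentityReference.Value -ieq $SyncAccount
}
if (-not $grant) { $findings.Add("Sync account '$SyncAccount' has no direct Replicate Directory Changes grant on $domainDn") }

if ($findings.Count -eq 0) { 'All checked service accounts meet the listed requirements.' } else { $findings }
```

The script reports findings rather than changing anything; the SQL check deliberately flags sysadmin on the farm account because the list above only calls for dbcreator and securityadmin, and anything beyond that widens the blast radius if the Central Administration pool is compromised.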


Maybe you wonder why we must separate the service accounts into several accounts. The exact reason behind it, I don't know. But from what I have heard from a Microsoft employee when I was doing some troubleshooting, it is easier for them to do debugging if something goes wrong. SharePoint is the craziest product that I've ever known! It integrates with so much software and so many services, such as FAST Search, PerformancePoint, Forefront Identity Manager, and any type of directory (Active Directory). Any type of user they're trying to grab and make love with them. And now what they're trying to do is to make love with "many types" of developers. And maybe we don't know exactly which one is causing the error, but they do know. So doing this is quite important at the time they need it. Trust me, it's hard to track while debugging some code issue without isolating the case!