Office SharePoint Server Security Account Requirements

Compiled by György Balássy (Microsoft regional director, ASP.NET MVP) – MSDN Competence Center, Hungary

Each account below is described under the following headings (the columns of the original table):

  • Account
  • Summary
  • Description
  • Troubleshooting
  • Scope
  • Used By
  • Needed
  • Requirements
  • Single server standard requirements
  • Server farm standard requirements
  • Least privilege using domain user accounts
  • Least privilege administration using SQL authentication
  • Least privilege administration with domain user accounts when connecting to pre-created databases
Server farm-level accounts
Setup User
(SPSetup)

Summary: On every server where MOSS is to be installed, the account you run Setup with must belong to the local Administrators group. In addition, this account must be a domain user and must have a SQL Server login that is a member of the securityadmin and dbcreator server roles. This account is going to do a lot (creating new databases and new IIS sites), so make sure it has enough permissions. Typically, an account such as the domain administrator is used to run the installation, which addresses all of these security requirements.

Description: The user account that is used to run:

  • Setup on each server computer
  • The SharePoint Products and Technologies Configuration Wizard
  • The Psconfig command-line tool
  • The Stsadm command-line tool

Scope: Farm
Used by: Person installing
Needed: Setup
Requirements: Member of the Administrators group on each Web front-end (WFE) server and application server computer in the farm. Member of the SQL Server security roles that grant security administrator and database creator rights on the SQL servers.
Single server standard requirements: Member of the Administrators group on the local computer.

Server farm standard requirements:

  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer running SQL Server.
  • Member of the following SQL Server security roles:
    • securityadmin fixed server role
    • dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must also be a member of the db_owner fixed database role for that database.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • This account should NOT be a member of the Administrators group on the computer running SQL Server.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • SQL Server login on the SQL Server computer.
  • NOT a member of the following SQL Server security roles:
    • securityadmin fixed server role
    • dbcreator fixed server role
  • NOT a member of the Administrators group on the computer running SQL Server.

Note You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database; you cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases. All other content databases can be created in Central Administration by selecting the SQL authentication option.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on the computer running SQL Server.

This account is used to configure the databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup User account.

SQL Server Service
(SQLService)

Summary: This account is specified when a new SQL Server is brought online or a new instance is installed. It is typically used for running both SQL Server and SQL Server Agent, although each can have its own account. For our purposes, we will use one account for both SQL Server and the Agent. The account only needs to be a basic domain account with no specific permissions set; when SQL Server is installed, all of the other appropriate permissions are granted to the account.

Description: SQL Server prompts for this account during SQL Server Setup. This account is used for the following SQL Server services:

  • SQL Server (MSSQLSERVER)
  • SQL Server Agent (SQLSERVERAGENT)

If you are not using the default instance, these services have the following names:

  • MSSQL$InstanceName
  • SQLAgent$InstanceName

This is the security context used by Central Administration for creating databases and other SQL configurations.

Troubleshooting: Always use the SQL Server tools, never the Services MMC snap-in, to change this account.
Scope: Farm
Used by: MSSQLSERVER, SQLSERVERAGENT
Needed: Setup
Requirements: Member of the Administrators group on each server on which Setup runs and on each SQL Server computer; database system administrator; member of the SQL Server security administrator and database creator roles.
Single server standard requirements: Local System account (default).

Server farm standard requirements: Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, one that does not exist in the Active Directory directory service), Kerberos authentication fails and NTLM is used instead. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails with a "Cannot generate SSPI context" error message. Authentication always tries the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions on the external resource to the machine account (domain_name\SQL_hostname$).

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Note All database accounts must be created as SQL Server login accounts in Microsoft SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before any content database is created, including the configuration database and the SharePoint_AdminContent database. Create one SQL Server login for both the configuration database and the SharePoint_AdminContent database.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Server Farm
(SPFarmService)

Summary: This account serves a few roles. First, it is used by MOSS to access the databases: it is the account through which the server(s) MOSS is installed on communicate with SQL Server (read/write). Additionally, it is the identity for the Central Administration application pool and the Windows SharePoint Services Timer service. This account needs to be a domain account. Note that it is widely believed that this account must be a local administrator on every MOSS box; this is not true.

Description: This account is also referred to as the database access account.

This account is:

  • The identity for the application pool that hosts the SharePoint Central Administration Web site.
  • The process account for the Windows SharePoint Services Timer service.

Troubleshooting: You may receive Access Denied on some pages of the Central Administration site when this account has not been given local administrator permissions.

If a DCOM error with event ID 10016 is logged to the System log, use the Component Services MMC snap-in to assign Local Activation permission for the IIS WAMREG admin Service to this account.

Read KB926959 if you receive Access Denied when trying to edit the content source schedule.

Do NOT log on interactively with this account.

Scope: Farm
Used by: Central Administration site application pool identity
Needed: Setup
Requirements: Member of the Administrators group on each WFE server and application server computer in the farm, with SQL Server security administrator and database creator rights on the SQL servers. Database Owner (DBO) for all databases and additional permissions on WFE server and application server computers are automatically configured for this account when SharePoint is installed.
Single server standard requirements: Network Service (default). No manual configuration is necessary.

Server farm standard requirements:

  • Domain user account.
  • If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all databases in the server farm

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
  • This account does not require permissions to SQL Server before the configuration database is created.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
  • NOT a SQL Server login on the computer running SQL Server.
  • This account does not require permissions to SQL Server before the configuration database is created.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
  • This account does not require permissions to SQL Server before the configuration database is created.

After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases:

  • Users group
  • db_owner fixed database role

SSP accounts

SSP App Pool
(SPSSPPool)

Description: Application pool identity for the shared services administration Web application.

Troubleshooting: If a DCOM error with event ID 10016 is logged to the System log, use the Component Services MMC snap-in to assign Local Activation permission for the IIS WAMREG admin Service to this account.

Scope: App
Used by: SSP App Pool identity
Needed: SSP creation
Requirements: No configuration is necessary. The following permissions are automatically configured for this account when SharePoint is installed: DBO for the Shared Services Provider (SSP) content database, read/write permissions for the SSP content database, read/write permissions for the content databases of Web applications that are associated with the SSP, read permissions for the configuration database, read permissions for the Central Administration content database, and additional permissions on WFE server and application server computers.
Single server standard requirements: No manual configuration is necessary.

Server farm standard requirements: No manual configuration is necessary.

The following are automatically configured:

  • Membership in the db_owner role for the SSP content database.
  • Access to read from and write to the SSP content database.
  • Access to read from and write to content databases for Web applications that are associated with the SSP.
  • Access to read from the configuration database.
  • Access to read from the Central Administration content database.
  • Additional permissions to front-end Web servers and application servers are automatically granted.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • For security isolation, use a separate service account for each SSP.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • For security isolation, use a separate service account for each SSP.

SSP Service Account
(SPSSP#Service)

Summary: Each shared services provider can run under its own account; therefore it is desirable to include a number in the account name. This way, if your MOSS farm ends up with a large number of SSPs, you can easily map each SSP back to its service account. This account is used for the SSP Web services and the SSP timer jobs. It only needs to be a basic domain account with no specific permissions set.

Description: Used by the following:

  • SSP Web services for inter-server communication
  • SSP Timer service to run specific types of jobs
  • Application pool identity of the application pool associated with the virtual directory of a given SSP

Scope: Farm
Used by: SSP Timer service; SSP Web services
Needed: SSP creation
Requirements: Same as the SSP App Pool account.

Single server standard requirements:

  • No manual configuration is necessary.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Server farm standard requirements:

  • Use a domain user account.
  • No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

After the configuration database and the Central Administration content database are created, add this account to the following for these databases:

  • Users group
  • WSS_Content_Application_Pools database role

After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases:

  • Users group
  • db_owner role

After My Sites are created, add this account to the following for the My Sites Web application content database:

  • Users group
  • db_owner role

After each content database is created, add this account to the following:

  • Users group
  • db_owner role

Office SharePoint Server Search Service
(SPSearchService)

Summary: This account is used by all of the shared services providers to crawl local and remote content. It should be a domain account and have local administrator permissions on each MOSS server.

Description: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service, and it is used by all SSPs.

Single server standard requirements: By default, this account runs as the Local System account.

If you want to crawl remote content, either by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

Server farm standard requirements:

  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.

The following are automatically configured:

  • Access to read from the configuration database.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

After the configuration database and the Central Administration content database are created, add this account to the following for these databases:

  • Users group
  • WSS_Content_Application_Pools role

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

  • Users group
  • db_owner role

Search Default Content Access Account
(SPSSP#ContentAccess)

Summary: When a shared services provider crawls content, this is the default account used if a specific account (see below) is not specified for the content source being crawled. This account is specific to each individual SSP. It should be a domain account with read access to the content sources it needs to crawl.

Description: The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

Scope: App
Used by: Windows SharePoint Services 3.0 Search service
Needed: SSP creation
Requirements: Must be a domain account, but must not be a member of the Farm Administrators group. It requires read access to the external or secure content sources that you want to crawl using this account. Additional permissions for this account are automatically configured when SharePoint is installed.
Single server standard requirements: No manual configuration is necessary if this account only crawls local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account and apply the requirements listed for a server farm.

Server farm standard requirements:

  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.
  • Read access to external or secure content sources that you want to crawl by using this account.
  • For sites that are not part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

The following are automatically configured:

  • Full Read permissions are automatically granted to content databases hosted by the server farm.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
  • Do not grant the default content access account access to the directory service.

For added security, use a different default content access account for each SSP.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login on the SQL Server host.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
  • Do not grant the default content access account access to the directory service.

For added security, use a separate default content access account for each SSP.

After the configuration database and the Central Administration content database are created, add this account to the following for these databases:

  • Users group
  • WSS_Content_Application_Pools database role

Search Specific Content Access Account
(SPXXXContentAccess)

Summary: If you have specific content sources that need to be crawled and you do not want to allow the default content access account to crawl them, specify an individual content access account (this is done when a crawl rule is set up). This account is a domain account with read permissions specifically on the content source it crawls.

Description: A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.

Scope: Rule
Used by: Windows SharePoint Services 3.0 Search service
Needed: Create a new crawl rule
Requirements: Read access to the external or secure content sources that this account is configured to access.
Single server standard requirements: Same as the SSP default content access account listed previously.

Server farm standard requirements:

  • Read access to external or secure content sources that this account is configured to access.
  • For Web sites that are not part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

User Profile and Properties Content Access Account

Description: Used to:

  • Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or another directory source.
  • Import profile data from a directory service.

If no account is specified, the search default content access account is used. If the search default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.

Scope: App
Used by: Profile import
Needed: SSP creation
Requirements: Read access to the directory service. For an Active Directory connection that enables Server Side Incremental, the account must have the Replicate Changes permission in Active Directory on Windows 2000 Server; this permission is not required for Windows Server 2003 Active Directory. Manage User Profiles right. View rights on entities used in Business Data Catalog import connections.
Single server standard requirements: Same requirements as server farm.

Server farm standard requirements:

  • Read access to the directory service.
  • If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
  • Manage User Profiles personalization services permission.
  • View permissions on entities used in Business Data Catalog import connections.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • This account can be the same account as the default content access account, or you can use a separate account.
  • Read access to the directory service.
  • Manage User Profiles personalization services permission.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • This account can be the same account as the default content access account, or you can use a separate account.
  • Use an account that has read access to the directory service and the Manage User Profiles personalization services permission.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Excel Services Unattended Service Account

Description: The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.

The SSP App Pool account is used if none is specified. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool account.

Scope: App
Used by: Excel Services service
Needed: SSP creation
Requirements: Read/write access to the Excel data sources.
Single server standard requirements: Must be a domain user account.
Server farm standard requirements: Must be a domain user account.
Least privilege using domain user accounts: Must be a domain user account.
Least privilege administration using SQL authentication: Must be a domain user account.
Least privilege administration with domain user accounts when connecting to pre-created databases: Must be a domain user account.

Windows SharePoint Services Search accounts

Windows SharePoint Services Search Service Account
(WSSSearch)

Summary: The Windows SharePoint Services Search service is used only to provide search capabilities within the Help content. If this search feature is desired, this account should be configured as a domain account with no specific permissions.

Description: Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm, and it is used by all SSPs.

Troubleshooting: Do NOT use the Network Service account (KB927012).

Scope: Farm
Used by: Windows SharePoint Services 3.0 Search service
Needed: SSP creation
Requirements: Must be a domain account, but must not be a member of the Farm Administrators group. Permissions automatically configured for this account when SharePoint is installed include the following: read/write permissions for content databases for Web applications, read permissions for the configuration database, and read/write permissions for the Windows SharePoint Services Search database.
Single server standard requirements: By default, this account runs as the Local System account.

Server farm standard requirements:

  • Must be a domain user account.
  • Must not be a member of the Farm Administrators group.

The following are automatically configured:

  • Access to read from the configuration database and the SharePoint_AdminContent database.
  • Membership in the db_owner role for the Windows SharePoint Services Search database.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

  • Users group
  • db_owner role

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

  • Users group and db_owner role for the WSS_Search database.
  • Users group in the configuration database.
  • Users group in the Central Administration content database.

Windows SharePoint Services Search Content Access Account

Description: Used by the Windows SharePoint Services Search application server role to crawl content across sites.

Troubleshooting: Use the Windows SharePoint Services Search service account as the content access account if an error with event ID 2424 is logged to the Application log.

Single server standard requirements: Must not be a member of the Farm Administrators group.

The following are automatically configured:

  • Added to the Web application Full Read policy for the farm.

Server farm standard requirements: Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

  • Added to the Web application Full Read policy for the farm.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

  • Users group and the db_owner role in the WSS_Search database.
  • Users group in the configuration database.
  • Users group in the Central Administration content database.

Additional application pool identity accounts

App Pool Identity
(XXXPool)

Summary: When each application pool is set up, you must specify an account that is used as that application pool's identity. This account is used to access the content databases associated with the Web application. It is recommended that a new service account be created for each application pool. This should be a domain account with no specific permissions; when the account is specified and SharePoint creates the application pool, it automatically grants the account the additional permissions it needs.

Description: The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.

Plan one for each application pool.

Troubleshooting: If a DCOM error with event ID 10016 is logged to the System log, use the Component Services MMC snap-in to assign Local Activation permission for the IIS WAMREG admin Service to this account.

Scope: App
Used by: Web applications
Needed: App pool creation
Requirements: No configuration is necessary. SQL Server privileges that are automatically assigned to this account are membership in the Database Owners group for content databases associated with the Web application, read/write access to the associated SSP database only, and read permission for the configuration database. Additional privileges for this account on WFE servers and application servers are automatically configured by SharePoint.
Single server standard requirements: No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm standard requirements: No manual configuration is necessary.

The following are automatically configured:

  • Membership in the db_owner role for content databases and search databases associated with the Web application.
  • Access to read from the configuration database and the SharePoint_AdminContent database.
  • Access to read from and write to the associated SSP database.
  • Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least privilege using domain user accounts: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account for each application pool.
  • This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege administration using SQL authentication: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.
  • NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
  • NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases: server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account for each application pool.
  • This account should not be a member of the Administrators group on any computer in the server farm.

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

  • Users group
  • db_owner role
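
On the SQL Server side, the least-privilege columns above reduce to three checks: only the Setup User and the Server Farm (database access) account should hold securityadmin and dbcreator, most other accounts should hold no fixed server role (or, in the SQL-authentication and pre-created-database variants, no login at all), and db_owner or WSS_Content_Application_Pools membership should exist only in the databases the table names for each account. The following T-SQL audit is an added example, not part of the original document or of Microsoft's guidance; it assumes SQL Server 2005 catalog views and uses placeholder account names in a fictitious CONTOSO domain, which you would replace with the accounts used in your farm (the SQL Server service account is left out because SQL Server Setup grants it its own rights).

```sql
-- Added example, not from the original document or from Microsoft's guidance.
-- Audits SQL Server role membership for the SharePoint service accounts and
-- compares it with the least-privilege columns of the account table.
-- Assumptions: SQL Server 2005 catalog views; placeholder account names in a
-- fictitious CONTOSO domain (replace them with the accounts used in your farm).
SET NOCOUNT ON;

-- Accounts to audit, with the only fixed server roles the table allows them.
-- Every other account in the table is expected to hold no fixed server role.
DECLARE @accounts TABLE (login_name sysname, allowed_server_roles nvarchar(200));
INSERT INTO @accounts VALUES (N'CONTOSO\SPSetup',         N'securityadmin,dbcreator'); -- Setup User
INSERT INTO @accounts VALUES (N'CONTOSO\SPFarmService',   N'securityadmin,dbcreator'); -- Server Farm (database access) account
INSERT INTO @accounts VALUES (N'CONTOSO\SPSSPPool',       N'');                        -- SSP App Pool
INSERT INTO @accounts VALUES (N'CONTOSO\SPSSP1Service',   N'');                        -- SSP Service Account
INSERT INTO @accounts VALUES (N'CONTOSO\SPSearchService', N'');                        -- Office SharePoint Server Search
INSERT INTO @accounts VALUES (N'CONTOSO\WSSSearch',       N'');                        -- WSS Search service
INSERT INTO @accounts VALUES (N'CONTOSO\IntranetPool',    N'');                        -- a Web application app pool (placeholder)
INSERT INTO @accounts VALUES (N'SharePointConfigLogin',   N'');                        -- SQL login for the SQL-authentication variant (placeholder)

-- 1. Fixed server roles. Any membership outside the allowed list (sysadmin in
--    particular) is a finding against the least-privilege requirements.
SELECT a.login_name,
       r.name AS server_role,
       CASE WHEN CHARINDEX(r.name, a.allowed_server_roles) > 0
            THEN 'expected'
            ELSE 'FINDING: role not required by the account table' END AS assessment
FROM @accounts a
JOIN sys.server_principals p    ON p.name = a.login_name
JOIN sys.server_role_members rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals r    ON r.principal_id = rm.role_principal_id
ORDER BY a.login_name, r.name;

-- 2. Accounts with no SQL Server login at all. This is the expected state for
--    most accounts in the SQL-authentication and pre-created-database variants.
SELECT a.login_name, 'no SQL Server login' AS note
FROM @accounts a
LEFT JOIN sys.server_principals p ON p.name = a.login_name
WHERE p.principal_id IS NULL;

-- 3. Database-level roles the table cares about (db_owner and
--    WSS_Content_Application_Pools), collected from every online user database.
DECLARE @results TABLE (database_name sysname, login_name sysname, db_role sysname);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Database users are matched back to server logins by SID; an orphaned
    -- user (no matching login) is reported under its database user name.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N', COALESCE(sp.name, u.name), r.name
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members drm
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals u ON u.principal_id = drm.member_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals r ON r.principal_id = drm.role_principal_id
        LEFT JOIN sys.server_principals sp ON sp.sid = u.sid
        WHERE r.name IN (''db_owner'', ''WSS_Content_Application_Pools'')';
    INSERT INTO @results EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Compare this list with the per-account "After ... database is created, add
-- this account to ..." rows: db_owner should appear only where the table says so.
SELECT r.database_name, r.login_name, r.db_role
FROM @results r
JOIN @accounts a ON a.login_name = r.login_name
ORDER BY r.database_name, r.login_name, r.db_role;
```

Run it as a login with VIEW SERVER STATE and access to every user database (the Setup User in the standard configuration qualifies); rows marked FINDING in the first result set are where a farm has drifted from the least-privilege columns.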

Sources: