SharePoint 2016 Service Accounts Recommendations

SharePoint 2016 Service Accounts Recommendations

Service Accounts are a very big part of installing every version of SharePoint, however everyone has a different way of setting them up. And once you install your SharePoint with a set of service accounts, it’s not always easy to change them. Let’s take a look at the SharePoint 2016 Service Accounts that I reccomend.

SharePoint 2016 Service Accounts

Every SharePoint administrator you ask, will have a different opinion on how many service accounts you need and whether you should have dedicated service accounts for some Service Applications or certain administration tasks. Even if all SharePoint Administrators have different opinions, it doesn’t mean some are wrong and some are right, there is no real “golden” solution that will be good for every SharePoint farm out there. From my experience with SharePoint, here are the Service Accounts that I recommend for your SharePoint 2016 implementation.

SharePoint 2016 Service Accounts

The following Service Accounts can be named according to your companies naming convention. Local Security Policies only need to be configured if you have Group Policies that will take those away.

Account

Description

Local / Application Permissions

Local Security Policy

SP_Admin

This account will be used to Install and configure the SharePoint farm initially. After the initial setup, you can grant the farm administrator rights to your SharePoint Administrators account so they can log in and manage SharePoint with their own account.

  • Domain User
  • Local Administrator on the SharePoint Servers
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin
Back up files and directories

Debug Programs

Manage auditing and Security log

Restore files and directories

Take ownership of files or other objects

SP_Farm

Runs the SharePoint Timer and Administration Service

  • Domain User
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin

Allow log on locally

Adjust memory quotas for a process

Impersonate a client after authentication

Log on as a batch job

Log on as a service

Replace a process level token

SP_Services

Runs the Application Pool for most of your Service Applications. There are some service applications that require more rights and a dedicated Service Account is recommended. We’re converting those a bit lower in this blog post!

  • Domain User

Adjust memory quotas for a process

Log on as a batch job

Log on as a service

Replace a process level token

Impersonate a client after authentication

SP_Pool

Runs the Application Pool for your Web Applications.

  • Domain User

Impersonate a client after authentication

Log on as a batch job

Lon as a service

SP_Crawl

The Default Content Access Account for the Search Service Application. This account is sued to crawl the content of your SharePoint Web Applications.

  • Domain User
  • This account needs to have Read Access on all your Web Applications (given automatically)
SP_Sync

Used to synchronize profiles between AD and SharePoint Server 2016

  • Domain User
  • Needs to have “Replicate Directory Changes” in the Active Directory >> Tutorial here
SP_C2WTS

Used to run the Claims to Windows Token

Service

  • Domain User
  • Local Administrator on all SharePoint Servers running the C2WTS service

Act as part of the operating system

Impersonate a client after authentication

Log on as a service

SP_SU

Object cache account (Super User). Must not be an account that will ever be used to log in to the site.

  • Domain User
  • Full Control on your Web Applications
SP_SR

Object cache account (Super Reader). Must not be an account that will ever be used to log in to the site.

  • Domain User
  • Full Read on your Web Applicationss

SQL Service Accounts

The following Service Accounts are recommended for your dedicated SQL Server hosting SharePoint databases and can be named according to your companies naming convention. Local Security Policies only need to be configured if you have Group Policies that will take those away.

Account

Description

Local / Application Permissions

Local Security Policy

SP_SQLAdmin

This account will be used to Install and configure the SQL Server initially. After the initial setup, you can grant the SQL Admin rights to your SQL Administrators account so they can log in and manage SQL with their own account.

  • Domain User
  • Local Administrator on the SQL Server
Back up files and directories

Debug Programs

Manage auditing and Security log

Restore files and directories

Take ownership of files or other objects

SP_SQLEngine

This account will run the Database Engine service

  • Domain User
Log on as a service

Replace a process-level token

Bypass traverse checking

Adjust memory quotas for a process

Perform Volume Maintenance Tasks (Only If you want to enable Instant File Initialization)

SP_SQLAgent

This account will run the SQL Server Agent Service

  • Domain User
Log on as a service

Replace a process-level token

Bypass traverse checking

Adjust memory quotas for a process

Other Accounts Depending on your Scenario

Depending on what features you plan to use in your SharePoint 2016 implementation, here are some other Service Accounts that I recommend:

Account

Description

Local / Application Permissions

Local Security Policy

SP_WFM

This account would be used as the RunAs account for the Workflow Manager and Service Bus Farms. If you want, you could create a dedicated account for each.

  • Domain User
  • Local Administrator on the WFM Servers
  • Full Control to the Web Applications where Workflow Manager will be used

Impersonate a client after authentication

Log on as a service

Log on as a batch job

SP_Access

This account would be used to run the Service Application Pool for the Access Apps for SharePoint Service Application. The reason of a dedicated service account is that this account requires special permissions in SQL as well as special settings on the Access App Services Service Application

  • Domain User
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin
  • Read/Write permission to the config cache folder located at C:\ProgramData\Microsoft\SharePoint\Config
  • The IIS Application Pool running the Access App Services Service Application needs to have “Load User Profile” at True. Navigate to the IIS Application Pools , and from Advanced Settings, change “Load User Profile” to True.

Adjust memory quotas for a process

Log on as a batch job

Log on as a service

Replace a process level token

Impersonate a client after authentication

SP_PowerPivot

The PowerPivot unattended data refresh account is a designated account for running PowerPivot data refresh jobs in a SharePoint farm.

  • Domain User
  • Read permissions to external data sources

General Recommendations for SharePoint 2016 Service Accounts

Whatever accounts you choose, here are some recommendations that you need to follow for your SharePoint 2016 service accounts.

First of all, the length of your Service Accounts Username should be less than 20 (including domain name). This is due to the SAM-Account-Name attribute (also known as the pre–Windows 2000 user logon name) which is limited to 20 characters in the AD Schema. For example, CORP\SP16Prod_SuperReader is 25 characters and would be too long.

My second recommendation is to use different service accounts for each environment. For example, your production might have a SP_Services, while your QA account would be SPQ_Services. This makes sure that nothing in a farm can affect the other one, and if you ever want to test for example changing the password of the managed account, or giving the password of the QA account to someone else, you will not compromise the security and stability of your production SharePoint farm.

Follow me on Social Media and Share this article with your friends!

Leave a comment and don’t forget to like the Absolute SharePoint Blog Page   on Facebook and to follow me on Twitter here  for the latest news and technical articles on SharePoint.  I am also a Pluralsight author, and you can view all the courses I created on my author page.
4.88/5 (41)

Please rate this

 
Comments

Do you know if ‘Log on as a batch job’ is still required with Windows Server 2016? the default domain security policy picks this up and produces scecli 1202 events when I add users to this. I can see the need if in a mixed domain but perhaps it’s not needed with servers all Windows 2016. Or is there a step I have missed?

Hi,

The SP_Crawl account should have the Manage auditing and security log on the server that host the files.

https://support.microsoft.com/en-us/help/2817731/sharepoint-server-2013-crawler-has-insufficient-permissions-to-crawl-file-shares

Great stuff for file shares!

Where would Managed and Virtual service accounts fit into this, as those are the recommended sql accounts?
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

Can dbcreator and securityadmin be granted on as needed basis? Do SP_Admin and SP_Farm need those roles for daily operation? After a database has been created, all the database roles/users haven been created/granted right after the database created, and any backup and restore will be done through 3rd party tool like CommVault, why any SP accounts need dbcreator and securityadmin?

Hi Peter,

Technically it’s something that would work.. but it’s not reccomended to do so. You would need to grant those rights everytime you create a Web Application, a Content Database, A Service Application, etc.

Thanks Vlad. I assume this is not recommended due to the inconvenience.

Another issue we discovered is that Workflow Manager is using BUILTIN\Administrators which is the group Microsoft has intentionally not added to SQL Server since SQL Server 2008 due to its security risk. I’m DBA not SharePoint administrator so I wonder whether this can be configured when Workflow Manager is installed.

Why would the SP_SQLAdmin need to be a local administrator on the SQL Server, and not just on the instance? I’m working for a client with a SQL team that manages these servers, and I suspect there will be some pushback when I request them to add this account. What can I tell them is the reason for this? Thank you

This is only needed for the Install / Patching of SQL Server. If you have a DBA team taking care of this, you don’t need it to be a Local admin on the SQL Server!

Hi Vlad,

Back in SP2010 some sites (E.g :https://nikpatel.net/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/) suggested to use a specific account for MySite and another for the WebApp Pools. In SP2016 I only see the Pool account. What changed this recommandation ? Thx

Hi Sam, great question!

While having multiple App Pool accounts is definetly supported, if we follow the performance best practices, we should only have one Application Pool (therefore one account) for all our Web Applications unless there is a business reason to do otherwise. This will limit the ram taken by the Web Front End.

Other limitations if you use multiple App Pool accounts is you might have problems deploying Apps (Add-ins now) >https://absolute-sharepoint.com/2013/10/sharepoint-2013-apps-load-css-properly-403-defaultcss-ashx.html

Can I suggest adding a reference to specific articles that support your recommendations. I know Microsoft scatters this information, but it would be nice if you had an additional column with supporting references. Hopefully this is something you can add.

Great job by the way, this information is extremely beneficial and easy to read.

Daniel Westerdale

Vlad , thanks for the post. I am in the process of replacing the Search Service Application with a Hybrid Search Application. Am I correct in thinking I should be using an sp_farm for the search service account?

I would use the SP_Services to run the Search Service! SP_Crawl for the crawling!

Can the Sync AD account be part of the Group Manage Service Account GMSA ?

Vlad – In your very helpful and well written book “Deploying SharePoint 2016: Best Practices for Installing, Configuring, and Maintaining SharePoint Server 2016” it is stated “This book will use a minimal service accounts to maintain the best possible performance by creating the least number of Application Pools in SharePoint.” In most cases do you recommend the minimal approach covered in the book?

Leave a Reply