
Service accounts are a big part of installing almost every version of SharePoint, yet everyone sets them up differently. And once a farm is installed with a given set of service accounts, it is usually easier to do a clean install than to change them all afterwards.

Ask any SharePoint admin and you will probably get a different view of how many service accounts you need, how to name them, and what permissions to give each one. Depending on the level of security you want in your SharePoint farm, you can install everything with a single account (please don’t), or create as many as 10 to 15. That every SharePoint administrator has a different approach does not mean that one of them is wrong and another one holds the golden solution for every SharePoint farm.

To get to the subject, service accounts for the newly released SharePoint 2013: I recently read an article on TechNet that suggests a set of “best practice” service accounts. I read through the accounts and their permissions several times, and although they were not wrong, I did not think they were right either. You can read the original article here, but here is a short summary of the proposed accounts:

  • SQL_Service, for the SQL Server service.
  • SQL_Admin, for the SQL Server administrator.
  • SP_Admin, for the SharePoint administrator and setup user.
  • SP_Farm, for the SharePoint farm service.
  • SP_WebApps, for the user-facing web application app pool.
  • SP_ServiceApps, for the service application app pool.
  • SP_Crawl, default content access account.
  • SP_UserSync, user profile synchronization account.
  • SP_EnterpriseAdmin, a powerful account for handling all kinds of high-privilege operations.
  • Farm administrators, normal admin user accounts are used as SharePoint Farm Administrators.

Here is my opinion on this:

Although this set of service accounts isn’t wrong, I think that it isn’t well balanced. Let me explain:

I think there is a lot of security around the farm administration side (SP_Admin, SP_Farm, SP_EnterpriseAdmin, Farm administrators), while some pretty basic separation is missing, for example a dedicated account for the search service and a different one for the crawl (default content access) account.

Then I asked myself what I would do to make it better. Could we define a single set of service accounts that fits any scenario, from a small development farm to a huge multi-tier farm? The answer is simple: you can’t. There is no single set of service accounts that works everywhere, because the security requirements of each scenario are different. But how can we define a set of service accounts that keeps a certain standard of security, does not use more accounts than we actually need, and still respects the client’s requirements?

Some clients and companies will explicitly ask you to install and configure their SharePoint infrastructure according to “best practices” without even knowing what those are.

So this is what I came up with: three different sets of service accounts that can be used as a reference, one for each level of security: Low Security, Medium Security and High Security. As you probably guessed, the higher you go on the security scale, the more accounts you add, and the fewer privileges each of them holds on the farm.

I made this PDF (doing tables with Blogger is a real mess) and embedded it into the page (if you can’t see it, scroll to the end of the post, there is a download link). Please read it, and tell me what you think. I am really open to suggestions and want to hear your opinions on this delicate matter.

If you don’t see the document, or want to download it, you can get it from my SkyDrive here: Download

Please spread the word about this post using the buttons at the end, so we can get the most visibility and the most opinions on the very delicate subject of service accounts in SharePoint 2013.

Please leave a comment to let me know what you think about this, and don’t forget to like us on Facebook here and to follow me on Google+ here and on Twitter here for the latest news and technical articles on SharePoint.



This is a step-by-step guide, with screenshots, to grant the “Replicating Directory Changes” right to the SharePoint user profile synchronization account, the account that will be used to synchronize user profiles from Active Directory. The screenshots were taken on Windows Server 2012, but the steps are identical or very similar on Windows Server 2008 and 2008 R2.

The Guide

In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

On the first page of the Delegation of Control Wizard, click Next.

On the Users or Groups page, click Add.

Type the name of the synchronization account, and then click OK.

Click Next.

On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

On the Permissions page, in the Permissions box, select Replicating Directory Changes, and then click Next. Select only that right: leave Replicating Directory Changes All unchecked, because profile synchronization does not need it and, combined with the first right, it would let the account replicate password hashes out of the domain.

Click Finish.
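The same delegation can be scripted and, more importantly, verified. The following PowerShell is an added example written for this page; it is not from the original post or from Microsoft’s documentation. It assumes the RSAT ActiveDirectory module is available, that you run it with an account allowed to modify the domain object’s security descriptor, and that the synchronization account is called SP_UserSync (the name used in the service-account post above; substitute your own). The two GUIDs are the well-known object identifiers of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights, which are what the wizard labels “Replicating Directory Changes” and “Replicating Directory Changes All”.

```powershell
# Added example (not from the original post): grant the synchronization account
# only the "Replicating Directory Changes" control-access right on the domain
# root, then verify the resulting ACEs. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known GUIDs of the replication control-access rights (extended rights).
$DsReplicationGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$DsReplicationGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

function Grant-ReplicatingDirectoryChanges {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,           # e.g. SP_UserSync (assumed name)
        [string] $DomainDN = (Get-ADDomain).DistinguishedName     # naming-context head, e.g. DC=contoso,DC=com
    )
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $path = "AD:\$DomainDN"

    # ExtendedRight + the Get-Changes GUID is exactly what the wizard's
    # "Replicating Directory Changes" checkbox grants. Inheritance None is
    # enough: the right is evaluated on the domain object itself.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $DsReplicationGetChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ReplicationRights {
    # Lists the replication-related ACEs the account holds on the domain root and
    # warns if "Replicating Directory Changes All" is present: together with
    # Get-Changes, that right lets the holder replicate password hashes (DCSync),
    # which profile synchronization never needs.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $aces = (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
        $_.ObjectType -in @($DsReplicationGetChanges, $DsReplicationGetChangesAll)
    }

    foreach ($ace in $aces) {
        $name = if ($ace.ObjectType -eq $DsReplicationGetChanges) { 'Replicating Directory Changes' }
                else { 'Replicating Directory Changes All' }
        '{0}: {1} ({2})' -f $SamAccountName, $name, $ace.AccessControlType
        if ($ace.ObjectType -eq $DsReplicationGetChangesAll -and $ace.AccessControlType -eq 'Allow') {
            Write-Warning "$SamAccountName holds Replicating Directory Changes All on $DomainDN; remove it unless explicitly required."
        }
    }
    if (-not $aces) { Write-Warning "$SamAccountName holds no replication rights on $DomainDN." }
}

# Usage (account name is an assumption, see lead-in):
# Grant-ReplicatingDirectoryChanges -SamAccountName 'SP_UserSync'
# Test-ReplicationRights            -SamAccountName 'SP_UserSync'
```

Run Test-ReplicationRights after the wizard (or after the Grant function) on every domain the User Profile Synchronization connection imports from; the expected result is a single Allow entry for Replicating Directory Changes and no warning. If you prefer a one-liner, the built-in dsacls tool grants the same right with `dsacls "DC=contoso,DC=com" /G "CONTOSO\SP_UserSync:CA;Replicating Directory Changes"` (domain and account are placeholders).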

If you need to send the guide to somebody, or download it for future reference, I also made it available as a PDF, which you can download here: Step By Step Guide to configure Replicating Directory Changes

Leave a comment, and don’t forget to like the Absolute SharePoint Blog page on Facebook and to follow me on Twitter here for the latest news and technical articles on SharePoint. I am also a Pluralsight author, and you can view all the courses I created on my author page.