Saturday, 4 October 2008

MOSS Service accounts

I recently attended a great 2-day event at MSFT. The UK User Groups came together and had 2 full days of presentations, demos and discussions. I found it very beneficial, the SUGUK sessions were great and I thought Mark Wilson's session on Hyper-V was excellent...

There were several questions raised in the SharePoint track chalk and talk sessions about service accounts, so I thought I'd clarify things a little bit... I'll also see if a SUGUK session on Content DBs and Licensing is warranted; there were a few questions around these topics and I was asked about them by several people during the breaks. Watch this space...

MOSS requires several service accounts, fact. Running everything as one user isn't good practice and isn't a good idea, even for dev/demo - IMO at least, Colin and Nick don't completely agree...

So, how many accounts do you need to run MOSS? The answer: "it depends..."

(yes, I am a technical consultant, since when did you expect me to actually answer a question?)

Seriously though, it does depend on your scenario, but at least 6...

Here is a table that breaks down what you need (account type, purpose, suggested service account name):

Account type: MOSS Farm Account
Purpose: Server farm account. This account needs two SQL Server roles granted: dbcreator and securityadmin (do not grant this account SA/sysadmin!). If using ADACM this is the account used for creating objects in the OU specified, so you'll need to delegate permissions on that OU to this user.
Suggested service account: _Serv_MOSSFarm1

Account type: MOSS App Pool
Purpose: Identity for any MOSS Web App application pool(s). A separate process identity should be used for each content Web App (this allows for greater security and auditing). Using the site name in the account name is not advisable: although it may make troubleshooting and auditing easier, it reduces security by revealing the relationship between app pools and Web Apps.
Suggested service accounts: _Serv_MOSSAppPool1, _Serv_MOSSAppPool2, _Serv_MOSSAppPool3 (one per content Web App)

Account type: SSP Service Account
Purpose: SSP service account.
Suggested service account: _Serv_MOSSSSP1

Account type: SSP App Pool
Purpose: Identity for the SSP Web App application pool.
Suggested service account: _Serv_MOSSSSPAppPool1

Account type: MOSS Search
Purpose: Account under which the Office SharePoint Server Search service runs.
Suggested service account: _Serv_MOSSSearch1

Account type: MOSS Content Access
Purpose: Account used to access content sources to be crawled and indexed. You need to grant this account permission to any NON-MOSS content sources (e.g. NTFS file shares, Exchange public folders, websites etc...). Separate accounts may be configured for access to specific content sources using crawl rules.
Suggested service account: _Serv_MOSSCrawl1

Account type: User Profile & Properties Access Account
Purpose: Account used to access Active Directory for the profile import.
Suggested service account: _Serv_MOSSDSA1

Account type: WSS Search
Purpose: Account under which the Windows SharePoint Services Search service runs. Because the Office SharePoint Server Search service is running, this service will only index the WSS Help files.
Suggested service account: _Serv_MOSSWSSSearch1

Account type: WSS Content Access
Purpose: Account used by the WSS Search service to crawl content.
Suggested service account: _Serv_MOSSWSSCrawl1

Account type: MOSS Install Account
Purpose: Account used to install MOSS and perform all the required configuration changes. As this account will be used to install and configure the SharePoint servers, it must be granted local admin on all farm members and have permissions to the SQL instance. This account can be disabled after installation and configuration is complete (it is not advised to delete it).
Suggested service account: _Serv_MOSSInstall1

Account type: SQL Services
Purpose: Used to run the MS SQL services.
Suggested service accounts: _Serv_SQLSVC1, _Serv_SQLRS1, _Serv_SQLAS1
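As an added example (not from the original post), here is the T-SQL a DBA would run to give the farm account exactly the two SQL Server roles listed above, followed by a query to confirm that nothing more (in particular sysadmin) was granted. The domain name CONTOSO is an assumed placeholder; _Serv_MOSSFarm1 is the post's suggested account name.

```sql
-- Added example, not part of the original post. CONTOSO is a placeholder domain.
USE [master];
GO

-- Windows login for the farm account (no SQL password, and NOT sysadmin).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\_Serv_MOSSFarm1')
    CREATE LOGIN [CONTOSO\_Serv_MOSSFarm1] FROM WINDOWS;
GO

-- dbcreator: lets the farm account create the config and content databases.
-- securityadmin: lets it create the SQL logins for the app pool identities.
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\_Serv_MOSSFarm1', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\_Serv_MOSSFarm1', @rolename = N'securityadmin';
GO

-- Check: list every server role held by the farm account. The result should be
-- exactly dbcreator and securityadmin; a sysadmin row means someone over-granted.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\_Serv_MOSSFarm1';
GO
```

Run the last query again after the farm is configured; it is a quick way to spot a farm account that was quietly added to sysadmin during troubleshooting.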

Hope this helps!

Useful reading:

http://technet.microsoft.com/en-us/library/cc263445.aspx

http://support.microsoft.com/kb/934838
