Saturday, 4 October 2008

MOSS Service accounts

I recently attended a great 2 day event at MSFT, the UK User Groups came together and had 2 full days of presentations, demo's and discussions, I found it very beneficial, the SUGUK sessions were great and I thought Mark Wilson's session on Hyper-V was excellent...


There were several questions raised in the SharePoint track chalk and talk sessions about service accounts so I thought I'd clarify things a little bit... I'll also see if a SUGUK session on Content DB's and Licensing is warranted, there were a few questions around these topics and I was asked about them by several people during the breaks, watch this space...


MOSS requires several service accounts, fact. Running everything as one user isn't good practice and isn't a good idea, even for dev/demo - IMO at least, Colin and Nick don't completely agree...

So, how many accounts do you need to run MOSS? The answer: "it depends..."

(yes, I am a technical consultant, since when did you expect me to actually answer a question?)


Seriously though, it does depend on your scenario, but at least 6...


Here a table that breaks down what you need:


Account Type


Suggested Service Account

MOSS Farm Account

Server Farm Account

This account needs some SQL permissions granting: dbcreator and security admin (do not grant this account SA!)

If using ADACM this is the account used for creating objects in the OU specified - so you'll need to delagate permissions on the OU to this user.


MOSS App Pool

Identity for the any MOSS Web App Application Pool(s)A separate process identity should be used for each content Web App (this allows for greater security and auditing). Using the site name in the naming is not advisable as although this may make troubleshooting and auditing easier it reduces security by showing the relationship between App Pools and Web Apps.


SSP Service Account

SSP service account


SSP App Pool

Identity for the SSP Web App Application Pool


MOSS Search

Account under which the Office SharePoint Server Search runs under


MOSS Content Access

Account used to access content sources to be crawled and indexed. Need to grant this account permission to any NON-MOSS content sources (e.g. NTFS file share, Exchange public folder, websites etc...)Separate accounts may be configured for access to specific content sources using crawl rules.


User profile & Properties Access Account

Account used to access Active Directory for the Profile import


WSS Search

Account which the Windows SharePoint Services Search service runs under. Due to the fact the Office SharePoint Server Search service is running this will only index the WSS Help files.


WSS Content Access

Account used by WSS search service to crawl content.


MOSS Install Account

Account used to install MOSS and perform all the required configuration changes.As this account will be used to install and configure the SharePoint servers it must be granted local admin on all farms members and have permissions to the SQL instance.This account can be disabled after installation and configuration is complete (it is not advised to delete it).


SQL Services

Used to run MS SQL Services




Hope this helps!


Useful reading:

No comments:

Post a Comment

Please feel free to comment on this post, I want to hear your feedback!