
Plan for administrative and service accounts (Project Server)

Updated: May 7, 2009

 

Topic Last Modified: 2009-04-27


Use this article to plan for the requirements and recommendations that apply to the accounts needed to install, configure, and use Microsoft Office Project Server 2007.

You must provide credentials for these accounts when you run Setup and during configuration. This article does not discuss accounts for which you do not need to configure or provide credentials.

This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope. If an account has a limited scope, you might need to plan multiple accounts for this category.

For example, if you are implementing multiple Shared Services Providers (SSPs), you must designate multiple SSP accounts.

Note:
All Office Project Server 2007 and SharePoint Products and Technologies service accounts must be granted interactive logon permissions for the computer where the service is running. Such permissions are normally granted by default when a new account is set up, but you may need to make manual adjustments if your organization normally denies interactive logon permissions for service accounts. For more information about configuring interactive logon access, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=129546&clcid=0x409) in the Windows Server 2003 Product Help on Microsoft TechNet.

The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office Project Server 2007.

 

Account | Purpose

SQL Server service account

SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:

  • MSSQLSERVER

  • SQLSERVERAGENT

If you are not using the default instance, these services will be shown as:

  • MSSQL$InstanceName

  • SQLAgent$InstanceName

Setup user account

The user account that is used to run Setup on each server

Server farm account

This account is also referred to as:

  • Database access account

This account is:

  • The application pool account for the SharePoint Central Administration Web site

  • The process account for the Windows SharePoint Services Timer (SPAdmin) service

The following table describes the accounts that are used to set up and configure an SSP.

 

Account | Purpose

SSP application pool security account

Security account for the application pool that the SSP resides in.

SSP service account

Used by the following:

  • SSP Web services for inter-server communication

  • SSP Timer service to run timer jobs

The following table describes the accounts that are used to set up and configure Windows SharePoint Services Search. In Office Project Server 2007, this service is referred to as the Windows SharePoint Services Help Search service because this service is used to provide search capability for Help. If you are installing Office Project Server 2007, plan for these accounts only if you plan to implement the service to search Help content.

 

Account | Purpose

Windows SharePoint Services Search service account

Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service in a farm.

Windows SharePoint Services Search content access account

Used by the Windows SharePoint Services Search application server role to crawl content across sites.

The following table describes the application pool account. Plan one application pool account for each application pool you plan to implement.

 

Account | Purpose

Application pool process account

Used to access content databases associated with the Web application

This section details the requirements for each of the accounts. The specific requirements for each account depend on whether you are configuring a single server environment or a server farm environment. The account requirements detail the specific permissions that you need to grant prior to running Setup. In some cases, additional permissions that are automatically granted by running Setup are noted.

At this time, this article does not include account requirements for environments that use SQL authentication.

The following table describes the standard account requirements for server farm-level accounts.

 

Account | Single server requirements | Server farm requirements

SQL Server service account

Local system account (default)

  • Database system administrator

Setup user account

Member of the Administrators group on the local computer

  • Domain user account

  • Member of the Administrators group on each server on which Setup is run

Server farm account

Network Service (default)

No manual configuration is necessary.

  • Domain user account

  • Additional permissions are automatically granted for this account when Office Project Server 2007 is installed and when additional computers are added to the farm, including additional permissions on front-end Web servers and application servers.

  • This account is automatically added to the following SQL Server security roles:

    • Logins

    • Dbcreator

    • Securityadmin

    • Database owner (db_owner) for all databases

The following table describes the standard account requirements for SSP accounts.

 

Account | Single server requirements | Server farm requirements

SSP application pool account

No manual configuration is necessary.

The following permissions are automatically granted for this account when Office Project Server 2007 is installed:

  • Database owner for the SSP content database

  • Read/write to the SSP content database

  • Read/write to content databases for Web applications that are associated with the SSP

  • Read from the configuration database

  • Read from the Central Administration content database

  • Additional permissions on front-end Web servers and application servers

SSP service account

No manual configuration is necessary.

The same permissions as the SSP application pool account are automatically granted.

The following table describes the standard account requirements for Windows SharePoint Services Search accounts.

 

Account | Single server requirements | Server farm requirements

Windows SharePoint Services Search service account

By default, this account runs as the local service account. If you want to crawl remote content by using crawl rules, change this to a domain account. If you do not change this account to a domain account, you cannot change the default content access account to a domain account. This behavior is designed to prevent elevation of privilege for any other process running as the local service account.

  • Must be a domain account

  • Must not be a member of the Farm Administrators group

Permissions are automatically granted for this account when Office Project Server 2007 is installed:

  • Read/write to content databases for Web applications

  • Read from the configuration database

  • Read/write to the Windows SharePoint Services Search database

Windows SharePoint Services Search content access account

Must not be a member of the Farm Administrators group

Read access to Web applications

  • Same requirements as the Windows SharePoint Services Search service account

  • Read access to Web applications

Permissions are automatically granted for this account when Office Project Server 2007 is installed:

  • Added to the Web application Full Read policy for your farm

The following table describes the standard account requirements for application pool accounts.

 

Account | Single server requirements | Server farm requirements

Application pool process account

No manual configuration is necessary.

The following SQL Server roles and permissions are automatically assigned to this account:

  • Database owner role for content databases associated with the Web application

  • Read/write access to the associated SSP database

  • Read from the configuration database

Additional permissions for this account on front-end Web servers and application servers are automatically granted by Office Project Server 2007.

This section describes planning recommendations for implementing accounts in the following two deployment scenarios:

These recommendations are practical for most environments.

These planning recommendations are for individual accounts in a secure farm environment.

The following table describes the planning recommendations for server farm-level accounts in a secure farm environment.

 

Account | Recommendation

SQL Server service account

A domain account is recommended over a SQL Server account or a local account. No special domain permissions are required.

Do not use the server farm account for this account.

Setup user account

A domain account is recommended.

For a workgroup environment, this can be a local Windows account.

Note:
Using a local Windows account is only valid in a single-server environment.

Server farm account

A domain account is recommended.

The following table describes the planning recommendations for SSP accounts in a secure farm environment.

 

Account | Recommendation

SSP application pool account

A domain account is recommended. Use a domain account that is unique (different from the farm or content application pool accounts).

SSP service account

Use the SSP application pool account.

The following table describes the planning recommendations for Windows SharePoint Services Search accounts in a secure farm environment.

 

Account | Recommendation

Windows SharePoint Services Search service account

The local service account is used by default. After completing Setup, change this account to a domain account.

Windows SharePoint Services Search content access account

The local service account is used by default. After completing Setup, change this account to a domain account. You can use the same account used by the Windows SharePoint Services Search service. However, if you implement multiple search servers for isolation, use a separate account. It is recommended that you select a unique user account that cannot modify content and is not a member of the Administrators group on your front-end Web servers or on your database servers.

The following table describes the planning recommendations for application pool accounts in a secure farm environment.

 

Account | Recommendation

Application pool process account

Plan a unique domain account for each application pool. We recommend that you select a unique user account that does not have administrative rights on any server or resource in the server farm.
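
The secure-farm recommendations above can be checked mechanically against a planned account assignment before Setup is run. The following Python sketch is an added example, not part of the original article or of Project Server; the role keys, the CONTOSO domain, and every account name in it are constructed for illustration.

```python
from collections import defaultdict

# Built-in local identities; none of these is a domain account.
BUILTIN = {"localsystem", "nt authority\\system",
           "nt authority\\network service", "nt authority\\local service"}

def is_domain_account(account, local_machines=()):
    # False for built-ins, bare names, ".\name" and MACHINE\name local accounts.
    acct = account.strip().lower()
    if acct in BUILTIN or "\\" not in acct:
        return False
    prefix = acct.split("\\", 1)[0]
    return prefix != "." and prefix not in {m.lower() for m in local_machines}

def lint_plan(plan, farm_admins=(), server_admins=(), local_machines=()):
    # plan: role -> account (role keys are this example's own naming).
    norm = {role: acct.strip().lower() for role, acct in plan.items()}
    farm_admins = {a.lower() for a in farm_admins}
    server_admins = {a.lower() for a in server_admins}
    out, users = set(), defaultdict(list)
    for role, acct in norm.items():
        pool = role.startswith("app_pool:")
        if not is_domain_account(acct, local_machines):
            out.add((role, "use a domain account"))
        if role.startswith("search_") and acct in farm_admins:
            out.add((role, "must not be in Farm Administrators"))
        if (pool or role == "search_content_access") and acct in server_admins:
            out.add((role, "must not hold server administrative rights"))
        if pool or role in ("farm", "ssp_app_pool"):
            users[acct].append(role)  # these roles need distinct accounts
    if "farm" in norm and norm.get("sql_service") == norm["farm"]:
        out.add(("sql_service", "do not reuse the server farm account"))
    if "ssp_service" in norm and norm["ssp_service"] != norm.get("ssp_app_pool"):
        out.add(("ssp_service", "use the SSP application pool account"))
    for roles in users.values():
        for r in roles if len(roles) > 1 else ():
            others = ", ".join(x for x in roles if x != r)
            out.add((r, "account shared with " + others))
    return sorted(out)  # (role, finding) tuples in a stable order

# Constructed sample plan: CONTOSO and every account name are made up.
SAMPLE_PLAN = {
    "sql_service": "CONTOSO\\svc-farm", "farm": "CONTOSO\\svc-farm",
    "setup_user": "CONTOSO\\setup", "search_service": "NT AUTHORITY\\Local Service",
    "ssp_app_pool": "CONTOSO\\svc-ssp", "ssp_service": "CONTOSO\\svc-ssp",
    "search_content_access": "CONTOSO\\svc-crawl",
    "app_pool:PWA": "CONTOSO\\svc-pool", "app_pool:Sites": "contoso\\svc-pool",
}
SAMPLE_FINDINGS = lint_plan(SAMPLE_PLAN, farm_admins=["CONTOSO\\svc-crawl"])
```

Account names are compared case-insensitively, so the two application pools in the sample are reported as sharing one account even though the plan spells the domain differently.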

The following table describes the planning recommendations for several different single-server environments. These are environments where a single server hosts all server roles.

 

Scenario | Recommendation

Microsoft SQL Server 2005 Express Edition

Use the standard administrator account to run Setup.

Use the default accounts assigned by Setup.

Grant the Network Service account the necessary permissions to SQL Server.

SQL Server in a domain environment

Use the recommendations provided for a secure farm environment.

SQL Server in a workgroup environment

Use the recommendations provided for a secure farm environment, except use Windows accounts instead of domain accounts.

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for Project Server 2007.
