Plan for administrative and service accounts (Search Server 2008)

Applies To: Microsoft Search Server 2008

 

Topic Last Modified: 2008-02-27

Note

Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.

This article describes the roles of the planning teams who might be involved in deploying and managing Microsoft Search Server 2008, and then explains the various administrative and service accounts that are used in installing and maintaining Search Server 2008.

In this article:

  • About the search planning team

  • About administrative and service accounts

  • Standard account requirements

  • Planning recommendations for accounts

About the search planning team

Before you begin planning the features and deployment of Search Server 2008, you should understand the role of the search planning team. Planning for search might require some or all of the following team members depending on the size of your organization and deployment plans:

  • A search services administrator to manage the configuration of the search service. This responsibility includes defining the content sources to be crawled, setting up crawl rules, and scheduling crawls. In addition, the search services administrator monitors the indexes to ensure that the content sources are being crawled successfully.

  • At least one site collection administrator to manage the default site collection that contains the search center site. This administrator manages the end-user experience at the site and site collection level. This responsibility includes defining keywords, Best Bets, and scopes. If there are additional site collections in the farm hosting SharePoint sites, additional site collection administrators might be necessary.

  • IT administrators who plan architecture and topology for one or more server farms in the organization based on content needs. Typically, IT administrators are not concerned with content except as it affects IT operations such as availability, reliability, and capacity planning.

About administrative and service accounts

Administrative and service accounts are used throughout Search Server 2008 to provide access and security. The information in the following sections provides guidance by describing the purpose of each account, the standard account requirements for single-server and multi-server installations, and planning recommendations.

Server farm-level accounts

The following table describes the accounts that are used to configure Microsoft SQL Server and to install Search Server 2008.

Account Purpose

SQL Server service account

SQL Server prompts for this account during SQL Server installation.

This account is used as the service account for the following SQL Server services:

  • MSSQLSERVER

  • SQLSERVERAGENT

If you are not using the default instance, these services are shown as:

  • MSSQL$InstanceName

  • SQLAgent$InstanceName

Setup user account

The account of the person who is logged on while installing Search Server 2008.

Server farm account

This account is also referred to as:

  • Database access account

This account is:

  • The application pool account for the Central Administration site

  • The process account for the Windows SharePoint Services Timer (sptimerV3) service

  • Security account for the SSP

Shared Services Provider (SSP) accounts

The following table describes the accounts that are used in the SSP, for the search service, and to crawl content.

Account Purpose Location

SSP service credentials

Used by the following:

  • SSP Web services for inter-server communication

  • SSP Timer service to run timer jobs

During an Advanced installation of Search Server 2008, you can specify this account under Search Services Administration Account in the optional section of the Search Server Configuration page.

To change the account, go to the Central Administration Web site, and then click Application Management. Under Office SharePoint Server Shared Services, click Create or configure this farm's shared services. On the Manage this Farm's Shared Services page, click the arrow next to the name of the SSP account you want to change, and then click Edit Properties. Under SSP Service Credentials, type the new account information in the Username and Password boxes.

Office SharePoint Server Search

Used as the service account for the Office SharePoint Server search service. There is only one instance of this service.

During an Advanced installation of Search Server 2008, you define this account under Search Service Account on the Search Server Configuration page.

To change the account after installation, go to the Central Administration Web site, and then click Operations. Under Topology and Services, click Services on server. Under Service, click Office SharePoint Server Search. On the Configure Office SharePoint Server Search Service Settings page, under Farm Search Service Account, type the new account information in the User name and Password boxes.

Default content access account

Used to crawl content and is the default account. When a specific account is not provided, the default content access account is used.

To change this account, go to the Central Administration Web site, and then under Shared Services Administration, click SharedServices. On the Search Administration page, under Crawling, click the Default content access account. On the Default Content Access Account page, type the new account information in the Account and Password boxes.

Content access account

Used in a crawl rule that is used to crawl specific content and is an optional account. For example, content that is external to Search Server 2008, such as a file share, might require a different access account from the default.

To change this account, go to the Central Administration Web site, and then under Shared Services Administration, click SharedServices. On the Search Administration page, under Crawling, click Crawl rules. Set the credentials in a new or existing crawl rule.

Windows SharePoint Services Search accounts

The following table describes the accounts that are used to set up and configure Windows SharePoint Services search. In Search Server 2008, this service is referred to as the Windows SharePoint Services Help Search service, because this service is used to provide search capability for Help. When you install Search Server 2008, the accounts are automatically predefined to run as Local services.

Account Purpose Location

Windows SharePoint Services Search service account

Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service in a farm.

During an Advanced installation of Search Server 2008, you define this account under Help Search Service Account on the Search Server Configuration page.

To change it after installation, go to the Central Administration Web site, and then click Operations. Under Topology and Services, click Services on server. On the Services on Server page, under Service, click Windows SharePoint Services Search. On the Configure Windows SharePoint Services Search Service Settings page, under Service Account, type the new account information in the User name and Password boxes.

Windows SharePoint Services Search content access account

Used by the Windows SharePoint Services Search application server role to crawl Help content across sites.

This account is automatically configured during installation.

To change it after installation, go to the Central Administration Web site, and then click Operations. On the Operations page, under Topology and Services, click Services on server. On the Services on Server page, under Service, click Windows SharePoint Services Search. On the Configure Windows SharePoint Services Search Service Settings page, under Content Access Account, type the new account information in the User name and Password boxes.

Application pool accounts

The following table describes the application pool account. Plan one application pool account for each application pool you plan to implement.

When Search Server 2008 is installed, two application pools are automatically created. One is for Central Administration, which uses the server farm account, and the other is for the search center Web application, or the SSP.

Account Purpose Location

Application Pool process account

Used to access content databases associated with the Web application.

Defined when you create the Web application and can be changed in Internet Information Server (IIS).

Standard account requirements

This section provides the requirements for each of the accounts in both single-server (Basic installation) and multiple-server (Advanced installation) deployments. Listed in the requirements are permissions you might need to grant prior to installation. In some cases, additional permissions that are automatically granted during installation are noted.

Note

This article does not include account requirements for environments that use SQL authentication.

Server farm-level accounts

The following table describes the standard account requirements for server farm-level accounts.

Account Single server requirements Server farm requirements

SQL Server service account

  • Local system account (default)

  • Database system administrator

Setup user account

  • Member of the Administrators group on the local computer

  • Domain user account

  • Member of the Administrators group on each server on which Search Server 2008 is installed.

  • Member of the following SQL Server security roles:

    • Logins

    • Securityadmin

    • Dbcreator

Server farm account

  • Network Service (default)

  • No manual configuration is necessary

  • Domain user account

  • Additional permissions are automatically granted for this account when Search Server 2008 is installed and when additional computers are added to the farm, including additional permissions on Web front-end servers (WFE) and application servers

  • This account is automatically added to the following SQL Server security roles:

    • Logins

    • Dbcreator

    • Securityadmin

    • Database owner (db_owner) for all databases

SSP accounts

The following table describes the standard account requirements for SSP accounts.

Account Single server requirements Server farm requirements

SSP service account

  • No manual configuration is necessary.

No manual configuration is necessary.

The following permissions are automatically granted for this account when Search Server 2008 is installed:

  • Database owner for the SSP content database

  • Read/write to the SSP content database

  • Read/write to content databases for Web applications that are associated with the SSP

  • Read from the configuration database

  • Read from the Central Administration content database

  • Additional permissions on WFEs and application servers

Office SharePoint Server Search account

  • By default, this account runs as the local service account

  • To crawl remote content by using crawl rules, change this account to a domain account, so that you can change the default content access account

  • Must be a domain account

  • Should not be a member of the Farm Administrators group

Permissions are automatically granted for this account when Search Server 2008 is installed:

  • Read/write to content databases for Web applications

  • Read from the configuration database

  • Read/write to the Windows SharePoint Services Search database

Default content access account

  • No manual configuration is necessary for this account to crawl local content

  • To crawl remote content, change the account to a domain account, use a crawl rule, and apply the requirements described for a server farm

  • Must be a domain account

  • Should not be a member of the Farm Administrators group

  • Read access to external or secure content sources that you want to crawl by using this account

Additional permissions for this account are automatically granted when Search Server 2008 is installed.

Content access account

  • No manual configuration is necessary for this account to crawl local content

  • To crawl remote content, change the account to a domain account, use a crawl rule, and apply the requirements described for a server farm

  • Read access to external or secure content sources that you want to crawl by using this account

  • Full read access to external SharePoint sites

Windows SharePoint Services Search accounts

The following table describes the standard account requirements for Windows SharePoint Services Search accounts. In Search Server 2008 these accounts are used only to search and index the Help contents.

Account Single server requirements Server farm requirements

Windows SharePoint Services Search service account

  • By default, this account runs as the local service account.

  • Must be a domain account

  • Need not be a member of the Farm Administrators group

Permissions are automatically granted for this account when Search Server 2008 is installed:

  • Read/write to content databases for Web applications

  • Read from the configuration database

  • Read/write to the Windows SharePoint Services Search database

Windows SharePoint Services Search Content access account

  • Should not be a member of the Farm Administrators group

  • Read access to Web applications

  • Same requirements as the Windows SharePoint Services Search service account

  • Read access to Web applications

Permissions are automatically granted for this account when Search Server 2008 is installed:

  • Added to the Web application Full Read policy for your farm

Application pool accounts

The following table describes the standard account requirements for application pool accounts.

Account Single server requirements Server farm requirements

Application pool process account

  • No manual configuration is necessary.

No manual configuration is necessary.

The following SQL Server roles and permissions are automatically assigned to this account:

  • Database owner role for content databases associated with the Web application

  • Read/write access to the associated SSP database

  • Read from the configuration database

Additional permissions for this account on WFEs and application servers are automatically granted by Search Server 2008.

Planning recommendations for accounts

This section describes practical planning recommendations suitable for implementing accounts in most environments in the following two deployment scenarios:

  • Secure farm environment

  • Single-server environment

Secure farm environment

These planning recommendations are for individual accounts in a secure farm environment.

Server farm-level accounts

The following table describes the planning recommendations for server farm-level accounts in a secure farm environment.

Account Recommendation

SQL Server service account

  • A domain account is recommended rather than a SQL Server account or a local account. To do this, you might need to set up a valid Service Principal Name (SPN) in Active Directory Domain Services for the domain user account

  • Do not use the server farm account for this account

Setup user account

  • A domain account is recommended

  • For a workgroup environment, this can be a local Windows account

Server farm account

  • A domain account is recommended

SSP accounts

The following table describes the planning recommendations for SSP accounts in a secure farm environment.

Account Recommendation

SSP service account

  • The default account for services is used by default

  • After completing installation, change this account to a domain account

Office SharePoint Server Search account

  • The default account for services is used by default

  • After completing installation, change this account to a domain account

Default content access account

  • By default, the Network Service account is used. After completing installation, change this account to a domain account

  • Do not give the default content access account access to the directory service

Windows SharePoint Services Search accounts

The following table describes the planning recommendations for Windows SharePoint Services Search accounts in a secure farm environment. In Search Server 2008 these accounts are used to crawl and index Help.

Account Recommendation

Windows SharePoint Services Search service account

  • The local service account is used by default.

  • After completing installation, change this account to a domain account.

Windows SharePoint Services Search content access account

  • The local service account is used by default.

Application pool accounts

The following table describes the planning recommendations for application pool accounts in a secure farm environment.

Account Recommendation

Application pool process account

  • Plan a unique domain account for each application pool.

  • Select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers.
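
The secure farm recommendations above can be checked against a planned account inventory before installation. The following PowerShell function is an added example, not part of the original article or of any Microsoft tooling; the role labels, the `Pool`, `FarmAdmin` and `ServerAdmin` fields, and the CONTOSO accounts are constructed for illustration.

```powershell
# Added example: checks a planned account inventory against the secure farm
# recommendations. Role labels, field names and sample accounts are constructed.
function Test-SearchAccountPlan {
    param(
        [Parameter(Mandatory)][object[]]$Plan,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Built-in identities and machine-local accounts are not domain accounts.
    $notDomain = '^(LocalSystem|(NT AUTHORITY|\.|' +
                 [regex]::Escape($ComputerName) + ')\\.+)$'
    # Roles for which the article recommends a domain account.
    $needDomain = 'SQL Server service', 'Setup user', 'Server farm', 'SSP service',
                  'Office SharePoint Server Search', 'Default content access',
                  'WSS Search service', 'Application pool'
    # Roles that should not be members of the Farm Administrators group.
    $noFarmAdmin = 'Office SharePoint Server Search', 'Default content access',
                   'WSS Search content access'

    $findings = @(foreach ($a in $Plan) {
        if ($needDomain -contains $a.Role -and $a.Account -match $notDomain) {
            "$($a.Role): '$($a.Account)' is not a domain account"
        }
        if ($noFarmAdmin -contains $a.Role -and $a.FarmAdmin) {
            "$($a.Role): '$($a.Account)' is a member of Farm Administrators"
        }
        if ($a.Role -eq 'Application pool' -and $a.ServerAdmin) {
            "Application pool $($a.Pool): '$($a.Account)' has administrative rights"
        }
    })
    # The SQL Server service account must not reuse the server farm account.
    $sql  = ($Plan | Where-Object Role -eq 'SQL Server service').Account
    $farm = ($Plan | Where-Object Role -eq 'Server farm').Account
    if ($sql -and $sql -eq $farm) {
        $findings += "SQL Server service: reuses server farm account '$sql'"
    }
    # Each application pool needs its own account.
    $shared = $Plan | Where-Object Role -eq 'Application pool' |
              Group-Object Account | Where-Object Count -gt 1
    foreach ($g in $shared) {
        $findings += "Application pool: '$($g.Name)' is shared by $($g.Group.Pool -join ', ')"
    }
    $findings
}

# Constructed sample plan; CONTOSO is a placeholder domain.
$plan = @(
    [pscustomobject]@{ Role = 'SQL Server service'; Account = 'CONTOSO\svc-farm' }
    [pscustomobject]@{ Role = 'Server farm'; Account = 'CONTOSO\svc-farm' }
    [pscustomobject]@{ Role = 'Office SharePoint Server Search'; Account = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Role = 'Default content access'; Account = 'CONTOSO\svc-crawl'; FarmAdmin = $true }
    [pscustomobject]@{ Role = 'Application pool'; Pool = 'SearchCenter'; Account = 'CONTOSO\svc-pool'; ServerAdmin = $true }
    [pscustomobject]@{ Role = 'Application pool'; Pool = 'SSP'; Account = 'CONTOSO\svc-pool' }
)
Test-SearchAccountPlan -Plan $plan
```

The function requires Windows PowerShell 3.0 or later and returns one string per deviation, so an empty result means the plan matches the recommendations it checks.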

Single-server environment

The following table describes the planning recommendations for using Search Server 2008 in single-server environments. A single-server environment is one where one server hosts all server roles.

Scenario Recommendation

Search Server 2008 Express

Note

This information applies only to Search Server 2008 Express.

  • Use the standard administrator account to run the installation.

  • Use the default accounts assigned by the installation.

  • Assign to the Network Service account the necessary permissions to SQL Server.

SQL Server in a domain environment

  • Use the recommendations provided for a secure farm environment.

SQL Server in a workgroup environment

  • Use the recommendations provided for a secure farm environment, except use Windows accounts instead of domain accounts.