Install Office SharePoint Server 2007 with least privilege administration by using the command line

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2017-01-24

In this article:

  • Install software requirements

  • Determine required accounts for least-privilege administration

  • Install Microsoft Office SharePoint Server 2007 by using least-privilege administration

  • Configure the server by using the Psconfig command-line tool

  • Perform additional configuration tasks

  • Create a Shared Services Provider by using the Stsadm command-line tool

  • Create a site collection by using the Stsadm command-line tool

  • Configure the trace log

This article discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using least-privilege administration.

The Office SharePoint Server 2007 standard configuration uses a set of user accounts and installation settings for both stand-alone servers and server farms to simplify the installation process. However, enterprises are often required to use least-privilege administration in which each service or user is provided with only the minimum permissions and group memberships that they need to accomplish the tasks that they are authorized to perform. Installing Office SharePoint Server 2007 with least-privilege administration requires additional preparation and configuration steps. We strongly recommend that you use least-privilege administration.

To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-alone server or a server farm, you complete the following steps:

  1. Plan the deployment and ensure that you have installed all the software requirements.

  2. Determine the required accounts that are used during installation.

  3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by using Setup at a command prompt and specifying a configuration file.

  4. Configure the server by using the Psconfig command-line tool with the appropriate options.

  5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).

  6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).

Install software requirements

Before running Setup, you must perform several actions to prepare the deployment. For more information about the complete list of actions you must perform before installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you have the following software requirements before you run Setup in any deployment:

  • Office SharePoint Server 2007 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Office SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkID=122586&clcid=0x409).

    Note

    All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English versions and Japanese versions of Office SharePoint Server 2007 in the same farm.

  • The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

    You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=110508).

  • ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all Office SharePoint Server 2007 servers.

  • Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.

Note

To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for least-privilege administration

Before installing Office SharePoint Server 2007 by using least-privilege administration in any security configuration, you should understand the three-tier security model for Office SharePoint Server 2007 and the detailed account permissions that are required for each configuration. For more information, see Plan for security roles (Office SharePoint Server) and Plan for administrative and service accounts (Office SharePoint Server), listed under See Also at the end of this article.

Many requirements and configuration steps for installing Office SharePoint Server 2007 by using least-privilege administration resemble the standard farm installation. For more information about the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.

The following list describes the accounts that are used to install Office SharePoint Server 2007 for least-privilege administration compared to the standard account requirements for farm installation. For each account, the purpose, the server farm standard requirement, and the least-privilege administration (using domain user accounts) requirement are given.

Setup user account

  Purpose: The Setup user account is used to run the following:

    • Setup on each server.

    • The SharePoint Products and Technologies Configuration Wizard.

    • The Psconfig command-line tool.

    • The Stsadm command-line tool.

  Server farm standard requirement:

    • Domain user account

    • Member of the Administrators group on each server on which Setup is run

    • SQL Server login on the computer that is running SQL Server

    • Member of the following SQL Server security roles:

      • securityadmin fixed server role

      • dbcreator fixed server role

    If you run Stsadm command-line commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

  Least-privilege administration using domain user accounts requirement: Server farm standard requirements with the following additions or exceptions:

    • Use a separate domain user account.

    • The Setup user account should not be a member of the Administrators group on the computer that is running SQL Server.

Server farm account or database access account

  Purpose: The server farm account is used to:

    • Configure and manage the server farm.

    • Act as the application pool identity for the SharePoint Central Administration Web site.

    • Run the Windows SharePoint Services Timer service.

  Server farm standard requirement:

    • Domain user account.

    • If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.

    Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.

    The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server and added to the following SQL Server security roles:

      • dbcreator fixed server role

      • securityadmin fixed server role

      • db_owner fixed database role for all databases in the server farm.

  Least-privilege administration using domain user accounts requirement: Server farm standard requirements with the following additions or exceptions:

    • Use a separate domain user account.

    • The server farm account is not a member of the Administrators group on any server in the server farm. This includes the computer that is running SQL Server.

    The server farm account does not require permissions to SQL Server before you create the configuration database.

The minimum requirements to achieve least-privilege administration include the following:

  • Separate accounts are used for different services and processes.

  • No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise the environment.

Least-privilege administration can be implemented in many ways, depending on the security configuration of each scenario. The configurations for least-privilege administration include:

  • Separate domain user accounts

  • SQL Server authentication

  • Domain user accounts connecting to existing databases
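The following pre-flight check is an added example, not part of the original article. It verifies, on the server where it runs, the account requirements listed above for the "separate domain user accounts" configuration: the Setup user account must be a local administrator on the servers where Setup runs but not on the SQL Server host, and must hold the securityadmin and dbcreator fixed server roles; the server farm account must be a domain account that is not a local administrator anywhere. The account names, SQL Server instance and database name are placeholders; the SQL queries run as the current user over Windows authentication, and the db_owner check is only attempted once the configuration database exists.

```powershell
# Added pre-flight check (not from the original TechNet article). Run on each farm server
# before Setup; pass -IsSqlServer when running on the computer that hosts SQL Server.
# Assumptions: account names, instance and database names below are placeholders;
# the SQL checks use the current user's Windows credentials.
param(
    [string]$SetupAccount = 'CONTOSO\sp_setup',     # placeholder: Setup user account
    [string]$FarmAccount  = 'CONTOSO\sp_farm',      # placeholder: server farm account
    [string]$SqlInstance  = 'SQL01',                # placeholder: database server
    [string]$ConfigDb     = 'SharePoint_Config',    # placeholder: configuration database
    [switch]$IsSqlServer                            # set when this host runs SQL Server
)

$findings = New-Object System.Collections.ArrayList

# Members of the local Administrators group as DOMAIN\name, read through the WinNT ADSI provider.
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name; normalise it to DOMAIN\name
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Test-LocalAdmin([string]$account) {
    $null -ne (Get-LocalAdministrators | Where-Object { $_ -ieq $account })
}

# Runs a scalar query with integrated security; parameters are bound, never concatenated.
function Invoke-SqlScalar([string]$instance, [string]$database, [string]$query, [hashtable]$params) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Database=$database;Integrated Security=SSPI;")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    foreach ($k in $params.Keys) { [void]$cmd.Parameters.AddWithValue($k, $params[$k]) }
    try { $conn.Open(); return $cmd.ExecuteScalar() } finally { $conn.Close() }
}

# Fixed server role membership of a named login (IS_SRVROLEMEMBER accepts a login argument).
function Test-ServerRole([string]$login, [string]$role) {
    $r = Invoke-SqlScalar $SqlInstance 'master' 'SELECT IS_SRVROLEMEMBER(@role, @login)' @{ '@role' = $role; '@login' = $login }
    return ($r -eq 1)
}

# db_owner membership in one database, from the catalog views (SQL Server 2005 and later).
function Test-DbOwner([string]$login, [string]$database) {
    $q = @"
SELECT COUNT(*) FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner' AND m.name = @login
"@
    $r = Invoke-SqlScalar $SqlInstance $database $q @{ '@login' = $login }
    return ([int]$r -gt 0)
}

# Setup user account: local admin where Setup runs, never on the SQL Server host.
$setupIsAdmin = Test-LocalAdmin $SetupAccount
if ($IsSqlServer -and $setupIsAdmin) {
    [void]$findings.Add("FAIL: $SetupAccount is in local Administrators on the SQL Server host")
} elseif (-not $IsSqlServer -and -not $setupIsAdmin) {
    [void]$findings.Add("FAIL: $SetupAccount must be in local Administrators on $env:COMPUTERNAME to run Setup, Psconfig and Stsadm")
}
foreach ($role in 'securityadmin', 'dbcreator') {
    if (-not (Test-ServerRole $SetupAccount $role)) {
        [void]$findings.Add("FAIL: $SetupAccount is not in the $role fixed server role on $SqlInstance")
    }
}
# db_owner is needed once Stsadm reads from or writes to the database; check only if it exists yet.
$exists = Invoke-SqlScalar $SqlInstance 'master' 'SELECT COUNT(*) FROM sys.databases WHERE name = @n' @{ '@n' = $ConfigDb }
if ([int]$exists -gt 0 -and -not (Test-DbOwner $SetupAccount $ConfigDb)) {
    [void]$findings.Add("WARN: $SetupAccount is not db_owner on $ConfigDb; Stsadm operations that touch it will fail")
}

# Server farm account: a domain account that is not a local administrator on any farm server.
if ($FarmAccount -notmatch '^[^\\]+\\[^\\]+$') {
    [void]$findings.Add("FAIL: $FarmAccount is not in DOMAIN\name form; the farm account must be a domain user account")
}
if (Test-LocalAdmin $FarmAccount) {
    [void]$findings.Add("FAIL: $FarmAccount is in local Administrators on $env:COMPUTERNAME")
}

if ($findings.Count -eq 0) { Write-Host "PASS: least-privilege account checks succeeded on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { Write-Host $_ }; exit 1 }
```

Run it once per server with the Setup user account logged on; a non-zero exit code means at least one requirement from the list above is not met, and the printed findings say which account and which server or role is involved.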

Install Microsoft Office SharePoint Server 2007 by using least-privilege administration

After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.

Configuration file                Description

Setup\Config.xml                  Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition

SetupFarm\Config.xml              Server farm installation

SetupFarmSidebySide\Config.xml    Gradual upgrade of an existing farm

SetupFarmSilent\Config.xml        Server farm installation in silent mode

SetupFarmUpgrade\Config.xml       In-place upgrade of an existing farm

SetupSilent\Config.xml            Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode

SetupSingleUpgrade\Config.xml     In-place upgrade of an existing single-server installation

Important

The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.

Example

The following example shows the configuration for setting up a single server in silent mode (SetupSilent).

<Configuration>
    <Package Id="sts">
        <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
        <Setting Id="REBOOT" Value="ReallySuppress"/>
        <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
    </Package>
    <Package Id="spswfe">
        <Setting Id="SETUPCALLED" Value="1"/>
        <Setting Id="REBOOT" Value="ReallySuppress"/>
        <Setting Id="OFFICESERVERPREMIUM" Value="1" />
    </Package>
    <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
    <Display Level="none" CompletionNotice="no" />
    <PIDKEY Value="Enter PID Key Here" />
    <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
    <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt

  1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.

  2. Run Setup with the selected Config.xml file.

    setup /config <path and file name>

    Note

    You can select one of the example files, or customize your own configuration file.

  3. Press ENTER.

Setup is now complete.

Example

To run Setup in silent mode, type the following command at a command prompt, and then press ENTER:

  • setup /config Files\SetupSilent\config.xml (for a single server deployment)

  • setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)

You can also customize the configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file.

Some typical configuration options include:

  • Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.

  • Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose" Path="path name" Template="file name.log"/>, which you can view if command-line installation fails.
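The script below is an added example, not one of the product DVD's Config.xml files, showing how to prepare a copy of an example configuration file for an unattended installation: it adds the SETUP_REBOOT setting the DVD examples omit, refuses to proceed with the "Enter PID Key Here" placeholder still in place, and sets verbose logging and silent display as described above. It assumes that SETUP_REBOOT is written as a direct child of the Configuration element (where the SERVERROLE and USINGUIINSTALLMODE settings sit in the SetupSilent example), that the source and destination paths are placeholders, and that the product key is entered at run time rather than stored in the script.

```powershell
# Added example (not one of the product DVD's Config.xml files). Prepares a restart-suppressed,
# silent Config.xml from one of the DVD examples. Assumptions: paths are placeholders;
# SETUP_REBOOT is placed directly under <Configuration>; the key is prompted for, not hard-coded.
param(
    [string]$Source      = 'D:\Files\SetupFarmSilent\config.xml',  # placeholder DVD path
    [string]$Destination = 'C:\Install\config.xml',                 # placeholder output path
    [string]$ProductKey  = $(Read-Host 'Product key'),              # prompted, never stored in the script
    [string]$LogPath     = 'C:\Install\Logs'                        # placeholder log folder
)

$PlaceholderKey = 'Enter PID Key Here'

# Returns the <Setting Id=...> element directly under <Configuration>, creating it if absent.
function Set-ConfigSetting([xml]$doc, [string]$id, [string]$value) {
    $node = $doc.Configuration.SelectSingleNode("Setting[@Id='$id']")
    if ($null -eq $node) {
        $node = $doc.CreateElement('Setting')
        [void]$node.SetAttribute('Id', $id)
        [void]$doc.Configuration.AppendChild($node)
    }
    [void]$node.SetAttribute('Value', $value)
    return $node
}

# Returns the named child element of <Configuration>, creating it if absent.
function Get-ConfigChild([xml]$doc, [string]$name) {
    $node = $doc.Configuration.SelectSingleNode($name)
    if ($null -eq $node) { $node = $doc.Configuration.AppendChild($doc.CreateElement($name)) }
    return $node
}

function New-SilentConfig([string]$src, [string]$dst, [string]$key, [string]$logPath) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($src)   # throws on malformed XML, which is better discovered here than by Setup
    if ($null -eq $doc.Configuration) { throw "$src has no <Configuration> root element" }

    # 1. Suppress restarts during command-line installation (omitted from the DVD examples).
    [void](Set-ConfigSetting $doc 'SETUP_REBOOT' 'Never')

    # 2. Never ship the placeholder product key; <PIDKEY> bypasses the product key prompt.
    if ([string]::IsNullOrEmpty($key) -or $key -eq $PlaceholderKey) { throw 'A real product key is required' }
    $pidKey = Get-ConfigChild $doc 'PIDKEY'
    [void]$pidKey.SetAttribute('Value', $key)

    # 3. Verbose logging to a known folder so a failed silent install can be diagnosed.
    $log = Get-ConfigChild $doc 'Logging'
    [void]$log.SetAttribute('Type', 'verbose')
    [void]$log.SetAttribute('Path', $logPath)
    [void]$log.SetAttribute('Template', 'Office Server Setup(*).log')

    # 4. Silent mode: no UI and no completion notice.
    $disp = Get-ConfigChild $doc 'Display'
    [void]$disp.SetAttribute('Level', 'none')
    [void]$disp.SetAttribute('CompletionNotice', 'no')

    $doc.Save($dst)
    return $dst
}

$out = New-SilentConfig $Source $Destination $ProductKey $LogPath
Write-Host "Wrote $out; run: setup /config $out"
```

Because the resulting file contains the product key in clear text, keep it in a folder readable only by the Setup user account and delete it when the installation has finished.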

Important

Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.

For more information about the options available for customizing the configuration file, see Config.xml reference (Office SharePoint Server).

For more information about the command-line options for Setup, see Setup.exe command-line reference (Office SharePoint Server).

For more information about command-line installation, see Install Office SharePoint Server 2007 by using the command line.

Configure the server by using the Psconfig command-line tool

You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin. The configuration options are different depending on whether you install Office SharePoint Server 2007 on a stand-alone server or on a server farm.

For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server). For more information about the services and features that are registered during the configuration, see Using PSConfig.exe command-line options to complete SharePoint Server Configuration (https://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server

In stand-alone server deployments that use least-privilege administration, you can run the Psconfig command-line tool with the setup command.

After you have logged on by using the Setup user account that you previously created and configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 by using the Psconfig command-line tool

  1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  2. Type the following command, and then press ENTER:

    psconfig -cmd setup

The Psconfig command-line tool describes the configuration steps as they occur, and notes the successful completion of configuration. For a stand-alone-server installation, this is the final step in a command-line installation.

Configure SharePoint Server 2007 on a farm

In server farm deployments that use least-privilege administration, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site.

The following procedure describes how to configure the first server in the farm.

Note

Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool

  1. Log on by using the Setup user account that you previously created and configured.

  2. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  3. Create the configuration database:

    psconfig -cmd configdb -create -server <database server name> -database <database name>

    -dbuser <domain\user name> -dbpassword <password>

    -user <domain\user name> -password <password>

    -addomain <domain name> -adorgunit <org unit>

    -admincontentdatabase <Central Administration Web application content database name>

    Note

    The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.

  4. Install all Help collections:

    psconfig -cmd helpcollections installall

  5. Perform resource security enforcement:

    psconfig -cmd secureresources

  6. Register services in the server farm:

    psconfig -cmd services -install

    Note

    After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:

    1. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]

      For more information, see Spsearch: Stsadm operation (Windows SharePoint Services).

      Note

      Use the domain and user account information for the server farm account that you previously created and configured.

    2. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>

      For more information, see Osearch: Stsadm operation (Office SharePoint Server).

      Note

      Use the domain and user account information for the server farm account that you created and configured previously.

    3. Provision the services of the farm:

      psconfig -cmd services -provision

  7. Register all features:

    psconfig -cmd installfeatures

  8. Provision the SharePoint Central Administration Web application:

    psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm

  9. Install shared application data:

    psconfig -cmd applicationcontent -install

The Central Administration Web site has now been created.

We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.

Note

If any of these commands fail, look in the post-Setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs. They can be identified by a file name starting with “PSC” and the .log file name extension.

To connect to an existing configuration database and join the server to an existing server farm, you must run the configdb command together with the -connect parameter instead of the -create parameter.

psconfig -cmd configdb -connect -server <server name> -database <database name>

Note

Omit the -admincontentdatabase parameter, because you already specified it when you created the configuration database on the first server.

Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.
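The following script is an added example, not the article's own, that runs the Psconfig and Stsadm sequence from the procedure above in order and stops at the first failing step, pointing at the PSC*.log files named in the note. It assumes placeholder values for the database server, database names, Active Directory domain and organizational unit, farm account, contact e-mail address and Central Administration port; the farm account password is prompted for with Get-Credential rather than typed on the command line, and the -Join switch selects the configdb -connect variant used on additional servers (with Central Administration provisioned there only when -ProvisionAdmin is also given).

```powershell
# Added example (not from the original article). Runs the farm configuration sequence in the
# documented order and aborts on the first failure. Assumptions: every value in param() is a
# placeholder; the farm account password is prompted for; -Join means "connect to an existing
# configuration database" instead of creating one.
param(
    [string]$DbServer       = 'SQL01',                   # placeholder database server
    [string]$ConfigDb       = 'SharePoint_Config',       # placeholder configuration database
    [string]$AdminContentDb = 'SharePoint_AdminContent', # placeholder Central Administration content database
    [string]$AdDomain       = 'contoso.com',             # placeholder -addomain
    [string]$AdOrgUnit      = 'SharePointAccounts',      # placeholder -adorgunit
    [string]$FarmAccount    = 'CONTOSO\sp_farm',         # placeholder server farm account
    [string]$ContactEmail   = 'spadmin@contoso.com',     # placeholder -farmcontactemail
    [int]$AdminPort         = 8000,                      # placeholder Central Administration port
    [switch]$Join,                                       # additional server: configdb -connect
    [switch]$ProvisionAdmin                              # with -Join: also provision Central Administration here
)

$bin      = Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Bin'
$logs     = Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Logs'
$psconfig = Join-Path $bin 'psconfig.exe'
$stsadm   = Join-Path $bin 'stsadm.exe'

# Runs one tool invocation and throws on a non-zero exit code, naming the log files to inspect.
function Invoke-Step([string]$name, [string]$exe, [string[]]$arguments) {
    Write-Host "==> $name"
    & $exe @arguments
    if ($LASTEXITCODE -ne 0) {
        throw "Step '$name' failed with exit code $LASTEXITCODE; see the PSC*.log files in $logs"
    }
}

# Prompt once for the farm account password. The tools take it as an argument, so the script
# keeps it out of shell history and scripts but it is still visible in the process command line.
$cred = Get-Credential $FarmAccount
$farmPassword = $cred.GetNetworkCredential().Password

if ($Join) {
    # Additional servers: connect to the existing configuration database (no -admincontentdatabase).
    Invoke-Step 'configdb connect' $psconfig @('-cmd', 'configdb', '-connect', '-server', $DbServer, '-database', $ConfigDb)
} else {
    # First server: create the configuration database with the farm account as its identity.
    Invoke-Step 'configdb create' $psconfig @('-cmd', 'configdb', '-create', '-server', $DbServer, '-database', $ConfigDb,
        '-user', $FarmAccount, '-password', $farmPassword, '-addomain', $AdDomain, '-adorgunit', $AdOrgUnit,
        '-admincontentdatabase', $AdminContentDb)
}
Invoke-Step 'help collections'   $psconfig @('-cmd', 'helpcollections', 'installall')
Invoke-Step 'secure resources'   $psconfig @('-cmd', 'secureresources')
Invoke-Step 'services install'   $psconfig @('-cmd', 'services', '-install')
# The two search services must be started with the farm account before services are provisioned.
Invoke-Step 'WSS search start'   $stsadm   @('-o', 'spsearch', '-action', 'start',
    '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword)
Invoke-Step 'OSS search start'   $stsadm   @('-o', 'osearch', '-action', 'start', '-role', 'IndexQuery',
    '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword, '-farmcontactemail', $ContactEmail)
Invoke-Step 'services provision' $psconfig @('-cmd', 'services', '-provision')
Invoke-Step 'install features'   $psconfig @('-cmd', 'installfeatures')
if (-not $Join -or $ProvisionAdmin) {
    Invoke-Step 'Central Administration' $psconfig @('-cmd', 'adminvs', '-provision', '-port', "$AdminPort",
        '-windowsauthprovider', 'onlyusentlm')
}
Invoke-Step 'application content' $psconfig @('-cmd', 'applicationcontent', '-install')

Write-Host "Configuration finished on $env:COMPUTERNAME"
```

Run it from a PowerShell session started under the Setup user account; on the first server run it without switches, and on each additional server run it with -Join (adding -ProvisionAdmin on any server that should also host Central Administration).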

To successfully complete command-line installation on a server farm, you must use the Stsadm command-line tool to create an SSP, and then a site collection for the farm. However, before you create a Shared Services Provider and a site collection, we recommend that you first perform some additional configuration tasks.

Perform additional configuration tasks

After you have installed Office SharePoint Server 2007, we recommend that you perform the following administrative tasks:

Create a Shared Services Provider by using the Stsadm command-line tool

After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP and site collection for the farm.

Important

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

The recommended procedure for creating an SSP is to create a Web application for the My Sites host location, and a separate Web application for the Shared Services Administration Web site.

Create a Web application by using the Stsadm command-line tool

  1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  2. Type the following command, and then press ENTER:

    stsadm -o extendvs

    -url <URL name>

    -ownerlogin <domain\user name>

    -owneremail <e-mail address>

    [-exclusivelyusentlm]

    [-ownername <display name>]

    [-databaseuser <database user name>]

    [-databaseserver <database server name>]

    [-databasename <new content database name>]

    [-databasepassword <database password>]

    [-lcid <language>]

    [-sitetemplate <site template>]

    [-donotcreatesite]

    [-description]

    [-sethostheader]

    [-apidname <application pool name>]

    [-apidtype {configurableID | NetworkService}]

    [-apidlogin <domain\user name>]

    [-apidpwd <application pool password>]

    [-allowanonymous]

    For more information, see Stsadm command-line tool (Office SharePoint Server).

The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application.

After creating the Web applications for the My Sites host location and for the Shared Services Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool

  1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  2. Type the following command, and then press ENTER:

    stsadm -o createssp

    -title <SSP name>

    -url <Web application URL>

    -mysiteurl <My Sites Web application URL>

    -ssplogin <user name>

    -ssppassword <password>

    -sspdatabaseserver <SSP database server>

    -sspdatabasename <SSP database name>

    -indexserver <index server name>

    -indexlocation <index file path>

    [-ssppassword <SSP password> ]

    [-sspdatabaseserver <SSP database server name> ]

    [-sspdatabasename <SSP database name> ]

    [-sspsqlauthlogin <SQL user name> ]

    [-sspsqlauthpassword <SQL password> ]

    [-searchdatabaseserver <search database server name> ]

    [-searchdatabasename <search database name> ]

    [-searchsqlauthlogin <SQL user name> ]

    [-searchsqlauthpassword <SQL password> ]

    [-ssl {Yes | No}]

Example

The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.

stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database name> -donotcreatesite -apidname <SSP application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

Similarly, you can create another Web application as the My Sites host location by using the following command:

stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <SQL Server> -databasename <site content database name> -donotcreatesite -apidname <site application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

Then you create the SSP, named MySSP1, with its database named MySSP1_db:

stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>

For more information, see Extendvs: Stsadm operation (Office SharePoint Server) and Createssp: Stsadm operation (Office SharePoint Server).

Create a site collection by using the Stsadm command-line tool

You create the top-level site collection by using the same extendvs operation that you used to create the Web applications for My Sites and the Shared Services Administration Web site.

Important

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

Create a site collection by using the Stsadm command-line tool

  1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  2. Type the following command, and then press ENTER:

    stsadm -o extendvs

    -url <URL name>

    -ownerlogin <domain\user name>

    -owneremail <e-mail address>

    [-exclusivelyusentlm]

    [-ownername <display name>]

    [-databaseuser <database user name>]

    [-databaseserver <database server name>]

    [-databasename <new content database name>]

    [-databasepassword <database password>]

    [-lcid <language>]

    [-sitetemplate <site template>]

    [-donotcreatesite]

    [-description]

    [-sethostheader]

    [-apidname <application pool name>]

    [-apidtype {configurableID | NetworkService}]

    [-apidlogin <domain\user name>]

    [-apidpwd <application pool password>]

    [-allowanonymous]

    For more information about how to create a site collection, see Createsite: Stsadm operation (Office SharePoint Server).

Example

The following example creates a site collection at http://intranet that uses the corporate intranet site template.

stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>

This command can also be used to add other site collections and sites.

If you do not specify the site template to use, the site collection administrator can choose the site template when he or she first browses to the site.

The extendvs operation also enables you to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (https://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

For more information about the Stsadm command-line tool, see Stsadm command-line tool (Office SharePoint Server).

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings.

Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain, and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify where the log files are written or accept the default path.

Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes. Store these log files for an extended period of time in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used to store log files only.
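The script below is an added example, not part of the original article, of the retention practice just described: it copies every log file written on a given day to a folder reserved for log files, refuses to overwrite anything already archived there, and records a SHA-256 hash of each copy so that later truncation or tampering of the archive can be detected. It assumes that the trace log files are written to the 12\LOGS folder under %COMMONPROGRAMFILES% (the default location is not named in this article, so pass -LogFolder if you changed it) and that the archive path is a placeholder.

```powershell
# Added example (not from the original article). Archives one day's log files to a dedicated
# folder with a hash manifest. Assumptions: the log folder default is the 12\LOGS folder
# under %COMMONPROGRAMFILES%; the archive path is a placeholder on a log-only partition.
param(
    [datetime]$Day       = (Get-Date).Date,
    [string]$LogFolder   = (Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\LOGS'),
    [string]$Archive     = 'E:\TraceLogArchive'   # placeholder: partition used for log files only
)

# SHA-256 of a file as an upper-case hex string, using the .NET 2.0 class so it runs on older hosts.
function Get-FileSha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# Copies the log files last written on $day into $dst\yyyy-MM-dd and appends each file's hash
# to manifest.sha256 in that folder. Returns the number of files archived.
function Save-TraceLogs([datetime]$day, [string]$src, [string]$dst) {
    $target = Join-Path $dst $day.ToString('yyyy-MM-dd')
    if (-not (Test-Path $target)) { [void](New-Item -ItemType Directory -Path $target) }
    $manifest = Join-Path $target 'manifest.sha256'
    $count = 0
    $files = Get-ChildItem -Path $src -Filter '*.log' | Where-Object { $_.LastWriteTime.Date -eq $day.Date }
    foreach ($f in $files) {
        $copy = Join-Path $target $f.Name
        if (Test-Path $copy) {
            # Never overwrite an earlier archive copy; an existing file is evidence, not a target.
            Write-Warning "Skipping $($f.Name): already archived"
            continue
        }
        Copy-Item -Path $f.FullName -Destination $copy
        Add-Content -Path $manifest -Value ('{0}  {1}' -f (Get-FileSha256 $copy), $f.Name)
        $count++
    }
    return $count
}

$n = Save-TraceLogs $Day $LogFolder $Archive
Write-Host "Archived $n log file(s) from $($Day.ToShortDateString()) to $Archive"
```

Schedule it to run after the last log file of a change day has been closed (for the default 30-minute log interval, shortly after midnight is enough), and re-hash the archived files against manifest.sha256 before relying on them in an investigation.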


See Also

Concepts

Plan for security roles (Office SharePoint Server)
Plan for administrative and service accounts (Office SharePoint Server)

Other Resources

Office SharePoint Server Security Account Requirements (https://go.microsoft.com/fwlink/?LinkId=110493&clcid=0x409)