Account permissions and security se...

Account permissions and security settings (Office SharePoint Server)

Updated: 2008-06-12

In this article:

About account permissions and security settings
Administrative and service accounts
Shared services accounts
Group permissions

This article describes Microsoft Office SharePoint Server administrative and services account permissions. It covers the following areas: Microsoft SQL Server, the file system, file shares, and registry entries.

About account permissions and security settings

Many of the Office SharePoint Server 2007 baseline account permissions and security settings are configured by the Post Setup Configuration (PSC) tool. These permissions are the post-PSC permissions. There are also permissions that are required by accounts before setting up and configuring Office SharePoint Server 2007 and that need to be configured manually. These are the pre-PSC permissions.

Administrative and service accounts

Most of the Office SharePoint Server 2007 administrative and service account permissions are configured automatically during the setup process by one of the following Office SharePoint Server 2007 components:

The SharePoint Products and Technologies Configuration Wizard (or Psconfig, the command-line equivalent of the configuration wizard), both of which are referred to in this article as the PSC tool.
The SharePoint Central Administration Web site.
The Shared Services Provider (SSP) administration site Web application.
The Stsadm command-line tool.

Setup user administrator account

This account is used to set up each server in your farm by running the SharePoint Products and Technologies Configuration Wizard, the Psconfig command-line tool, and the Stsadm command-line tool. For the examples in this article, the setup user administrator account is used for farm administration, and it can be managed using Central Administration. Some configuration options require local administration permissions: for example, configuration of the Office SharePoint Server 2007 Search query server. The setup user administrator account requires the following permissions:

It must have domain user account permissions.
It must be a member of the local administrators group on each server in the Office SharePoint Server 2007 farm, excluding SQL Server and the Simple Mail Transfer Protocol (SMTP) server.
This account must be able to log in to the computer running SQL Server.
This account must be assigned to the securityadmin and dbcreator SQL Server security roles.
If you use any Stsadm operations that affect a database, the administrator account must be a member of the db_owner role.

After you run the PSC tool, machine-level permissions for the administrator account include:

Membership in the WSS_ADMIN_WPG Windows security group.
Membership in the IIS_WPG role.

After you run the PSC tool, database permissions include:

db_owner on the Office SharePoint Server 2007 server farm configuration database.
db_owner on the Office SharePoint Server 2007 server farm content database.

Warning:
If the setup user administrator account is removed from the computer running SQL Server, the PSC tool will not run correctly. If you run the PSC tool using an account other than the account under which the PSC tool was first run, the PSC tool will not run correctly.

SQL Server service account

Microsoft SQL Server prompts for the SQL Server service account during SQL Server setup. This account is used as the service account for the following SQL Server services:

MSSQLSERVER
SQLSERVERAGENT

If you do not use the default instance of SQL Server setup, these services will be listed as:

MSSQL$InstanceName
SQLAGENT$InstanceName

Use either a local system account or a domain user account.

Server farm account

The server farm account is also referred to as the database access account and is used as the application pool identity for Central Administration, and as the process account for the Windows SharePoint Services 3.0 Timer service. The server farm account requires the following permissions:

It must have domain user account permissions.
If the server farm is a child farm with Web applications that consume shared services from a parent farm, the server farm account must be a member of the db_owner fixed database role associated with the configuration database of the parent farm.

Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm.

After you run the PSC tool, machine-level permissions include:

Membership in the WSS_ADMIN_WPG Windows security group for the Windows SharePoint Services 3.0 Timer service.
Membership in IIS_RESTRICTED_WPG for the Central Administration application pool.
Membership in IIS_WPG for the Central Administration application pool.

After you run the PSC tool, SQL Server and database permissions include:

Dbcreator fixed server role.
Securityadmin fixed server role.
db_owner for all Office SharePoint Server 2007 databases.
Membership in the WSS_CONTENT_APPLICATION_POOLS role for the Office SharePoint Server 2007 server farm configuration database.
Membership in the WSS_CONTENT_APPLICATION_POOLS role for the Office SharePoint Server 2007 SharePoint_Admin content database.

Windows SharePoint Services 3.0 search service account

The Windows SharePoint Services 3.0 search service account is used as the service account for the Windows SharePoint Services 3.0 Search service. The Windows SharePoint Services 3.0 search service account requires the following permission configuration settings:

This account must have domain user account permissions.
If you are using Least Privilege mode, this account must not be a member of the farm administrators group.

The following machine-level permission is configured automatically: The search service account is a member of the WSS_WPG role.

The following SQL Server and database permissions are configured automatically:

Read access to the server farm configuration database.
Read access to the SharePoint_Admin content database.
This account is assigned the db_owner role for the Windows SharePoint Services 3.0 search database.

Windows SharePoint Services 3.0 search content access account

The Windows SharePoint Services 3.0 search content access account is used by the Windows SharePoint Services 3.0 Search service to crawl content across sites. The Windows SharePoint Services 3.0 search content access account requires the following permission configuration settings:

This account must have domain user account permissions.
This account must not be a member of the farm administrators group.

The following SQL Server and database permissions are configured automatically:

Read access to the server farm configuration database.
Read access to the SharePoint_Admin content database.
This account is assigned to the db_owner role for the Windows SharePoint Services 3.0 search database.

A full Read policy for the Windows SharePoint Services 3.0 search content access account is created on all Web applications.

Shared services accounts

This section describes the accounts that are used to set up and configure a Shared Services Provider (SSP).

SSP application pool account

The SSP application pool account is used for application pool identity for the Shared Services Administration Web site. The SSP application pool account requires the following permission configuration settings:

The following machine-level permission is configured automatically: The SSP application pool account is a member of the WSS_WPG role.

The following SQL Server and database permissions for this account are configured automatically:

Read and write access to the SSP content database.
Read access to the farm configuration database.
Read access to the Central Administration content database.
This account is a member of the user group in the SSP search database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

SSP service account

The SSP service account is used by the following services:

SSP Web services for inter-server communication.
The SSP Timer service to run scheduled jobs.
The application pool that is associated with the virtual directory of the SSP.

The SSP service account requires the following permission configuration setting: Domain user account permissions.

The following machine-level permission is configured automatically: The SSP service account is a member of the WSS_WPG role.

The following SQL Server and database permissions are configured automatically:

This account is assigned to the db_owner role for the SSP content database.
Read and write access to the SSP content database.
Read and write access to content databases for Web applications that are associated with the SSP.
Read access to the configuration database.
Read access to the Central Administration content database.
This account is a member of the user group in the SSP search database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Office SharePoint Server search service account

The Office SharePoint Server 2007 Search service account is used as the service account for the Office SharePoint Server 2007 Search service. The Office SharePoint Server 2007 Search service is used by all SSPs. For any given server, there is only one instance of this service. The Office SharePoint Server 2007 search service account requires the following permission configuration setting: The Office SharePoint Server 2007 search service account is granted access to the propagation location share (or shares) on all search query servers in a farm.

The following machine-level permission is configured automatically: The Office SharePoint Server 2007 search service account is a member of the WSS_WPG role.

The following SQL Server and database permissions are configured automatically:

This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Default content access account

The default content access account is used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern. This account requires the following permission configuration settings:

The default content access account must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account.
For Office SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.
This account must not be a member of the farm administrators group.

The following SQL Server and database permission is configured automatically: Full read permissions are automatically granted to content databases hosted by the server farm.

Content access accounts

Content access accounts are accounts that are configured to access content from the crawl rules UI, or from the Object Model (OM). This type of account is optional and can be configured when you create a new crawl rule. For example, external content (such as a file share) might require this separate content access account. This account requires the following permission configuration settings:

The content access account must have read access to external or secure content sources that this account is configured to access.
For Office SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.

Profile import default access account

The profile import default access account is used to connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or another directory source. This account is also used to import profile data from a directory service.

Note:
If no account is specified, the default content access account is used.

This account requires the following permission configuration settings:

This account must have read access to the directory service.
This account must have permissions to manage user profile personalization services.
This account must have read permissions to entities used in BDC Business Data Catalog import connections.

Excel Services unattended service account

The Excel Services unattended service account is used by Excel Services to connect to external data sources that require a user name and password that are based on operating systems other than Windows for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although account credentials are used to connect to data sources of operating systems other than Windows, if the account is not a member of the domain, Excel Services cannot access it. This account must be a domain user account.

MySites application pool account

The MySites application pool account must be a domain user account. This account must not be a member of the farm administrators group.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

This account must be a member of the db_owner role for My Site search databases that are associated with the Web application (for example, the SSP search database).
This account must have read and write access to the associated SSP database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Other application pool accounts

The other application pool account must be a domain user account. This account must not be a member of the administrators group on any computer in the server farm.

The following machine-level permission is configured automatically: This account is a member of the WSS_WPG role.

The following SQL Server and database permissions are configured automatically:

This account is assigned to the db_owner role for the content databases.
This account is assigned to the db_owner role for search databases associated with the Web application.
This account must have read and write access to the associated SSP database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Group permissions

This section describes permissions of groups that are created by the Office SharePoint Server 2007 setup and configuration tools.

WSS_CONTENT_APPLICATION_POOLS database role

Setup assigns the WSS_CONTENT_APPLICATION_POOLS role to the following databases:

The SharePoint_Config database (the configuration database).
The SharePoint_AdminContent database.

Members of the WSS_CONTENT_APPLICATION_POOLS role are granted the execute permission for a subset of the stored procedures for the database. In addition, members of this role are granted the select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database. For other databases, the accounts planning tool indicates that access to read these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions for stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:

proc_dropEmailEnabledList
proc_dropEmailEnabledListsByWeb
proc_dropSiteMap
proc_markForDeletionEmailEnabledList
proc_markForDeletionEmailEnabledListsBySite
proc_markForDeletionEmailEnabledListsByWeb
proc_putDistributionListToDelete
proc_putEmailEnabledList
proc_putSiteMap

WSS_ADMIN_WPG

The following table shows the WSS_ADMIN_WPG registry entry permissions.

Key name	Permissions	Inherit	Description
HKEY_CLASSES_ROOT\APPID\{58F1D482-A132-4297-9B8A-F8E4E600CDF6}	Full control	N/A	This is the Office SharePoint Server 2007 Search service COM Application.
HKEY_CLASSES_ROOT\APPID\{6002D29F-1366-4523-88C1-56D59BFEF8CB}	Full control	N/A	This is the Windows SharePoint Services 3.0 Search service COM Application.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS	Full control	N/A	N/A
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Registration\{90120000-110D-0000-0000-0000000FF1CE}	Read, write	N/A	N/A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server	Read	No	This key is the root of the Office SharePoint Server 2007 registry settings tree. If this key is altered, Office SharePoint Server 2007 functionality will fail.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0	Full control	No	This key is the root of the Office SharePoint Server 2007 registry settings.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LoadBalancerSettings	Read, write	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LauncherSettings	Read, write	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\Search	Full control	N/A	N/A
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Search	Full control	N/A	N/A
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure	Full control	No	This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the Office SharePoint Server installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS	Full control	Yes	This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the WSS_ADMIN_WPG file system permissions.

File system path	Permissions	Inherit	Description
%AllUsersProfile%\Application Data\Microsoft\Sharepoint	Full control	No	This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss	Full control	No	This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with Office SharePoint Server.
%ProgramFiles%\Microsoft Office Servers\12.0	Full control	No	This directory is the installation location for Office SharePoint Server 2007 binaries and data. The directory can be changed during installation. All Office SharePoint Server 2007 functionality will fail if this directory is removed, altered, or removed after installation. Membership in the WSS_ADMIN_WPG Windows security group is required for some Office SharePoint Server 2007 services to be able to store data on disk.
%ProgramFiles%\Microsoft Office Servers\12.0\WebServices	Read, write	No	This directory is the root directory where back-end SSP Web services are hosted, for example, Excel and Search. The Office SharePoint Server 2007 features that depend on these services will fail if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\12.0\Data	Full control	No	This directory is the root location where local data is stored, including search indexes. Search functionality will fail if this directory is removed or altered. WSS_ADMIN_WPG Windows security group permissions are required to enable search to save and secure data in this folder.
%ProgramFiles%\Microsoft Office Servers\12.0\Logs	Full control	Yes	This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\12.0\Data\Office Server	Full control	Yes	Same as the parent folder.
%windir%\System32\drivers\etc\HOSTS	Read, write	N/A	N/A
%windir%\Tasks	Full control	N/A	N/A
%COMMONPROGRAMFILES%Microsoft Shared\Web Server Extensions\12	Modify	Yes	This directory is the installation directory for core Office SharePoint Server files. If the access control list (ACL) is modified, feature activation, solution deployment, and other features will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\ADMISAPI	Full control	Yes	This directory contains the soap services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\CONFIG	Full control	Yes	This directory contains files used to extend IIS Web sites with Office SharePoint Server. If this directory or its contents are altered, Web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\LOGS	Full control	No	This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\Data	Full control	Yes	N/A
%windir%\temp	Full control	Yes	This directory is used by platform components on which Office SharePoint Server depends. If the ACL is modified, Web Part rendering and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint	Full control	No	This directory is used by Office SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
%systemdrive\program files\Microsoft Office Servers\12 folder on Index servers	Full control	N/A	This permission is granted for a %systemdrive\program files\Microsoft Office Servers\12 folder on Index servers.

WSS_WPG

The following table shows WSS_WPG registry entry permissions.

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0	Read	No	This key is the root of the Office SharePoint Server 2007 registry settings.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\Diagnostics	Read, write	No	This key contains settings for the Office SharePoint Server 2007 diagnostic logging. Altering this key will break the logging functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LoadBalancerSettings	Read, write	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LauncherSettings	Read, write	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure	Read	No	This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the Office SharePoint Server installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS	Read	Yes	This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the WSS_WPG file system permissions.

File system path	Permissions	Inherit	Description
%AllUsersProfile%\Application Data\Microsoft\Sharepoint	Read	No	This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss	Read, execute	No	This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with Office SharePoint Server.
%ProgramFiles%\Microsoft Office Servers\12.0	Read, execute	No	This directory is the installation location for the Office SharePoint Server 2007 binaries and data. It can be changed during installation. All Office SharePoint Server 2007 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load Office SharePoint Server 2007 binaries.
%ProgramFiles%\Microsoft Office Servers\12.0\WebServices	Read	No	This directory is the root directory where back-end SSP Web services are hosted, for example, Excel and Search. The Office SharePoint Server 2007 features that depend on these services will fail if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\12.0\Logs	Read, write	Yes	This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\ADMISAPI	Read	Yes	This directory contains the soap services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\CONFIG	Read	Yes	This directory contains files used to extend IIS Web sites with Office SharePoint Server. If this directory or its contents are altered, Web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\LOGS	Modify	No	This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp	Read	Yes	This directory is used by platform components on which Office SharePoint Server depends. If the ACL is modified, Web Part rendering, and other deserialization operations may fail.
%windir%\System32\logfiles\SharePoint	Read	No	This directory is used by Office SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
%systemdrive\program files\Microsoft Office Servers\12	Read, execute	N/A	The permission is granted for %systemdrive\program files\Microsoft Office Servers\12 folder on Index servers.

Local service

The following table shows the local service registry entry permission:

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LoadBalancerSettings	Read	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.

The following table shows the local service file system permission:

File system path	Permissions	Inherit	Description
%ProgramFiles%\Microsoft Office Servers\12.0\Bin	Read, execute	No	This directory is the installed location of the Office SharePoint Server 2007 binaries. All the Office SharePoint Server 2007 functionality will fail if this directory is removed or altered.

Local system

The following table shows the local system registry entry permissions:

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\LauncherSettings	Read	No	This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure	Full control	No	This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the Office SharePoint Server installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure\FarmAdmin	Full control	No	This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS	Full control	Yes	This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the local file system permissions:

File system path	Permissions	Inherit	Description
%AllUsersProfile%\Application Data\Microsoft\Sharepoint	Full control	No	This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss	Full control	No	This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with Office SharePoint Server.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\ADMISAPI	Full control	Yes	This directory contains the soap services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\CONFIG	Full control	Yes	If this directory or its contents are altered, Web Application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\LOGS	Full control	No	This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp	Full control	Yes	This directory is used by platform components on which Office SharePoint Server depends. If the ACL is modified, Web Part rendering, and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint	Full control	No	This directory is used by Office SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly.

Network service

The following table shows the network service registry entry permission:

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\12.0\Search\Setup	Read	N/A	N/A

Administrators

The following table shows the administrators registry entry permissions:

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure	Full control	No	This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the Office SharePoint Server installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure\FarmAdmin	Full control	No	This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS	Full control	Yes	This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the administrators file system permissions:

File system path	Permissions	Inherit	Description
%AllUsersProfile%\Application Data\Microsoft\Sharepoint	Full control	No	This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss	Full control	No	This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with Office SharePoint Server.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\ADMISAPI	Full control	Yes	This directory contains the soap services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\CONFIG	Full control	Yes	If this directory or its contents are altered, Web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\LOGS	Full control	No	This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp	Full control	Yes	This directory is used by platform components on which Office SharePoint Server depends. If the ACL is modified, Web Part rendering, and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint	Full control	No	This directory is used for Office SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.

WSS_RESTRICTED_WPG

The following table shows the WSS_RESTRICTED_WPG registry entry permission:

Key name	Permissions	Inherit	Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Secure\FarmAdmin	Full control	No	This key contains the encryption key used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.

Users group

The following table shows the users group file system permissions:

File system path	Permissions	Inherit	Description
%ProgramFiles%\Microsoft Office Servers\12.0	Read, execute	No	This directory is the installation location for Office SharePoint Server 2007 binaries and data. It can be changed during installation. All Office SharePoint Server 2007 functionality will fail if this directory is removed, altered, or moved after installation.
%ProgramFiles%\Microsoft Office Servers\12.0\WebServices\Root	Read, execute	No	This directory is the root directory where back-end root Web services are hosted. The only service initially installed on this directory is a search global administration service. Some of the search administration functionality using the server-specific Central Administration Search Settings page will not work if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\12.0\Logs	Read, write	Yes	This directory is the location where the run-time diagnostic logging is generated. Logging will not function properly if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\12.0\Bin	Read, execute	No	This directory is the installed location of Office SharePoint Server 2007 binaries. All of the Office SharePoint Server 2007 functionality will fail if this directory is removed or altered.

All Office SharePoint Server service accounts

The following table shows the all Office SharePoint Server service accounts file system permission:

File system path	Permissions	Inherit	Description
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\LOGS	Modify	No	This directory contains setup and run-time tracing logs. If this directory is altered, diagnostic logging will not function correctly. All Office SharePoint Server service accounts must have write permission to this directory.

Tags

: Add a tag

Community Content

Add new content

Annotations

can you provide a script or powershell package to verify the permission

Peruri Srinivasulu | Edit | Show History

It is helpful to see the details are documented here. Can Microsoft help community to make this information more useful by providing the tool that translates the above information into a tool that will verify the settings against the above defaults and print a report or log file.

Tags

: Add a tag

Flag as ContentBug

A Permission validation tool is needed

Allison B | Edit | Show History

Agree it is helpful to see it all documented however it points out how easy it is to have things go wrong. Frequently we find ourselves troubleshooting errors that turn out to be a permission issue on a SharePoint Farm that was running fine the day before. It seems when anything new is installed from OS patches, new tools, monitoring software, even if someone sneezes close to a server, some setting will reset that will then take days to determine. At least with a checklist like this we might get thru checking all the possibilities sooner but a tool or script would be extremely helpful.

Tags

: enhancement (x) request (x) Add a tag

Flag as ContentBug

IIS_RESTRICTED_WPG must be: WSS_RESTRICTED_WPG ?

AdWeterings | Edit | Show History

I'm assuming the mentioned IIS_RESTRICTED_WPG is a typo, and it must be:
WSS_RESTRICTED_WPG as those are the Machine groups that are actually present on the SharePoint machine(s).

Tags

: Add a tag

Flag as ContentBug