Plan for administrative and service accounts in SharePoint 2013
Published: September 4, 2012
Summary: Learn about the accounts to use to manage SharePoint Server 2013 deployment scenarios and services.
Applies to: SharePoint Foundation 2013 | SharePoint Server 2013
To install SharePoint 2013, you have to have appropriate administrative and service accounts on servers running SharePoint 2013 and SQL Server. After installation, you need to have appropriate administrative and service accounts to modify and maintain the environment. The accounts that you require to complete these groups of tasks are not necessarily the same. This article describes the accounts that you require after installation for a single server environment and a server farm environment.
Use this article along with Initial deployment administrative and service accounts in SharePoint 2013.
The initial deployment administrative and service accounts article describes the specific account and permissions that you need to grant prior to running Setup.
This article does not describe the account requirements for using Secure Store service in SharePoint Server 2013. For more information, see Plan the Secure Store Service in SharePoint Server 2013.
This article does not describe security roles and permissions required to administer in SharePoint 2013.
About administrative and service accounts
This section lists and describes the accounts that you must plan for to manage servers running SQL Server or SharePoint 2013. The accounts are grouped according to scope.
After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.
Server farm-level accounts
The following table describes the accounts that are used to configure SQL Server database software and to install SharePoint 2013.
| Account | Purpose |
|---|---|
| SQL Server service account | SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services: If you are not using the default instance, these services will be shown as: |
| Setup user account | The user account that is used to run: If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database. |
| Server farm account | This account is also referred to as the database access account. This account has the following properties: |
Service application accounts
The following table describes the accounts that are used to set up and configure a service application. Plan one application pool and one proxy group for each service application that you plan to implement.
For more information about service application endpoints, see Using Service Endpoints.
| Account | Service | Purpose | Requirements |
|---|---|---|---|
| Service Application Endpoint | | This account is used as the identity for the service application endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints. | |
| Service Application Endpoint | | This account is used as the identity for the service endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints. | Must be a domain user account. |
| Service Application Endpoint | | This account is used as the identity for the service application endpoint application pool. This account must be the Farm Service Account, and the SharePoint Products Configuration Wizard automatically creates the application pool. | |
| Unattended Service | | Used with workbooks to refresh data. It is required when workbook connections specify "None" for authentication, or when any credentials that are not Windows credentials are used to refresh data. | Must be a domain user account. |
| Unattended Service | | Used for authenticating with data sources. | Must be a domain user account. |
| Unattended Service | | Used with documents to refresh data. It is required when connecting to data sources that are external to SharePoint Server 2013, such as SQL Server. | |
| Default Content Access | | The default account for crawling content. A Search service application administrator can create crawl rules to specify other accounts to crawl specific content. | Must have Read access to the content being crawled. Full Read permissions must be granted explicitly to content that is outside the local farm. Full Read permissions are automatically configured for content databases in the local farm. |
| Search Service | | The Windows service account for the SharePoint Server Search service. This setting affects all Search service applications in the farm. | Must be a domain user account. |
| User Profile Synchronization Service | | The Windows service account for the User Profile Synchronization Service. | Requires the Log on Locally permission on the computer running the instance of the User Profile Synchronization Service. |
| Synchronization Connection | | The account used to perform synchronization with the remote directory service. There can be one account per synchronization connection. | Replicating Directory Changes permission on the domains being synchronized. Replicating Directory Changes permission on the configuration partition of the domains being synchronized if the NetBIOS and fully qualified domain name (FQDN) names do not match. |
| App Management Service | | This account permits you to install SharePoint apps from the SharePoint Store or the App Catalog. | |
| PowerPoint Conversion Service | | This account converts Microsoft PowerPoint presentations into various formats. | |
| SharePoint Translation service | | This account performs automated machine translation. | |
| Access Services 2013 | | This account views, edits, and interacts with Access 2010 databases in a browser. | |
| Work Management | | This account provides task aggregation across work management systems, including SharePoint products, Microsoft Exchange Server, and Microsoft Project Server. | |
Additional application pool identity accounts
If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool that you plan to implement.
| Account | Purpose |
|---|---|
| Application pool identity | The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases that are associated with the web applications that reside in the application pool. |
Single server standard requirements
If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts that you create have the appropriate permissions for their purposes.
For a list of account permissions for single server environments, see Initial deployment administrative and service accounts in SharePoint 2013.
Server farm requirements
If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment.
For a list of standard requirements for server farm environments, see the requirements listed in the Technical reference: Account requirements by scenario section of this article.
For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:
- SharePoint_Config database (configuration database)
- SharePoint_AdminContent database
Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.
For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured.
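A database administrator can verify that the WSS_Content_Application_Pools role still matches the footprint described above (Execute on stored procedures, plus Select on dbo.Versions in SharePoint_AdminContent) and that only the expected application pool identities are members. The following script is an added example, not code from the article; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), Windows authentication to the instance, the default database names used in this article, and a placeholder instance name.

```powershell
# Added example, not part of the TechNet article. Assumes the SqlServer PowerShell module
# (Invoke-Sqlcmd), Windows authentication to the instance, and the default database names
# used in the article; the instance name is a placeholder.
Import-Module SqlServer

$Instance = 'sql01.contoso.local'            # placeholder SQL Server instance
$Role     = 'WSS_Content_Application_Pools'

# Members of the role (the application pool identities that Setup added).
$MemberQuery = @"
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'$Role';
"@

# Explicit permissions granted to the role. Target is schema.object for object-level
# grants, otherwise the securable class (DATABASE, SCHEMA, ...).
$PermQuery = @"
SELECT p.permission_name AS Permission, p.state_desc AS State,
       ISNULL(OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id), p.class_desc) AS Target,
       o.type_desc AS TargetType
FROM sys.database_permissions p
JOIN sys.database_principals r ON p.grantee_principal_id = r.principal_id
LEFT JOIN sys.objects o ON p.class = 1 AND p.major_id = o.object_id
WHERE r.name = N'$Role';
"@

foreach ($Db in 'SharePoint_Config', 'SharePoint_AdminContent') {
    "=== $Db : members of $Role ==="
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query $MemberQuery |
        Format-Table MemberName, MemberType -AutoSize

    "=== $Db : permissions held by $Role ==="
    $Perms = @(Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query $PermQuery)
    $Perms | Format-Table Permission, State, Target, TargetType -AutoSize

    # Expected footprint: EXECUTE on stored procedures, plus SELECT on dbo.Versions in
    # SharePoint_AdminContent only. Anything else is flagged for review, not auto-revoked.
    $Unexpected = @($Perms | Where-Object {
        -not (($_.Permission -eq 'EXECUTE' -and $_.TargetType -like '*PROCEDURE*') -or
              ($_.Permission -eq 'SELECT'  -and $_.Target -eq 'dbo.Versions' -and
               $Db -eq 'SharePoint_AdminContent'))
    })
    if ($Unexpected.Count -gt 0) {
        Write-Warning "$Db : $($Unexpected.Count) grant(s) to $Role outside the expected footprint"
        $Unexpected | Format-Table Permission, State, Target, TargetType -AutoSize
    }
}
```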
Technical reference: Account requirements by scenario
This section lists account requirements by scenario:
Single server standard requirements
Server farm-level accounts
| Account | Requirements |
|---|---|
| SQL Server service | Local System account (default) |
| Setup user | Member of the Administrators group on the local computer |
| Server farm | Network Service (default). No manual configuration is necessary. |
Service application accounts
Important: Accounts in this table apply only to SharePoint Server.
| Account | Requirements |
|---|---|
| SharePoint Server Search Service | By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account. |
| Default Content Access | No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm. |
| Content Access | Same requirement as the default content access account. |
| Profile import Default Access | Same requirements as server farm. |
| Excel Services Unattended Service | Must be a domain user account. |
Additional application pool identity accounts
| Account | Requirements |
|---|---|
| Application pool identity | No manual configuration is necessary. The Network Service account is used for the default web site that is created during Setup and configuration. |
Server farm standard requirements
Server farm-level accounts
Important: The accounts in this table apply only to SharePoint Server.
| Account | Requirements |
|---|---|
| SQL Server service account | Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, one that does not exist in the Active Directory Domain Services (AD DS) environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in AD DS, authentication fails. Authentication always tries to use the first SPN that it finds, so ensure that there are no SPNs assigned to inappropriate containers in AD DS. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant the machine account (<domain_name>\<SQL_hostname>) permissions to the external resource. |
| Setup user account | If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database. |
| Server farm account | Additional permissions are automatically granted for this account on web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: |
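Because authentication uses the first MSSQLSvc SPN it finds, the SQL Server service account row above is worth checking before switching SQL Server to a domain user account. The following script is an added example, not code from the article; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD, and the SQL host name and expected holder (the domain service account, or the machine account when SQL Server runs as Local System or Network Service) are placeholders.

```powershell
# Added example, not part of the TechNet article. Assumes the RSAT ActiveDirectory module on a
# domain-joined host with read access to AD. Host and account names are placeholders.
Import-Module ActiveDirectory

$SqlHost = 'sql01.contoso.local'   # placeholder FQDN of the SQL Server
# Who should hold the MSSQLSvc SPN: the domain service account if SQL Server runs as one,
# otherwise the machine account (<SQL_hostname>$) for Local System / Network Service.
$ExpectedHolder = 'svc_sql'        # placeholder sAMAccountName, e.g. 'SQL01$' for the machine account

# Every AD object that holds an MSSQLSvc SPN for this host. Kerberos uses the first match it
# finds, so an SPN left on a stale or wrong object makes authentication fail for everyone.
$Holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$SqlHost*)" `
                          -Properties servicePrincipalName, sAMAccountName)

if ($Holders.Count -eq 0) {
    Write-Warning "No MSSQLSvc SPN is registered for $SqlHost; Kerberos cannot be used and clients fall back to NTLM."
}

foreach ($H in $Holders) {
    $Spns = @($H.servicePrincipalName | Where-Object { $_ -like "MSSQLSvc/$SqlHost*" })
    [pscustomobject]@{
        Holder      = $H.sAMAccountName
        ObjectClass = $H.ObjectClass
        Spns        = ($Spns -join '; ')
        IsExpected  = ($H.sAMAccountName -ieq $ExpectedHolder)
    }
}

# The same SPN on two objects is a duplicate; which one wins then depends on search order.
# setspn -X reports duplicates forest-wide as well.
if ($Holders.Count -gt 1) {
    Write-Warning "MSSQLSvc SPN for $SqlHost is registered on $($Holders.Count) objects; keep it only on the account that runs the service."
}
elseif ($Holders.Count -eq 1 -and $Holders[0].sAMAccountName -ine $ExpectedHolder) {
    Write-Warning "MSSQLSvc SPN for $SqlHost is held by $($Holders[0].sAMAccountName), not $ExpectedHolder."
}
```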
Service application service accounts
Important: The accounts in this table apply only to SharePoint Server.
| Account | Requirements |
|---|---|
| SharePoint Server Search service account | The following are automatically configured: |
| Default content access account | The following are automatically configured: |
| Content access account | |
| Profile import default access account | |
| Excel Services unattended service account | Must be a domain user account. |
Additional application pool identity accounts
| Account | Requirements |
|---|---|
| Application pool identity | No manual configuration is necessary. The following are automatically configured: |
