Account permissions and security settings in SharePoint 2013

APPLIES TO: yes-img-132013 no-img-162016 no-img-192019 no-img-seSubscription Edition no-img-sopSharePoint in Microsoft 365

This article describes SharePoint administrative and services account permissions for the following areas: Microsoft SQL Server, the file system, file shares, and registry entries.

Important

Do not use service account names that contain the symbol $ with the exception of using a Group Managed Service Account for SQL Server.

About account permissions and security settings

The SharePoint Configuration Wizard (psconfig) and the Farm Creation Wizard, both of which are run during a Complete installation, configure many of the SharePoint baseline account permissions and security settings.

SharePoint administrative accounts

One of the following SharePoint components automatically configures most of the SharePoint administrative account permissions during the setup process:

  • The SharePoint Configuration Wizard (Psconfig).

  • The Farm Creation Wizard.

  • The SharePoint Central Administration web site.

  • PowerShell.

Farm administrator user account

This account is a uniquely identifiable account assigned to the SharePoint admin and is used to set up each server in your farm by running the SharePoint Configuration Wizard, the initial Farm Creation Wizard, and PowerShell. The account must be a domain user. For the examples in this article, the farm administrator account is used for farm administration, and you can use Central Administration to manage it. Some configuration options such as configuration of the SharePoint 2013 Search query server require local administration permissions. The farm administrator user account requires the following permissions:

  • It must be a member of the Local Administrators group on each server in the SharePoint farm.

  • This account must have access to the SharePoint databases.

  • If you use any PowerShell operations that affect a database, the setup user administrator account must be a member of the db_owner role or sysadmin fixed server role.

  • This account must be assigned to the securityadmin and dbcreator fixed server roles during setup and configuration or the sysadmin fixed server role in SQL Server.

Note

The securityadmin and dbcreator SQL Server security roles might be required for this account during a complete version-to-version upgrade because new databases might have to be created and secured for services.

After you run the configuration wizards, machine-level permissions for the setup user administrator account include:

  • Membership in the WSS_ADMIN_WPG Windows security group.

  • Membership in the WSS_WPG role.

After you run the configuration wizards, database permissions include:

  • db_owner on the SharePoint server farm configuration database.

  • db_owner on the SharePoint Central Administration content database.

Caution

If the account that you use to run the configuration wizards does not have the appropriate special SQL Server role membership or access as db_owner on the databases, the configuration wizards will not run correctly.

SharePoint farm service account

The server farm account, which is also referred to as the database access account, is used as the application pool identity for Central Administration and as the process account for the SharePoint Foundation 2013 Timer service. The server farm account must be a domain user account.

Permissions are automatically granted to the server farm account on web servers and application servers that are joined to a server farm.

After you run the configuration wizards, SQL Server and database permissions include:

  • Membership in the WSS_ADMIN_WPG Windows security group for the SharePoint Foundation 2013 Timer service.

  • Membership in WSS_RESTRICTED_WPG for the Central Administration and Timer service application pools.

  • Membership in WSS_WPG for the Central Administration application pool.

  • Dbcreator fixed server role.

  • Securityadmin fixed server role.

  • db_owner for all SharePoint databases.

  • Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint server farm configuration database.

  • Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint_Admin content database.

SharePoint service application accounts

This section describes the service application accounts that are set up by default during installation.

Application pool account

The application pool account is used for application pool identity. The application pool account must be a domain user account.

The following machine-level permission is configured automatically:

  • The application pool account is a member of WSS_WPG.

The following SQL Server and database permissions for this account are configured automatically:

  • The application pool accounts for Web applications are assigned to the SP_DATA_ACCESS role for the content databases.

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Default content access account

Important

Information in this section applies to SharePoint Server 2016 only.

The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern. This account requires the following permission configuration settings:

  • The default content access account must be a domain user account that has read access to external or secure content sources that you want to crawl by using this account.

  • For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this account full read permissions to the web applications that host the sites.

  • This account must not be a member of the Farm Administrators group.

Content access accounts

Important

Information in this section applies to SharePoint Server 2016 only.

Content access accounts are configured to access content by using the Search administration crawl rules feature. This type of account is optional and you can configure it when you create a new crawl rule. For example, external content (such as a file share) might require this separate content access account. This account requires the following permission configuration settings:

  • The content access account must have read access to external or secure content sources that this account is configured to access.

  • The content access account must hold the Manage auditing and security log right in the Local User Policy on Windows file servers it is configured to crawl.

  • For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this account full read permissions to the web applications that host the sites.

Excel Services unattended service account

Important

Information in this section applies to SharePoint Server 2016 only.

Excel Services uses the Excel Services unattended service account to connect to external data sources that require a user name and password that are based on operating systems other than Windows for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although account credentials are used to connect to data sources of operating systems other than Windows, if the account is not a member of the domain, Excel Services cannot access them. This account must be a domain user account.

My Sites application pool account

Important

Information in this section applies to SharePoint Server 2016 only.

The My Sites application pool account must be a domain user account. This account must not be a member of the Farm Administrators group.

The following machine-level permission is configured automatically:

  • This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database.

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database.

  • The application pool accounts for web applications are assigned to the SP_DATA_ACCESS role for the content databases

Other application pool accounts

The other application pool account must be a domain user account. This account must not be a member of the Administrators group on any computer in the server farm.

The following machine-level permission is configured automatically:

  • This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the SP_DATA_ACCESS role for the content databases.

  • This account is assigned to the SP_DATA_ACCESS role for search database that is associated with the web application.

  • This account must have read and write access to the associated service application database.

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database.

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database.

Note

We strongly recommend you use a single Web Application Pool account for all Web Applications in the farm, including the My Sites Web Application. The exception is the Central Administration Web Application which uses the Farm service account.

SharePoint database roles

This section describes the database roles that installation sets up by default or that you can configure optionally.

WSS_CONTENT_APPLICATION_POOLS database role

The WSS_CONTENT_APPLICATION_POOLS database role applies to the application pool account for each web application that is registered in a SharePoint farm. This enables web applications to query and update the site map and have read-only access to other items in the configuration database. Setup assigns the WSS_CONTENT_APPLICATION_POOLS role to the following databases:

  • The SharePoint_Config database (the configuration database).

  • The SharePoint_Admin content database.

Members of the WSS_CONTENT_APPLICATION_POOLS role have the execute permission for a subset of the stored procedures for the database. In addition, members of this role have the select permission to the Versions table (dbo.Versions) in the SharePoint_Admin content database. For other databases, the accounts planning tool indicates that access to read these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions for stored procedures are configured.

WSS_SHELL_ACCESS database role

The secure WSS_SHELL_ACCESS database role on the configuration database replaces the need to add an administration account as a db_owner on the configuration database. By default, the farm administrator account which initially ran the Configuration Wizard is assigned to the WSS_SHELL_ACCESS database role. You can use a PowerShell command to grant or remove memberships to this role. Setup assigns the WSS_SHELL_ACCESS role to the following databases:

  • The SharePoint_Config database (the configuration database).

  • One or more of the SharePoint Content databases. This is configurable by using the PowerShell command that manages membership and the object that is assigned to this role.

Members of the WSS_SHELL_ACCESS role have the execute permission for all stored procedures for the database. In addition, members of this role have the read and write permissions on all of the database tables.

SP_READ_ONLY database role

The SP_READ_ONLY role should be used for setting the database to read only mode instead of using sp_dboption. This role as its name suggests should be used when only read access is required for data such as usage and telemetry data.

Note

The sp_dboption stored procedure is not available in SQL Server 2012. For more information about sp_dboption see sp_dboption (Transact-SQL).

The SP_READ_ONLY SQL role will have the following permissions:

  • Grant SELECT on all SharePoint stored procedures and functions

  • Grant SELECT on all SharePoint tables

  • Grant EXECUTE on user-defined type where schema is dbo

SP_DATA_ACCESS database role

The SP_DATA_ACCESS role is the default role for database access and should be used for all object model level access to databases. Add the application pool account to this role during upgrade or new deployments.

Note

The SP_DATA_ACCESS role replaces the db_owner role in SharePoint 2013.

The SP_DATA_ACCESS role will have the following permissions:

  • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions

  • Grant SELECT on all SharePoint tables

  • Grant EXECUTE on User-defined type where schema is dbo

  • Grant INSERT on AllUserDataJunctions table

  • Grant UPDATE on Sites view

  • Grant UPDATE on UserData view

  • Grant UPDATE on AllUserData table

  • Grant INSERT and DELETE on NameValuePair tables

  • Grant create table permission

Group permissions

This section describes permissions of groups that the SharePoint 2013 setup and configuration tools create.

WSS_ADMIN_WPG

WSS_ADMIN_WPG has read and write access to local resources. The application pool accounts for the Central Administration and Timer services are in WSS_ADMIN_WPG. The following table shows the WSS_ADMIN_WPG registry entry permissions.

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
Full control
Not Applicable
Not Applicable
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\Registration{90150000-110D-0000-1000-0000000FF1CE}
Read, write
Not Applicable
Not Applicable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server
Read
No
This key is the root of the SharePoint 2013 registry settings tree. If this key is altered, SharePoint 2013 functionality will fail.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\15.0
Full control
No
This key is the root of the SharePoint 2013 registry settings.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LoadBalancerSettings
Read, write
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LauncherSettings
Read, write
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\Search
Full control
Not Applicable
Not Applicable
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Search
Full control
Not Applicable
Not Applicable
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
Full control
No
This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint 2013 installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
Full control
Yes
This key contains settings used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the WSS_ADMIN_WPG file system permissions.

File system path Permissions Inherit Description
%AllUsersProfile%\ Microsoft\SharePoint
Full control
No
This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss
Full control
No
This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
%ProgramFiles%\Microsoft Office Servers\15.0
Full control
No
This directory is the installation location for SharePoint 2013 binaries and data. The directory can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or removed after installation. Membership in the WSS_ADMIN_WPG Windows security group is required for some SharePoint 2013 services to be able to store data on disk.
%ProgramFiles%\Microsoft Office Servers\15.0\WebServices
Read, write
No
This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\15.0\Data
Full control
No
This directory is the root location where local data is stored, including search indexes. Search functionality will fail if this directory is removed or altered. WSS_ADMIN_WPG Windows security group permissions are required to enable search to save and secure data in this folder.
%ProgramFiles%\Microsoft Office Servers\15.0\Logs
Full control
Yes
This directory is the location where the run-time diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\15.0\Data\Office Server
Full control
Yes
Same as the parent folder.
%windir%\System32\drivers\etc\HOSTS
Read, write
Not Applicable
Not Applicable
%windir%\Tasks
Full control
Not Applicable
Not Applicable
%COMMONPROGRAMFILES%Microsoft Shared\Web Server Extensions\15
Modify
Yes
This directory is the installation directory for core SharePoint 2013 files. If the access control list (ACL) is modified, feature activation, solution deployment, and other features will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
Full control
Yes
This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
Full control
Yes
This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
Full control
No
This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp
Full control
Yes
This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint
Full control
No
This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
This registry key applies only to SharePoint Server.
%systemdrive\program files\Microsoft Office Servers\15 folder on Index servers
Full control
Not Applicable
This permission is granted for a %systemdrive\program files\Microsoft Office Servers\15 folder on Index servers.

WSS_WPG

WSS_WPG has read access to local resources. All application pool and services accounts are in WSS_WPG. The following table shows WSS_WPG registry entry permissions.

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\15.0
Read
No
This key is the root of the SharePoint 2013 registry settings.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\Diagnostics
Read, write
No
This key contains settings for the SharePoint 2013 diagnostic logging. Altering this key will break the logging functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LoadBalancerSettings
Read, write
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LauncherSettings
Read, write
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
Read
No
This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint 2013 installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
Read
Yes
This key contains settings that are used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the WSS_WPG file system permissions.

File system path Permissions Inherit Description
%AllUsersProfile%\ Microsoft\SharePoint
Read
No
This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss
Read, execute
No
This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
%ProgramFiles%\Microsoft Office Servers\15.0
Read, execute
No
This directory is the installation location for the SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load SharePoint 2013 binaries.
%ProgramFiles%\Microsoft Office Servers\15.0\WebServices
Read
No
This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\15.0\Logs
Read, write
Yes
This directory is the location where the runtime diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
Read
Yes
This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
Read
Yes
This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
Modify
No
This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp
Read
Yes
This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations may fail.
%windir%\System32\logfiles\SharePoint
Read
No
This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
The registry key applies only to SharePoint Server.
%systemdrive\program files\Microsoft Office Servers\15
Read, execute
Not Applicable
The permission is granted for %systemdrive\program files\Microsoft Office Servers\15 folder on Index servers.

Local service

The following table shows the local service registry entry permission:

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LoadBalancerSettings
Read
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.

The following table shows the local service file system permission:

File system path Permissions Inherit Description
%ProgramFiles%\Microsoft Office Servers\15.0\Bin
Read, execute
No
This directory is the installed location of the SharePoint 2013 binaries. All the SharePoint 2013 functionality will fail if this directory is removed or altered.

Local system

The following table shows the local system registry entry permissions:

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\LauncherSettings
Read
No
This key contains settings for the document conversion service. Altering this key will break document conversion functionality.
This registry key applies only to SharePoint Server.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
Full control
No
This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint 2013 installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure\FarmAdmin
Full control
No
This key contains the encryption key that is used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
Full control
Yes
This key contains settings that are used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the local file system permissions:

File system path Permissions Inherit Description
%AllUsersProfile%\ Microsoft\SharePoint
Full control
No
This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss
Full control
No
This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
Full control
Yes
This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
Full control
Yes
If this directory or its contents are altered, Web Application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
Full control
No
This directory contains setup and run-time tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp
Full control
Yes
This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint
Full control
No
This directory is used by SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly.
This registry key applies only to SharePoint Server.

Network service

The following table shows the network service registry entry permission:

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Office Server\15.0\Search\Setup
Read
Not Applicable
Not Applicable

Administrators

The following table shows the administrators registry entry permissions:

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure
Full control
No
This key contains the connection string and the ID of the configuration database to which the machine is joined. If this key is altered, the SharePoint 2013 installation on the machine will not function.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure\FarmAdmin
Full control
No
This key contains the encryption key that is used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
Full control
Yes
This key contains settings that are used during setup. If this key is altered, diagnostic logging may fail and setup or post-setup configuration may fail.

The following table shows the administrators file system permissions:

File system path Permissions Inherit Description
%AllUsersProfile%\ Microsoft\SharePoint
Full control
No
This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and administrative actions might fail if this directory is altered or deleted.
C:\Inetpub\wwwroot\wss
Full Control
No
This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS web site paths are provided for all IIS web sites that are extended with SharePoint 2013.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
Full control
Yes
This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
Full control
Yes
If this directory or its contents are altered, web application provisioning will not function correctly.
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
Full control
No
This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.
%windir%\temp
Full control
Yes
This directory is used by platform components on which SharePoint 2013 depends. If the ACL is modified, Web Part rendering, and other deserialization operations might fail.
%windir%\System32\logfiles\SharePoint
Full control
No
This directory is used by SharePoint Server for usage logging. If this directory is modified, usage logging will not function correctly.
This registry key applies only to SharePoint Server.

WSS_RESTRICTED_WPG

WSS_RESTRICTED_WPG can read the encrypted farm administration credential registry entry. WSS_RESTRICTED_WPG is only used for encryption and decryption of passwords that are stored in the configuration database. The following table shows the WSS_RESTRICTED_WPG registry entry permission:

Key name Permissions Inherit Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure\FarmAdmin
Full control
No
This key contains the encryption key that is used to store secrets in the configuration database. If this key is altered, service provisioning and other features will fail.

Users group

The following table shows the users group file system permissions:

File system path Permissions Inherit Description
%ProgramFiles%\Microsoft Office Servers\15.0
Read, execute
No
This directory is the installation location for SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation.
%ProgramFiles%\Microsoft Office Servers\15.0\WebServices\Root
Read, execute
No
This directory is the root directory where back-end root Web services are hosted. The only service initially installed on this directory is a search global administration service. Some search administration functionality that uses the server-specific Central Administration Settings page will not work if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\15.0\Logs
Read, write
Yes
This directory is the location where the run-time diagnostic logging is generated. Logging will not function properly if this directory is removed or altered.
%ProgramFiles%\Microsoft Office Servers\15.0\Bin
Read, execute
No
This directory is the installed location of SharePoint 2013 binaries. All of the SharePoint 2013 functionality will fail if this directory is removed or altered.

All SharePoint 2013 service accounts

The following table shows the all SharePoint 2013 service accounts file system permission:

File system path Permissions Inherit Description
%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
Modify
No
This directory contains setup and runtime tracing logs. If this directory is altered, diagnostic logging will not function correctly. All SharePoint 2013 service accounts must have write permission to this directory.

See also

Concepts

Install SharePoint Server