Impact of "The server farm account should not be used for other services" rule

Michele DuBose 131 Reputation points
2020-09-17T16:03:33.307+00:00

Hello,

I have SharePoint 2016 standard on premise installed. From the SharePoint Health Analyzer, I get "The server farm account should not be used for other services". I understand that to remedy the security issue, I need to change from the farm account to a different service account from the Service Accounts page in Central Administration. I have many registered standard service accounts assigned to other services. Is there any negative impact with changing the account for Distributed Cache Service (Windows Service) and SPSearchHostController (Windows Service)? Can this error be ignored?

Should a backup or snapshot be taken before making this change? Thank you.

SharePoint Server Management

2 answers

  1. Trevor Seward 11,676 Reputation points
    2020-09-17T16:07:59.667+00:00

    You should change those to another account. In general, change all service applications + search services + DC to the same account. See https://learn.microsoft.com/en-us/SharePoint/install/account-permissions-and-security-settings-in-sharepoint-server-2016.

    1 person found this answer helpful.

  2. ChelseaWu-MSFT 6,311 Reputation points
    2020-09-18T09:04:39.79+00:00

    To answer your questions:

    1. There is no negative impact with changing the account running the mentioned Windows Services, as long as you follow the correct steps to change those service accounts.
      Here is the document for how to change the service account of the AppFabric Caching service for your reference:
      https://learn.microsoft.com/en-us/sharepoint/administration/manage-the-distributed-cache-service#change-the-service-account
    2. This rule is meant for recommendation on configuring service accounts as the farm is highly privileged and should be carefully considered. It is safe to ignore.
      Also quoting the document:

        You can ignore this event if using the User Profile Synchronization service. The User Profile Synchronization service must run as the farm account in SharePoint Server.



    1 person found this answer helpful.
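
The following is an added example, not part of either answer: a SharePoint Management Shell sketch that lists which Windows services still run as the farm account (what the Health Analyzer rule flags) and then moves the Distributed Cache service to a separate managed account, following the process-identity procedure in the Distributed Cache document linked above. The account name `CONTOSO\svc-spservices` is a placeholder and is assumed to be already registered as a managed account.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm        = Get-SPFarm
$farmAccount = $farm.DefaultServiceAccount.Name

# 1. Audit: Windows services whose process identity is the farm account.
#    Only SPWindowsService objects carry a ProcessIdentity.
$farm.Services |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] } |
    Where-Object { $_.ProcessIdentity -and $_.ProcessIdentity.Username -eq $farmAccount } |
    Select-Object TypeName, Name, @{ n = 'RunsAs'; e = { $_.ProcessIdentity.Username } } |
    Format-Table -AutoSize

# 2. Move Distributed Cache (AppFabricCachingService) off the farm account.
$targetAccount = 'CONTOSO\svc-spservices'   # placeholder, replace with your account
$managed = Get-SPManagedAccount -Identity $targetAccount -ErrorAction Stop

if ($managed.Username -eq $farmAccount) {
    throw "Target account is the farm account; choose a different managed account."
}

$cache = $farm.Services | Where-Object { $_.Name -eq 'AppFabricCachingService' }

if ($cache -and $cache.ProcessIdentity.Username -eq $farmAccount) {
    $cache.ProcessIdentity.CurrentIdentityType = 'SpecificUser'
    $cache.ProcessIdentity.ManagedAccount      = $managed
    $cache.ProcessIdentity.Update()   # persist the new identity in the config database
    $cache.ProcessIdentity.Deploy()   # push the change out to the cache hosts
}
else {
    Write-Host "Distributed Cache is not running as the farm account; nothing changed."
}
```

Re-run the audit in step 1 afterwards; the User Profile Synchronization service may legitimately remain on the farm account, as the quoted documentation states.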