I have read most of the security literature and it seems I can't wrap my head around whether the servers I own have the correct provisions as far as local server groups and security are concerned.
The server farm uses the high availability (2) Application with Search Servers and (2) Distributed Cache and Web Front Ends, as per page 34 in the "Deploying SharePoint 2019" book. Actual service account names are not used, only referenced.
QUESTION: Does the below look normal? By that I mean security-wise.
STATEMENT: I have not in any way placed the accounts in the groups. I know WSS is for SharePoint; I am not sure about the "Performance Log Users" and "Performance Monitor Users". Nothing is broken; everything in the Farm is running fine.
Group: IIS_IUSRS
SharePoint Farm Account.svc
SharePoint Service Account.svc
LOCAL SERVICE
Group: Performance Log Users
SharePoint Farm Account.svc
SharePoint Service Account.svc
Group: Performance Monitor Users
SharePoint Farm Account.svc
SharePoint Service Account.svc
Group: WSS_ADMIN_WPG
SharePoint Farm Account.svc
SharePoint Sync Account.svc
Group: WSS_RESTRICTED_WPG_V4
SharePoint Farm Account.svc
Group: WSS_WPG
SharePoint Farm Account.svc
SharePoint Service Account.svc
LOCAL SERVICE
WSS_ADMIN_WPG should only contain the Farm Admin account and any assigned farm admins.
You are missing an account dedicated to web application(s).
Official docs (which are really based off of my book/best practices) are at:
Thanks @Trevor Seward for the answer.
Hi @Art, in addition to Trevor's reply:
Performance Log Users members can access and log performance counter data locally and remotely (create, manipulate, and view logs).
Performance Monitor Users members can access performance counter data locally and remotely (view logs).
These two groups are default Active Directory security groups; your current settings would be fine.
Reference: Active Directory Security Groups.
And for the Application pool identity:
A single account should be used for all Web Applications, named Web Application pool account. This allows the administrator to use a single IIS Application Pool for all Web Applications which increases performance and reduces memory usage on the server.
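One way to turn the guidance in both answers above into a repeatable check is to compare each local group's actual membership against an expected baseline and flag anything unexpected or missing. This is an added example, not code from the thread or from Microsoft; the account names, the choice to place the dedicated web application pool account in WSS_WPG and IIS_IUSRS, and the baseline itself are assumptions you should adjust to your own farm.

```powershell
# Added example (not from the thread): audit SharePoint 2019 local group membership
# on this server against an expected baseline. Account names are placeholders.
$farmAccount    = 'CONTOSO\spFarm'      # placeholder: farm account (Central Admin / timer)
$serviceAccount = 'CONTOSO\spServices'  # placeholder: service application pool account
$webAppAccount  = 'CONTOSO\spWebApp'    # placeholder: dedicated web application pool account

# Baseline derived from the thread's guidance (assumption: adjust to your farm):
#  - WSS_ADMIN_WPG holds only the farm account plus any named farm admins
#  - app pool identities sit in WSS_WPG and IIS_IUSRS
#  - Performance Log/Monitor Users membership as shown in the question is acceptable
$baseline = @{
    'WSS_ADMIN_WPG'             = @($farmAccount)
    'WSS_RESTRICTED_WPG_V4'     = @($farmAccount)
    'WSS_WPG'                   = @($farmAccount, $serviceAccount, $webAppAccount, 'NT AUTHORITY\LOCAL SERVICE')
    'IIS_IUSRS'                 = @($farmAccount, $serviceAccount, $webAppAccount, 'NT AUTHORITY\LOCAL SERVICE')
    'Performance Log Users'     = @($farmAccount, $serviceAccount)
    'Performance Monitor Users' = @($farmAccount, $serviceAccount)
}

function Test-SPLocalGroupBaseline {
    param([hashtable]$Expected)
    foreach ($group in $Expected.Keys) {
        try {
            # Get-LocalGroupMember returns DOMAIN\name (or NT AUTHORITY\...) in .Name
            $actual = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
                        Select-Object -ExpandProperty Name)
        } catch {
            [pscustomobject]@{ Group = $group; Member = '-'; Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        # Members present on the server but not in the baseline (e.g. a sync account in WSS_ADMIN_WPG)
        foreach ($m in $actual) {
            if ($Expected[$group] -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Status = 'UNEXPECTED' }
            }
        }
        # Baseline members absent from the server (e.g. no dedicated web application pool account)
        foreach ($e in $Expected[$group]) {
            if ($actual -notcontains $e) {
                [pscustomobject]@{ Group = $group; Member = $e; Status = 'MISSING' }
            }
        }
    }
}

# Run on each SharePoint server; an empty result means the groups match the baseline.
Test-SPLocalGroupBaseline -Expected $baseline | Sort-Object Group, Status | Format-Table -AutoSize
```

Against the membership listed in the question, this baseline would report the Sync account in WSS_ADMIN_WPG as UNEXPECTED and the web application pool account as MISSING from WSS_WPG and IIS_IUSRS, which is the same gap Trevor's answer points out.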