Planifier des comptes d’administration et de service (Office SharePoint Server)

Article
06/12/2012

Mise à jour : 2009-04-23

In this article:

About administrative and service accounts
Single server standard requirements
Server farm standard requirements
Least-privilege administration requirements when using domain user accounts
Least-privilege administration requirements when using SQL authentication
Least-privilege administration requirements when connecting to pre-created databases
Technical reference: Account requirements by scenario

This article describes the accounts that that you must plan for and describes the deployment scenarios that affect account requirements.

Use this article with the following planning tool: Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409). This planning tool lists the requirements for each account based on the deployment scenario. The requirements are also listed in the Technical reference: Account requirements by scenario section of this article.

The account requirements detail the specific permissions that you need to grant prior to running Setup. In some cases, additional permissions that are automatically granted by running Setup are noted in the planning tool.

This article does not describe the account requirements for using single sign-on (SSO) in Microsoft Office SharePoint Server 2007. For more information, see Planifier l’authentification unique.

This article does not describe security roles and permissions required to administer Office SharePoint Server 2007. For more information, see Planifier les rôles de sécurité (Office SharePoint Server).

About administrative and service accounts

This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope. If an account has a limited scope, you might need to plan multiple accounts for this category.

For example, if you are implementing multiple Shared Services Providers (SSPs), you must designate multiple SSP accounts.

After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites. For example, do not use the same account that is used to run Setup to perform administration tasks.

Server farm-level accounts

The following table describes the accounts that are used to configure Microsoft SQL Server database software and to install Office SharePoint Server 2007.

Account	Purpose
SQL Server service account	SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT If you are not using the default instance, these services will be shown as: MSSQL$InstanceName SQLAgent$InstanceName
Setup user account	The user account that is used to run: Setup on each server computer The SharePoint Products and Technologies Configuration Wizard The Psconfig command-line tool The Stsadm command-line tool
Server farm account	This account is also referred to as the database access account. This account is: The application pool identity for the SharePoint Central Administration Web site. The process account for the Windows SharePoint Services Timer service.

SQL Server service account

SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:

MSSQLSERVER
SQLSERVERAGENT

If you are not using the default instance, these services will be shown as:

MSSQL$*InstanceName*
SQLAgent$*InstanceName*

Setup user account

The user account that is used to run:

Setup on each server computer
The SharePoint Products and Technologies Configuration Wizard
The Psconfig command-line tool
The Stsadm command-line tool

Server farm account

This account is also referred to as the database access account.

This account is:

The application pool identity for the SharePoint Central Administration Web site.
The process account for the Windows SharePoint Services Timer service.

SSP accounts

The following table describes the accounts that are used to set up and configure an SSP. Plan one set of SSP accounts for each SSP that you plan to implement.

Account	Purpose
SSP application pool account	SSP administration site application pool account. This account is used to run the application pool for the Web Application that hosts the SSP administration site.
SSP service account	Used by the following: SSP Web services for inter-server communication Application pool identity of the application pool that is associated with the virtual directory associated with a given SSP
Office SharePoint Server Search Service account	Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs to write content index files to the index location on index servers and to propagate the searchable index to all query servers in a Microsoft Office SharePoint Server 2007 farm.
Default content access account	The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Content access account	A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server 2007 (such as a file share) might require a different access account.
Profile import default access account	Used to: Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source. Import profile data from a directory service. If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, plan to use a different account. You can plan up to one account per directory connection.
Excel Services unattended service account	The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.

Windows SharePoint Services Search accounts

The following table describes the accounts that are used to set up and configure Windows SharePoint Services Search. In Office SharePoint Server 2007, this service is referred to as the Windows SharePoint Services Help Search service because this service is used to provide search capability for Help. If you are installing Office SharePoint Server 2007, plan for these accounts only if you plan to implement the service to search Help content.

Account	Purpose
Windows SharePoint Services Search service account	Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm and it is used to write content index files to the index location on index servers and to propagate the searchable index to all query servers in a Office SharePoint Server 2007 farm.
Windows SharePoint Services Search content access account	Used by the Windows SharePoint Services Search application server role to crawl content across sites.

Additional application pool identity accounts

If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool you plan to implement.

Account	Purpose
Application pool identity	The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.

Single server standard requirements

If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see the Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Server farm requirements

If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment. For a more secure environment, consider using the least privilege administration requirements using domain user accounts.

For a list of standard requirements for server farm environments, see the Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:

SharePoint_Config database (configuration database)
SharePoint_AdminContent database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:

proc_dropEmailEnabledList
proc_dropEmailEnabledListsByWeb
proc_dropSiteMap
proc_markForDeletionEmailEnabledList
proc_markForDeletionEmailEnabledListsBySite
proc_markForDeletionEmailEnabledListsByWeb
proc_putDistributionListToDelete
proc_putEmailEnabledList
proc_putSiteMap

Least-privilege administration requirements when using domain user accounts

Least privilege administration is a recommended security practice in which each service or user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This means that each service is granted access to only the resources that are necessary to its purpose. The minimum requirements to achieve this design goal include the following:

Separate accounts are used for different services and processes.
No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise your environment.

Least privilege administration with domain user accounts is the recommended configuration for most environments.

For a list of least privilege administration requirements with domain user accounts, see the Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Least-privilege administration requirements when using SQL authentication

In environments where SQL authentication is a requirement, you can follow the principle of least privilege administration. In this scenario:

SQL authentication is used for every database that is created.
All other administration and service accounts are created as domain user accounts.

Setup and configuration

Using SQL authentication requires additional setup and configuration:

All database accounts must be created as SQL Server login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any databases, including the configuration database and the AdminContent database.
You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases.
You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL Server login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.
Secure all communication with the database servers by using Secure Sockets Layer (SSL) or Internet Protocol security (IPsec).

When SQL authentication is used:

SQL Server login accounts are encrypted in the registry of the Web servers and application servers.
The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL Server login accounts are used instead.

Creating service and administration accounts

For a list of least privilege administration requirements with SQL authentication, see the Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the databases. Two logins are created for the configuration and SharePoint_AdminContent databases. Create one login for each content database.

The following table lists the logins that must be created. The Login column indicates the account that is specified or created for the SQL Server login. For the first login, you must enter the Setup user account. For all other logins, you create a new SQL Server login account. For these logins, the Login column provides an example account name.

Login	Database	SQL Rights
Setup user account	Configuration and SharePoint_AdminContent databases	Specify Windows authentication when creating the login.
<ConfigAdminDBAcc>	Configuration and SharePoint_AdminContent databases	Specify SQL authentication when creating the login. Assign the dbcreator server role.
<SSP_DB_Acc>	SSP database	Specify SQL authentication when creating the login. Assign the dbcreator server role. Assign the securityadmin server role.
<SSPSearchDB_Acc>	SSP Search database	Specify SQL authentication when creating the login. Assign the dbcreator server role. Assign the securityadmin server role.
<WSSSearch_DB_Acc>	WSS_Search database	Specify SQL authentication when creating the login. Assign the dbcreator server role.
<Content_DB_Acc1>	Content databases	Specify SQL authentication when creating the login. Assign the dbcreator server role.

Least-privilege administration requirements when connecting to pre-created databases

In environments where databases are pre-created by a database administrator, you can follow the principle of least privilege administration. In this scenario:

Administration and service accounts are created as domain user accounts.
SQL Server logins are created for the accounts that are used to configure databases.
Databases are created by a database administrator.

For more information about deploying Office SharePoint Server 2007 using pre-created blank databases, see Déployer à l’aide de bases de données créées par des administrateurs de base de données (DBA) (Office SharePoint Server).

Creating service and administration accounts

For a list of least privilege administration requirements when connecting to an existing blank database, see the Office SharePoint Server security account requirements (https://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the accounts that will access the databases. The accounts planning tool details the specific permissions that are configured for each account. For instructions on how to create and grant permissions to databases, see Déployer à l’aide de bases de données créées par des administrateurs de base de données (DBA) (Office SharePoint Server).

The following table lists the logins that must be created. The database column indicates which databases are configured with permissions for each login account. For each login, specify Windows authentication when creating the login.

Login	Database
Setup user account (run-as user for the Psconfig command-line tool)	All databases
Server farm account (Office SharePoint Server database access account)	SSP database SSP search database
SSP service account	Configuration database SharePoint_AdminContent database Shared Services Administration site content database SSP database SSP search database My Sites Web application content database Each additional content database
Office SharePoint Server Search account	Configuration database SharePoint_AdminContent database SSP database SSP search database
Default content access account	Configuration database SharePoint_AdminContent database
SSP application pool account (identity)	Content database for the SSP Admin Web application
Application pool identity for the My Sites Web Site Application Pool	Content database for the My Sites Web application
Windows SharePoint Services Search service account	SSP database SSP search database WSS_Search database Configuration database SharePoint_AdminContent database
Application pool identity for additional content databases	SSP database SSP search database Content databases associated with the application pool

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

Single server standard requirements
Server farm standard requirements
Least-privilege administration requirements when using domain user accounts
Least-privilege administration requirements when using SQL authentication
Least-privilege administration requirements when connecting to pre-created databases

Single server standard requirements

Server farm-level accounts

Account	Requirements
SQL Server service account	Local System account (default)
Setup user account	Member of the Administrators group on the local computer
Server farm account	Network Service (default) No manual configuration is necessary.

SQL Server service account

Local System account (default)

Setup user account

Member of the Administrators group on the local computer

Server farm account

Network Service (default)

No manual configuration is necessary.

SSP accounts

Account	Requirements
SSP application pool account	No manual configuration is necessary.
SSP service account	No manual configuration is necessary. This account should not be a member of the Administrators group on any computer in the server farm.
Office SharePoint Server Search Service account	By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.
Default content access account	No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.
Content access account	Same as the SSP default content access account listed previously.
Profile import default access account	Same requirements as server farm.
Excel Services unattended service account	Must be a domain user account.

Windows SharePoint Services Search accounts

Account	Requirements
Windows SharePoint Services Search service account	By default, this account runs as the Local System account.
Windows SharePoint Services Search content access account	Must not be a member of the Farm Administrators group. The following are automatically configured: Added to the Web application Full Read policy for the farm.

Windows SharePoint Services Search service account

By default, this account runs as the Local System account.

Windows SharePoint Services Search content access account

Must not be a member of the Farm Administrators group.

The following are automatically configured:

Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account	Requirements
Application pool identity	No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration.

Application pool identity

No manual configuration is necessary.

The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm standard requirements

Server farm-level accounts

Account	Requirements
SQL Server service account	Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).
Setup user account	Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.
Server farm account	Domain user account. If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm. Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all databases in the server farm Note if you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

SQL Server service account

Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (*domain_name\SQL_hostname$*).

Setup user account

Domain user account.
Member of the Administrators group on each server on which Setup is run.
SQL Server login on the computer running SQL Server.
Member of the following SQL Server security roles:
- securityadmin fixed server role
- dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm account

Domain user account.
If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

dbcreator fixed server role
securityadmin fixed server role
db_owner fixed database role for all databases in the server farm

Note if you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

SSP accounts

Account	Requirements
SSP application pool account	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for the SSP content database. Access to read from and write to the SSP content database. Access to read from and write to content databases for Web applications that are associated with the SSP. Access to read from the configuration database. Access to read from the Central Administration content database. Additional permissions to front-end Web servers and application servers are automatically granted.
SSP service account	Use a domain user account. No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted. This account should not be a member of the Administrators group on any computer in the server farm.
Office SharePoint Server Search Service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database, the administration content database, the SSP database, and the Office Server Search database Full control access to the index file location on index servers and full control access to the Search propagation location on query servers in a Office SharePoint Server 2007 farm
Default content access account	Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm.
Content access account	Read access to external or secure content sources that this account is configured to access. For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
Profile import default access account	Read access to the directory service. If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections.
Excel Services unattended service account	Must be a domain user account.

Windows SharePoint Services Search accounts

Account	Requirements
Windows SharePoint Services Search service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database and the SharePoint_Admin Content database. Membership in the db_owner role for the Windows SharePoint Services Search database.
Windows SharePoint Services Search content access account	Same requirements as the Windows SharePoint Services Search service account. The following are automatically configured: Added to the Web application Full Read policy for the farm.

Windows SharePoint Services Search service account

Must be a domain user account.
Should not be a member of the Farm Administrators group.

The following are automatically configured:

Access to read from the configuration database and the SharePoint_Admin Content database.
Membership in the db_owner role for the Windows SharePoint Services Search database.

Windows SharePoint Services Search content access account

Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account	Requirements
Application pool identity	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for content databases and search databases associated with the Web application. Access to read from the configuration and the SharePoint_AdminContent databases. Access to read from and write to the associated SSP database. Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Application pool identity

No manual configuration is necessary.

The following are automatically configured:

Membership in the db_owner role for content databases and search databases associated with the Web application.
Access to read from the configuration and the SharePoint_AdminContent databases.
Access to read from and write to the associated SSP database.
Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least-privilege administration requirements when using domain user accounts

Server farm-level accounts

Account	Server farm standard requirements	Least-privilege using domain user accounts requirements
SQL Server service account	Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Setup user account	Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. This account should NOT be a member of the Administrators group on the computer running SQL Server.
Server farm account	Domain user account. If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm. Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all databases in the server farm. Note If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server. This account does not require permissions to SQL Server before creating the configuration database.

SQL Server service account

Use either a Local System account or a domain user account.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

Setup user account

Domain user account.
Member of the Administrators group on each server on which Setup is run.
SQL Server login on the computer running SQL Server.
Member of the following SQL Server security roles:
- securityadmin fixed server role
- dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
This account should NOT be a member of the Administrators group on the computer running SQL Server.

Server farm account

Domain user account.
If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

dbcreator fixed server role
securityadmin fixed server role
db_owner fixed database role for all databases in the server farm.

Note If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
This account does not require permissions to SQL Server before creating the configuration database.

SSP accounts

Account	Server farm standard requirements	Least-privilege using domain user accounts requirements
SSP application pool account	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for the SSP content database. Access to read from and write to the SSP content database. Access to read from and write to content databases for Web applications that are associated with the SSP. Access to read from the configuration database. Access to read from the Central Administration content database. Additional permissions to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. For security isolation, use a separate service account for each SSP.
SSP service account	Use a domain user account. No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted. This account should not be a member of the Administrators group on any computer in the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Office SharePoint Server Search Service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database, the administration content database, the SSP database, and the Office Server Search database. Full control access to the index file location on index servers and full control access to the Search propagation location on query servers in a MOSS farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Default content access account	Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account. Do not grant the default content access account access to the directory service. For added security, use a different default content access account for each SSP.
Content access account	Read access to external or secure content sources that this account is configured to access. For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Profile import default access account	Read access to the directory service. If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. This account can be the same account as the default content access account, or you can use a separate account. Read access to the directory service. Manage User Profiles personalization services permission. This account should not be a member of the Administrators group on any computer in the server farm.
Excel Services unattended service account	Must be a domain user account.	Must be a domain user account.

Windows SharePoint Services Search accounts

Account	Server farm standard requirements	Least-privilege using domain user accounts requirements
Windows SharePoint Services Search service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database and the SharePoint_Admin Content database. Membership in the db_owner role for the Windows SharePoint Services Search database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Windows SharePoint Services Search content access account	Same requirements as the Windows SharePoint Services Search service account. The following are automatically configured: Added to the Web application Full Read policy for the farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.

Windows SharePoint Services Search service account

Must be a domain user account.
Should not be a member of the Farm Administrators group.

The following are automatically configured:

Access to read from the configuration database and the SharePoint_Admin Content database.
Membership in the db_owner role for the Windows SharePoint Services Search database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

Windows SharePoint Services Search content access account

Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

Added to the Web application Full Read policy for the farm.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

Additional application pool identity accounts

Account	Server farm standard requirements	Least-privilege using domain user accounts requirements
Application pool identity	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for content databases and search databases associated with the Web application. Access to read from the configuration and the SharePoint_AdminContent databases. Access to read from and write to the associated SSP database. Additional permissions for this account to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account for each application pool. This account should not be a member of the Administrators group on any computer in the server farm.

Application pool identity

No manual configuration is necessary.

The following are automatically configured:

Membership in the db_owner role for content databases and search databases associated with the Web application.
Access to read from the configuration and the SharePoint_AdminContent databases.
Access to read from and write to the associated SSP database.
Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account for each application pool.
This account should not be a member of the Administrators group on any computer in the server farm.

Least-privilege administration requirements when using SQL authentication

Server farm-level accounts

Account	Server farm standard requirement	Least-privilege using SQL authentication requirements
SQL Server service account	Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. Notes All database accounts must be created as SQL Server login accounts in Microsoft SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any content databases, including the configuration database and the SharePoint_AdminContent database. Create one SQL Server login for both the configuration database and the SharePoint_AdminContent database.
Setup user account	Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. SQL Server login on the SQL Server computer. NOT a member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role NOT a member of the Administrators group on the computer running SQL Server. Notes You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases. All other content databases can be created in Central Administration by selecting the SQL authentication option.
Server farm account	Domain user account. If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm. Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all databases in the server farm	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server. NOT a SQL Server login on the computer running SQL Server. This account does not require permissions to SQL Server before creating the configuration database.

SQL Server service account

Use either a Local System account or a domain user account.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

Notes

All database accounts must be created as SQL Server login accounts in Microsoft SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any content databases, including the configuration database and the SharePoint_AdminContent database. Create one SQL Server login for both the configuration database and the SharePoint_AdminContent database.

Setup user account

Domain user account.
Member of the Administrators group on each server on which Setup is run.
SQL Server login on the computer running SQL Server.
Member of the following SQL Server security roles:
- securityadmin fixed server role
- dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
SQL Server login on the SQL Server computer.
NOT a member of the following SQL Server security roles:
- securityadmin fixed server role
- dbcreator fixed server role
NOT a member of the Administrators group on the computer running SQL Server.

Notes

You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases. All other content databases can be created in Central Administration by selecting the SQL authentication option.

Server farm account

Domain user account.
If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

dbcreator fixed server role
securityadmin fixed server role
db_owner fixed database role for all databases in the server farm

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
NOT a SQL Server login on the computer running SQL Server.
This account does not require permissions to SQL Server before creating the configuration database.

SSP accounts

Account	Server farm standard requirement	Least-privilege using SQL authentication requirements
SSP application pool account	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for the SSP content database. Access to read from and write to the SSP content database. Access to read from and write to content databases for Web applications that are associated with the SSP. Access to read from the configuration database. Access to read from the Central Administration content database. Additional permissions to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
SSP service account	Use a domain user account. No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted. This account should not be a member of the Administrators group on any computer in the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
Office SharePoint Server Search Service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database, the administration content database, the SSP database, and the Office Server Search database. Full control access to the index file location on index servers and full control access to the Search propagation location on query servers in a Office SharePoint Server 2007 farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
Default content access account	Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login on the SQL Server Host.
Content access account	Read access to external or secure content sources that this account is configured to access. For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
Profile import default access account	Read access to the directory service. If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
Excel Services unattended service account	Must be a domain user account.	Must be a domain user account.

Windows SharePoint Services Search accounts

Account	Server farm standard requirement	Least-privilege using SQL authentication requirements
Windows SharePoint Services Search service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database and the SharePoint_Admin Content database. Membership in the db_owner role for the Windows SharePoint Services Search database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.
Windows SharePoint Services Search content access account	Same requirements as the Windows SharePoint Services Search service account. The following are automatically configured: Added to the Web application Full Read policy for the farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.

Windows SharePoint Services Search service account

Must be a domain user account.
Should not be a member of the Farm Administrators group.

The following are automatically configured:

Access to read from the configuration database and the SharePoint_Admin Content database.
Membership in the db_owner role for the Windows SharePoint Services Search database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
NOT a SQL Server login.

Windows SharePoint Services Search content access account

Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

Added to the Web application Full Read policy for the farm.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
NOT a SQL Server login.

Additional application pool identity accounts

Account	Server farm standard requirement	Least-privilege using SQL authentication requirements
Application pool identity	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for content databases and search databases associated with the Web application. Access to read from the configuration and the SharePoint_AdminContent databases. Access to read from and write to the associated SSP database. Additional permissions for this account to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server. NOT a SQL Server login.

Application pool identity

No manual configuration is necessary.

The following are automatically configured:

Membership in the db_owner role for content databases and search databases associated with the Web application.
Access to read from the configuration and the SharePoint_AdminContent databases.
Access to read from and write to the associated SSP database.
Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
NOT a SQL Server login.

Least-privilege administration requirements when connecting to pre-created databases

Server farm-level accounts

Account	Server farm standard requirement	Least-privilege when connecting to pre-created databases requirements
SQL Server service account	Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Setup user account	Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on the computer running SQL Server. This account is used to configure databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup User account.
Server farm account	Domain user account. If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm. Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all databases in the server farm Note If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server. This account does not require permissions to SQL Server before creating the configuration database. After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases: Users group db_owner fixed database role

SQL Server service account

Use either a Local System account or a domain user account.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

Setup user account

Domain user account.
Member of the Administrators group on each server on which Setup is run.
SQL Server login on the computer running SQL Server.
Member of the following SQL Server security roles:
- securityadmin fixed server role
- dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on the computer running SQL Server.

This account is used to configure databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup User account.

Server farm account

Domain user account.
If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

dbcreator fixed server role
securityadmin fixed server role
db_owner fixed database role for all databases in the server farm

Note If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.
NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
This account does not require permissions to SQL Server before creating the configuration database.

After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases:

Users group
db_owner fixed database role

SSP accounts

Account	Server farm standard requirement	Least-privilege when connecting to pre-created databases requirements
SSP application pool account	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for the SSP content database. Access to read from and write to the SSP content database. Access to read from and write to content databases for Web applications that are associated with the SSP. Access to read from the configuration database. Access to read from the Central Administration content database. Additional permissions to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. For security isolation, use a separate service account for each SSP.
SSP service account	Use a domain user account. No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted. This account should not be a member of the Administrators group on any computer in the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. After the configuration database and the Central Administration content databases are created, add this account to the following for these databases: Users group WSS_Content_Application_Pools database role After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases: Users group db_owner role After My Sites are created, add this account to the following for the My Sites Web application content database: Users group db_owner role After each content database is created, add this account to the following: Users group db_owner role
Office SharePoint Server Search Service account	Must be a domain user account Should not be a member of the Farm Administrators group The following are automatically configured: Access to read from the configuration database, the administration content database, the SSP database, and the Office Server Search database. Full control access to the index file location on index servers and full control access to the Search propagation location on query servers in a Office SharePoint Server 2007 farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. After the configuration database and the Central Administration content databases are created, add this account to the following for these databases: Users group WSS_Content_Application_Pools role After the SSP database and the SSP search database are created, add this account to the following for each of these databases: Users group db_owner role
Default content access account	Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account. Do not give the default content access account access to the directory service. For added security, use a separate default content access account for each SSP. After the configuration database and the Central Administration content databases are created, add this account to the following for these databases: Users group WSS_Content_Application_Pools database role
Content access account	Read access to external or secure content sources that this account is configured to access. For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account.
Profile import default access account	Read access to the directory service If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments. Manage User Profiles personalization services permission View permissions on entities used in Business Data Catalog import connections.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. This account can be the same account as the default content access account or you can use a separate account. Use an account that has read access to the directory service and the Manage User Profiles personalization services permission. This account should not be a member of the Administrators group on any computer in the server farm.
Excel Services unattended service account	Must be a domain user account.	Must be a domain user account.

Windows SharePoint Services Search accounts

Account	Server farm standard requirement	Least-privilege when connecting to pre-created databases requirements
Windows SharePoint Services Search service account	Must be a domain user account. Should not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database and the SharePoint_Admin Content database. Membership in the db_owner role for the Windows SharePoint Services Search database.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. After the SSP database and the SSP search database are created, add this account to the following for each of these databases: Users group db_owner role When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following: Users group and db_owner role for the WSS_Search database. Users group in the configuration database. Users group in the Central Administration content database.
Windows SharePoint Services Search content access account	Same requirements as the Windows SharePoint Services Search service account. The following are automatically configured: Added to the Web application Full Read policy for the farm.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following: Users group and the db_owner role in the WSS— Search database. Users group in the configuration database. Users group in the Central Administration content database.

Windows SharePoint Services Search service account

Must be a domain user account.
Should not be a member of the Farm Administrators group.

The following are automatically configured:

Access to read from the configuration database and the SharePoint_Admin Content database.
Membership in the db_owner role for the Windows SharePoint Services Search database.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

Users group
db_owner role

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

Users group and db_owner role for the WSS_Search database.
Users group in the configuration database.
Users group in the Central Administration content database.

Windows SharePoint Services Search content access account

Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

Added to the Web application Full Read policy for the farm.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account.

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

Users group and the db_owner role in the WSS— Search database.
Users group in the configuration database.
Users group in the Central Administration content database.

Additional application pool identity accounts

Account	Server farm standard requirement	Least-privilege when connecting to pre-created databases requirements
Application pool identity	No manual configuration is necessary. The following are automatically configured: Membership in the db_owner role for content databases and search databases associated with the Web application. Access to read from the configuration and the SharePoint_AdminContent databases. Access to read from and write to the associated SSP database. Additional permissions for this account to front-end Web servers and application servers are automatically granted.	Server farm standard requirements with the following additions or exceptions: Use a separate domain user account for each application pool. This account should not be a member of the Administrators group on any computer in the server farm. After the SSP database and the SSP search database are created, add this account to the following for each of these databases: Users group db_owner role

Application pool identity

No manual configuration is necessary.

The following are automatically configured:

Membership in the db_owner role for content databases and search databases associated with the Web application.
Access to read from the configuration and the SharePoint_AdminContent databases.
Access to read from and write to the associated SSP database.
Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Server farm standard requirements with the following additions or exceptions:

Use a separate domain user account for each application pool.
This account should not be a member of the Administrators group on any computer in the server farm.

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

Users group
db_owner role

Download this book

This topic is included in the following downloadable book for easier reading and printing:

Planning and architecture for Office SharePoint Server 2007, part 2

See the full list of available books at Downloadable content for Office SharePoint Server 2007.

Voir aussi

Concepts

Planifier l’authentification unique
Planifier les rôles de sécurité (Office SharePoint Server)

Partager via

Planifier des comptes d’administration et de service (Office SharePoint Server)

About administrative and service accounts

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Single server standard requirements

Server farm requirements

Least-privilege administration requirements when using domain user accounts

Least-privilege administration requirements when using SQL authentication

Setup and configuration

Creating service and administration accounts

Creating SQL Server logins

Least-privilege administration requirements when connecting to pre-created databases

Creating service and administration accounts

Creating SQL Server logins

Technical reference: Account requirements by scenario

Single server standard requirements

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Server farm standard requirements

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Least-privilege administration requirements when using domain user accounts

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Least-privilege administration requirements when using SQL authentication

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Least-privilege administration requirements when connecting to pre-created databases

Server farm-level accounts

SSP accounts

Windows SharePoint Services Search accounts

Additional application pool identity accounts

Download this book

Voir aussi

Concepts

Ressources supplémentaires