Plan for administrative and service accounts (SharePoint Foundation 2010)
适用于: SharePoint Foundation 2010
上一次修改主题: 2016-11-30
This article describes the accounts that that you must plan for and describes the deployment scenarios that affect account requirements.
In this article:
About administrative and service accounts
Single server standard requirements
Server farm requirements
Use this article with the following deployment article: 初始部署所需的管理和服务帐户 (SharePoint Foundation 2010)
The initial deployment administrative and service accounts article describes the specific account and permissions that you need to grant prior to running Setup.
This article does not describe security roles and permissions required to administer in Microsoft SharePoint Foundation 2010.
About administrative and service accounts
This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope.
After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.
Server farm-level accounts
The following table describes the accounts that are used to configure Microsoft SQL Server database software and to install SharePoint Foundation 2010.
Account | Purpose |
---|---|
SQL Server service account |
SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:
If you are not using the default instance, these services will be shown as:
|
Setup user account |
The user account that is used to run: If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.
|
Server farm account |
This account is also referred to as the database access account. This account is:
|
Service application accounts
The following table describes the accounts that are used to set up and configure a service application. Plan one set of an application pool and proxy group for each service application you plan to implement.
For additional information about service application endpoints, see Using Service Endpoints (https://go.microsoft.com/fwlink/p/?LinkId=227293).
Account | Service | Purpose | Requirements |
---|---|---|---|
Service Application Endpoint |
Business Data Connectivity Service Search Service Usage and Health Data Collection Service |
Used as the identity for the service application endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints. |
Must be a member of the Farm Administrators group. |
Application Discovery and Load Balancer Service Application |
Used as the identity for the service application endpoint application pool. This account must be the Farm Account and the application pool is created automatically by the SharePoint 产品配置向导. |
Must be a member of the Farm Administrators group. |
|
Default Content Access |
Search Service |
The default account when crawling content. Note that additional accounts can be specified per crawl rule. |
Must have Read Access to the content being crawled. Full Read permissions must be granted explicitly to content that is outside the local farm. Full Read permissions are automatically configured for content databases in the local farm. |
Search Service |
Search Service |
This is the Windows Service account for the SharePoint Server Search Service. This setting affects all Search service applications in the farm. |
Must be a domain user account. |
Microsoft SharePoint Foundation 2010 search service accounts
The following table describes the accounts that are used for the SharePoint Foundation 2010 search service account.
SharePoint Foundation 2010 uses these accounts only for searching Help content in response to user search queries. There is only one instance of the SharePoint Foundation 2010 Search service in a farm.
Account | Purpose |
---|---|
SharePoint Foundation 2010 Search Service |
Used as the service account for the SharePoint Foundation 2010 Search Service. This account cannot be a built-in account, such as Local Service or Network Service. |
SharePoint Foundation 2010 Search Content Access |
Used to crawl Help content. For proper search functionality and information security, do not use an administrator account or an account that can modify content. Used to crawl Help content. For proper search functionality and information security, do not use an administrator account or an account that can modify content. |
Additional application pool identity accounts
If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool you plan to implement.
Account | Purpose |
---|---|
Application pool identity |
The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool. |
Single server standard requirements
If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts you create have the appropriate permissions for their purposes.
For a list of account permissions for single server environments, see 初始部署所需的管理和服务帐户 (SharePoint Foundation 2010).
Server farm requirements
If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment.
For a more secure environment, see 规划最小特权环境中的管理任务 (SharePoint Foundation 2010)
For a list of standard requirements for server farm environments see the requirements listed in the Technical reference: Account requirements by scenario section of this article.
For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:
SharePoint_Config database (configuration database)
SharePoint_AdminContent database
Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.
For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:
proc_dropEmailEnabledList
proc_dropEmailEnabledListsByWeb
proc_dropSiteMap
proc_markForDeletionEmailEnabledList
proc_markForDeletionEmailEnabledListsBySite
proc_markForDeletionEmailEnabledListsByWeb
proc_putDistributionListToDelete
proc_putEmailEnabledList
proc_putSiteMap
Technical reference: Account requirements by scenario
This section lists account requirements by scenario:
Single server standard requirements
Server farm standard requirements
Single server standard requirements
Server farm-level accounts
Account | Requirements |
---|---|
SQL Server service |
Local System account (default) |
Setup user |
Member of the Administrators group on the local computer |
Server farm |
Network Service (default) No manual configuration is necessary. |
Microsoft SharePoint Foundation 2010 Search service accounts
Account | Requirements |
---|---|
SharePoint Foundation 2010 Search Service |
Must not be a built-in account, such as Local Service or Network Service. |
SharePoint Foundation 2010 Search Service Content Access |
For proper search functionality and information security, do not use an administrator account or an account that can modify content. This account is automatically added to the Full Read policy, giving it read-only access to all Help content. |
Additional application pool identity accounts
Account | Requirements |
---|---|
Application pool identity |
No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration. |
Server farm standard requirements
Server farm-level accounts
Account | Requirements |
---|---|
SQL Server service account |
Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$). |
Setup user account |
If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database. |
Server farm account |
Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
Note if you configure the Secure Store Service, the server farm account will not automatically be given db_owner access to the Secure Store Service database. |
Microsoft SharePoint Foundation 2010 Search accounts
Account | Requirements |
---|---|
Microsoft SharePoint Foundation 2010 Search service account |
The following are automatically configured:
|
Microsoft SharePoint Foundation 2010 Search content access account |
|
Additional application pool identity accounts
Account | Requirements |
---|---|
Application pool identity |
No manual configuration is necessary. The following are automatically configured:
|