SharePoint 2013 Service Accounts Best Practices Explained
Several weeks ago I did a post about SharePoint 2013 Service Accounts best practices titled: SharePoint 2013 Service Accounts Best Practices! Is there a golden solution for all farms?. The post talked about how important Service Accounts are in the installation of SharePoint 2013, because if they are not set up correctly they can open big security holes in your organization or give you problems down the road.
The article also suggested that you cannot have only one set of Service Accounts for every scenario, since not all scenarios require the same security (ex: a development environment does not require the same security as the production one). So, I suggested three sets of service accounts for different deployment scenarios of SharePoint 2013; however, I got some feedback that my choices and the accounts weren’t explained in detail.
This post will go over all three sets of service accounts, explaining the difference between the sets and also what every account does!
NOTE: These sets only cover the basic installation and configuration of SharePoint 2013 and SQL Server. Other Service Accounts will be needed for some Service Applications (ex: Excel, Visio, PerformancePoint, etc.)
NOTE: For SharePoint 2016, check out this blog post: https://vladtalkstech.com/2017/03/sharepoint-2016-service-accounts-recommendations.html
SharePoint 2013 Service Accounts – Low Security Option
Summary
The Low Security option is of course the one with the fewest accounts possible to install SharePoint in a proper manner. It uses only 1 SQL account, which is the SQL administrator and also runs the services, and 5 SharePoint accounts: the Farm Administrator, the Web Application Pool account, the SharePoint Service Application Pool account, the Crawl account and the User Profile Synchronization account. More details under each section.
For the SQL Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SQL_Admin | The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. It is also the SQL Admin on the SQL Server. | Local Administrator on the SQL Server | Domain User |
Explanation
For the SharePoint Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SP_Farm | The server farm account is used to perform the following tasks: | Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User |
SP_Pool | The Pool account is used to run the Web Application Pools | None | Domain User |
SP_Services | The Services Account is used to run the Service Application Pool | None | Domain User |
SP_Crawl | The Default Content Access Account for the Search Service Application | None | Domain User |
SP_UserProfiles | The User Profile Synchronization Account | None | Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs |
Explanation
SP_Services is a domain account used for the Service Application Pools. For example, when you create a Managed Metadata Service Application and create a pool for it, you select this account!
SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications. It will also run the SharePoint Windows Search Service.
SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.
SharePoint 2013 Service Accounts – Medium Security Option (Sweet Spot)
Summary
For the SQL Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SQL_Admin | SQL Admin on the SQL Server. Used to Install the SQL Server. | Local Administrator on the SQL Server | Domain User |
SQL_Services | It is the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. | None | Domain User |
Explanation
For the SharePoint Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SP_Farm | The server farm account is used to perform the following tasks: | SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User |
SP_Admin | The server farm account is used to perform the following tasks: | Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User |
SP_Pool | The Pool account is used to run the Web Application Pools | None | Domain User |
SP_Services | The Services Account is used to run the Service Application Pool | None | Domain User |
SP_Crawl | The Default Content Access Account for the Search Service Application | None | Domain User |
SP_Search | Service Account to run the SharePoint Search “Windows Service” | None | Domain User |
SP_UserProfiles | The User Profile Synchronization Account | None | Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs |
Explanation
In the Medium Security option we increase the security by adding two new accounts: SP_Admin and SP_Search. Instead of giving all the farm administration power to the SP_Farm account, SP_Admin will be the one that installs and configures SharePoint 2013 and holds the local administrator rights, while SP_Farm will only run the services and connect to the database. Furthermore, instead of letting the SP_Crawl account both run the Windows Service and have FULL-READ rights on all the web applications, SP_Search will now run the Windows Service. Here is the breakdown of the accounts:
SP_Farm is a domain account that the SharePoint Timer service and the web application for Central Administration use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint configuration wizard grants the proper minimal privilege in the back-end SQL Server database. The minimum SQL Server privilege configuration is membership in the roles securityadmin and dbcreator.
SP_Admin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard for SharePoint 2013. The SP_Admin account is the only account that requires local Administrator rights. To configure the SP_Admin account in a minimum privilege scenario, it should be a member of the roles securityadmin and dbcreator on the SQL Server.
SP_Services is a domain account used for the Service Applications Pools. ex: When you create a Managed Metadata Service application and create a pool for it, you select this account!
SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.
SP_Search is used to run the SharePoint Windows Search Service.
SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights, however you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.
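The Medium Security breakdown above is easy to drift away from once a farm is in production (someone adds SP_Farm to local Administrators for a fix and forgets to remove it). The following script is an added example, not part of the original post or the CodePlex project, that audits a farm against the Medium Security tables; it assumes the ActiveDirectory and SqlServer PowerShell modules are installed, and the server and instance names are placeholders.

```powershell
# Added example, not from the original post: audit a farm against the
# Medium Security tables. Assumes the ActiveDirectory and SqlServer modules;
# the server and instance names below are placeholders.
Import-Module ActiveDirectory
Import-Module SqlServer

$Domain      = $env:USERDOMAIN
$SpServers   = @('SP-WFE01', 'SP-APP01')   # assumed SharePoint server names
$SqlInstance = 'SQL01'                     # assumed SQL Server instance
$SpAccounts  = 'SP_Farm','SP_Admin','SP_Pool','SP_Services','SP_Crawl','SP_Search','SP_UserProfiles'
$SqlAccounts = 'SQL_Admin','SQL_Services'
$Findings    = @()

# 1. Every account is meant to be a plain Domain User: flag privileged group membership.
foreach ($name in $SpAccounts + $SqlAccounts) {
    $groups = Get-ADPrincipalGroupMembership -Identity $name | Select-Object -ExpandProperty Name
    $priv   = $groups | Where-Object { $_ -in 'Domain Admins','Enterprise Admins','Schema Admins','Administrators' }
    if ($priv) { $Findings += "$name is in privileged domain group(s): $($priv -join ', ')" }
}

# 2. On the SharePoint servers only SP_Admin belongs in local Administrators.
foreach ($server in $SpServers) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    foreach ($name in $SpAccounts) {
        $isAdmin = $members -contains $name
        if ($name -eq 'SP_Admin' -and -not $isAdmin) { $Findings += "${server}: SP_Admin is not a local Administrator" }
        if ($name -ne 'SP_Admin' -and $isAdmin)      { $Findings += "${server}: $name is a local Administrator but should not be" }
    }
}

# 3. SP_Farm and SP_Admin should hold securityadmin and dbcreator on the instance and nothing more.
$roleQuery = @"
SELECT p.name AS LoginName, r.name AS RoleName
FROM sys.server_role_members m
JOIN sys.server_principals r ON m.role_principal_id   = r.principal_id
JOIN sys.server_principals p ON m.member_principal_id = p.principal_id
WHERE p.name IN ('$Domain\SP_Farm', '$Domain\SP_Admin')
"@
$roles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $roleQuery
foreach ($login in "$Domain\SP_Farm", "$Domain\SP_Admin") {
    $have  = @($roles | Where-Object { $_.LoginName -eq $login } | Select-Object -ExpandProperty RoleName)
    foreach ($need in 'securityadmin','dbcreator') { if ($have -notcontains $need) { $Findings += "$login lacks SQL role $need" } }
    $extra = $have | Where-Object { $_ -notin 'securityadmin','dbcreator' }
    if ($extra) { $Findings += "$login holds extra SQL role(s): $($extra -join ', ')" }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Account rights match the Medium Security option.' }
```

Run it from a machine with RPC access to the SharePoint servers and a login on the SQL instance; expect a warning for SP_Farm on the SharePoint servers only during User Profile provisioning, when the post's edit below says it must temporarily be a local Administrator.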
SharePoint 2013 Service Accounts – High Security Option
Summary
For the SQL Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SQL_Admin | SQL Admin on the SQL Server. Used to Install the SQL Server. | Local Administrator on the SQL Server | Domain User |
SQL_AGENT | It is the service account for the following SQL Server services: SQL SERVER AGENT. | None | Domain User |
SQL_ENGINE | It is the service account for the following SQL Server services: Database Engine. | None | Domain User |
Explanation
The difference between the Medium Security and High Security options is that we now have a separate account for each of the two base services: the SQL Server Agent (SQL_Agent) and the Database Engine (SQL_Engine). Nothing changes for the SQL_Admin.
SQL_Engine: This account does not have any local rights; it is only used to run the Database Engine Windows service.
For the SharePoint Server
Name | Description | Local Rights | Domain Rights |
---|---|---|---|
SP_Farm | The server farm account is used to perform the following tasks: | SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User |
SP_Admin | The server farm account is used to perform the following tasks: | Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User |
SP_Pool | The Pool account is used to run the Web Application Pools | None | Domain User |
SP_Services | The Services Account is used to run the Service Application Pool | None | Domain User |
SP_Crawl | The Default Content Access Account for the Search Service Application | None | Domain User |
SP_Search | Service Account to run the SharePoint Search “Windows Service” | None | Domain User |
SP_MySitePool | Used for the My Sites Web Application | None | Domain User |
SP_UserProfiles | The User Profile Synchronization Account | None | Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs |
Explanation
The only difference between the Medium Security and the High Security options on the SharePoint side is that we now have a separate account for the Web Application Pool hosting the ‘My Sites’, since it has a different security policy than the other Web Applications. I will only give the details for the new account in the breakdown:
SP_MySitePool is a domain account used for the My Sites Web Application Pool identity. It’s very similar to SP_Pool; however, it is only used for the My Sites Web Application.
Sources
http://technet.microsoft.com/en-us/library/cc678863.aspx
Edit (19/08/2013):
The SP_Farm account needs to be in the Local Administrators during, and only during the User Profile Provisioning!
Also, you can create those Service Accounts automatically with PowerShell using the SharePoint 2013 Service Account Creator project on CodePlex: https://sp2013serviceaccount.codeplex.com/
I think that this post gives all the information necessary for SharePoint 2013 Service Accounts for the years to come. Don’t forget that this post only covers the basic Service Accounts needed for SharePoint 2013 and that other Service Accounts will be needed for some Service Applications (ex: Excel Unattended Service, Visio, etc.)
If you have any questions or comments please do not hesitate to post a comment, because your opinions will only make this post better!
Leave a comment and don’t forget to like the Vlad Talks Tech Page on Facebook and to follow me on Twitter here for the latest news and technical articles on SharePoint. I am also a Pluralsight author, and you can view all the courses I created on my author page.