
SharePoint 2016 Service Accounts Recommendations


Service accounts are a big part of installing every version of SharePoint, yet everyone has a different way of setting them up. And once you install SharePoint with a set of service accounts, it’s not always easy to change them. Let’s take a look at the SharePoint 2016 service accounts that I recommend.

SharePoint 2016 Service Accounts

Every SharePoint administrator you ask will have a different opinion on how many service accounts you need and whether you should have dedicated service accounts for some Service Applications or certain administration tasks. Different opinions don’t mean some are wrong and some are right; there is no real “golden” solution that will be good for every SharePoint farm out there. From my experience with SharePoint, here are the Service Accounts that I recommend for your SharePoint 2016 implementation.

SharePoint 2016 Service Accounts

The following Service Accounts can be named according to your company’s naming convention. The Local Security Policy rights only need to be configured manually if you have Group Policies that would take them away.

Account: SP_Admin
Description: This account will be used to install and configure the SharePoint farm initially. After the initial setup, you can grant farm administrator rights to your SharePoint administrators’ own accounts so they can log in and manage SharePoint with their own account.
Local / Application Permissions:
  • Domain User
  • Local Administrator on the SharePoint Servers
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin
Local Security Policy:
  • Back up files and directories
  • Debug Programs
  • Manage auditing and Security log
  • Restore files and directories
  • Take ownership of files or other objects

Account: SP_Farm
Description: Runs the SharePoint Timer and Administration Service.
Local / Application Permissions:
  • Domain User
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin
Local Security Policy:
  • Allow log on locally
  • Adjust memory quotas for a process
  • Impersonate a client after authentication
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token

Account: SP_Services
Description: Runs the Application Pool for most of your Service Applications. Some service applications require more rights, and a dedicated Service Account is recommended for those; we cover them a bit lower in this blog post.
Local / Application Permissions:
  • Domain User
Local Security Policy:
  • Adjust memory quotas for a process
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token
  • Impersonate a client after authentication

Account: SP_Pool
Description: Runs the Application Pool for your Web Applications.
Local / Application Permissions:
  • Domain User
Local Security Policy:
  • Impersonate a client after authentication
  • Log on as a batch job
  • Log on as a service

Account: SP_Crawl
Description: The Default Content Access Account for the Search Service Application. This account is used to crawl the content of your SharePoint Web Applications.
Local / Application Permissions:
  • Domain User
  • Read Access on all your Web Applications (granted automatically)

Account: SP_Sync
Description: Used to synchronize profiles between AD and SharePoint Server 2016.
Local / Application Permissions:
  • Domain User
  • Needs to have “Replicate Directory Changes” in Active Directory (tutorial here)

Account: SP_C2WTS
Description: Used to run the Claims to Windows Token Service.
Local / Application Permissions:
  • Domain User
  • Local Administrator on all SharePoint Servers running the C2WTS service
Local Security Policy:
  • Act as part of the operating system
  • Impersonate a client after authentication
  • Log on as a service

Account: SP_SU
Description: Object cache account (Super User). Must not be an account that will ever be used to log in to the site.
Local / Application Permissions:
  • Domain User
  • Full Control on your Web Applications

Account: SP_SR
Description: Object cache account (Super Reader). Must not be an account that will ever be used to log in to the site.
Local / Application Permissions:
  • Domain User
  • Full Read on your Web Applications
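
As an added example (not code from the original post), the following PowerShell check audits a SharePoint server’s User Rights Assignment against the Local Security Policy rights listed above for SP_Farm, SP_Services, SP_Pool and SP_C2WTS, reporting both rights that are missing and rights the account holds beyond what the table calls for. It assumes an elevated session on the SharePoint server; the CORP domain and the account names are placeholders.

```powershell
# Added example, not code from the original post: audit this server's User Rights Assignment
# against the "Local Security Policy" column of the table above. Assumes an elevated session on
# a SharePoint server; the domain CORP and the account names are placeholders for your own.
# secedit constant -> policy name as written in the table.
$RightNames = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeImpersonatePrivilege'        = 'Impersonate a client after authentication'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
}
# Rights each account should hold, copied from the SP_Farm, SP_Services, SP_Pool and SP_C2WTS rows.
$Expected = @{
    'CORP\SP_Farm'     = @('SeInteractiveLogonRight', 'SeIncreaseQuotaPrivilege', 'SeImpersonatePrivilege',
                           'SeBatchLogonRight', 'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege')
    'CORP\SP_Services' = @('SeIncreaseQuotaPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight',
                           'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege')
    'CORP\SP_Pool'     = @('SeImpersonatePrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight')
    'CORP\SP_C2WTS'    = @('SeTcbPrivilege', 'SeImpersonatePrivilege', 'SeServiceLogonRight')
}

function Get-PrivilegeRights {
    # Export the effective local policy and parse [Privilege Rights] into right -> list of principals.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-PrivilegeRights
foreach ($account in $Expected.Keys) {
    # secedit writes principals as *S-1-5-..., so compare on the account's SID rather than its name.
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $held = @($rights.Keys | Where-Object { $rights[$_] -contains "*$sid" -or $rights[$_] -contains $account })
    foreach ($r in $Expected[$account]) {
        if ($held -notcontains $r) { Write-Warning "$account is missing '$($RightNames[$r])' ($r)" }
    }
    # Anything beyond the table (e.g. SeDebugPrivilege on a service account) is a least-privilege finding.
    foreach ($r in $held | Where-Object { $Expected[$account] -notcontains $_ }) { Write-Warning "$account unexpectedly holds $r" }
}
```

Rights delivered by Group Policy show up in the export the same way as locally assigned ones, so this check reports the effective policy, which is what the services actually run under.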

SQL Service Accounts

The following Service Accounts are recommended for your dedicated SQL Server hosting SharePoint databases and can be named according to your company’s naming convention. The Local Security Policy rights only need to be configured manually if you have Group Policies that would take them away.

Account: SP_SQLAdmin
Description: This account will be used to install and configure the SQL Server initially. After the initial setup, you can grant the SQL Admin rights to your SQL Administrators’ account so they can log in and manage SQL with their own account.
Local / Application Permissions:
  • Domain User
  • Local Administrator on the SQL Server
Local Security Policy:
  • Back up files and directories
  • Debug Programs
  • Manage auditing and Security log
  • Restore files and directories
  • Take ownership of files or other objects

Account: SP_SQLEngine
Description: This account will run the Database Engine service.
Local / Application Permissions:
  • Domain User
Local Security Policy:
  • Log on as a service
  • Replace a process-level token
  • Bypass traverse checking
  • Adjust memory quotas for a process
  • Perform Volume Maintenance Tasks (only if you want to enable Instant File Initialization)

Account: SP_SQLAgent
Description: This account will run the SQL Server Agent Service.
Local / Application Permissions:
  • Domain User
Local Security Policy:
  • Log on as a service
  • Replace a process-level token
  • Bypass traverse checking
  • Adjust memory quotas for a process

Other Accounts Depending on your Scenario

Depending on what features you plan to use in your SharePoint 2016 implementation, here are some other Service Accounts that I recommend:

Account: SP_WFM
Description: This account would be used as the RunAs account for the Workflow Manager and Service Bus farms. If you want, you could create a dedicated account for each.
Local / Application Permissions:
  • Domain User
  • Local Administrator on the WFM Servers
  • Full Control to the Web Applications where Workflow Manager will be used
Local Security Policy:
  • Impersonate a client after authentication
  • Log on as a service
  • Log on as a batch job

Account: SP_Access
Description: This account would be used to run the Service Application Pool for the Access Apps for SharePoint Service Application. A dedicated service account is needed because this account requires special permissions in SQL as well as special settings on the Access App Services Service Application.
Local / Application Permissions:
  • Domain User
  • Member of the following SQL Roles
    • DB Creator
    • Security Admin
  • Read/Write permission to the config cache folder located at C:\ProgramData\Microsoft\SharePoint\Config
  • The IIS Application Pool running the Access App Services Service Application needs to have “Load User Profile” set to True. Navigate to the IIS Application Pools and, from Advanced Settings, change “Load User Profile” to True.
Local Security Policy:
  • Adjust memory quotas for a process
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token
  • Impersonate a client after authentication

Account: SP_PowerPivot
Description: The PowerPivot unattended data refresh account is a designated account for running PowerPivot data refresh jobs in a SharePoint farm.
Local / Application Permissions:
  • Domain User
  • Read permissions to external data sources
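
To confirm the SQL side of the tables above, here is an added PowerShell check (not the author’s code) that compares the fixed server roles actually granted to SP_Admin, SP_Farm and SP_Access with the two roles the tables list (DB Creator and Security Admin) and flags anything extra, sysadmin above all. The instance name, the SqlServer module (Invoke-Sqlcmd), Windows authentication and the CORP domain are assumptions.

```powershell
# Added example, not code from the original post: verify on the SQL Server that the SharePoint
# accounts hold exactly the server roles the tables call for, and nothing stronger.
# Assumes the SqlServer module (Invoke-Sqlcmd) and Windows authentication to the instance;
# the instance name, domain CORP and account names are placeholders for your own.
$Instance = 'SQL01\SHAREPOINT'

# Server roles per login, from the SP_Admin, SP_Farm and SP_Access rows above.
$Expected = @{
    'CORP\SP_Admin'  = @('dbcreator', 'securityadmin')
    'CORP\SP_Farm'   = @('dbcreator', 'securityadmin')
    'CORP\SP_Access' = @('dbcreator', 'securityadmin')
}

# One row per (Windows login, fixed server role) membership on the instance.
$query = @"
SELECT m.name AS LoginName, r.name AS RoleName
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.type_desc = 'WINDOWS_LOGIN'
"@
$memberships = Invoke-Sqlcmd -ServerInstance $Instance -Query $query

foreach ($login in $Expected.Keys) {
    $held = @($memberships | Where-Object { $_.LoginName -eq $login } | ForEach-Object { $_.RoleName })
    if ($held.Count -eq 0) {
        Write-Warning "$login holds no server role (or has no login on $Instance)"
        continue
    }
    # Without these, creating a Web Application or Content Database from SharePoint fails.
    foreach ($role in $Expected[$login] | Where-Object { $held -notcontains $_ }) {
        Write-Warning "$login is missing server role $role"
    }
    # Extra roles (sysadmin in particular) are more than the farm needs and should be removed.
    foreach ($role in $held | Where-Object { $Expected[$login] -notcontains $_ }) {
        Write-Warning "$login holds server role $role, which the farm does not need"
    }
}
```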

General Recommendations for SharePoint 2016 Service Accounts

Whatever accounts you choose, here are some recommendations that you need to follow for your SharePoint 2016 service accounts.

First of all, the length of your service account usernames should be less than 20 characters (including the domain name). This is due to the SAM-Account-Name attribute (also known as the pre–Windows 2000 user logon name), which is limited to 20 characters in the AD schema. For example, CORP\SP16Prod_SuperReader is 25 characters and would be too long.

My second recommendation is to use different service accounts for each environment. For example, your production might have an SP_Services account, while your QA account would be SPQ_Services. This ensures that nothing in one farm can affect the other, and if you ever want to test changing the password of a managed account, for example, or give the password of the QA account to someone else, you will not compromise the security and stability of your production SharePoint farm.


19 Comments

  • March 14, 2017 at 7:04 am
    Geoff Firth

    Do you know if ‘Log on as a batch job’ is still required with Windows Server 2016? The default domain security policy picks this up and produces scecli 1202 events when I add users to this. I can see the need in a mixed domain, but perhaps it’s not needed with servers all on Windows 2016. Or is there a step I have missed?

    Reply
  • April 25, 2017 at 4:27 pm
    Michel

    Hi,

    The SP_Crawl account should have “Manage auditing and security log” on the server that hosts the files.

    https://support.microsoft.com/en-us/help/2817731/sharepoint-server-2013-crawler-has-insufficient-permissions-to-crawl-file-shares

    Reply
  • June 15, 2017 at 1:12 pm
    William HUg

    Where would Managed and Virtual service accounts fit into this, as those are the recommended sql accounts?
    https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

    Reply
  • July 7, 2017 at 1:20 am
    Peter Cheung

    Can dbcreator and securityadmin be granted on an as-needed basis? Do SP_Admin and SP_Farm need those roles for daily operation? After a database has been created, all the database roles/users have been created/granted right after the database is created, and any backup and restore will be done through a 3rd party tool like CommVault, so why do any SP accounts need dbcreator and securityadmin?

    Reply
    • July 8, 2017 at 7:42 pm

      Hi Peter,

      Technically it’s something that would work, but it’s not recommended to do so. You would need to grant those rights every time you create a Web Application, a Content Database, a Service Application, etc.

      Reply
      • July 13, 2017 at 11:12 pm
        Peter Cheung

        Thanks Vlad. I assume this is not recommended due to the inconvenience.

        Another issue we discovered is that Workflow Manager is using BUILTIN\Administrators, which is the group Microsoft has intentionally not added to SQL Server since SQL Server 2008 due to its security risk. I’m a DBA, not a SharePoint administrator, so I wonder whether this can be configured when Workflow Manager is installed.

  • July 12, 2017 at 3:34 pm

    Why would the SP_SQLAdmin need to be a local administrator on the SQL Server, and not just on the instance? I’m working for a client with a SQL team that manages these servers, and I suspect there will be some pushback when I request them to add this account. What can I tell them is the reason for this? Thank you

    Reply
    • July 17, 2017 at 7:50 pm

      This is only needed for the Install / Patching of SQL Server. If you have a DBA team taking care of this, you don’t need it to be a Local admin on the SQL Server!

      Reply
  • August 1, 2017 at 2:11 pm

    Hi Vlad,

    Back in SP2010 some sites (e.g. https://nikpatel.net/2010/12/24/sharepoint-2010-service-account-references-for-least-privileged-installation/) suggested using a specific account for MySite and another for the WebApp Pools. In SP2016 I only see the Pool account. What changed this recommendation? Thx

    Reply
    • August 2, 2017 at 8:59 am

      Hi Sam, great question!

      While having multiple App Pool accounts is definitely supported, if we follow the performance best practices, we should only have one Application Pool (therefore one account) for all our Web Applications unless there is a business reason to do otherwise. This will limit the RAM taken by the Web Front End.

      Another limitation if you use multiple App Pool accounts is that you might have problems deploying Apps (Add-ins now): https://vladtalkstech.com/2013/10/sharepoint-2013-apps-load-css-properly-403-defaultcss-ashx.html

      Reply
  • November 15, 2017 at 1:37 am
    Robert Rathbun

    Can I suggest adding a reference to specific articles that support your recommendations. I know Microsoft scatters this information, but it would be nice if you had an additional column with supporting references. Hopefully this is something you can add.

    Great job by the way, this information is extremely beneficial and easy to read.

    Reply
  • January 30, 2018 at 5:33 am
    Daniel Westerdale

    Vlad , thanks for the post. I am in the process of replacing the Search Service Application with a Hybrid Search Application. Am I correct in thinking I should be using an sp_farm for the search service account?

    Reply
    • January 30, 2018 at 8:37 am

      I would use the SP_Services to run the Search Service! SP_Crawl for the crawling!

      Reply
  • March 7, 2018 at 7:56 pm
    Maria

    Can the Sync AD account be part of the Group Managed Service Account (gMSA)?

    Reply
  • April 1, 2018 at 7:25 pm
    Jim S

    Vlad – In your very helpful and well written book “Deploying SharePoint 2016: Best Practices for Installing, Configuring, and Maintaining SharePoint Server 2016” it is stated “This book will use a minimal service accounts to maintain the best possible performance by creating the least number of Application Pools in SharePoint.” In most cases do you recommend the minimal approach covered in the book?

    Reply
  • November 7, 2019 at 6:15 am
    Alex

    Hello, I’m receiving this error:
    https://docs.microsoft.com/en-us/sharepoint/technical-reference/the-server-farm-account-should-not-be-used-for-other-services
    Which account should be used for the Windows Services: SharePoint Search Host Controller, SharePoint Server Search, and Distributed Cache (AppFabric Caching Service)?

    Reply
