CJ

The circle of life – ** .Net – Training – MOSS **

MOSS 2007 Setup Accounts

Posted by Clayton James on April 23, 2007

Installing MOSS 2007 in a farm environment requires a few dedicated accounts and can be quite a confusing process. I came across a couple of great resources, so I thought I would save you the heartache and post them here.

This information was found on TechNet and in Bill English’s book Microsoft Office SharePoint Server 2007 Administrator’s Companion

It is strongly recommended that you use a dedicated account to log in and install Windows SharePoint Services and SharePoint Server 2007 servers. This account can also be used as the identity of the Central Administration site application pool, or it can be unique. By design, the Welcome menu displays “system account” if that account is used to log on to any application pool or Web site. This behavior continues even if the application pool identity is changed to the Network Service. This means your administrator account should not be used as an application pool identity or to install a SharePoint Server 2007 server.

| Account | Purpose | Scope | Used By | Needed | Requirements |
|---|---|---|---|---|---|
| Setup User | User account that is used to run setup on each server. | Farm | Person installing | Setup | Member of the administrator group on each Web front-end (WFE) server and application server computer in the farm. Member of the following SQL Server groups with SQL Security administrator and database creator rights on SQL servers. |
| SQL Server Service | This is the security context used by Central Administration for creating databases and other SQL configurations. | Farm | MSSQLSERVER, SQLSERVERAGENT | Setup | Member of the administrators group on each server on which setup runs, administrators group on each SQL Server computer, database system administrator, and member of the SQL security administrator and database creator SQL Server groups. |
| Server Farm | This account is also referred to as the database access account. | Farm | Central administration site application pool identity | Setup | Member of administrators group on each WFE server and application server computer in the farm with SQL security administrator and database creator rights on SQL Servers. Database Owner (DBO) for all databases and additional permissions on WFE server and application server computers are automatically configured for this account when SharePoint is installed. |
| SSP App Pool | | App | SSP App Pool Identity | SSP Creation | No configuration is necessary. The following permissions are automatically configured for this account when SharePoint is installed: DBO for the Shared Services Provider (SSP) content database, read/write permissions for the SSP content database, read/write permissions for content databases for Web applications that are associated with the SSP, read permissions for the configuration database, read permissions for the central administration content database, and additional permissions on WFE server and application server computers. |
| SSP Service Account | Used to run timer jobs and for interserver communications. | Farm | SSP Timer service; SSP Web services | SSP Creation | Same as SSP App Pool Account. |
| Windows SharePoint Services Search | Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service, and it is used by all SSPs. | Farm | Windows SharePoint Services 3.0 Search service | SSP Creation | Must be a domain account, but must not be a member of the farm administrators group. Permissions automatically configured for this account when SharePoint is installed include the following: read/write permissions for content databases for Web applications, read permissions for the configuration database, and read/write permissions for the Windows SharePoint Services Search database. |
| Search Default Content Access Account | The default account used by a specific SSP to crawl content. It is used when an account is not specified for a content source. | App | Windows SharePoint Services 3.0 Search service | SSP Creation | Must be a domain account, but must not be a member of the farm administrators group. It requires read access to external or secure content sources that you want to crawl using this account. Additional permissions for this account are automatically configured when SharePoint is installed. |
| Search Specific Content Access Account | This is an optional account that is configured to replace the default content access account to crawl a specific content source. | Rule | Windows SharePoint Services 3.0 Search service | Create a new crawl rule | Read access to external or secure content sources that this account is configured to access. |
| User Profile and Properties Content Access Account | Account used to connect to a directory service, such as Active Directory, a Lightweight Directory Access Protocol (LDAP) directory, Business Data Catalog (BDC) application, or other directory source and used to import profile data from a directory service. Note: If no account is specified, the Search Default Content Access account is used. If the Search Default Content Access account does not have read access to the directory or directories that you want to import data from, you will need to specify a different account. You should plan for one account per directory connection. | App | Profile Import | SSP Creation | Read access to the directory service. For an Active Directory service connection that enables Server Side Incremental, the account must have the Replicate Changes permissions for Active Directory directory services provided by Windows 2000 Server. This permission is not required for Windows 2003 Active Directory. Manage user profiles right. View rights on entities used in Business Data Catalog import connections. |
| Excel Services Unattended Service Account | Excel Calculation Services uses this account to connect to data sources that require user name and password strings for authentication. The SSP App Pool account is used if none is specified. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool Account. | App | Excel Services Service | SSP Creation | Read/write access to the Excel data sources. |
| App Pool Identity | Used to access content databases associated with the Web application. Plan one for each application pool. | App | Web Applications | App Pool Creation | No configuration is necessary. SQL Server privileges that are automatically assigned to this account are member of Database Owners Group for content databases associated with the Web application, read/write access to the associated SSP database only, and read permission for the configuration database. Additional privileges for this account on WFE servers and application servers are automatically configured by SharePoint. |
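
Several of the constraints above can be checked mechanically before setup is run. The following is an added example, not part of the original post or of any Microsoft tooling: it audits a planned role-to-account assignment against four rules stated in this post (search accounts must be domain accounts outside the farm administrators group, the administrator's own account must not install or run an application pool, one identity per application pool, and a separate Excel Services unattended account). The role keys, the plan format and every account name are assumptions made for this example, and accounts are assumed to be written as DOMAIN\user.

```python
from collections import Counter
# Role keys and the plan format are assumptions of this example, not MOSS names.
LOCAL_PREFIXES = {".", "BUILTIN", "NT AUTHORITY"}
SEARCH_ROLES = {"wss_search", "search_default_content_access"}
POOL_ROLES = {"server_farm", "ssp_app_pool"}  # plus every "app_pool:<name>" role

def is_domain_account(account, server_names=()):
    # Assumes DOMAIN\user notation; a server name as prefix means a local account.
    domain, sep, user = account.partition("\\")
    local = LOCAL_PREFIXES | {s.upper() for s in server_names}
    return bool(sep and user) and domain.upper() not in local

def audit(plan, farm_admins, personal_admins, server_names=()):
    """Return sorted (role, problem) pairs for a role -> account plan."""
    farm_admins = {a.lower() for a in farm_admins}
    personal_admins = {a.lower() for a in personal_admins}
    web_pools = {r: a.lower() for r, a in plan.items() if r.startswith("app_pool:")}
    reuse = Counter(web_pools.values())
    findings = []
    for role, account in plan.items():
        acct = account.lower()
        if role in SEARCH_ROLES:  # must be a domain account, never a farm admin
            if not is_domain_account(account, server_names):
                findings.append((role, "not a domain account"))
            if acct in farm_admins:
                findings.append((role, "member of farm administrators"))
        pool_like = role in POOL_ROLES or role in web_pools
        if acct in personal_admins and (role == "setup_user" or pool_like):
            findings.append((role, "administrator's own account used"))
        if role in web_pools and reuse[acct] > 1:  # plan one identity per pool
            findings.append((role, "identity shared with another application pool"))
    excel = plan.get("excel_unattended", "").lower()
    if not excel or excel == plan.get("ssp_app_pool", "").lower():
        findings.append(("excel_unattended", "runs with SSP App Pool privileges"))
    return sorted(findings)

# Constructed sample plan; every name below is invented for this example.
SAMPLE = {
    "setup_user": "CONTOSO\\jsmith",
    "server_farm": "CONTOSO\\svc-farm",
    "ssp_app_pool": "CONTOSO\\svc-ssp",
    "wss_search": "WFE01\\svc-search",
    "search_default_content_access": "CONTOSO\\svc-farm",
    "app_pool:portal": "CONTOSO\\svc-pool",
    "app_pool:mysites": "CONTOSO\\svc-pool",
}
SAMPLE_FINDINGS = audit(SAMPLE, ["CONTOSO\\svc-farm", "CONTOSO\\jsmith"],
                        ["CONTOSO\\jsmith"], server_names=["WFE01"])
if __name__ == "__main__":
    print("\n".join(f"{role}: {problem}" for role, problem in SAMPLE_FINDINGS))
```

Each finding names the role and the rule it breaks; an empty list means the plan satisfies the four rules checked here, not that the accounts hold the SQL Server or local group memberships the table lists.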
29 Responses to “MOSS 2007 Setup Accounts”

  1. Rebecca Smith said

    Thank you VERY much!! Been struggling for the past 3 days with what rights users need – will definitely make use of this – thanks again 🙂

  2. Sanjer said

    Hey Buddy,

    I must say a biiiiiiiiiiiiiiiiiiiiiiiiggggggggggg “Thank You” for your efforts. Was struggling the whole day.

    Thanks again.

    Regards
    Sanjer

  3. Lucky Paddy said

    Thanks for this list. However, there’s no need for using an Administrator Account for SQL Server Service. Furthermore, you’ll normally use two different accounts for SQL Service and SQL Agent Service, because they’ll need different System privileges.

    Using an Administrator Account for SQL Service is a security risk and should be avoided.

    Regards

    Paddy

  4. […] 2007. This table is a must for every SharePoint developer/administrator. Thanks to Clayton and his blog post who put the ever confusing user accounts in a neat descriptive […]

  5. Martijn said

    Thanks a lot for this list, but in my opinion you missed the office search accounts

    Regards,

    Martijn

  6. themush1326 said

    Should I (must) use the install account for day to day administration?
    This is what I am doing now.
    If done this way, all admins must know the password for the setup account, making it difficult to give someone temporary access to admin features.

    Is being part of the farm administrators group equivalent?

  7. Jos said

    Hi,
    Thanks for the info, it is of great help. Could you maybe elaborate by using login examples above?
    E.g. Setup account: SMACHINE\Administrator, Farm Account: DOMAIN1\MOSSADMIN, etc. This would make it easy to tie the knots together.

  8. Mischa said

    Hi,

    a big help!!! thanks for the table.

    Greetings,
    Mischa

  9. Benjamin said

    Hi,

    thank you for the information about permissions. I have indeed bookmarked it.

    We have an automatic deployment process that runs under local system however when we try to deploy a MOSS ‘setupsilent’ single server build it fails at step 8 of psconfig.exe with a message of can not locate user or some such.

    Should we be able to use the local system account to install MOSS singleserver ?

    Kind regards,

    Benjamin

  11. Kubajz said

    Hello, thank you for the information, but it doesn´t work.)
    I´m using a farm topology, but when I want to search for any information, it doesn´t work… I don´t know where the problem is; the search account is owner of every database, but the server log says:
    Event Type: Error
    Event Source: Windows SharePoint Services 3 Search
    Event Category: Gatherer
    Event ID: 2424
    Date: 8/31/2006
    Time: 11:52:50 AM
    User: N/A
    Computer: ComputerName
    Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

    Context: Application ‘Search’, Catalog ‘index file on the search server Search’

    So what´s wrong?

  12. Nick said

    Thanks a whole bunch for this page. You’ve saved me the trouble of constantly searching for each accounts definitions. Unfortunately I didn’t find this page until some of the accounts had been misconfigured, but at least I can go back and figure out what was wrong.
    Cheers
    Nick

  14. […] As for the search service, by default the user does not have to grant any permissions; these accounts are plain user accounts with no permissions, and SharePoint takes care of granting them. Here is a table that specifies all the accounts and the permissions they need: https://claytonj.wordpress.com/2007/04/23/moss-2007-setup-accounts/ […]

  16. Ghalia said

    If after installation I want to change the domain of the farm, how can I change the setup account “system”?
    I can migrate all users, but how can I do this for the system account?

    If I have deployed a MOSS farm using an account for setup and configured it in a domain,
    the whole farm's servers will be changed and connected to another domain.
    How can I change the system account user and the setup users I have entered?
    I’m afraid when we change domain I won’t be able to open MOSS.
    Is there a way to change the system account user, something like migrate, or to create a new one and add it to the farm?
    When that happens, what if I can’t use an admin user to open the farm?

  17. Endy said

    Great post.. thanks for sharing 😀

  27. […] App Pool- User(Domain) https://claytonj.wordpress.com/2007/04/23/moss-2007-setup-accounts/ See how to create MOSS VPC Image […]
