SharePoint has close relationships with and dependencies on SQL Server and Active Directory.
Active Directory provides identity and authentication services. In other words, it stores user accounts (user names and passwords) and validates account
logons. These services support users logging on to SharePoint sites. They also support the accounts used by SharePoint and SQL services themselves.
SQL Server stores almost all of the configuration and content of a SharePoint farm. SQL Server services, like all Windows services, run using an identity
and log on with credentials consisting of a user name and password.
SharePoint services also run with Active Directory credentials. The credentials are used by SharePoint to access data in SQL Server. These accounts must
have SQL logins so that SQL can authorize the access. These SQL logins are created automatically by SharePoint during setup and the creation of Web
To support the administration and services of SQL and SharePoint, you must create identities in Active Directory, and you must ensure that appropriate
permissions have been granted. It is important that you adhere to the security practice of least privilege, in which an account is given only the
permissions required to perform its tasks. The following accounts enable a least-privilege implementation of SharePoint in a typical environment:
SQL Server administrator account: SQL_Admin
SQL Server service account: SQL_SERVICE
SharePoint setup user and administrator account: SP_ADMIN
SharePoint farm account: SP_Farm
Web and service application pool account(s): SP_WebApps and SP_ServiceApps
Search indexer (crawler) account: SP_Crawl
User profile synchronization account: SP_UserSync
The following sections provide detail about each of these accounts. Because these accounts are privileged, they should be dedicated for the indicated
purpose, and should not be used for any other purpose in the enterprise.
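As an added example (not part of the original text), the following PowerShell script creates the dedicated identities listed above in their own organizational unit and then checks that none of them has been placed in a group that grants broad domain control, which is the least-privilege property the text asks for. It assumes the ActiveDirectory module is installed and that the domain and OU path shown exist; both are assumptions, not values from the page.

```powershell
# Added example, not the page's own procedure. Assumes the ActiveDirectory
# (RSAT) module and an existing OU in an assumed domain corp.example.com.
Import-Module ActiveDirectory

$ou = 'OU=SharePoint Service Accounts,OU=Service Accounts,DC=corp,DC=example,DC=com'

# Account name => the single purpose it is dedicated to (the list from the text).
$accounts = [ordered]@{
    'SQL_Admin'      = 'SQL Server administrator'
    'SQL_SERVICE'    = 'SQL Server service account'
    'SP_ADMIN'       = 'SharePoint setup user and administrator'
    'SP_Farm'        = 'SharePoint farm account'
    'SP_WebApps'     = 'Web application pool account'
    'SP_ServiceApps' = 'Service application pool account'
    'SP_Crawl'       = 'Search indexer (crawler) account'
    'SP_UserSync'    = 'User profile synchronization account'
}

foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # Prompt for each password so no secret is hard-coded in the script.
        $pw = Read-Host -AsSecureString -Prompt "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -Path $ou `
            -Description $accounts[$name] -AccountPassword $pw `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    }
}

# Least-privilege check: a service account that only needs rights on SQL Server
# or SharePoint has no business in a group that controls the whole domain.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators'
foreach ($name in $accounts.Keys) {
    $groups = (Get-ADPrincipalGroupMembership -Identity $name).Name
    $bad = $groups | Where-Object { $privileged -contains $_ }
    if ($bad) {
        Write-Warning "$name is a member of privileged group(s): $($bad -join ', ')"
    } else {
        Write-Output "${name}: no privileged group membership"
    }
}
```

Run the membership loop on its own on a schedule to catch later drift, since the rights an account needs on a SQL or SharePoint server are granted locally and never require domain-level group membership.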