Service Accounts for SharePoint

Configure least-privilege service accounts for SharePoint

Dan Holme

by Dan Holme on 2/14/2014

SharePoint has close relationships with and dependencies on SQL Server and Active Directory.

Active Directory provides identity and authentication services. In other words, it stores user accounts (user names and passwords) and validates account logons. These services support users logging on to SharePoint sites. They also support the accounts used by SharePoint and SQL services themselves.

SQL Server stores almost all of the configuration and content of a SharePoint farm. SQL Server services, like all Windows services, run using an identity and log on with credentials consisting of a user name and password.

SharePoint services also run with Active Directory credentials, which SharePoint uses to access data in SQL Server. These accounts must have SQL logins so that SQL Server can authorize that access; SharePoint creates the logins automatically during setup and whenever a Web application is created.

To support the administration and services of SQL and SharePoint, you must create identities in Active Directory, and you must ensure that appropriate permissions have been granted. It is important that you adhere to the security practice of least privilege, in which an account is given only the permissions required to perform its tasks. The following accounts enable a least-privilege implementation of SharePoint in a typical environment:

  • SQL Server administrator account: SQL_Admin

  • SQL Server service account: SQL_SERVICE

  • SharePoint setup user and administrator account: SP_ADMIN

  • SharePoint farm account: SP_Farm

  • Web and service application pool account(s): SP_WebApps and SP_ServiceApps

  • Search indexer (crawler) account: SP_Crawl

  • User profile synchronization account: SP_UserSync

The following sections provide detail about each of these accounts. Because these accounts are privileged, they should be dedicated for the indicated purpose, and should not be used for any other purpose in the enterprise.
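The following PowerShell script is an added example, not part of the original article, showing one way to create the seven accounts listed above as dedicated identities and then check that none of them has drifted into a highly privileged Active Directory group. The OU name and the set of groups treated as privileged are assumptions made for this example; the script requires the ActiveDirectory module and rights to create objects in the target OU.

```powershell
# Added example (not from the article): create the least-privilege service
# accounts listed above in a dedicated OU, then audit that none of them is a
# member of a highly privileged AD group. Requires the ActiveDirectory module
# (RSAT) and rights to create objects in the target OU.
# The OU name and the privileged-group list are assumptions for this example.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'SharePoint Service Accounts'          # hypothetical OU name
$OuPath   = "OU=$OuName,$DomainDN"

# The accounts from the article, each with a description recording the single
# purpose it is dedicated to.
$Accounts = @(
    @{ Name = 'SQL_Admin';      Description = 'SQL Server administrator' },
    @{ Name = 'SQL_SERVICE';    Description = 'SQL Server service account' },
    @{ Name = 'SP_ADMIN';       Description = 'SharePoint setup user and administrator' },
    @{ Name = 'SP_Farm';        Description = 'SharePoint farm account' },
    @{ Name = 'SP_WebApps';     Description = 'Web application pool account' },
    @{ Name = 'SP_ServiceApps'; Description = 'Service application pool account' },
    @{ Name = 'SP_Crawl';       Description = 'Search indexer (crawler) account' },
    @{ Name = 'SP_UserSync';    Description = 'User profile synchronization account' }
)

# Create the OU once so the service accounts can be delegated and audited as a
# group instead of being mixed in with ordinary user accounts.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

foreach ($acct in $Accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") {
        Write-Host "Exists: $($acct.Name)"
        continue
    }
    # Each account gets its own password, entered interactively so that no
    # credential is written into the script or the command history.
    $pw = Read-Host -Prompt "Password for $($acct.Name)" -AsSecureString
    New-ADUser -Name $acct.Name `
               -SamAccountName $acct.Name `
               -Description $acct.Description `
               -Path $OuPath `
               -AccountPassword $pw `
               -Enabled $true
    Write-Host "Created: $($acct.Name)"
}

# Least-privilege audit: a service account that is also a member of one of
# these groups holds far more than its task requires, which is exactly what the
# "dedicated for the indicated purpose" rule is meant to prevent.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Findings = foreach ($acct in $Accounts) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.Name |
              Select-Object -ExpandProperty Name
    foreach ($g in $groups) {
        if ($PrivilegedGroups -contains $g) {
            [pscustomobject]@{ Account = $acct.Name; PrivilegedGroup = $g }
        }
    }
}

if ($Findings) {
    Write-Warning 'Service accounts found in privileged groups:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Host 'No service account is a member of a privileged group.'
}
```

The audit section can be run on its own on a schedule; any row it reports is an account that has been granted rights beyond the single purpose the article assigns to it and should be reviewed.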
