Web and Service Application Pool Accounts: SP_WebApps and SP_ServiceApps
Each Web application runs in an application pool. The application pool identity is a domain user account that is functionally equivalent to a service
account, with permissions to access the content database for the Web application on the SQL Server. Service applications and services, such as Search or
the Office Web Applications, also use domain user identities for application pool and service accounts.
When you assign an account to a Web application, service, or service application, SharePoint automatically grants the account the permissions it
needs. For example, when you assign an account as the default crawl account, which is used to index SharePoint content for search, SharePoint automatically
grants the account permission to read all content in all new web applications.
You can use one or more accounts for Web applications, service applications, and services based on your requirements for manageability and security. By
using unique accounts for each application and service, you can create a least-privileged environment in which each application or service account has only
the permissions required for that component. Additionally, you can more easily audit and troubleshoot because logs will clearly identify the account—and
therefore the service—in question.
By using a single account for all applications and services, you eliminate the need to manage multiple accounts. However, the account will have the
cumulative permissions required for all applications and services, which means that any one application or service process will run with more permissions
than it needs. And it will become more difficult to audit and troubleshoot certain scenarios, because logs will identify a single account and you cannot
directly associate that account with a specific service or application.
In many products, it is difficult to manage service accounts because of password synchronization. When a service account’s password is changed in Active
Directory, you must manually update the logon information for the service on each system on which the service is installed.
SharePoint provides managed accounts, a feature that reduces the management overhead for service accounts. A managed account is a domain
user account that is registered with SharePoint and assigned to one or more Web applications, service applications, or services. When you change the
password of a managed account, SharePoint automatically updates the logon information of the associated components. Additionally, SharePoint can
automatically manage password changes so that changes are made just prior to the expiration of the password based on domain password policy.
As a result, managing service accounts for SharePoint is significantly easier than it is for many other services or products. By
reducing the management burden of service accounts, SharePoint makes it practical to use one account per service or application.
[Read more about managed service accounts***]
At a bare minimum, it is recommended to use one account, e.g. SP_ServiceApps, for service applications, and another account, e.g. SP_WebApps, as the
application pool identity for user-facing Web applications.
In a production environment, you should define accounts based on your requirements for security
and manageability, with the understanding that defining unique accounts for each service and application pool is often a best practice.
[Read more about multiple web application and service application accounts***]
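The following PowerShell is an added example for the two recommendations above (managed accounts with automatic password changes, and separate SP_WebApps and SP_ServiceApps identities); it is not code from the original guide or from the SharePoint product documentation. It registers both accounts as managed accounts, lets SharePoint rotate their passwords before domain expiry, binds each to its own application pool, and then audits the farm so that a Web application sharing an account with a service application stands out. The domain name CONTOSO, the account names, the pool names, the URL, host header and database name are all placeholder assumptions; the `Register-SPServiceIdentity` and `Get-SPIdentityAudit` functions are defined here, not SharePoint cmdlets.

```powershell
# Added example, not part of the original guide. Requires the SharePoint Management Shell
# (or the Microsoft.SharePoint.PowerShell snap-in) on a farm server, PowerShell 3.0 or later.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain = "CONTOSO"   # assumption: replace with your Active Directory domain

function Register-SPServiceIdentity {
    # Registers a domain user as a SharePoint managed account (idempotent) and turns on
    # automatic password changes so the farm, not an administrator, updates every logon.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $logon = "$domain\$SamAccountName"
    $acct = Get-SPManagedAccount -Identity $logon -ErrorAction SilentlyContinue
    if (-not $acct) {
        # Prompts once for the current AD password; SharePoint stores it in the configuration database.
        $cred = Get-Credential -UserName $logon -Message "Current password for $logon"
        $acct = New-SPManagedAccount -Credential $cred
    }
    # SharePoint generates a new password 2 days before the domain policy expires the old one,
    # during the window given in SPSchedule syntax, and updates each associated component.
    Set-SPManagedAccount -Identity $acct -AutoGeneratePassword -PreExpireDays 2 `
        -Schedule "weekly between Sat 02:00:00 and Sat 04:00:00" -Confirm:$false
    return $acct
}

# One identity for service applications, another for user-facing Web applications.
$svcAccount = Register-SPServiceIdentity -SamAccountName "SP_ServiceApps"
$webAccount = Register-SPServiceIdentity -SamAccountName "SP_WebApps"

# Service application pool running as SP_ServiceApps (pool name is an assumption).
$svcPoolName = "SharePoint Service Applications"
if (-not (Get-SPServiceApplicationPool -Identity $svcPoolName -ErrorAction SilentlyContinue)) {
    New-SPServiceApplicationPool -Name $svcPoolName -Account $svcAccount | Out-Null
}

# User-facing Web application in its own pool running as SP_WebApps (URL, host header
# and content database name are assumptions for this example).
$webUrl = "http://intranet.contoso.local"
if (-not (Get-SPWebApplication -Identity $webUrl -ErrorAction SilentlyContinue)) {
    New-SPWebApplication -Name "Intranet" -Url $webUrl -Port 80 -HostHeader "intranet.contoso.local" `
        -ApplicationPool "SharePoint Web Applications" -ApplicationPoolAccount $webAccount `
        -DatabaseName "WSS_Content_Intranet" | Out-Null
}

function Get-SPIdentityAudit {
    # Lists which account runs each Web application and service application pool, and flags
    # an account that is shared across both roles, which is the "single account" situation
    # the guide describes as harder to audit and over-privileged.
    $rows = @()
    foreach ($wa in Get-SPWebApplication) {
        $rows += [pscustomobject]@{
            Kind = "WebApplication"; Component = $wa.DisplayName
            Pool = $wa.ApplicationPool.Name; Account = $wa.ApplicationPool.Username
        }
    }
    foreach ($pool in Get-SPServiceApplicationPool) {
        $rows += [pscustomobject]@{
            Kind = "ServiceAppPool"; Component = $pool.Name
            Pool = $pool.Name; Account = $pool.ProcessAccountName
        }
    }
    $webAccts = $rows | Where-Object Kind -eq "WebApplication" | Select-Object -ExpandProperty Account -Unique
    $svcAccts = $rows | Where-Object Kind -eq "ServiceAppPool" | Select-Object -ExpandProperty Account -Unique
    foreach ($r in $rows) {
        $finding = ""
        if ($r.Kind -eq "WebApplication" -and $svcAccts -contains $r.Account) {
            $finding = "account also runs service applications"
        } elseif ($r.Kind -eq "ServiceAppPool" -and $webAccts -contains $r.Account) {
            $finding = "account also runs user-facing Web applications"
        }
        $r | Add-Member -NotePropertyName Finding -NotePropertyValue $finding
    }
    return $rows
}

Get-SPIdentityAudit | Format-Table Kind, Component, Pool, Account, Finding -AutoSize
```

Run the audit on its own (the function does not change anything) after each change to the farm; an empty Finding column for every row means each role is running under its own identity, and the Account column gives the exact name to look for in the ULS and IIS logs when troubleshooting a specific Web application or service.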