Get rid of the infamous single "Service Account" (one domain account that runs everything) and other security-related issues by adding the following section to your pre-install architecture document. One benefit of following these best practices for service accounts is a seamless transition to Kerberos authentication later: each application pool runs under its own identity, so each one can carry its own service principal names.
An architecture document makes a SharePoint install a BORING event. Other common sections of a SharePoint architecture document include 'friendly' SharePoint database names, DNS entries, site collection names, alternate paths, managed paths, and internal and external URLs.
There should be NO surprises on install day. You simply run setup and fill in the blanks using your architecture document. Again, a SharePoint install should be boring and tedious if it is planned and then executed according to that plan.
A screencast on SharePoint architecture documents, and how they can help when preparing for SharePoint 2010, is also available.
Service Accounts
The installation of MOSS can be divided logically into four key phases:
- Phase I – MOSS Software Installation
- Phase II – MOSS Configuration Wizard
- Phase III – MOSS Software Service Configuration
- Phase IV – MOSS Web Application Creation and Configuration
The table below provides a list of accounts needed and the phase they will be required.
| Title | AD Name | Purpose Summary | Phase |
|---|---|---|---|
| Setup User Account | SVC_MOSS-CUST-Install | Install Account | I and II |
| Server Farm Account | SVC_MOSS-CUST-FarmAdmin | Farm Administrator Account | II |
| Shared Services Provider Process Account | SVC_MOSS-CUST-SspAppPool | SSP Admin Process Account | III |
| Shared Services Provider Web Services Account | SVC_MOSS-CUST-SspService | SSP Services / Shared Web Service Account | III |
| Web Application Process Account – MySites | SVC_MOSS-CUST-MySite | My Site Application Pool Account | III |
| Search Content Access Account | SVC_MOSS-CUST-Crawl | Crawl / Content Access Account | III |
| WSS Search Service Account | SVC_MOSS-CUST-SearchSvc | WSS Search Service Account | III |
| User Profile and Properties Access Account | SVC_MOSS-CUST-ProfileImport | Needed to import user profiles from a 3rd-party LDAP directory or another Active Directory domain | III |
| Excel Calculation Services Unattended Process Account | SVC_MOSS-CUST-Excel | Account used to access external data sources | III |
| Web Application Process Account (Sites) | SVC_MOSS-CUST-Content | Content Account | IV |
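Provisioning the accounts from the table above in Active Directory, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), a placeholder OU and UPN suffix, and short sAMAccountNames that are made up here: the pre-Windows 2000 logon name is limited to 20 characters, which every name in the table exceeds once "MOSS" and a customer token are both in it, so the table's name is kept as the display name and a shorter logon name is used. Generated passwords are printed once so they can be placed in the password vault rather than in the architecture document.

```powershell
# Added example (not from the original post): provision the MOSS service accounts.
# Assumptions: ActiveDirectory module available; OU, UPN suffix and the short
# sAMAccountNames are placeholders; sAMAccountName is limited to 20 characters.
Import-Module ActiveDirectory

$ouPath    = "OU=Service Accounts,OU=SharePoint,DC=corp,DC=example"   # assumed OU
$upnSuffix = "corp.example"                                           # assumed DNS domain

$accounts = @(
    @{ Display = "SVC_MOSS-CUST-Install";       Sam = "svc_cust_install"; Purpose = "Setup user account (Phase I and II)" },
    @{ Display = "SVC_MOSS-CUST-FarmAdmin";     Sam = "svc_cust_farm";    Purpose = "Server farm account (Phase II)" },
    @{ Display = "SVC_MOSS-CUST-SspAppPool";    Sam = "svc_cust_ssppool"; Purpose = "SSP admin application pool (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-SspService";    Sam = "svc_cust_sspsvc";  Purpose = "SSP shared web service (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-MySite";        Sam = "svc_cust_mysite";  Purpose = "My Site application pool (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-Crawl";         Sam = "svc_cust_crawl";   Purpose = "Search content access account (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-SearchSvc";     Sam = "svc_cust_search";  Purpose = "WSS search service account (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-ProfileImport"; Sam = "svc_cust_profile"; Purpose = "User profile import account (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-Excel";         Sam = "svc_cust_excel";   Purpose = "Excel Services unattended account (Phase III)" },
    @{ Display = "SVC_MOSS-CUST-Content";       Sam = "svc_cust_content"; Purpose = "Content web application pool (Phase IV)" }
)

# Cryptographically random password over the 94 printable ASCII characters.
# Rejection sampling (discard bytes >= 188) avoids the modulo bias of 256 % 94.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = 33..126 | ForEach-Object { [char]$_ }
    $limit    = $alphabet.Count * [math]::Floor(256 / $alphabet.Count)
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Count]) }
    }
    $sb.ToString()
}

# SAM enforces a 1..20 character logon name and rejects these characters.
function Test-SamAccountName {
    param([string]$Name)
    return ($Name.Length -ge 1 -and $Name.Length -le 20 -and $Name -notmatch '["/\\\[\]:;|=,+*?<>@]')
}

$created = foreach ($a in $accounts) {
    if (-not (Test-SamAccountName $a.Sam)) { throw "Invalid sAMAccountName: $($a.Sam)" }
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        Write-Warning "$($a.Sam) already exists; skipping"
        continue
    }
    $password = New-RandomPassword
    # Never-expiring passwords avoid an unannounced farm outage; rotation is a
    # deliberate runbook step (assumption), not a domain policy surprise.
    New-ADUser -Name $a.Display -DisplayName $a.Display -SamAccountName $a.Sam `
        -UserPrincipalName "$($a.Sam)@$upnSuffix" -Path $ouPath -Description $a.Purpose `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    New-Object PSObject -Property @{ Account = $a.Sam; DisplayName = $a.Display; Password = $password }
}

# Printed once for transfer to the password vault; do not paste into the architecture document.
$created | Format-Table Account, DisplayName, Password -AutoSize
```

Run it once from a workstation with RSAT as a user who can create objects in the target OU; the `Description` attribute carries the purpose and phase so the accounts remain self-documenting in AD long after the install.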
The table below provides additional details for each account:
| Account | Description | Rights |
|---|---|---|
| Install Account SVC_MOSS-CUST-Install | Used to run the MOSS installer. | The following permissions must be configured manually: · Member of the local Administrators group on each front-end server. · Member of the 'sysadmin' role within the SQL Server instance. |
| Farm Administrator Account SVC_MOSS-CUST-FarmAdmin | Gathered in the "Specify Configuration Database Settings" screen of the SharePoint Products and Technologies Configuration Wizard (step 4 in section 2.2.3.1 of the Installation Guide). | You must manually grant this account: · Membership of the local Administrators group on each front-end server. The Configuration Wizard automatically adds it as a SQL Server login and makes it: · Member of the 'dbcreator' and 'securityadmin' server roles within the SQL Server instance. · Member of the 'db_owner' role on all MOSS databases within the instance. It also becomes: · Identity of the SharePoint Central Administration application pool. · Identity of the "Windows SharePoint Services Timer" service. · The only account with write access to the SharePoint configuration database. |
| SSP Admin Process Account SVC_MOSS-CUST-SspAppPool | Gathered in the "Create New Web Application" page for the web application associated with the SSP admin site, reached from the "Create SSP" page. Identity of the application pool for the SSP Admin site. | |
| SSP Services / Shared Web Service Account SVC_MOSS-CUST-SspService | Gathered in the "SSP Service Credentials" section of the "Create SSP" page. Identity of the SSP Shared Web Service application pool. Identity of the search NT service, but not the account used to authenticate when crawling content. | |
| Crawl / Content Access Account SVC_MOSS-CUST-Crawl | Used by both the WSS and MOSS indexers to authenticate to a target data store, internal or external. Within WSS search configuration it is referred to as the "Content Access Account"; within MOSS search configuration it is referred to as the "Farm Search Service Account". It is the identity of the "Office SharePoint Server Search" service (in MOSS the search service account and the crawler account are the same and are not split into two separately configurable accounts as they are in WSS search). It is NOT the same as the SSP process account. | · This is the only account that needs full read access to content. |
| Search Service Account SVC_MOSS-CUST-SearchSvc | The identity of the "Windows SharePoint Services Search" service. Within WSS search configuration it is referred to as the "Service Account". | |
| Content Account SVC_MOSS-CUST-Content | Identity of the content site's (site collection's) application pool. | Granted read access to the config database via the 'WSS_Content_Application_Pools' role. Granted read/write access to its own content database via the 'db_owner' role. Granted read and limited write access to SSP resources. |
| User Profile and Properties Access Account SVC_MOSS-CUST-ProfileImport | Needed to import users from a 3rd-party LDAP directory or another Active Directory domain; specify it as the import connection account in SSP Administration when creating the data connection. | Requires read access to every attribute you want to include in the profile import. |
| Excel Calculation Services Unattended Process Account SVC_MOSS-CUST-Excel | If you need to connect to external data sources with Excel Calculation Services, define this additional account in SSP Administration. By default the SSP process account defined above is used instead. | Requires read/write access to the external data source. |
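Granting the rights from the table above and registering the SPNs that the Kerberos transition mentioned at the top needs, as an added example that is not part of the original post. It assumes the NetBIOS domain CORP, placeholder server names and short logon names, URLs taken from the architecture document, a version of setspn.exe that supports `-S` (Windows Server 2008 or later), and that the caller is already a local administrator on the SharePoint servers and a sysadmin on the SQL instance.

```powershell
# Added example (not from the original post): assign the Install and Farm account rights
# from the table and register HTTP SPNs for the application pool accounts.
# Assumptions: domain CORP, server names, logon names and URLs are placeholders.
$domain      = "CORP"
$webFront    = @("WFE01", "WFE02")
$sqlInstance = "SQL01\MOSS"
$installAcct = "svc_cust_install"
$farmAcct    = "svc_cust_farm"

# Local Administrators on each front-end server: only the Install and Farm accounts need it;
# application pool, crawl and import accounts stay ordinary domain users.
function Add-LocalAdministrator {
    param([string]$Computer, [string]$Domain, [string]$Account)
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.psbase.Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    if ($members -contains $Account) { return "$($Computer): $Account is already a local administrator" }
    $group.Add("WinNT://$Domain/$Account,user")
    return "$($Computer): added $Account to Administrators"
}

# SQL Server roles via parameterized sp_addsrvrolemember (SQL Server 2005/2008, matching MOSS).
# CREATE LOGIN cannot take the name as a parameter, so the fixed login is bracket-quoted.
function Grant-SqlServerRole {
    param([string]$Instance, [string]$Login, [string[]]$Roles)
    $quoted = "[" + $Login.Replace("]", "]]") + "]"
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login) CREATE LOGIN $quoted FROM WINDOWS;"
        [void]$cmd.Parameters.AddWithValue("@login", $Login)
        [void]$cmd.ExecuteNonQuery()
        foreach ($role in $Roles) {
            $cmd.Parameters.Clear()
            $cmd.CommandText = "EXEC sp_addsrvrolemember @loginame = @login, @rolename = @role;"
            [void]$cmd.Parameters.AddWithValue("@login", $Login)
            [void]$cmd.Parameters.AddWithValue("@role", $role)
            [void]$cmd.ExecuteNonQuery()
        }
    } finally { $conn.Close() }
}

foreach ($server in $webFront) {
    foreach ($acct in $installAcct, $farmAcct) {
        Add-LocalAdministrator -Computer $server -Domain $domain -Account $acct
    }
}
# sysadmin is for the installer only; the farm account gets exactly dbcreator and securityadmin.
Grant-SqlServerRole -Instance $sqlInstance -Login "$domain\$installAcct" -Roles "sysadmin"
Grant-SqlServerRole -Instance $sqlInstance -Login "$domain\$farmAcct"    -Roles "dbcreator", "securityadmin"

# Kerberos: one HTTP SPN per host name (short and FQDN) on the application pool account that
# serves that URL. setspn -S refuses to add a duplicate; a duplicate SPN breaks Kerberos for
# both accounts, so prefer -S over -A.
$spnMap = @{
    "svc_cust_content" = @("intranet", "intranet.corp.example")   # assumed URLs from the architecture document
    "svc_cust_mysite"  = @("my", "my.corp.example")
}
foreach ($acct in $spnMap.Keys) {
    foreach ($hostName in $spnMap[$acct]) {
        & setspn.exe -S "HTTP/$hostName" "$domain\$acct"
    }
}
```

Two things to keep in the risk register when you review this: the securityadmin server role can grant server-level permissions and so should be treated as nearly sysadmin-equivalent, which is why the farm account is the only one that receives it; and the Install account's sysadmin membership is only needed during Phases I and II, so remove it once the farm is up.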