Administration Accounts in SharePoint 2010

Many of the SharePoint Server 2010 baseline account permissions and security settings are configured by the SharePoint Configuration Wizard (Psconfig) and the Farm Creation Wizard, both of which are run during a Complete installation.

Setup user administrator account -

This account is used to set up each server in your farm by running The SharePoint Configuration Wizard, the initial Farm Creation Wizard, and Windows PowerShell. For the examples in this article, the setup user administrator account is used for farm administration, and it can be managed using Central Administration. The setup user administrator account requires the following permissions:

It must have domain user account permissions.

It must be a member of the local administrators group on each server in the SharePoint Server 2010 farm, excluding SQL Server and the Simple Mail Transfer Protocol (SMTP) server.


This account must have access to the SharePoint Server 2010databases.


If you use any Windows PowerShell operations that affect a database, the setup user administrator account must be a member of the db_owner role.


This account must be assigned to the securityadmin and dbcreator SQL Server security roles during setup and configuration.

After you run the configuration wizards, machine-level permissions for the setup user administrator account include:

Membership in the WSS_ADMIN_WPG Windows security group.


Membership in the IIS_WPG role.


After you run the configuration wizards, database permissions include:

db_owner on the SharePoint Server 2010 server farm configuration database.


db_owner on the SharePoint Server 2010 Central Administration content database.


Farm service account -

The server farm account is also referred to as the database access account and is used as the application pool identity for Central Administration, and as the process account for the Microsoft SharePoint Foundation 2010 Timer service. The server farm account requires the following permissions:

It must have domain user account permissions.


Additional permissions are automatically granted to the server farm account on Web servers and application servers that are joined to a server farm.

After you run the SharePoint Configuration Wizard, machine-level permissions include:

Membership in the WSS_ADMIN_WPG Windows security group for the SharePoint Foundation 2010 Timer service.


Membership in WSS_RESTRICTED_WPG for the Central Administration and Timer service application pools.


Membership in WSS_WPG for the Central Administration application pool.


After you run the configuration wizards, SQL Server and database permissions include:

Dbcreator fixed server role.


Securityadmin fixed server role.


db_owner for all SharePoint Server 2010 databases.


Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint Server 2010 server farm configuration database.


Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint Server 2010 SharePoint_Admin content database.

0 comments:

Post a Comment

Disclaimer

This is a personal weblog. The opinions expressed here represent my own and not those of my employer or anyone else. Should you have any questions or concerns please e-mail me at sharepointprogrammingblogger@gmail.com .

Copyright (c) 2010 @ myshaepointwork.blogspot.com. All rights are reserved.Do Not Copy.

@ Learning SharePoint.com