We have a 2010 SharePoint farm that we took over from staff that left. We are currently going through a compliance audit of SharePoint accounts that are in the local administrators group, and the main question is: do these accounts still need to be in the administrators group, or is it safe to remove them? Some of these accounts do show up in Central Admin under Monitoring\Configure managed accounts; however, they have no SP components listed with them.
1) ProdInstall – it’s assumed this account was used as the primary SP installation account and it shows up in a few places in the registry but no services or IIS pools are bound to it and no components listed in Central Admin.
2) ProdSuperReader – no clue what this account is for. It shows no components in Central Admin, nor does it have any services or app pools bound to it. Like the account above, it does have a few references in the registry on one or more farm machines.
Bottom line: is it best practice or advisable to remove these accounts from the local administrators group on the farm machines? Yes, I know testing would be a must, but I would like to hear from someone who has experience with this scenario. I am sure I’m not the only one who has a security group that tries to minimize accounts in the local admin group on production servers.
Thanks for any light you can shed on this!
Hi Deron,
It sounds like the first account would just be the setup account, so if no services are tied to this it should be okay to remove. This account may be the owner of some of the databases but you could check this in SQL. You may need to use this account in future for running PowerShell CMDlets or for installing solutions but you could just add this to local admins as needed.
The super reader account will be used by SharePoint’s object cache for publishing features and other optimisations. It should be configured to have full read access to your web application’s user policy in central admin. It’s not a managed account, so it doesn’t need to be listed here and it certainly doesn’t need to be a member of local admins.
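To check the reply's points against the actual farm before touching group membership, here is an added PowerShell audit (not from either poster) that lists every member of the local Administrators group on each SharePoint server alongside what, if anything, in the farm is bound to that identity. It assumes the SharePoint 2010 Management Shell run as a farm administrator who is also a local admin on each server, and that SQL servers appear in Get-SPServer with Role = Invalid.

```powershell
# Added audit script, not from the original thread. Assumes the SharePoint 2010
# Management Shell, farm-admin rights, and local admin on every farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Build the set of identities SharePoint is known to run under or depend on.
$known = @{}
Get-SPManagedAccount | ForEach-Object { $known[$_.UserName.ToLower()] = 'managed account' }
Get-SPServiceApplicationPool | ForEach-Object {
    $known[$_.ProcessAccountName.ToLower()] = "service app pool '$($_.Name)'"
}
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $known[$wa.ApplicationPool.Username.ToLower()] = "IIS app pool for '$($wa.DisplayName)'"
    # Object cache accounts (super user / super reader) are web application
    # properties, not managed accounts, so Configure managed accounts never lists them.
    foreach ($key in 'portalsuperuseraccount', 'portalsuperreaderaccount') {
        $acct = $wa.Properties[$key]
        if ($acct) {
            # Strip the Windows claims prefix so the value compares with DOMAIN\user.
            $acct = ($acct -replace '^i:0#\.w\|', '').ToLower()
            $known[$acct] = "$key on '$($wa.DisplayName)'"
        }
    }
}

# 2. Compare against the local Administrators group on each SharePoint server
#    (Role = Invalid is skipped: that is how SQL servers appear in the farm).
$report = foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    $group = [ADSI]"WinNT://$($server.Address)/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        $use  = $known[$name.ToLower()]
        if (-not $use) { $use = '(no SharePoint binding found)' }
        New-Object PSObject -Property @{ Server = $server.Address; Member = $name; UsedBy = $use }
    }
}

# Members flagged '(no SharePoint binding found)' are the candidates to remove.
# A setup account normally lands there; a super reader that is actually in use
# should instead show up under portalsuperreaderaccount for its web application.
$report | Sort-Object Server, Member | Select-Object Server, Member, UsedBy | Format-Table -AutoSize
```

The database-owner check the reply mentions is outside SharePoint's object model; on the SQL side, `SELECT name, SUSER_SNAME(owner_sid) FROM sys.databases` shows which login owns each content and config database.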