0
0 Comments

In my quest to create a development farm with an organized configuration for least privileged service accounts, I am afraid I created a service account monster. My attempts were to configure a farm that had the right amount of security, based on the least privileged methodology, so that I did not have too few accounts, nor have too many either. What I ended up with, I am afraid, is a spaghetti mess. I hope that the mess can be fixed with a little work, and I would like to air out my dirty laundry in hopes the community can provide constructive feedback so I can learn where I went wrong.

After reading a few blogs on best practices for service accounts I organized my Application Pools, Service Accounts, and Managed Domain Accounts in the following ways:

I created 5 unique Application Pools:

  • Excel_AppPool
  • UPA_AppPool
  • MMS_AppPool
  • SearchService_AppPool
  • SecureStore_AppPool

I created several registered managed domain accounts (maybe too many):

  • setup_dev (server admin account) – used to install SharePoint
  • farm_dev (server admin account) – used for major modifications after install
  • admin_dev (server admin account) – used for everyday maintenance after instal
  • sqlsetup_dev (server admin account) – primary sql account for database creation
  • sqladmin_dev – used by SharePoint for db access
  • sqlssas_dev – used by Analysis Services
  • pool_dev – used as the account for Application Pools (except for the original App Pool)
  • defaultpool_dev – used as the account for the original Application Pool
  • mysitespool_dev – used as the account for My Site Application Pool
  • webapps_dev – used as the account for Web Application
  • search_dev – used as the primary account for Search Service
  • searchquery_dev – used as the account for Search Query
  • searchadmin_dev – used as the admin account for Search Service (not sure if this is necessary)
  • crawl_dev – used as the account to crawl for the Search services
  • content_dev – created a secondary crawl account
  • usersync_dev – used as the account for user synchronization services
  • excel_dev – used as the account for Excel services
  • pps_dev – used as the account for PerformancePoint services
  • access_dev – used as the account for Access services
  • workflow_dev – used as the account for workflows
  • services_dev – used as the default services account when no specific account is already assigned

Service Accounts:

  • Farm Account
    • using farm_dev account
  • Windows Service – Claims to Windows Token Service
    • using Local System account
  • Windows Service – Distributed Cache
    • using setup_dev account
  • Windows Service – Document Conversions Launcher Service
    • using Local System account
  • Windows Service – Document Conversions Load Balancer Service
    • using Local System account
  • Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
    • using setup_dev account
  • Windows Service – Search Host Controller Services
    • using setup_dev account
  • Windows Service – SharePoint Server Search
    • using sqladmin_dev account
  • Windows Service – User Profile Synchronization Service
    • using farm_dev account
  • Web Application Pool – DevFarmAppPool
    • using pool_dev account
  • Web Application Pool – MySiteAppPool
    • using mysitespool_dev account
  • Service Application Pool – Excel_AppPool
    • using pool_dev account
  • Service Application Pool – SecurityTokenServiceApplicationPool
    • using setup_dev account
  • Service Application Pool – SharePoint Web Services System
    • using setup_dev account
  • Service Application Pool – UPA_AppPool
    • using pool_dev account
  • Service Application Pool – MMS_AppPool
    • using pool_dev account
  • Service Application Pool – SearchService_AppPool
    • using search_dev account
  • Service Application Pool – SecureStore_AppPool
    • using pool_dev account

I have been getting some inconsistent behavior in the farm and I think it is due to the configuration and setup of the service accounts and the management of the managed domain accounts. Two specific issues are related to search and the other is user permissions and security.

Thank you for any feedback,

Alex

 

(Visited 52 times, 1 visits today)
Add a Comment