In my quest to create a development farm with an organized configuration for least privileged service accounts, I am afraid I created a service account monster. My attempts were to configure a farm that had the right amount of security, based on the least privileged methodology, so that I did not have too few accounts, nor have too many either. What I ended up with, I am afraid, is a spaghetti mess. I hope that the mess can be fixed with a little work, and I would like to air out my dirty laundry in hopes the community can provide constructive feedback so I can learn where I went wrong.
After reading a few blogs on best practices for service accounts I organized my Application Pools, Service Accounts, and Managed Domain Accounts in the following ways:
I created 5 unique Application Pools:
- Excel_AppPool
- UPA_AppPool
- MMS_AppPool
- SearchService_AppPool
- SecureStore_AppPool
I created several registered managed domain accounts (maybe too many):
- setup_dev (server admin account) – used to install SharePoint
- farm_dev (server admin account) – used for major modifications after install
- admin_dev (server admin account) – used for everyday maintenance after install
- sqlsetup_dev (server admin account) – primary SQL account for database creation
- sqladmin_dev – used by SharePoint for db access
- sqlssas_dev – used by Analysis Services
- pool_dev – used as the account for Application Pools (except for the original App Pool)
- defaultpool_dev – used as the account for the original Application Pool
- mysitespool_dev – used as the account for My Site Application Pool
- webapps_dev – used as the account for Web Application
- search_dev – used as the primary account for Search Service
- searchquery_dev – used as the account for Search Query
- searchadmin_dev – used as the admin account for Search Service (not sure if this is necessary)
- crawl_dev – used as the account to crawl for the Search services
- content_dev – created a secondary crawl account
- usersync_dev – used as the account for user synchronization services
- excel_dev – used as the account for Excel services
- pps_dev – used as the account for PerformancePoint services
- access_dev – used as the account for Access services
- workflow_dev – used as the account for workflows
- services_dev – used as the default services account when no specific account is already assigned
Service Accounts:
- Farm Account
  - using farm_dev account
- Windows Service – Claims to Windows Token Service
  - using Local System account
- Windows Service – Distributed Cache
  - using setup_dev account
- Windows Service – Document Conversions Launcher Service
  - using Local System account
- Windows Service – Document Conversions Load Balancer Service
  - using Local System account
- Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
  - using setup_dev account
- Windows Service – Search Host Controller Services
  - using setup_dev account
- Windows Service – SharePoint Server Search
  - using sqladmin_dev account
- Windows Service – User Profile Synchronization Service
  - using farm_dev account
- Web Application Pool – DevFarmAppPool
  - using pool_dev account
- Web Application Pool – MySiteAppPool
  - using mysitespool_dev account
- Service Application Pool – Excel_AppPool
  - using pool_dev account
- Service Application Pool – SecurityTokenServiceApplicationPool
  - using setup_dev account
- Service Application Pool – SharePoint Web Services System
  - using setup_dev account
- Service Application Pool – UPA_AppPool
  - using pool_dev account
- Service Application Pool – MMS_AppPool
  - using pool_dev account
- Service Application Pool – SearchService_AppPool
  - using search_dev account
- Service Application Pool – SecureStore_AppPool
  - using pool_dev account
I have been getting some inconsistent behavior in the farm and I think it is due to the configuration and setup of the service accounts and the management of the managed domain accounts. Two specific issues are related to search and the other is user permissions and security.
Thank you for any feedback,
Alex
I think the following revised list is a streamlined version of what I had before. Do you think this will work?
- Web Application Pool (content sites) = Default_AppPool\pool_dev (account)
- Web Application Pool (My Sites) = MySites_AppPool\pool_dev (account)
- Application Pool (admin rights) = FarmAdmin_AppPool\admin_dev (account)
- Application Pool (services) = Services_AppPool\services_dev (account)
- Application Pool (apps) = Apps_AppPool\apps_dev (account)
- Service Application (search) = using search_dev (account)
- Service Application (upss) = using farm_dev (account)
Domain Accounts:
- sqlsetup_dev = account to install SQL server
- sqladmin_dev = account SP uses
- farm_dev = farm account
- setup_dev = account used to install SP binaries
- admin_dev = elevated rights account
- apps_dev = account for app model apps
- services_dev = account for running services (without admin rights)
- superreader
- superuser
- uservices_dev = unattended account
- uadmin_dev = unattended account (admin rights)
- search_dev = account running Search SA
- content_dev = Search Default Content Access
- pool_dev = account running all Web App Pools
- usersync_dev = UPSS Connection
I have reduced the quantity of Application Pools and managed accounts. Plus, I also organized the association of the domain accounts with their SA’s better. I think my previous listing was too confusing. Will this config/setup work or do I still need to minimize the accounts?
Thank you,
Alex
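An added inventory script, not from Alex's posts: run from the SharePoint Management Shell on a farm server (it assumes the Microsoft.SharePoint.PowerShell snap-in is available), it collects the identity behind every web application pool, service application pool and SharePoint-managed Windows service, groups them by account so an account reused across several roles (the setup_dev and farm_dev pattern in the first list) stands out, and lists any identity in use that is not a registered managed account. The `Kind` labels are the script's own, not SharePoint terminology.

```powershell
# Assumption: executed in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rows = @()

# Web application pools (content web apps, My Sites, Central Administration)
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $rows += [pscustomobject]@{
        Kind    = 'WebAppPool'
        Name    = $wa.ApplicationPool.Name
        Account = $wa.ApplicationPool.Username
    }
}

# Service application pools (Excel, UPA, MMS, Search, Secure Store, ...)
foreach ($pool in Get-SPServiceApplicationPool) {
    $rows += [pscustomobject]@{
        Kind    = 'ServiceAppPool'
        Name    = $pool.Name
        Account = $pool.ProcessAccountName
    }
}

# Windows services whose identity SharePoint manages (Distributed Cache, Search, Sandboxed Code, ...)
$winServices = Get-SPService | Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] }
foreach ($svc in $winServices) {
    $rows += [pscustomobject]@{
        Kind    = 'WindowsService'
        Name    = $svc.TypeName
        Account = $svc.ProcessIdentity.Username
    }
}

# Full picture: which account runs what
$rows | Sort-Object Account, Kind, Name | Format-Table -AutoSize

# Accounts that appear in more than one role kind (pool identity that also runs a Windows service, etc.)
$rows | Group-Object Account | ForEach-Object {
    $kinds = $_.Group | Select-Object -ExpandProperty Kind -Unique
    if ($kinds.Count -gt 1) {
        $uses = ($_.Group | ForEach-Object { "$($_.Kind)/$($_.Name)" }) -join ', '
        "{0} is reused across: {1}" -f $_.Name, $uses
    }
}

# Identities in use that are not registered managed accounts (built-in identities such as Local System show up here)
$managed = Get-SPManagedAccount | Select-Object -ExpandProperty UserName
$rows | Where-Object { $_.Account -and ($managed -notcontains $_.Account) } | Sort-Object Account | Format-Table -AutoSize
```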