In my quest to create a development farm with an organized configuration for least privileged service accounts, I am afraid I created a service account monster. My attempts were to configure a farm that had the right amount of security, based on the least privileged methodology, so that I did not have too few accounts, nor have too many either. What I ended up with, I am afraid, is a spaghetti mess. I hope that the mess can be fixed with a little work, and I would like to air out my dirty laundry in hopes the community can provide constructive feedback so I can learn where I went wrong.
After reading a few blogs on best practices for service accounts I organized my Application Pools, Service Accounts, and Managed Domain Accounts in the following ways:
I created 5 unique Application Pools:
- Excel_AppPool
- UPA_AppPool
- MMS_AppPool
- SearchService_AppPool
- SecureStore_AppPool
I created several registered managed domain accounts (maybe too many):
- setup_dev (server admin account) – used to install SharePoint
- farm_dev (server admin account) – used for major modifications after install
- admin_dev (server admin account) – used for everyday maintenance after install
- sqlsetup_dev (server admin account) – primary SQL account for database creation
- sqladmin_dev – used by SharePoint for db access
- sqlssas_dev – used by Analysis Services
- pool_dev – used as the account for Application Pools (except for the original App Pool)
- defaultpool_dev – used as the account for the original Application Pool
- mysitespool_dev – used as the account for My Site Application Pool
- webapps_dev – used as the account for Web Application
- search_dev – used as the primary account for Search Service
- searchquery_dev – used as the account for Search Query
- searchadmin_dev – used as the admin account for Search Service (not sure if this is necessary)
- crawl_dev – used as the account to crawl for the Search services
- content_dev – created a secondary crawl account
- usersync_dev – used as the account for user synchronization services
- excel_dev – used as the account for Excel services
- pps_dev – used as the account for PerformancePoint services
- access_dev – used as the account for Access services
- workflow_dev – used as the account for workflows
- services_dev – used as the default services account when no specific account is already assigned
Service Accounts:
- Farm Account
  - using farm_dev account
- Windows Service – Claims to Windows Token Service
  - using Local System account
- Windows Service – Distributed Cache
  - using setup_dev account
- Windows Service – Document Conversions Launcher Service
  - using Local System account
- Windows Service – Document Conversions Load Balancer Service
  - using Local System account
- Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
  - using setup_dev account
- Windows Service – Search Host Controller Service
  - using setup_dev account
- Windows Service – SharePoint Server Search
  - using sqladmin_dev account
- Windows Service – User Profile Synchronization Service
  - using farm_dev account
- Web Application Pool – DevFarmAppPool
  - using pool_dev account
- Web Application Pool – MySiteAppPool
  - using mysitespool_dev account
- Service Application Pool – Excel_AppPool
  - using pool_dev account
- Service Application Pool – SecurityTokenServiceApplicationPool
  - using setup_dev account
- Service Application Pool – SharePoint Web Services System
  - using setup_dev account
- Service Application Pool – UPA_AppPool
  - using pool_dev account
- Service Application Pool – MMS_AppPool
  - using pool_dev account
- Service Application Pool – SearchService_AppPool
  - using search_dev account
- Service Application Pool – SecureStore_AppPool
  - using pool_dev account
I have been getting some inconsistent behavior in the farm and I think it is due to the configuration and setup of the service accounts and the management of the managed domain accounts. There are two specific issues: one is related to search and the other to user permissions and security.
Thank you for any feedback,
Alex
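Before deciding which accounts to cut, it helps to see from the farm itself which identity actually runs what. The following script is an added example for this thread (it is not Alex's script and not something that ships with SharePoint). It runs in the SharePoint 2013 Management Shell on a farm server, lists the identity behind every web application pool, service application pool and SharePoint-related Windows service, and then flags identities that are both shared across several roles and members of the server's local Administrators group, which is exactly the pattern (setup_dev and farm_dev running Windows services and service application pools) that the list above shows. The Windows service names are assumptions based on a default SharePoint 2013 install.

```powershell
# Added example: inventory of which identity runs each SharePoint component.
# Assumes the SharePoint 2013 Management Shell on a farm server with rights to
# read the farm. Service names below are assumed defaults for SharePoint 2013.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rows = New-Object System.Collections.Generic.List[object]

function Add-Row([string]$role, [string]$name, [string]$account) {
    $script:rows.Add([pscustomobject]@{ Role = $role; Name = $name; Account = $account })
}

# 1. Web application pools (content sites, My Sites, Central Administration)
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Add-Row 'Web App Pool' $wa.ApplicationPool.Name $wa.ApplicationPool.Username
}

# 2. Service application pools (Excel, UPA, MMS, Search, Secure Store, STS, ...)
foreach ($pool in Get-SPServiceApplicationPool) {
    Add-Row 'Service App Pool' $pool.Name $pool.ProcessAccountName
}

# 3. Windows services that SharePoint installs (assumed service names)
$spServices = 'SPTimerV4', 'SPAdminV4', 'SPUserCodeV4', 'SPSearchHostController',
              'OSearch15', 'c2wts', 'AppFabricCachingService', 'FIMService',
              'FIMSynchronizationService', 'DCLauncher15', 'DCLoadBalancer15'
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $spServices -contains $_.Name }) {
    Add-Row 'Windows Service' $svc.DisplayName $svc.StartName
}

# Members of the local Administrators group on this server (SAM names, no domain)
$localAdmins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

# Summarise per identity: distinct roles, number of uses, local admin membership
$report = $rows | Group-Object Account | ForEach-Object {
    $sam     = ($_.Name -split '\\')[-1]
    $isAdmin = $localAdmins -contains $sam
    $roles   = ($_.Group | Select-Object -ExpandProperty Role -Unique) -join ', '
    $flag    = ''
    if ($isAdmin -and $_.Count -gt 1) { $flag = 'REVIEW: local admin identity shared across roles' }
    elseif ($isAdmin)                 { $flag = 'local admin' }
    [pscustomobject]@{
        Account    = $_.Name
        Roles      = $roles
        Uses       = $_.Count
        LocalAdmin = $isAdmin
        Flag       = $flag
    }
}

$rows   | Sort-Object Account, Role | Format-Table -AutoSize
$report | Sort-Object Uses -Descending | Format-Table -AutoSize
```

The second table is the one to read: any identity whose Flag column says REVIEW is a server-admin account doing non-admin work (a service application pool or the Distributed Cache service, for example), which is where a least-privilege cleanup should start. Run it on each server in the farm, since local Administrators membership is per machine.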
“It depends”. Yes, of course the config will work. If it works for your environment, go for it. Is it the absolute minimum? No.
I think the following revised list is a streamlined version of what I had before. Do you think this will work?
- Web Application Pool (content sites) = Default_AppPool\pool_dev (account)
- Web Application Pool (My Sites) = MySites_AppPool\pool_dev (account)
- Application Pool (admin rights) = FarmAdmin_AppPool\admin_dev (account)
- Application Pool (services) = Services_AppPool\services_dev (account)
- Application Pool (apps) = Apps_AppPool\apps_dev (account)
- Service Application (search) = using search_dev (account)
- Service Application (UPSS) = using farm_dev (account)
Domain Accounts:
- sqlsetup_dev = account to install SQL server
- sqladmin_dev = account SP uses
- farm_dev = farm account
- setup_dev = account used to install SP binaries
- admin_dev = elevated rights account
- apps_dev = account for app model apps
- services_dev = account for running services (without admin rights)
- superreader
- superuser
- uservices_dev = unattended account
- uadmin_dev = unattended account (admin rights)
- search_dev = account running Search SA
- content_dev = Search Default Content Access
- pool_dev = account running all Web App Pools
- usersync_dev = UPSS Connection
I have reduced the quantity of Application Pools and managed accounts. I also organized the association of the domain accounts with their SAs better. I think my previous listing was too confusing. Will this config/setup work or do I still need to minimize the accounts?
Thank you,
Alex
Alex, based on what info we’ve given you so far, along with the other resources, do you have a revised list of accounts you feel you want to have?
One of my original guides for the creation of these accounts was Todd Klindt’s blog http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=391 named “Service Account Suggestions for SharePoint 2013”. In my attempt to implement Todd’s suggestions, do you see that I strayed way off the path of what he suggested? I am also using Andreas Glaser’s admin guides http://sharepoint-tutorial.net/page/sharepoint-training.aspx to try and get the right balance of SAs and application pools, etc., and matching those up with Trevor and Vlad’s recommendations. So out of the 4 sources: Trevor, Vlad, Todd, and Andreas, I am trying to cut all extra Web App Pools, SA App Pools, SAs, and domain accounts and consolidate into a simplistic design for easy management.
Say I remove some App Pools and consolidate them into 1 or 2 App Pools. That will help on performance, right? Could some of the issues I am having be caused by the use of the accounts and not using the right account for the proper SA (is it possible to determine that with the data I’ve given)?
Thanks again for your help.
Alex
Accounts I’d use…
- C2WTS – Runs Claims to Windows Token Service (requires Local Admin and a few other elevated rights)
- Farm Administrator – Farm Admin
- Service App Pool – Runs non-elevated Service Applications
- Farm Service App Pool – Runs elevated Service Applications (like I pointed out above, Word/PowerPoint, and others)
- Web App Pool – Runs Web Applications
- Crawl – Crawls content
- SU – Super User
- SR – Super Reader
- Sync – For UPSS Sync connections
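The account set in the reply above maps to a short provisioning script. The following is an added example for this thread, not the replier's script and not anything shipped with SharePoint: it registers one managed account per role in that list (the farm account already exists from the configuration wizard, so it is skipped), creates the two service application pools (elevated and non-elevated) instead of one pool per service application, and wires the Super User and Super Reader accounts into an existing web application with the matching web application policies. The domain name, the svc_* account names and the web application URL are assumptions; change them before running.

```powershell
# Added example: provision the account layout from the reply above.
# Assumes the SharePoint 2013 Management Shell, an existing web application,
# and that the domain, account names and URL below are replaced with real ones.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain    = 'CONTOSO'                        # assumed
$webAppUrl = 'http://intranet.contoso.local'  # assumed existing web application

# One managed account per role in the reply (assumed account names).
# C2WTS is not registered here because the reply notes it needs local admin rights,
# which should be granted per server rather than through a managed account.
$roles = @{
    'svc_serviceapps'     = 'Service App Pool (non-elevated service applications)'
    'svc_farmserviceapps' = 'Farm Service App Pool (elevated service applications)'
    'svc_webapps'         = 'Web App Pool (web applications)'
    'svc_crawl'           = 'Crawl (default content access)'
    'svc_superuser'       = 'SU (object cache super user)'
    'svc_superreader'     = 'SR (object cache super reader)'
    'svc_upsync'          = 'Sync (UPSS synchronization connection)'
}

function Register-IfMissing([string]$sam) {
    $logon    = "$domain\$sam"
    $existing = Get-SPManagedAccount | Where-Object { $_.UserName -eq $logon }
    if ($existing) { return $existing }
    # Prompting keeps the password out of the script file
    return New-SPManagedAccount -Credential (Get-Credential -UserName $logon -Message $roles[$sam])
}

$managed = @{}
foreach ($sam in $roles.Keys) { $managed[$sam] = Register-IfMissing $sam }

# Two service application pools: non-elevated services and elevated (farm) services
$pools = @(
    @{ Name = 'Services_AppPool';     Account = 'svc_serviceapps' },
    @{ Name = 'FarmServices_AppPool'; Account = 'svc_farmserviceapps' }
)
foreach ($pool in $pools) {
    if (-not (Get-SPServiceApplicationPool -Identity $pool.Name -ErrorAction SilentlyContinue)) {
        New-SPServiceApplicationPool -Name $pool.Name -Account $managed[$pool.Account] | Out-Null
    }
}

# Super User / Super Reader: object-cache properties plus Full Control / Full Read policies
$wa = Get-SPWebApplication $webAppUrl
$su = "$domain\svc_superuser"
$sr = "$domain\svc_superreader"
$wa.Properties['portalsuperuseraccount']   = "i:0#.w|$su"
$wa.Properties['portalsuperreaderaccount'] = "i:0#.w|$sr"
foreach ($entry in @(@($su, 'FullControl'), @($sr, 'FullRead'))) {
    $principal = New-SPClaimsPrincipal -Identity $entry[0] -IdentityType WindowsSamAccountName
    $policy    = $wa.Policies.Add($principal.ToEncodedString(), $entry[0])
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole($entry[1]))
}
$wa.Update()
```

Re-running the script is safe: managed accounts and pools that already exist are reused rather than recreated. The Super Reader policy is Full Read only, so that account cannot be used to change content even though it is present on every web application.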