Service accounts are an important part of installing any version of SharePoint. Let's take a look at the SharePoint 2016 service accounts that I recommend and have used.
| Account | Description | Local / Application Permissions | Local Security Policy (User Rights Assignment) |
|---|---|---|---|
| SP_Admin | Used to install and configure the SharePoint farm initially. After the initial setup, grant farm administrator rights to your SharePoint administrators' own accounts so they can log in and manage SharePoint without sharing this one. | Domain User; Local Administrator on the SharePoint servers; member of the SQL Server roles dbcreator and securityadmin | Back up files and directories; Debug programs; Manage auditing and security log; Restore files and directories; Take ownership of files or other objects |
| SP_Farm | Runs the SharePoint Timer Service and the SharePoint Administration Service. | Domain User; member of the SQL Server roles dbcreator and securityadmin | Allow log on locally; Adjust memory quotas for a process; Impersonate a client after authentication; Log on as a batch job; Log on as a service; Replace a process level token |
| SP_Services | Runs the application pool for most of your service applications. Some service applications require more rights and should get a dedicated service account; those are covered further down in this post. | Domain User | Adjust memory quotas for a process; Log on as a batch job; Log on as a service; Replace a process level token; Impersonate a client after authentication |
| SP_Pool | Runs the application pool for your web applications. | Domain User | Impersonate a client after authentication; Log on as a batch job; Log on as a service |
| SP_Crawl | The default content access account for the Search Service Application. This account is used to crawl the content of your SharePoint web applications. | Domain User; Read access on all your web applications (granted automatically when it is set as the default content access account) | (none) |
| SP_Sync | Used to synchronize profiles between Active Directory and SharePoint Server 2016. | Domain User; needs the "Replicate Directory Changes" permission in Active Directory (see the separate tutorial) | (none) |
| SP_C2WTS | Runs the Claims to Windows Token Service (C2WTS). | Domain User; Local Administrator on all SharePoint servers running the C2WTS service | Act as part of the operating system; Impersonate a client after authentication; Log on as a service |
| SP_SuperUser | Object cache account (Super User). Must never be used to log in to the site. | Domain User; Full Control on your web applications (web application user policy) | (none) |
| SP_SuperReader | Object cache account (Super Reader). Must never be used to log in to the site. | Domain User; Full Read on your web applications (web application user policy) | (none) |
| SP_SQLAdmin | Used to install and configure SQL Server initially. After the initial setup, grant SQL administrator rights to your SQL administrators' own accounts so they can log in and manage SQL Server without sharing this one. | Domain User; Local Administrator on the SQL Server | Back up files and directories; Debug programs; Manage auditing and security log; Restore files and directories; Take ownership of files or other objects |
| SP_SQLEngine | Runs the SQL Server Database Engine service. | Domain User | Log on as a service; Replace a process level token; Bypass traverse checking; Adjust memory quotas for a process; Perform volume maintenance tasks (only if you want to enable Instant File Initialization) |
| SP_SQLAgent | Runs the SQL Server Agent service. | Domain User | Log on as a service; Replace a process level token; Bypass traverse checking; Adjust memory quotas for a process |
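To provision the accounts from the table in one go, here is an added PowerShell example (not from the original post). It creates each account in a dedicated OU with the description from the table, prompts for every password instead of hard-coding it, and sets the usual service-account flags. The OU path and domain name are assumptions; change them to match your environment.

```powershell
# Added example: create the SharePoint 2016 service accounts from the table above.
# Run on a machine with the ActiveDirectory RSAT module, as a user allowed to
# create users in the target OU.
Import-Module ActiveDirectory

$ou     = 'OU=SharePoint Service Accounts,DC=contoso,DC=local'   # assumption
$domain = 'contoso.local'                                        # assumption

# Account name -> description, taken from the table
$accounts = [ordered]@{
    'SP_Admin'       = 'SharePoint 2016 setup / initial farm install account'
    'SP_Farm'        = 'SharePoint Timer and Administration service account'
    'SP_Services'    = 'Service application pool account'
    'SP_Pool'        = 'Web application pool account'
    'SP_Crawl'       = 'Search default content access account'
    'SP_Sync'        = 'User Profile synchronization account'
    'SP_C2WTS'       = 'Claims to Windows Token Service account'
    'SP_SuperUser'   = 'Object cache Super User (never log in with this account)'
    'SP_SuperReader' = 'Object cache Super Reader (never log in with this account)'
    'SP_SQLAdmin'    = 'SQL Server setup / initial admin account'
    'SP_SQLEngine'   = 'SQL Server Database Engine service account'
    'SP_SQLAgent'    = 'SQL Server Agent service account'
}

foreach ($name in $accounts.Keys) {
    # Idempotent: skip accounts that already exist in the OU
    if (Get-ADUser -Filter "SamAccountName -eq '$name'" -SearchBase $ou) {
        Write-Host "$name already exists, skipping"
        continue
    }

    # Prompt for each password so no secret ends up in the script or in history
    $password = Read-Host -AsSecureString "Password for $name"

    New-ADUser -Name $name `
        -SamAccountName $name `
        -UserPrincipalName "$name@$domain" `
        -Description $accounts[$name] `
        -Path $ou `
        -AccountPassword $password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -ChangePasswordAtLogon $false

    Write-Host "Created $domain\$name"
}
```

`PasswordNeverExpires` keeps the farm from breaking when a domain password policy would otherwise expire a service account, but it also means nothing will ever force a rotation; keep these passwords in a vault and rotate them on your own schedule through Central Administration's managed accounts.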
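Once the accounts exist, the "Local Security Policy" column is the part that is easiest to get wrong on an individual server, because the rights are assigned per machine. Here is an added PowerShell audit script (not from the original post) that exports the local policy with `secedit`, parses the `[Privilege Rights]` section, and reports for each account whether every right the table expects is present, either granted directly or through membership in the local Administrators group (which is how SP_Admin and SP_SQLAdmin get theirs). The NetBIOS domain name is an assumption; run the script elevated on each SharePoint server, and on the SQL Server for the SQL accounts.

```powershell
# Added example: audit User Rights Assignment on this server against the table.
# Run elevated; secedit needs administrative rights to export the local policy.
param([string]$Domain = 'CONTOSO')   # assumption: NetBIOS name of your domain

# Right as shown in the table -> privilege constant used by secedit
$privilegeNames = @{
    'Allow log on locally'                      = 'SeInteractiveLogonRight'
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
    'Act as part of the operating system'       = 'SeTcbPrivilege'
    'Back up files and directories'             = 'SeBackupPrivilege'
    'Restore files and directories'             = 'SeRestorePrivilege'
    'Debug programs'                            = 'SeDebugPrivilege'
    'Manage auditing and security log'          = 'SeSecurityPrivilege'
    'Take ownership of files or other objects'  = 'SeTakeOwnershipPrivilege'
    'Bypass traverse checking'                  = 'SeChangeNotifyPrivilege'
    'Perform volume maintenance tasks'          = 'SeManageVolumePrivilege'
}

# Expected rights per account, copied from the table
$adminRights = 'Back up files and directories','Debug programs','Manage auditing and security log','Restore files and directories','Take ownership of files or other objects'
$expected = @{
    'SP_Admin'    = $adminRights
    'SP_Farm'     = 'Allow log on locally','Adjust memory quotas for a process','Impersonate a client after authentication','Log on as a batch job','Log on as a service','Replace a process level token'
    'SP_Services' = 'Adjust memory quotas for a process','Log on as a batch job','Log on as a service','Replace a process level token','Impersonate a client after authentication'
    'SP_Pool'     = 'Impersonate a client after authentication','Log on as a batch job','Log on as a service'
    'SP_C2WTS'    = 'Act as part of the operating system','Impersonate a client after authentication','Log on as a service'
    'SP_SQLAdmin' = $adminRights
    'SP_SQLEngine'= 'Log on as a service','Replace a process level token','Bypass traverse checking','Adjust memory quotas for a process'
    'SP_SQLAgent' = 'Log on as a service','Replace a process level token','Bypass traverse checking','Adjust memory quotas for a process'
}

# Export the effective local policy and parse the user-rights lines.
# Each line looks like:  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
foreach ($account in $expected.Keys) {
    $nt = New-Object System.Security.Principal.NTAccount("$Domain\$account")
    try   { $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { Write-Warning "$Domain\$account could not be resolved on this server"; continue }

    # Rights held by local Administrators count if the account is a member
    $isLocalAdmin = $null -ne (Get-LocalGroupMember -SID $adminsSid | Where-Object { $_.SID.Value -eq $sid })

    foreach ($right in $expected[$account]) {
        $holders = $rights[$privilegeNames[$right]]
        $granted = ($holders -contains $sid) -or
                   ($holders -contains "$Domain\$account") -or
                   ($isLocalAdmin -and ($holders -contains $adminsSid))
        $status = if ($granted) { 'OK     ' } else { 'MISSING' }
        Write-Output "$status  $account : $right"
    }
}
```

A MISSING line for SP_SQLEngine or SP_SQLAgent on a SharePoint server is expected; those accounts only matter on the SQL Server. Everything else that reports MISSING should be granted in `secpol.msc` (or the GPO that targets the server) before you run the SharePoint Products Configuration Wizard, since the farm account and application pool accounts fail to start their services without "Log on as a service".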