
Plan for administrative and service accounts (Windows SharePoint Services)

Updated: 2009-04-23

In this article:

● About administrative and service accounts

● Single server standard requirements

● Server farm standard requirements

● Least-privilege administration requirements when using domain user accounts

● Least-privilege administration requirements when using SQL authentication

● Least-privilege administration requirements when connecting to pre-created databases

● Technical reference: Account requirements by scenario

This article describes the accounts that you must plan for and the deployment scenarios that affect account requirements.

Use this article with the following planning tool: Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ]. This planning tool lists the requirements for each account based on the deployment scenario. The requirements are also listed in the Technical reference: Account requirements by scenario section of this article.

The account requirements detail the specific permissions that you need to grant prior to running Setup. In some cases, additional permissions that are automatically granted by running Setup are noted in the planning tool.

This article does not describe the security roles and permissions required to administer Windows SharePoint Services 3.0. For more information, see Plan for security roles (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288186(office.12).aspx ].

About administrative and service accounts

This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope. If an account has a limited scope, you might need to plan multiple accounts for this category.

After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites. For example, do not use the same account that is used to run Setup to perform administration tasks: that account is a member of the local Administrators group on every server it installed and, in a server farm, holds the securityadmin and dbcreator server roles on SQL Server, which is far more than day-to-day administration or browsing needs.

Source: http://technet.microsoft.com/en-us/library/cc288210(office.12,printer).aspx (printed 7/20/2010 4:38:29 AM)


Server farm-level accounts

The following table describes the accounts that are used to configure Microsoft SQL Server database software and to install Windows SharePoint Services 3.0.

Account: SQL Server service account
Purpose: SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:

● MSSQLSERVER

● SQLSERVERAGENT

If you are not using the default instance, these services are shown as:

● MSSQL$InstanceName

● SQLAgent$InstanceName

Account: Setup user account
Purpose: The user account that is used to run:

● Setup on each server computer

● The SharePoint Products and Technologies Configuration Wizard

● The Psconfig command-line tool

● The Stsadm command-line tool

Account: Server farm account
Purpose: This account is also referred to as the database access account. This account is:

● The application pool identity for the SharePoint Central Administration Web site.

● The process account for the Windows SharePoint Services Timer service.

Windows SharePoint Services Search accounts

The following table describes the accounts that are used to set up and configure Windows SharePoint Services Search.

Account: Windows SharePoint Services Search service account
Purpose: Used as the service account for the Windows SharePoint Services Search service. There is one instance of this service on each search server. Typically, a server farm includes only one search server.

Account: Windows SharePoint Services Search content access account
Purpose: Used by the Windows SharePoint Services Search application server role to crawl content across sites. Plan for multiple accounts if the server farm includes multiple search server computers. This is not common.

Additional application pool identity accounts


If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool you plan to implement.

Account: Application pool identity
Purpose: The user account that the worker processes that service the application pool use as their process identity. This account is used to access the content databases associated with the Web applications that reside in the application pool.

Single server standard requirements

If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Server farm standard requirements

If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment. For a more secure environment, consider using the least-privilege administration requirements with domain user accounts.

For a list of standard requirements for server farm environments, see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:

● SharePoint_Config database (configuration database)

● SharePoint_AdminContent database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:


● proc_dropEmailEnabledList

● proc_dropEmailEnabledListsByWeb

● proc_dropSiteMap

● proc_markForDeletionEmailEnabledList

● proc_markForDeletionEmailEnabledListsBySite

● proc_markForDeletionEmailEnabledListsByWeb

● proc_putDistributionListToDelete

● proc_putEmailEnabledList

● proc_putSiteMap
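A database administrator who wants to confirm what Setup actually granted, rather than trust the list above, can read the grants back from the catalog views. The following PowerShell script is an added example for this article, not code from Windows SharePoint Services or from Microsoft. It assumes that sqlcmd.exe from the SQL Server 2005 client tools is on the path, that the caller's Windows login can read metadata in the two databases, and a SQL Server 2005 instance (the sys.database_permissions and sys.database_role_members views it queries do not exist in SQL Server 2000). The server name and the two database names are assumed defaults and are parameters.

```powershell
# Added example (not from the article): list the members of the
# WSS_Content_Application_Pools database role and the explicit object
# permissions granted to it, so a DBA can compare them with the stored
# procedures and the dbo.Versions table named in the article.
# Assumes sqlcmd.exe, SQL Server 2005 catalog views and Windows authentication.
param(
    [string]$SqlServer = "SQL01",                                     # assumed
    [string[]]$Databases = @("SharePoint_Config", "SharePoint_AdminContent")
)

$role = "WSS_Content_Application_Pools"

# Members of the role. Only application pool identity accounts belong here;
# any other principal is a finding.
$membersSql = @"
SET NOCOUNT ON;
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'$role'
ORDER BY m.name;
"@

# Object-level grants made to the role (class 1 = object or column).
# Expected: EXECUTE on the proc_* stored procedures listed in the article and,
# in SharePoint_AdminContent only, SELECT on dbo.Versions.
$permsSql = @"
SET NOCOUNT ON;
SELECT p.state_desc, p.permission_name,
       s.name + N'.' + o.name AS object_name, o.type_desc
FROM sys.database_permissions p
JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id
JOIN sys.objects o ON p.major_id = o.object_id
JOIN sys.schemas s ON o.schema_id = s.schema_id
WHERE dp.name = N'$role' AND p.class = 1
ORDER BY o.type_desc, object_name, p.permission_name;
"@

# Runs a T-SQL script against one database through sqlcmd. The script goes
# through a temporary file so that quoting on the command line is not an issue.
function Invoke-SqlScript([string]$Database, [string]$Sql) {
    $file = [IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value $Sql
        & sqlcmd -S $SqlServer -E -d $Database -b -W -s "|" -i $file
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed against $Database" }
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

foreach ($db in $Databases) {
    Write-Host "== $db : members of $role =="
    Invoke-SqlScript -Database $db -Sql $membersSql
    Write-Host "== $db : permissions granted to $role =="
    Invoke-SqlScript -Database $db -Sql $permsSql
}
```

Anything outside the documented set, for example a GRANT on a table other than dbo.Versions or a role member that is not an application pool identity, was not put there by Setup and is worth a question to whoever changed it.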

Least-privilege administration requirements when using domain user accounts

Least privilege administration is a recommended security practice in which each service or user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This means that each service is granted access to only the resources that are necessary to its purpose. The minimum requirements to achieve this design goal include the following:

● Separate accounts are used for different services and processes.

● No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise your environment: a compromised service yields only that service's permissions, not those of the whole farm.

Least privilege administration with domain user accounts is the recommended configuration for mostenvironments.

For a list of least privilege administration requirements with domain user accounts, see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.
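The two minimum requirements above are easy to state and easy to drift away from as a farm grows. The following PowerShell script is an added example, not part of this article or of Windows SharePoint Services; it audits the servers of a farm against both rules. It assumes remote WMI and ADSI access as a user who can read service configuration and local group membership on each server, IIS 6.0 (the root\MicrosoftIISv2 WMI namespace and its IIsApplicationPoolSetting class), the Windows SharePoint Services 3.0 service names SPTimerV3 and SPSearch, the SQL Server service names from the table earlier in this article, and the server names in the parameter block, all of which are assumptions.

```powershell
# Added example (not from the article): audit the servers of a farm against the
# two least-privilege rules above, separate accounts per service or process and
# no service/process account in local Administrators.
# Assumptions: WSS 3.0 service names (SPTimerV3, SPSearch), IIS 6.0 WMI
# (root\MicrosoftIISv2, IIsApplicationPoolSetting), SQL Server service names,
# remote WMI/ADSI rights on each server, and the placeholder server names.
param(
    [string[]]$Servers = @("WFE01", "APP01", "SQL01")   # assumed farm servers
)

# Services whose identity the article plans for (default and named SQL instances).
$servicePattern = '^(SPTimerV3|SPSearch|MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'

# DOMAIN\name for every direct member of the server's local Administrators group.
# Nested domain groups are not expanded; expand them separately if you use any.
function Get-LocalAdministrators([string]$Server) {
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($m in $group.psbase.Invoke("Members")) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'    # WinNT://DOMAIN/name -> DOMAIN\name
    }
}

# One record per relevant Windows service and per IIS application pool on a server.
function Get-ProcessIdentities([string]$Server) {
    Get-WmiObject -ComputerName $Server -Class Win32_Service |
        Where-Object { $_.Name -match $servicePattern } |
        ForEach-Object {
            New-Object PSObject -Property @{ Server = $Server; Process = "service:" + $_.Name; Identity = $_.StartName }
        }
    Get-WmiObject -ComputerName $Server -Namespace "root\MicrosoftIISv2" -Class IIsApplicationPoolSetting |
        ForEach-Object {
            $pool = $_
            # AppPoolIdentityType 3 = configured user account; 0, 1, 2 are the built-in identities.
            $identity = switch ($pool.AppPoolIdentityType) {
                0 { "LocalSystem" }
                1 { "NT AUTHORITY\LocalService" }
                2 { "NT AUTHORITY\NetworkService" }
                default { $pool.WAMUserName }
            }
            New-Object PSObject -Property @{ Server = $Server; Process = "apppool:" + $pool.Name; Identity = $identity }
        }
}

# The article defines which processes legitimately share one account: SQL Server
# and SQL Agent share the SQL Server service account, and the Timer service
# shares the server farm account with the Central Administration application
# pool. Every other process is expected to have an account of its own.
function Get-Role([string]$Process) {
    switch -regex ($Process) {
        '^service:(MSSQL|SQLSERVERAGENT|SQLAgent)' { return "SQL Server service account" }
        '^service:SPTimerV3$'                       { return "server farm account" }
        'Central Administration'                    { return "server farm account" }
        '^service:SPSearch$'                        { return "Search service account" }
        default                                     { return $Process }
    }
}

$records = @()
foreach ($server in $Servers) {
    $admins = @(Get-LocalAdministrators $server)
    foreach ($rec in Get-ProcessIdentities $server) {
        $records += $rec
        if ($rec.Identity -eq "LocalSystem" -or $rec.Identity -like "NT AUTHORITY\*") {
            Write-Warning "$server $($rec.Process) runs as built-in identity '$($rec.Identity)', not a domain user account"
        } elseif ($admins -contains $rec.Identity) {
            Write-Warning "$server $($rec.Process) identity '$($rec.Identity)' is a member of local Administrators on $server"
        }
    }
}

# Accounts that serve more than one role anywhere in the farm violate the
# separate-accounts rule even when none of them is a local administrator.
$records | Group-Object -Property Identity | ForEach-Object {
    $roles = @($_.Group | ForEach-Object { Get-Role $_.Process } | Sort-Object -Unique)
    if ($roles.Count -gt 1) {
        Write-Warning "Account '$($_.Name)' is shared by: $($roles -join ', ')"
    }
}
```

The script deliberately treats the SQL Server/SQL Agent pair and the Timer service/Central Administration pair as one role each, because the tables in this article plan a single account for each pair; everything else sharing an account is reported. Membership through a domain group that is nested in Administrators is the usual way this audit is fooled, so expand such groups before trusting a clean result.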

Least-privilege administration requirements when using SQL authentication

In environments where SQL authentication is a requirement, you can follow the principle of least privilege administration. In this scenario:

● SQL authentication is used for every database that is created.

● All other administration and service accounts are created as domain user accounts.


Setup and configuration

Using SQL authentication requires additional setup and configuration:

● All database accounts must be created as SQL Server login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any databases, including the configuration database and the SharePoint_AdminContent database.

● You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases with the -dbuser and -dbpassword parameters of psconfig -cmd configdb. The same SQL Server login is used to access both databases.

● You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL Server login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.

● Secure all communication with the database servers by using Secure Sockets Layer (SSL) orInternet Protocol security (IPsec).

When SQL authentication is used:

● The SQL Server login credentials are stored, encrypted, in the registry of the Web servers and application servers.

● The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL Server login accounts are used instead.

Creating service and administration accounts

For a list of least privilege administration requirements with SQL authentication, see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the databases. The configuration and SharePoint_AdminContent databases need two logins: the Setup user account (Windows authentication) and one SQL Server login that is shared by both databases. Create one additional SQL Server login for each content database.

The following table lists the logins that must be created. The Login column indicates the account that is specified or created for the SQL Server login. For the first login, you must enter the Setup user account. For all other logins, you create a new SQL Server login account. For these logins, the Login column provides an example account name.

Login: Setup user account
Database: Configuration and SharePoint_AdminContent databases
SQL rights: Specify Windows authentication when creating the login.

Login: <ConfigAdminDBAcc>
Database: Configuration and SharePoint_AdminContent databases
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.

Login: <WSSSearch_DB_Acc>
Database: WSS_Search database
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.

Login: <Content_DB_Acc1>
Database: Content databases
SQL rights:

● Specify SQL authentication when creating the login.

● Assign the dbcreator server role.
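Putting the setup and configuration steps of this section and the table above together, the following PowerShell script is an added example (not code from this article, from Windows SharePoint Services or from Microsoft): it creates the SQL Server logins with only the dbcreator server role and then creates the configuration and SharePoint_AdminContent databases with Psconfig, passing the shared login through -dbuser and -dbpassword. It assumes SQL Server 2005 (the CREATE LOGIN syntax; on SQL Server 2000 you would use sp_addlogin from Enterprise Manager instead), sqlcmd.exe on the path, that it runs as the Setup user account on a server where Windows SharePoint Services 3.0 is installed under the default path, and the server, account and login names in the parameter block. The login names follow the example names in the table; the domain and server names are placeholders.

```powershell
# Added example (not from the article): create the SQL authentication logins
# for the configuration/AdminContent, WSS_Search and first content databases,
# then create the farm with Psconfig using the configuration-database login.
# Assumptions: SQL Server 2005 syntax, sqlcmd.exe, run as the Setup user
# account, default WSS 3.0 install path, placeholder names below.
param(
    [string]$SqlServer      = "SQL01",                # assumed database server
    [string]$FarmAccount    = "CONTOSO\svc_spfarm",   # assumed server farm (domain) account
    [string]$ConfigDbLogin  = "ConfigAdminDBAcc",     # example names from the table above
    [string]$SearchDbLogin  = "WSSSearch_DB_Acc",
    [string]$ContentDbLogin = "Content_DB_Acc1"
)

$psconfig = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\psconfig.exe"

# Prompts for a password without echo and returns it as plain text; plain text
# is unavoidable because both the T-SQL and psconfig take the password as a string.
function Read-PlainPassword([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$passwords = @{}
foreach ($login in $ConfigDbLogin, $SearchDbLogin, $ContentDbLogin) {
    $passwords[$login] = Read-PlainPassword "Password for SQL login $login"
}
$farmPassword = Read-PlainPassword "Password for $FarmAccount"

# Step 1: the SQL Server logins. CHECK_POLICY = ON applies the Windows password
# policy to the login; expiration stays off because a service credential that
# expires takes the farm down without warning. Each login gets dbcreator only,
# as the table requires. Single quotes in passwords are doubled for T-SQL.
$tsql = "SET NOCOUNT ON;`n"
foreach ($login in $passwords.Keys) {
    $pw = $passwords[$login].Replace("'", "''")
    $tsql += "CREATE LOGIN [$login] WITH PASSWORD = N'$pw', CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;`n"
    $tsql += "EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'dbcreator';`n"
}

# The script file contains passwords: keep it short-lived and delete it whatever happens.
$file = [IO.Path]::GetTempFileName()
try {
    Set-Content -Path $file -Value $tsql
    & sqlcmd -S $SqlServer -E -b -i $file
    if ($LASTEXITCODE -ne 0) { throw "Creating the SQL Server logins failed" }
} finally {
    Remove-Item $file -ErrorAction SilentlyContinue
}

# Step 2: create the farm. The Configuration Wizard cannot do this with SQL
# authentication; Psconfig can, through -dbuser/-dbpassword. The same login
# serves both the configuration and the SharePoint_AdminContent database.
# The passwords are visible on the psconfig command line (Task Manager,
# process-creation auditing) for as long as it runs.
& $psconfig -cmd configdb -create -server $SqlServer -database SharePoint_Config `
    -user $FarmAccount -password $farmPassword `
    -admincontentdatabase SharePoint_AdminContent `
    -dbuser $ConfigDbLogin -dbpassword $passwords[$ConfigDbLogin]
if ($LASTEXITCODE -ne 0) { throw "psconfig configdb -create failed" }

# Remaining steps of a fresh farm build, in the order the Configuration Wizard
# performs them.
& $psconfig -cmd helpcollections -installall
& $psconfig -cmd secureresources
& $psconfig -cmd services -install
& $psconfig -cmd installfeatures
& $psconfig -cmd adminvs -provision -port 9999 -windowsauthprovider onlyusentlm
& $psconfig -cmd applicationcontent -install
```

After the farm exists, the WSS_Search and content database logins are used where this section says they are: when the search service is configured and when content databases are created in Central Administration with the SQL authentication option. Because the Setup user account is the one running this script, it is also the Windows-authentication login for the first row of the table, which is why nothing is created for it here.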

Least-privilege administration requirements when connecting to pre-created databases

In environments where databases are pre-created by a database administrator, you can follow the principle of least privilege administration. In this scenario:

● Administration and service accounts are created as domain user accounts.

● SQL Server logins are created for the accounts that are used to configure databases.

● Databases are created by a database administrator.

For more information about deploying Windows SharePoint Services 3.0 using pre-created blank databases, see Deploy using DBA-created databases (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288606(office.12).aspx ].

Creating service and administration accounts

For a list of least privilege administration requirements when connecting to an existing blank database, see the Windows SharePoint Services security account requirements [ http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409 ] planning tool, or view the requirements listed in the Technical reference: Account requirements by scenario section of this article.

Creating SQL Server logins

Before creating databases, create SQL Server logins for each of the accounts that will access the databases. The accounts planning tool details the specific permissions that are configured for each account. For instructions on how to create and grant permissions to databases, see Deploy using DBA-created databases (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288606(office.12).aspx ].

The following table lists the logins that must be created. The Database column indicates which databases are configured with permissions for each login account. For each login, specify Windows authentication when creating the login.


Login: Setup user account (run-as user for the Psconfig command-line tool)
Database: All databases

Login: Server farm account (Office SharePoint Server database access account)
Database:

● SSP database

● SSP search database

Login: Windows SharePoint Services Search service account
Database:

● WSS_Search database

● Configuration database

● SharePoint_AdminContent database

Login: Application pool identity for additional content databases
Database:

● SSP database

● SSP search database

● Content databases associated with the application pool

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

● Single server standard requirements

● Server farm standard requirements

● Least-privilege administration requirements when using domain user accounts

● Least-privilege administration requirements when using SQL authentication

● Least-privilege administration requirements when connecting to pre-created databases

Single server standard requirements

Server farm-level accounts

Account: SQL Server service account
Requirements: Local System account (default)

Account: Setup user account
Requirements: Member of the Administrators group on the local computer

Account: Server farm account
Requirements: Network Service (default). No manual configuration is necessary.

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account
Requirements: By default, this account runs as the Local System account.

Account: Windows SharePoint Services Search content access account
Requirements: Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm standard requirements

Server farm-level accounts

Account: SQL Server service account
Requirements: Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment: a service principal name (SPN) for the SQL Server service must be registered in Active Directory on the account that runs SQL Server. If no valid SPN exists (that is, none is registered in the Active Directory directory service environment), Kerberos authentication fails and the client silently falls back to NTLM. If a valid SPN exists but is registered on the wrong account (for example, on the computer account instead of the domain service account, or on more than one account), authentication fails with a "Cannot generate SSPI context" error message. Authentication always uses the first matching SPN it finds, so ensure that the SPN is registered on the account that actually runs SQL Server and nowhere else.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions on the external resource to the machine account (domain_name\SQL_hostname$).

Account: Setup user account
Requirements:

● Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

    ● securityadmin fixed server role

    ● dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for that database.

Account: Server farm account
Requirements:

● Domain user account.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm

Note: If you configure the Microsoft Single Sign-On Service, the server farm account is not automatically given db_owner access to the SSO database.
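The Kerberos requirement for a SQL Server running as a domain user account has a silent failure mode (fallback to NTLM) and a loud one ("Cannot generate SSPI context"); the same text is repeated in the comparison tables later in this reference. The following PowerShell script is an added example, not from this article; it checks the SPN registration described above and then asks SQL Server which scheme a connection actually negotiated. It assumes setspn.exe in the Windows Server 2008 version (which supports -Q and -X), sqlcmd.exe, SQL Server 2005 or later (sys.dm_exec_connections), a caller who can read SPNs in the domain and log on to SQL Server with Windows authentication, and the host, port and account names in the parameter block, which are placeholders.

```powershell
# Added example (not from the article): check the SPN prerequisites for
# Kerberos authentication to a SQL Server running as a domain user account,
# then confirm which scheme a connection actually negotiates.
# Assumptions: setspn.exe (Windows Server 2008 version: -Q and -X), sqlcmd.exe,
# SQL Server 2005 or later (sys.dm_exec_connections), placeholder names below.
param(
    [string]$SqlHostFqdn    = "sql01.contoso.com",   # assumed
    [string]$SqlServiceAcct = "CONTOSO\svc_sql",     # assumed domain account running MSSQLSERVER
    [int]$Port              = 1433                   # default instance
)

# Both forms are expected for a default instance: with and without the port.
$expectedSpns = @("MSSQLSvc/$SqlHostFqdn", "MSSQLSvc/${SqlHostFqdn}:$Port")

# SPNs actually registered on the service account (setspn -L output, trimmed).
$onServiceAccount = @(& setspn -L $SqlServiceAcct | ForEach-Object { $_.Trim() })

# Every account holding a given SPN; setspn -Q prints each holder's
# distinguished name on a line starting with CN=.
function Get-SpnHolders([string]$Spn) {
    & setspn -Q $Spn | Where-Object { $_ -match '^CN=' }
}

$problems = 0
foreach ($spn in $expectedSpns) {
    $holders = @(Get-SpnHolders $spn)
    if ($holders.Count -eq 0) {
        # No SPN at all: Kerberos is impossible and clients fall back to NTLM silently.
        Write-Warning "$spn is not registered; connections fall back to NTLM. Register it with: setspn -A $spn $SqlServiceAcct"
        $problems++
    } elseif ($holders.Count -gt 1) {
        # Duplicate SPN: the ticket may be issued for the wrong account -> "Cannot generate SSPI context".
        Write-Warning "$spn is registered on more than one account: $($holders -join '; ')"
        $problems++
    } elseif ($onServiceAccount -notcontains $spn) {
        # Single holder, but not the service account (commonly the computer account
        # left over from running SQL Server as Local System) -> "Cannot generate SSPI context".
        Write-Warning "$spn is registered on $($holders[0]) rather than on $SqlServiceAcct"
        $problems++
    } else {
        Write-Host "$spn is registered on $SqlServiceAcct only"
    }
}

# Domain-wide duplicate scan, to catch the same host under another spelling.
& setspn -X | Where-Object { $_ -match 'MSSQLSvc' } | ForEach-Object { Write-Warning "Duplicate SPN reported: $_" }

# What SQL Server actually negotiated for this session. Force TCP so the test
# matches a Web server's connection; a local shared-memory connection typically
# reports NTLM whatever the SPNs say, so run this from a front-end server.
$query = "SET NOCOUNT ON; SELECT net_transport, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;"
& sqlcmd -S "tcp:$SqlHostFqdn,$Port" -E -W -Q $query

if ($problems -gt 0) { Write-Warning "$problems SPN problem(s) found; after fixing them auth_scheme should read KERBEROS" }
```

The final query is the only authoritative answer: setspn tells you what the directory says, auth_scheme tells you what the connection did. A result of NTLM with no SPN findings usually means the test was run on the SQL Server computer itself or that the client resolved the server by a name for which no SPN exists (short name versus FQDN).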

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account
Requirements:

● Must be a domain user account.

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Account: Windows SharePoint Services Search content access account
Requirements:

● Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account on front-end Web servers and application servers are automatically granted.
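The server farm standard requirements above describe the SQL Server side in terms of fixed server roles and db_owner membership. The following PowerShell script, an added example and not part of this article, reads the actual memberships back from SQL Server for the Setup user account and the server farm account so that they can be compared with the rows above. It assumes sqlcmd.exe and SQL Server 2005 catalog views, a caller with Windows authentication who can read server and database metadata, farm databases named with the default SharePoint_ and WSS_ prefixes, and the placeholder account names in the parameter block.

```powershell
# Added example (not from the article): report the fixed server role
# memberships of the Setup user account and the server farm account, flag
# sysadmin membership (neither needs it), and list who holds db_owner in each
# farm database, including through database ownership, which grants db_owner
# rights without appearing as role membership.
# Assumptions: sqlcmd.exe, SQL Server 2005, default SharePoint_/WSS_ database
# name prefixes, placeholder account names.
param(
    [string]$SqlServer    = "SQL01",                 # assumed
    [string]$SetupAccount = "CONTOSO\spsetup",       # assumed Setup user account
    [string]$FarmAccount  = "CONTOSO\svc_spfarm"     # assumed server farm account
)

# $(SetupAccount) and $(FarmAccount) are sqlcmd scripting variables supplied
# with -v below, so the account names are never spliced into the T-SQL here.
$tsql = @'
SET NOCOUNT ON;

PRINT '-- Fixed server roles held by the two accounts';
SELECT l.name AS login_name, r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals l ON rm.member_principal_id = l.principal_id
WHERE l.name IN (N'$(SetupAccount)', N'$(FarmAccount)')
ORDER BY l.name, r.name;

PRINT '-- Expected: both in dbcreator and securityadmin. sysadmin is over-privilege:';
SELECT l.name AS unexpected_sysadmin
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals l ON rm.member_principal_id = l.principal_id
WHERE r.name = N'sysadmin' AND l.name IN (N'$(SetupAccount)', N'$(FarmAccount)');

PRINT '-- Database owners: the owner maps to dbo and has db_owner rights implicitly';
SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name LIKE N'SharePoint%' OR name LIKE N'WSS%'
ORDER BY name;

PRINT '-- Explicit db_owner members per farm database';
CREATE TABLE #dbowners (database_name sysname, member_name sysname);
EXEC sp_MSforeachdb N'
IF N''?'' LIKE N''SharePoint%'' OR N''?'' LIKE N''WSS%''
    INSERT INTO #dbowners (database_name, member_name)
    SELECT N''?'', m.name
    FROM [?].sys.database_role_members rm
    JOIN [?].sys.database_principals r ON rm.role_principal_id = r.principal_id
    JOIN [?].sys.database_principals m ON rm.member_principal_id = m.principal_id
    WHERE r.name = N''db_owner'';';
SELECT database_name, member_name FROM #dbowners ORDER BY database_name, member_name;
DROP TABLE #dbowners;
'@

$file = [IO.Path]::GetTempFileName()
try {
    Set-Content -Path $file -Value $tsql
    & sqlcmd -S $SqlServer -E -b -W -s "|" -i $file -v "SetupAccount=$SetupAccount" "FarmAccount=$FarmAccount"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed" }
} finally {
    Remove-Item $file -ErrorAction SilentlyContinue
}
```

Read the owner list together with the role list: a server farm account that created the databases is their owner and therefore has db_owner rights in each of them even if the last result set shows no explicit membership, and an administrator's personal login that appears as an owner has the same rights whether or not anyone intended that.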

Least-privilege administration requirements when using domain user accounts


Server farm-level accounts

Account: SQL Server service account

Server farm standard requirements: Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment: a service principal name (SPN) for the SQL Server service must be registered in Active Directory on the account that runs SQL Server. If no valid SPN exists (that is, none is registered in the Active Directory directory service environment), Kerberos authentication fails and the client silently falls back to NTLM. If a valid SPN exists but is registered on the wrong account (for example, on the computer account instead of the domain service account, or on more than one account), authentication fails with a "Cannot generate SSPI context" error message. Authentication always uses the first matching SPN it finds, so ensure that the SPN is registered on the account that actually runs SQL Server and nowhere else.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions on the external resource to the machine account (domain_name\SQL_hostname$).

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

Account: Setup user account

Server farm standard requirements:

● Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

    ● securityadmin fixed server role

    ● dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for that database.

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● This account should NOT be a member of the Administrators group on the computer running SQL Server.

Account: Server farm account

Server farm standard requirements:

● Domain user account.

● If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm.

Note: If you configure the Microsoft Single Sign-On Service, the server farm account is not automatically given db_owner access to the SSO database.

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.

● This account does not require permissions to SQL Server before the configuration database is created.

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account

Server farm standard requirements:

● Must be a domain user account.

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

Account: Windows SharePoint Services Search content access account

Server farm standard requirements:

● Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.


Additional application pool identity accounts

Account: Application pool identity

Server farm standard requirements: No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account on front-end Web servers and application servers are automatically granted.

Least-privilege requirements using domain user accounts: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account for each application pool.

● This account should not be a member of the Administrators group on any computer in the server farm.

Least-privilege administration requirements when using SQL authentication

Server farm-level accounts

Account: SQL Server service account

Server farm standard requirements: Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment: a service principal name (SPN) for the SQL Server service must be registered in Active Directory on the account that runs SQL Server. If no valid SPN exists (that is, none is registered in the Active Directory directory service environment), Kerberos authentication fails and the client silently falls back to NTLM. If a valid SPN exists but is registered on the wrong account (for example, on the computer account instead of the domain service account, or on more than one account), authentication fails with a "Cannot generate SSPI context" error message. Authentication always uses the first matching SPN it finds, so ensure that the SPN is registered on the account that actually runs SQL Server and nowhere else.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions on the external resource to the machine account (domain_name\SQL_hostname$).

Least-privilege requirements using SQL authentication: Server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

Note: All database accounts must be created as SQL Server login accounts in Microsoft SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before any databases are created, including the configuration database and the SharePoint_AdminContent database. Create one SQL Server login for both the configuration database and the SharePoint_AdminContent database.


Account: Setup user account

Server farm standard requirements:

● Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

  ○ securityadmin fixed server role

  ○ dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Least-privilege using SQL authentication requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● SQL Server login on the SQL Server computer.

● NOT a member of the following SQL Server security roles:

  ○ securityadmin fixed server role

  ○ dbcreator fixed server role

● NOT a member of the Administrators group on the computer running SQL Server.

Note:

You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases. All other content databases can be created in Central Administration by selecting the SQL authentication option.

Account: Server farm account

Server farm standard requirements:

● Domain user account.

● If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm

Note: If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

Least-privilege using SQL authentication requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.

● NOT a SQL Server login on the computer running SQL Server.

● This account does not require permissions to SQL Server before creating the configuration database.

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account

Server farm standard requirements:

● Must be a domain user account.

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Least-privilege using SQL authentication requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.

Account: Windows SharePoint Services Search content access account

Server farm standard requirements:

● Same requirements as the Windows SharePoint Services Search service account.

The following are automatically configured:

● Added to the Web application Full Read policy for the farm.

Least-privilege using SQL authentication requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.

Additional application pool identity accounts

Account: Application pool identity

Server farm standard requirements:

No manual configuration is necessary.

The following are automatically configured:

● Membership in the db_owner role for content databases and search databases associated with the Web application.

● Access to read from the configuration and the SharePoint_AdminContent databases.

● Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least-privilege using SQL authentication requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

● NOT a SQL Server login.


Least-privilege administration requirements when connecting to pre-created databases

Server farm-level accounts

Account: SQL Server service account

Server farm standard requirements:

Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

Least-privilege when connecting to pre-created databases requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.
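The SPN condition described for the SQL Server service account can be audited before Setup runs. The following PowerShell script is an added example, not part of this article; the SQL Server host name and service account name it uses are assumed placeholders, and it reports duplicate MSSQLSvc SPNs and SPNs that sit on an object other than the intended service account.

```powershell
# Added example (not from the TechNet article): enumerate every MSSQLSvc SPN
# registered in the domain for one SQL Server host, so that duplicates or SPNs
# sitting on the wrong account are found before Kerberos falls back to NTLM or
# fails with "Cannot generate SSPI context". Host and account names are assumed.
$SqlHost         = 'sql01.contoso.local'   # assumed FQDN of the SQL Server computer
$ExpectedAccount = 'svc-sql'               # assumed sAMAccountName of the SQL Server
                                           # service account (use 'SQL01$' for Local System)

# Search the current domain for any object that carries an MSSQLSvc SPN for this host.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(servicePrincipalName=MSSQLSvc/$SqlHost*)"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'servicePrincipalName'))

$entries = @()
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    $dn  = [string]$result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        # The filter matched the whole object; keep only the SPNs for this host.
        if ($spn -like "MSSQLSvc/$SqlHost*") {
            $entries += New-Object PSObject -Property @{ SPN = $spn; Account = $sam; DN = $dn }
        }
    }
}

$problems = @()
# Kerberos uses the first SPN match it finds, so the same SPN on two objects is a fault.
foreach ($group in ($entries | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 })) {
    $holders = ($group.Group | ForEach-Object { $_.Account }) -join ', '
    $problems += "Duplicate SPN $($group.Name) on: $holders"
}
# An SPN on any object other than the service account is assigned to the wrong container.
foreach ($entry in ($entries | Where-Object { $_.Account -ne $ExpectedAccount })) {
    $problems += "$($entry.SPN) is on $($entry.Account) ($($entry.DN)), expected $ExpectedAccount"
}
if ($entries.Count -eq 0) { $problems += "No MSSQLSvc SPN registered for $SqlHost (Kerberos will fall back to NTLM)" }

$entries | Format-Table SPN, Account, DN -AutoSize
if ($problems.Count -eq 0) { "OK: SPNs for $SqlHost resolve to $ExpectedAccount only" } else { $problems }
```

Run it as a domain user from any domain-joined computer; it needs only read access to Active Directory.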

Account: Setup user account

Server farm standard requirements:

● Domain user account.

● Member of the Administrators group on each server on which Setup is run.

● SQL Server login on the computer running SQL Server.

● Member of the following SQL Server security roles:

  ○ securityadmin fixed server role

  ○ dbcreator fixed server role

If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Least-privilege when connecting to pre-created databases requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on the computer running SQL Server.

This account is used to configure databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup user account.
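The ownership hand-over and the server-role limits above can be verified on the SQL Server side after the DBA has created the databases. This PowerShell check is an added example, not part of this article; the instance name, database names and Setup user account are assumed placeholders, and it assumes SQL Server 2005 or later for the sys.* catalog views.

```powershell
# Added example (not from the TechNet article): check the SQL Server side of the
# pre-created-database scenario. Each handed-over database must be owned by the
# Setup user account, and that account should hold only the securityadmin and
# dbcreator fixed server roles. Instance, database and account names are assumed.
$SqlInstance  = 'sql01.contoso.local'
$SetupAccount = 'CONTOSO\svc-spsetup'            # Setup user account (Windows login)
$Databases    = @('SharePoint_Config', 'SharePoint_AdminContent')
$AllowedRoles = @('securityadmin', 'dbcreator')   # the server roles the article grants to Setup

$dbList = ($Databases | ForEach-Object { "'" + $_.Replace("'", "''") + "'" }) -join ','
$query = @"
SELECT d.name AS db_name, SUSER_SNAME(d.owner_sid) AS db_owner
FROM sys.databases d WHERE d.name IN ($dbList);
SELECT r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE sp.name = '$($SetupAccount.Replace("'", "''"))';
"@

# Query with the caller's Windows credentials; requires SQL Server 2005 or later (assumed).
$conn    = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=SSPI")
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
$ds      = New-Object System.Data.DataSet
[void]$adapter.Fill($ds)
$owners  = $ds.Tables[0]
$roles   = @($ds.Tables[1] | ForEach-Object { $_.server_role })

$findings = @()
# 1. A database still owned by the DBA who created it, or by sa, fails the hand-over rule.
foreach ($db in $Databases) {
    $row = $owners | Where-Object { $_.db_name -eq $db }
    if (-not $row) {
        $findings += "$db`: database not found on $SqlInstance"
    } elseif ($row.db_owner -ne $SetupAccount) {
        $findings += "$db`: owner is '$($row.db_owner)', expected $SetupAccount"
    }
}
# 2. Any server role beyond securityadmin and dbcreator (sysadmin above all) is excess privilege.
foreach ($role in $roles) {
    if ($AllowedRoles -notcontains $role) { $findings += "$SetupAccount holds unexpected server role $role" }
}
foreach ($missing in ($AllowedRoles | Where-Object { $roles -notcontains $_ })) {
    $findings += "$SetupAccount is missing required server role $missing"
}
if ($findings.Count -eq 0) { 'OK: ownership and server roles match the least-privilege plan' } else { $findings }
```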


Account: Server farm account

Server farm standard requirements:

● Domain user account.

● If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.

Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm.

This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:

● dbcreator fixed server role

● securityadmin fixed server role

● db_owner fixed database role for all databases in the server farm

Note: If you configure the Microsoft Single Sign-On Service, the server farm account will not automatically be given db_owner access to the SSO database.

Least-privilege when connecting to pre-created databases requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

● NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.

● This account does not require permissions to SQL Server before creating the configuration database.

After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases:

● Users group

● db_owner fixed database role

Windows SharePoint Services Search accounts

Account: Windows SharePoint Services Search service account

Server farm standard requirements:

● Must be a domain user account.

● Must not be a member of the Farm Administrators group.

The following are automatically configured:

● Access to read from the configuration database and the SharePoint_AdminContent database.

● Membership in the db_owner role for the Windows SharePoint Services Search database.

Least-privilege when connecting to pre-created databases requirements: server farm standard requirements with the following additions or exceptions:

● Use a separate domain user account.

When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:

● Users group and db_owner role for the WSS_Search database.

● Users group in the configuration database.

● Users group in the Central Administration content database.


See the full list of available books at Downloadable books for Windows SharePoint Services [ http://go.microsoft.com/fwlink/?LinkId=81199 ] .

See Also

Concepts

Plan for security roles (Windows SharePoint Services) [ http://technet.microsoft.com/en-us/library/cc288186(office.12).aspx ]