SharePoint 2010 install accounts

This has been throwing everyone for a crazy loop, and it's time to clear up what's going on. So far most of my environments have been set up with accounts called SP_Admin, SP_Farm and SP_Service. SP_Admin is the install account, SP_Farm is the database access account (weird naming, right?), and the service applications get SP_Service.

I encourage you to do this and see what happens on the other side of the install and the Farm Configuration Wizard. You'll find out real quick what type of things you need to do to get SharePoint 2010 working using this best-practice approach to service accounts. But, rather than just leave you hanging, one big help for you in your quest for least-privilege SharePoint installs is:

SP_Admin and SP_Farm must be Local Administrators on the SharePoint server. 

It turns out that the "Database access account" is really the main farm account. When you get to user profile synchronization, if this account is not a local admin, the setup of Forefront Identity Manager will fail miserably, and you will need to kill off the User Profile Synchronization services (using PowerShell) and start all over after adding the local admin rights. I'm not sure if that particular screen will get updated in RTM or not, but it would make a hell of a lot more sense if it had "Farm Account" rather than "Database Access Account" on the setup screen.

 

Another note: when you go to add a new server to the farm (unless you do some SQL permission setting), you will have to be logged in as SP_Farm, not SP_Admin.
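
A pre-flight check for the local administrator requirement described above, as an added example that is not part of the original post. The domain name `CONTOSO` is a placeholder, the function names are hypothetical, and treating SP_Service as an account that should not be a local admin is an assumption drawn from the least-privilege goal.

```powershell
# Added example: verify local Administrators membership before running the
# Farm Configuration Wizard or provisioning User Profile Synchronization.
$Domain   = 'CONTOSO'      # assumption: replace with your NetBIOS domain name
$Expected = @{
    'SP_Admin'   = $true   # install account: must be a local admin (per the post)
    'SP_Farm'    = $true   # farm account: must be a local admin (per the post)
    'SP_Service' = $false  # assumption: service application account stays unprivileged
}

function Get-LocalAdminMember {
    # Returns the direct members of the local Administrators group as DOMAIN\name.
    # Uses the ADSI WinNT provider, so it runs on PowerShell 2.0 (Server 2008 R2).
    # Accounts that are admins only through a nested domain group are not expanded.
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name;
        # unresolved SIDs have a single path component and are skipped.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        }
    }
}

function Test-SPAccountPrivilege {
    # Compares actual membership with the expected state for each account.
    param([string]$Domain, [hashtable]$Expected, [string[]]$Members)
    foreach ($name in $Expected.Keys) {
        $isAdmin = $Members -contains "$Domain\$name"   # -contains ignores case
        New-Object PSObject -Property @{
            Account      = "$Domain\$name"
            IsLocalAdmin = $isAdmin
            Expected     = $Expected[$name]
            Ok           = ($isAdmin -eq $Expected[$name])
        }
    }
}

$members = @(Get-LocalAdminMember)
$report  = @(Test-SPAccountPrivilege -Domain $Domain -Expected $Expected -Members $members)
$report | Sort-Object Account | Format-Table Account, IsLocalAdmin, Expected, Ok -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix local Administrators membership before provisioning User Profile Synchronization.'
}
```

Run it from an elevated PowerShell prompt on each SharePoint server in the farm.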

Chris
