Chart: Domain User Accounts Required before Installing MOSS 2007

Below is a chart of the user accounts required before installing MOSS 2007 / SharePoint 2007 in a server farm configuration. This table is a must for every SharePoint developer/administrator. Thanks to Clayton, whose blog post put the ever-confusing user accounts into a neat descriptive table.

Account: Setup User
Purpose: User account used to run setup on each server.
Used by: Person installing
Requirements: Member of the Administrators group on each Web front-end (WFE) server and application server computer in the farm. Member of the SQL Server security administrator and database creator groups on the SQL servers.

Account: SQL Server Service
Purpose: The security context used by Central Administration for creating databases and other SQL configurations.
Used by: MSSQLSERVER, SQLSERVERAGENT
Requirements: Member of the Administrators group on each server on which setup runs, member of the Administrators group on each SQL Server computer, database system administrator, and member of the SQL Server security administrator and database creator groups.

Account: Server Farm
Purpose: Also referred to as the database access account.
Used by: Central Administration site application pool identity
Requirements: Member of the Administrators group on each WFE server and application server computer in the farm, with SQL security administrator and database creator rights on the SQL servers. Database Owner (DBO) for all databases and additional permissions on WFE server and application server computers are configured automatically for this account when SharePoint is installed.

Account: SSP App Pool
Purpose: Runs the Shared Services Provider (SSP) application pool.
Used by: SSP App Pool Identity
Requirements: No configuration is necessary. The following permissions are configured automatically for this account when SharePoint is installed: DBO for the Shared Services Provider (SSP) content database, read/write permissions for the SSP content database, read/write permissions for the content databases of Web applications associated with the SSP, read permissions for the configuration database, read permissions for the Central Administration content database, and additional permissions on WFE server and application server computers.

Account: SSP Service Account
Purpose: Used to run timer jobs and for inter-server communications.
Used by: SSP Timer service; SSP Web services
Requirements: Same as the SSP App Pool account.

Account: Windows SharePoint Services Search
Purpose: Service account for the Windows SharePoint Services Search service. There is only one instance of this service, and it is used by all SSPs.
Used by: Windows SharePoint Services 3.0 Search service
Requirements: Must be a domain account, but must not be a member of the farm administrators group. Permissions configured automatically for this account when SharePoint is installed include read/write permissions for the content databases of Web applications, read permissions for the configuration database, and read/write permissions for the Windows SharePoint Services Search database.

Account: Search Default Content Access Account
Purpose: The default account used by a specific SSP to crawl content. It is used when no account is specified for a content source.
Used by: Windows SharePoint Services 3.0 Search service
Requirements: Must be a domain account, but must not be a member of the farm administrators group. Requires read access to the external or secure content sources that you want to crawl using this account. Additional permissions for this account are configured automatically when SharePoint is installed.

Account: Search Specific Content Access Account
Purpose: An optional account configured to replace the default content access account when crawling a specific content source.
Used by: Windows SharePoint Services 3.0 Search service
Requirements: Read access to the external or secure content sources that this account is configured to access.

Account: User Profile and Properties Content Access Account
Purpose: Used to connect to a directory service, such as Active Directory, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog (BDC) application, or another directory source, and to import profile data from it. Note: If no account is specified, the Search Default Content Access account is used. If that account does not have read access to the directory or directories you want to import data from, you will need to specify a different account. Plan for one account per directory connection.
Used by: Profile Import
Requirements: Read access to the directory service. For an Active Directory connection that enables server-side incremental import, the account must have the Replicate Changes permission for Active Directory directory services provided by Windows 2000 Server; this permission is not required for Windows 2003 Active Directory. The Manage user profiles right. View rights on the entities used in Business Data Catalog import connections.

Account: Excel Services Unattended Service Account
Purpose: Excel Calculation Services uses this account to connect to data sources that require a user name and password for authentication. The SSP App Pool account is used if none is specified. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool account.
Used by: Excel Services service
Requirements: Read/write access to the Excel data sources.

Account: App Pool Identity
Purpose: Used to access the content databases associated with the Web application. Plan one for each application pool.
Used by: Web applications
Requirements: No configuration is necessary. SQL Server privileges assigned automatically to this account are membership in the Database Owners group for the content databases associated with the Web application, read/write access to the associated SSP database only, and read permission for the configuration database. Additional privileges for this account on WFE servers and application servers are configured automatically by SharePoint.

Below are sample accounts in a more concise form for quick reference, one per line, in the following format:

Account username – password – Role – Rights/Permissions

  1. mosssetupusr – Pass12! – MOSS setup user – Member of: Administrators – SQL: dbcreator and securityadmin
  2. sqlserversrvc – Pass12! – User to create DBs and SQL configurations – Member of: Administrators – SQL: dbcreator and securityadmin
  3. caapooldbaccessusr – Pass12! – Central Administration app pool account and database access account – Member of: Administrators – SQL: dbcreator and securityadmin
  4. sspappool@AIFSMOSS.local – Pass12! – SSP App Pool Identity – User rights and entitlements assigned automatically
  5. sspserviceusr – Pass12! – SSP Timer/Web Services – User rights and entitlements assigned automatically
  6. WssSearchSrvcUsr – Pass12! – Used for WSS Search – User rights and entitlements assigned automatically
  7. searchcontentaccessusr – Pass12! – Default user for search content access – User rights assigned automatically
  8. searchspccontentaccessusr – Pass12! – User for search-specific content access – Read access to the external content source
  9. userprofilesaccessusr – Pass12! – User that accesses AD and user profile properties – Read rights to AD
  10. excelservicesusr – Pass12! – User to access Excel content sources – Read rights to Excel content sources
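The chart and the sample list above describe what to create but not how. The following PowerShell script is an added example, not from the original post or from the book it credits, that provisions the accounts from the sample list with the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), gives every account its own randomly generated password instead of one shared value, and then checks the rule from the chart that the search and SSP accounts are not members of the farm administrators group. The OU path, the AD group name "MOSS Farm Administrators" (assumed to be the AD group that is added to SharePoint's Farm Administrators group) and the domain AIFSMOSS.local are assumptions; replace them with your own.

```powershell
# Added example: provision the MOSS 2007 service accounts from the list above with
# distinct passwords and verify the "must not be a farm administrator" rule.
# Assumptions (not from the post): the OU path and the farm administrators group name.
Import-Module ActiveDirectory

$ou         = 'OU=Service Accounts,DC=AIFSMOSS,DC=local'   # assumed OU
$farmAdmins = 'MOSS Farm Administrators'                  # assumed AD group

# One entry per account in the post's list. FarmAdminOk marks the accounts the chart
# allows to hold farm-level rights; every other account must stay out of that group.
$accounts = @(
    @{ Sam = 'mosssetupusr';              Role = 'MOSS setup user';                    FarmAdminOk = $true  }
    @{ Sam = 'sqlserversrvc';             Role = 'SQL Server service account';         FarmAdminOk = $true  }
    @{ Sam = 'caapooldbaccessusr';        Role = 'Central Admin app pool / DB access'; FarmAdminOk = $true  }
    @{ Sam = 'sspappool';                 Role = 'SSP app pool identity';              FarmAdminOk = $false }
    @{ Sam = 'sspserviceusr';             Role = 'SSP timer / web services';           FarmAdminOk = $false }
    @{ Sam = 'WssSearchSrvcUsr';          Role = 'WSS Search service';                 FarmAdminOk = $false }
    @{ Sam = 'searchcontentaccessusr';    Role = 'Search default content access';      FarmAdminOk = $false }
    @{ Sam = 'searchspccontentaccessusr'; Role = 'Search specific content access';     FarmAdminOk = $false }
    @{ Sam = 'userprofilesaccessusr';     Role = 'User profile import';                FarmAdminOk = $false }
    @{ Sam = 'excelservicesusr';          Role = 'Excel Services unattended account';  FarmAdminOk = $false }
)

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols, so "byte % 64" picks each one with equal probability (256 is a multiple of 64).
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*+-=?'
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        Write-Host "Already exists, skipping: $($a.Sam)"
        continue
    }
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # PasswordNeverExpires is the usual choice for farm service accounts so that
    # domain password expiry does not stop the farm; schedule rotation separately.
    New-ADUser -Name $a.Sam -SamAccountName $a.Sam -Path $ou -Description $a.Role `
               -AccountPassword $secure -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true
    # The generated password is shown once; store it in your password vault now.
    Write-Host ("Created {0} ({1}) password: {2}" -f $a.Sam, $a.Role, $plain)
}

# Check from the chart: search and SSP accounts must not be farm administrators.
$members = Get-ADGroupMember -Identity $farmAdmins -Recursive |
           Select-Object -ExpandProperty SamAccountName
foreach ($a in ($accounts | Where-Object { -not $_.FarmAdminOk })) {
    if ($members -contains $a.Sam) {
        Write-Warning "$($a.Sam) is a member of '$farmAdmins' but must not be (see chart)."
    }
}
```

Run it once as a domain administrator before the SharePoint setup; re-running it is safe because existing accounts are skipped. The separate per-account passwords are the point of the script: with one shared password, as in the sample list, compromising any one service account (the Excel unattended account or a crawl account, which only need read access) exposes the Server Farm and SQL Server accounts as well, which is the mistake the comments below warn about.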

9 Responses

  1. Pretty awesome article. Thanks! – CowDir

  2. Great list of users required. A lot of mistakes I have seen is when people just use a single admin account for it, which isn’t the best practice.

  3. Nice list of accounts – and credit should also go to the book “Microsoft Office Sharepoint Server 2007 – Administrator’s Companion”. This list has come directly from this book.

  4. I didn’t know that. Thanks to that book!🙂

  5. Thanks for the list, am I missing the app pool identity account in the sample account list?

  6. Heine, Yes, we need to have a separate account for each app pool associated with each web application.

  7. Hey There. I found your blog using msn. This is an extremely well written article. I’ll be sure to bookmark it and come back to read more of your useful info. Thanks for the post. I’ll certainly return.

  8. They go, ‘This is what you always say: ‘Well, you could do it that way. There’s more audio recording software out there that works just as good but Pro Tools is the most used. It’s another rule or ‘guideline’ of magic that we all need to follow if we want to become great.

  9. As you reap the rewards of your hard work, you will find all the time and effort you devoted in building and developing your accounting qualifications are finally paying-off.

    Those are some of the important characteristics that you want to look for as you’re searching for a CPA. Studies currently have shown which, about average, CPAs earn 10% more than non-CPA Accountants.
