Best practice for Farm accounts

  • Question

  • Hi All,

    For one customer I have to set up a middle SP farm. I will have to take this task next month so I have started the ground work for that. I have a couple of doubts that I want to clarify.

    To set up a middle SP farm (4 front end servers + 1 SQL server + 1 Application server) I suppose I should have the following accounts.

    1. One user for farm admin.
    2. One user for Search Service that will have read only access on farm. It is a must.
    3. For each site collection, one Site collection admin, i.e. if there are 5 site collections then better to have 5 domain users for same.

    I have the following doubts in my mind so can anyone please clarify.

    1. I think it is better that farm admin & site collection admin should be a group so that multiple people can be added.
    2. I am confused whether I am supposed to keep secondary site collection administrators? Will it add any value?
    3. Is it required to have a separate account for SQL data access? I do feel that it will not add any value.
    4. Is it required to have a separate account for the Meta data service?
    5. Is there any other additional account needed for some service?

    Regards
    Amit K

    Tuesday, May 22, 2012 1:51 PM

Answers

  • I'll try and answer some of your questions Amit

    1. One user for farm admin. - Personally, if you have users assigned to specific tasks, give the appropriate user accounts the relevant access for auditing purposes.
    2. One user for Search Service that will have read only access on farm. It is a must. - Agreed, although some other data and access requirements may restrict the 1 account.
    3. For each site collection, one Site collection admin, i.e. if there are 5 site collections then better to have 5 domain users for same. - Again, with tasks being distributed, you could have 1 user being the site collection admin of more than 1 site collection. I sometimes have, as a caution, created a separate account called domain\sitecolladmin or something similar and made sure this is the secondary site collection administrator of all site collections.

    I have the following doubts in my mind so can anyone please clarify.

    1. I think it is better that farm admin & site collection admin should be a group so that multiple people can be added. - Farm administrators is a group, but you can't add a group to site collection admins.
    2. I am confused whether I am supposed to keep secondary site collection administrators? Will it add any value? - See my point 3 above, it's a nice fallback.
    3. Is it required to have a separate account for SQL data access? I do feel that it will not add any value. - You may have separate DBAs who are responsible for the SQL itself.
    4. Is it required to have a separate account for the Meta data service? - If you have the resources to have a separate application pool, it can be good practice to use separate accounts for the app pool. If you need to view the w3svc service in task manager, you'll be able to identify which app pool is using which of the multiple processes due to user ID. Not necessary though.

    5. Is there any other additional account needed for some service? - Following a good guide to operating on least privileges is a good start.

    I'm sure there will be other views out there.


    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.
    Please remember to click "Propose As Answer" if a post solves your problem or "Vote As Helpful" if it was useful.

    • Proposed as answer by ova c Tuesday, May 22, 2012 2:17 PM
    • Marked as answer by Restless Spirit Tuesday, May 22, 2012 2:46 PM
    Tuesday, May 22, 2012 2:11 PM

All replies

  • Hi,

    Start by reading this article, it will give you a complete guide. If you don't find an answer to one of your questions, just go ahead and ask!

    http://technet.microsoft.com/en-us/library/cc678863.aspx


    Regards
    Henrik A. Halmstrand
    sharepointrevealed.com
    getspconfig.codeplex.com
    Please click Mark As Answer; if a post solves your problem or Vote As Helpful; if a post has been useful to you.

    Tuesday, May 22, 2012 1:58 PM
  • Hi Paul,

    In this way it is not possible to have multiple admins for a site collection. If we give a secondary site collection admin too, then also only two admins are possible.

    In real business, I suppose we might require multiple site collection administrators too.

    I would also like to ask, does the secondary site collection admin have the full privileges of the main site collection admin?

    I have seen in industry, in fact we are also using the same, that for a SharePoint Farm different specific accounts are created and all the admins use the same for administration purposes. I do feel that it is wrong as it doesn’t provide the capability to do the auditing. Any suggestion around it?

    Regards Amit

    Tuesday, May 22, 2012 2:45 PM
  • From Central Admin, when you're creating a new site collection, you provide the details for the Primary and, if required, Secondary Site Collection Administrators. You can also, from the UI at the Site Collection level, add additional users as Site Collection Administrators by going to "Site Settings" > "Permissions" > "Site Collection Administrators".

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.
    Please remember to click "Propose As Answer" if a post solves your problem or "Vote As Helpful" if it was useful.

    Tuesday, May 22, 2012 3:01 PM
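
Added example, not part of any poster's reply: one way to review who holds site collection administrator rights across the farm, and whether the fallback secondary administrator suggested in the answer is set on every site collection. It assumes the SharePoint 2010 Management Shell on a farm server and an account with shell access to the content databases; `CONTOSO\sitecolladmin` and the CSV path are placeholders.

```powershell
# Added example: audit site collection administrators farm-wide.
# $FallbackLogin and the output path are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$FallbackLogin = 'CONTOSO\sitecolladmin'

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        # Primary / secondary administrators as set in Central Administration
        $primary   = if ($site.Owner)            { $site.Owner.LoginName }            else { '' }
        $secondary = if ($site.SecondaryContact) { $site.SecondaryContact.LoginName } else { '' }

        # Everyone listed under Site Settings > Permissions >
        # Site Collection Administrators (includes the two above)
        $admins = @($site.RootWeb.SiteAdministrators |
                    ForEach-Object { $_.LoginName })

        # Claims-mode logins carry a prefix such as "i:0#.w|", so compare
        # on the trailing DOMAIN\user part, case-insensitively.
        $hasFallback = $secondary.ToLower().EndsWith($FallbackLogin.ToLower())

        New-Object PSObject -Property @{
            Url                 = $site.Url
            Primary             = $primary
            Secondary           = $secondary
            AdminCount          = $admins.Count
            Admins              = ($admins -join '; ')
            FallbackIsSecondary = $hasFallback
        }
    }
    finally {
        # SPSite holds unmanaged resources; release it on every iteration
        $site.Dispose()
    }
}

# Site collections where the fallback account is not the secondary admin
$report | Where-Object { -not $_.FallbackIsSecondary } |
    Select-Object Url, Primary, Secondary | Format-Table -AutoSize

# Full listing for periodic access review
$report | Select-Object Url, Primary, Secondary, AdminCount, Admins |
    Export-Csv -Path '.\site-collection-admins.csv' -NoTypeInformation
```

Comparing successive CSV exports shows when administrators were added or removed, which supports the per-user auditing the thread asks about.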