Question

We are using a single farm account in our SharePoint 2010 and would like to manage the service applications and web applications with the proper service accounts. What would be the best and most reliable way of doing this (other than through Central Administration)?


Solution

Not entirely sure why you add "except CA". Sure you can automate security using PowerShell. But this gives you only real value if you have multiple farm environments that you want to stay as much "the same" as possible.

The important thing here is to harden security for your farm, not really how you do it. As a primer you should read Plan security hardening (SharePoint Server 2010).

There are several blogs that point out how to separate security into several service accounts. An example: http://www.ericharlan.com/Moss_SharePoint_2007_Blog/sharepoint-2010-service-account-reference-guide-a184.html

The point is to minimize your attack surface by giving minimal privileges to the specific accounts.

Each service should have its own account. Each application pool should have its own account. You can share a web service application pool across Service Apps in the same proxy group (if no specific demand requires isolation).

Also, you should never ever log into your farm or CA using the farm service account. This is a big no-no! The install account should only be used initially for install and patching. When the farm is created, you should create an administrative account to use for everyday configuration in PowerShell and CA. This account should be farm administrator and be shell admin. If your admin account needs access to services on the server or account security, or needs to add farm solutions, it needs to be local administrator too. Check out Todd Klindt's excellent guide here.
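The account separation described in the answer, as an added PowerShell example that is not part of the original answer: it first audits which identity each application pool runs as, then moves one service application pool and one web application pool to dedicated managed accounts. The account names, pool name and URL are placeholder assumptions.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Audit: which identity does each application pool run as? ---
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$pools = @()
foreach ($p in Get-SPServiceApplicationPool) {
    $pools += New-Object PSObject -Property @{
        Kind = 'ServiceApp'; Pool = $p.Name; Account = $p.ProcessAccountName }
}
# Central Administration is left out: it runs as the farm account by design.
foreach ($wa in Get-SPWebApplication) {
    $pools += New-Object PSObject -Property @{
        Kind = 'WebApp'; Pool = $wa.ApplicationPool.Name; Account = $wa.ApplicationPool.Username }
}
$pools = $pools | Sort-Object Kind, Pool -Unique   # web apps may share one pool

Write-Host "Pools running as the farm account ($farmAccount):"
$pools | Where-Object { $_.Account -eq $farmAccount } |
    Format-Table Kind, Pool, Account -AutoSize

Write-Host 'Accounts shared by more than one pool:'
$pools | Group-Object Account | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0}: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Pool }) -join ', ') }

# --- Remediation: one dedicated managed account per pool ---
function Get-OrAddManagedAccount([string]$UserName) {
    $existing = Get-SPManagedAccount | Where-Object { $_.Username -eq $UserName }
    if ($existing) { return $existing }
    New-SPManagedAccount -Credential (Get-Credential $UserName)   # prompts for the password
}

# All names below are placeholders (assumptions); substitute your own.
$svcAccount = Get-OrAddManagedAccount 'CONTOSO\svc-sp-services'
Set-SPServiceApplicationPool -Identity 'Example Service App Pool' -Account $svcAccount

$webAccount = Get-OrAddManagedAccount 'CONTOSO\svc-sp-intranet'
$webPool = (Get-SPWebApplication 'http://intranet.contoso.local').ApplicationPool
$webPool.ManagedAccount = $webAccount
$webPool.Update()
$webPool.Deploy()   # pushes the new identity to IIS on the web servers

# Everyday admin account (not the farm or install account) gets shell access.
Add-SPShellAdmin -UserName 'CONTOSO\sp-admin'
```

Re-run the audit section after the changes; both lists should come back empty once every pool has its own account.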

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange