Question

Three questions on a theme...

Which accounts should be managed accounts?

Or perhaps to put it another way, which services / things are best to have as managed accounts?

Or perhaps the opposite question: Are there any accounts that are best not set up as managed accounts?

Solution

It is a best practice to create a specific service account per Service Application, so that the farm service account is only used for this specific purpose (health monitor will warn you if it is used for other services). With few exceptions these can each be made a managed account.

Also create a service account per application pool, as this is a natural security boundary in your farm. I usually create one for web services and one for web applications. If I run both intranet and extranet on the same farm, I will create a web application pool for each and give them each a unique account.

Some service accounts cannot be made managed accounts. These include the User Profile Synchronization account and the portal super reader and super user accounts (both used for caching).
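The separation described in the answer can be checked on an existing farm. The script below is an added example, not part of the original answer: a read-only audit that lists each service application pool and web application pool identity, whether it is a registered managed account, whether it reuses the farm account, and how many pools share it. It assumes the SharePoint Management Shell on a farm server and a farm administrator session; the report column names are made up for this example.

```powershell
# Added example (not from the original answer): read-only audit of pool identities.
# Assumes the SharePoint Management Shell on a farm server, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$managed     = @(Get-SPManagedAccount | ForEach-Object { $_.Username })

# Service application pools and content web application pools.
# Central Administration is left out: it runs as the farm account by design.
$pools = @(
    Get-SPServiceApplicationPool | ForEach-Object {
        [pscustomobject]@{ Kind = 'ServiceAppPool'; Pool = $_.Name; Account = $_.ProcessAccountName }
    }
    Get-SPWebApplication | ForEach-Object {
        [pscustomobject]@{ Kind = 'WebAppPool'; Pool = $_.ApplicationPool.Name
                           Account = $_.ApplicationPool.Username }
    }
) | Sort-Object Kind, Pool -Unique   # several web applications can share one pool

# Count how many distinct pools run under each account (hashtable keys are case-insensitive).
$poolsPerAccount = @{}
foreach ($p in $pools) {
    $poolsPerAccount[$p.Account] = 1 + [int]$poolsPerAccount[$p.Account]
}

$report = foreach ($p in $pools) {
    [pscustomobject]@{
        Kind            = $p.Kind
        Pool            = $p.Pool
        Account         = $p.Account
        IsManaged       = $managed -contains $p.Account      # registered as a managed account?
        UsesFarmAccount = $p.Account -eq $farmAccount        # farm account reused for a pool?
        PoolsOnAccount  = $poolsPerAccount[$p.Account]       # >1 means the identity is shared
    }
}

# Full picture, grouped by account so shared identities sit next to each other.
$report | Sort-Object Account, Kind | Format-Table -AutoSize

# Rows worth a second look: farm account reuse, or a pool identity that is not managed.
$report | Where-Object { $_.UsesFarmAccount -or -not $_.IsManaged } |
    Format-Table Kind, Pool, Account -AutoSize
```

Pools that SharePoint itself runs under the farm account will show up in the second table, so review each row rather than treating every one as a misconfiguration. The accounts the answer lists as exceptions are not pool identities and do not appear in this report.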

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange