Should my farm account be in the local admins group?
06-12-2019
Question
In my Review problems and solutions reports I have the following Security Warning:
Both of the offending services use my "farm" managed account (I named it SP_Farm on my domain, it's the one you have to enter during the SP configuration wizard when you're ready to set up the DBs).
Recently I went through a boot camp (got my MCTS: SharePoint 2010, Configuration cert) and as part of the course they told us that the farm account needed to be a local admin on the machine(s) where your SharePoint server(s) is(are) installed.
My question is: How will it affect my server if I remove SP_Farm from the local administrators group on my server?
Solution
The farm account does not need to be a member of the local Administrator group. For a farm it should be a domain user; when you run the configuration wizard it will be granted the required user rights, file permissions, registry permissions, DCOM permissions, and DB permissions.
When you do your initial Sync with UPS, you will need to add the farm account to the local admins on the machine doing the sync, but this is only for the first sync, after which you can remove it from the admin group.
TechNet guides to refer to:
Plan for administrative and service accounts
Plan Administrative tasks in least privileged environment
It should not affect your farm to remove it from the admin group, but after removing the permissions (and rebooting), you may want to have SP reset the security settings. You can do this via PowerShell so you don't have to run the entire psconfig wizard.
Initialize-SPResourceSecurity
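The check-and-remove procedure from the answer above, as an added example that is not part of the original answer: it reports whether the farm account is a direct member of the local Administrators group, removes it on request, and re-applies SharePoint's resource permissions after the reboot. The domain EXAMPLE, the script name and the switch names are assumptions; the group name assumes an English-language Windows install.

```powershell
# Audit-FarmAdmin.ps1 (hypothetical name). Run elevated on each SharePoint server.
param(
    [string]$FarmAccount = 'EXAMPLE\SP_Farm',  # EXAMPLE is a placeholder domain
    [switch]$Remove,                           # drop the account from local Administrators
    [switch]$ResetSecurity                     # run after the reboot that follows removal
)

# ADSI is used because it works on PowerShell 2.0 (Server 2008 R2 era hosts).
$domain, $user = $FarmAccount -split '\\', 2
$adsPath = "WinNT://$domain/$user"
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Collect the ADsPath of every direct member (nested domain groups are not expanded).
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
$isAdmin = $members -contains $adsPath

if ($isAdmin) {
    Write-Warning "$FarmAccount is a local administrator on $env:COMPUTERNAME."
    if ($Remove) {
        # Keep the membership until the first User Profile Service sync has
        # finished on the server doing that sync, as the answer notes.
        $group.Remove($adsPath)
        Write-Output "Removed $FarmAccount. Reboot, then rerun with -ResetSecurity."
    }
} else {
    Write-Output "$FarmAccount is not a direct member of local Administrators."
}

if ($ResetSecurity) {
    if ($isAdmin -and -not $Remove) {
        Write-Warning 'Account is still a local admin; resetting security anyway.'
    }
    # Load the SharePoint cmdlets when not in the SharePoint Management Shell.
    if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
    # Re-applies the file, folder and registry permissions SharePoint expects.
    Initialize-SPResourceSecurity
}
```

Run it once with no switches to audit, with -Remove to drop the membership, and again with -ResetSecurity after the reboot.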
OTHER TIPS
A great article that might help Link