Question

I am preparing a SharePoint 2010 (1 WFE/APP + 1 DB) farm. While planning for service account creation, I was wondering whether I really need to give Remote Administration Rights to this account.

The account is already in the Administrators Group on both the servers. But I wish to deny Remote Login rights exclusively for this service account.

There is no official documentation concerning the remote desktop rights of a SharePoint service account in MSDN or TechNet from what I have read. I would request someone to share some insights on this and let me know the possible pitfalls of not giving remote desktop rights to the SharePoint service accounts.


Solution

The first thing to keep in mind is that rights are being granted to service accounts, not accounts actually associated with a specific user. So these accounts should not be used to log into a server unless it is a highly specific and unique situation. In fact, you can optionally configure these accounts so that they cannot be used to log on to a server via a physical or remote desktop connection by denying them the Logon Locally right via a Group Policy Object.

Read more: http://salaudeen.blogspot.se/2011/05/sharepoint-2010-service-accounts.html

OTHER TIPS

Yes, the service account should perform a log-in operation at least once on the server on which you intend to run the User Profile Service application. When establishing the UPSA your service account needs local admin rights. Once you've got it all set up and running you can revoke these rights.

From the Rational Guide to Implementing SharePoint Server 2010 User Profile Synchronization:

The DOMAIN\SPFARM account requires the log on locally right on the machine running the User Profile Synchronization (FIMSync) service. Grant this right via Group Policy or Local Security Policy on that machine.

1. Security Settings -> Local Policies -> User Rights Assignment -> Allow Logon Locally
2. If on a DC (you shouldn't be :)), open GPMC.MSC and edit the default domain controller policy
3. Run gpupdate to refresh the policy change

To provision the UPS service, we must make the DOMAIN\spfarm account a local administrator of the box hosting the UPS service. Once we are done we can remove this. Don't try and work around this, you won't succeed! The local administrator rights are only required during provisioning.
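As an added example (not part of the original question or either answer), here is a PowerShell audit that reports which of the logon rights discussed above a service account currently holds on a server, so you can confirm the "Allow log on locally" grant that the UPS synchronization service needs and verify a "Deny log on through Remote Desktop Services" entry before and after provisioning. The account CONTOSO\spfarm and the temporary file name are assumptions; run it elevated on the WFE/APP box.

```powershell
# Added example (not from the original Q&A): audit which logon rights a
# SharePoint service account holds on this server. Run in an elevated
# PowerShell on the WFE/APP box. CONTOSO\spfarm is a placeholder account.
param(
    [string]$Account = 'CONTOSO\spfarm'   # assumption: your farm account
)

# secedit constants -> names shown in secpol.msc (User Rights Assignment)
$rightsOfInterest = [ordered]@{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeServiceLogonRight'               = 'Log on as a service'
}

# secedit lists most principals by SID, so resolve the account to its SID once
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective policy on this machine (local or GPO-applied) and read
# the [Privilege Rights] section. Rights with no members are omitted from the
# export, so "absent" means "granted to nobody".
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'   # assumption: temp path
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(?<right>Se\w+)\s*=\s*(?<members>.*)$') {
        # Members are comma-separated; SIDs carry a leading '*'
        $assigned[$Matches.right] = $Matches.members -split ',' |
            ForEach-Object { $_.Trim() }
    }
}
Remove-Item $inf -Force

# One row per right: is the account (by SID or by name) in the member list?
$report = foreach ($entry in $rightsOfInterest.GetEnumerator()) {
    $members = @($assigned[$entry.Key])
    [pscustomobject]@{
        Account = $Account
        Right   = $entry.Value
        Granted = ($members -contains "*$sid") -or ($members -contains $Account)
    }
}
$report | Format-Table -AutoSize
```

Re-run it after the UPS provisioning is finished to confirm that the temporary "Allow log on locally" grant has been withdrawn and that the account is still listed under the deny-Remote-Desktop right.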

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange