Question

I am getting ready to build a three-tier SP 2013 server farm and have a couple questions about the domain accounts needed. I was planning the following:

  • sp_install
  • sp_farm (farm acct)
  • sp_webapp (for Web servers)
  • sp_serviceapps (services acct)
  • sp_crawl (search crawl)
  • sp_userprofile (UPS)
  • sp_workflow (workflow manager)
  • sp_report (reporting services)

I mainly have three questions:

1. We are going to have identical QA (quality assurance) and production environments/farms. Should we have two separate groups of accounts, one for each environment? The only ones I am concerned about are those that someone will actually use to log into a server for any reason, which increases the chance of someone locking them out.

2. Do we need an account for just installing? If so, is this account also used down the road for installation maintenance on the server? We already have separate accounts for server admins. For example, I have my normal login I use every day (jdoe), but I also have a server admin login (sajdoe) with admin rights on the server. I was thinking I could just use my sajdoe account to install.

3. Which of these accounts, if any, do SP admins actually use to log in to a server for administration of SP, such as deploying and enabling features, running PowerShell, etc.?

I just think we have some bad practices in our current instance of SP 2007 and would like to clean them up in our new environment.

Any advice is appreciated.


Solution

1.) I would recommend a separate set for each farm. Your fear is correct, and that happens many times, so don't risk your production.

2.) Best practice is always to use a separate account which performs installation, configuration, routine maintenance, patches/CU and day-to-day operation, i.e. PowerShell. From your list, sp_install is the account which you should use. One thing to make sure of: you should give this account DBO rights on all the databases (config, content, services).

3.) sp_install is the account which you should use.
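
The per-farm separation recommended in the answer above, as an added example that is not part of the original post: a PowerShell script that creates one set of the listed accounts per environment. The `sp_<env>_<role>` naming scheme, the OU path and the `qa`/`prd` tags are assumptions, not values from the page.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed values: replace with your own OU and environment tags.
    [string]   $AccountOU    = 'OU=SharePoint,OU=Service Accounts,DC=example,DC=com',
    [string[]] $Environments = @('qa', 'prd')
)

# Roles from the question's list, plus the two cache accounts from the tips.
$roles = [ordered]@{
    install     = 'Installation and administration'
    farm        = 'Farm account'
    webapp      = 'Web applications'
    serviceapps = 'Service applications'
    crawl       = 'Search crawl'
    userprofile = 'User Profile Service (UPS)'
    workflow    = 'Workflow Manager'
    report      = 'Reporting Services'
    superuser   = 'Cache super user'
    superreader = 'Cache super reader'
}

function New-RandomPassword {
    # 32 random bytes as base64 (44 characters), returned as a SecureString.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($envTag in $Environments) {
    foreach ($role in $roles.Keys) {
        $sam = "sp_${envTag}_$role"          # e.g. sp_qa_farm and sp_prd_farm
        if ($sam.Length -gt 20) { Write-Warning "$sam exceeds 20 characters, skipped"; continue }
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Verbose "$sam already exists, skipped"; continue
        }
        if ($PSCmdlet.ShouldProcess($sam, 'Create service account')) {
            $password = New-RandomPassword
            New-ADUser -Name $sam -SamAccountName $sam -Path $AccountOU `
                -Description "SharePoint 2013 $($envTag.ToUpper()): $($roles[$role])" `
                -AccountPassword $password -Enabled $true
            # Emit a credential object so the caller can store it in a vault.
            New-Object System.Management.Automation.PSCredential ($sam, $password)
        }
    }
}
```

Run it with `-WhatIf` first to list the accounts it would create; existing accounts are left untouched, so a second run only fills gaps.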

OTHER TIPS

In addition, you should consider using sp_superuser and sp_superreader accounts for caching.

As far as "eliminating sp_workflow and sp_report and just use sp_serviceapps", I would suggest that you do not take that approach. Separating service accounts by role will help your farm function well and it will enable you to troubleshoot problems more effectively as they come up.

Take some time to dig in deeper with this post from Todd Klindt.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange