Question

I have read a lot of info about creating a domain account for installing SharePoint 2013. The problem I see with this account is all the SP admins would have to know the password. If someone leaves the company, the password would have to be changed immediately. If it gets overlooked, that would be REALLY bad. Can an AD security group be used instead, with all the admins in it? What are the potential problems if I install SP (as a member of the security group) and leave the company? Does the install keep any info in HKCU (vs HKLM)?

If we did enforce the password change policy, that means whoever changes it would have to communicate it to everyone else. It just sounds messy, but maybe it is the best option. Any thoughts?

Solution

I'm assuming this is an on-premise installation. Typically, if someone leaves the company, they will no longer have access to your intranet. Even so, if your data is that important within SharePoint, then it is important enough to have a password change policy that can be reliably enforced.

Microsoft has a great TechNet article on account setup and management in SharePoint 2013.

There is also a process for setting up automatic password management for your SharePoint service accounts via Managed Accounts. I have not used it myself, but I know other farms that have successfully done it.

As for installing SharePoint under your own user account... I would advise against it. If that account was subsequently disabled in Active Directory, there could be many different problems that could occur.

OTHER TIPS

Keep two things in mind, which we mix up all the time: the Install Account and the Farm Admin Account.

Farm Admin account: this is used for running Central Admin and the timer services, and it requires elevated permissions. Never use this account for installation or daily tasks.

Install Account: this account is responsible for all installation, patches (CU), PowerShell, daily tasks, backups and restores. Never run any app pool or SharePoint timer jobs under this account. This account has elevated permissions, i.e. Local Admin, DBO rights to all the databases (Content, Config, services DB) and the fixed roles DB Creator and Security Admin.

Now back to your question: if you set up your install account the way I described above, then a password change will not cause any issue. But if you run any app pool or any timer services, then a password change will cause an issue.

In our farm we have a dedicated install account which has full control but is not running anything, and we change the password after 30 days.

Here is a good article on service accounts.
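
The check the last answer implies, as an added example that is not part of the original posts: before rotating the install account's password, confirm that nothing on the server runs under it. The account name `CONTOSO\sp_install` and the function name `Find-AccountUsage` are assumptions made for illustration.

```powershell
# Added example; CONTOSO\sp_install and Find-AccountUsage are hypothetical names.
# Run in an elevated SharePoint Management Shell on each server in the farm.
function Find-AccountUsage {
    param([Parameter(Mandatory)][string]$Account)

    $findings = @()

    # Windows services (SharePoint Timer, search, etc.) that log on as this account.
    # StartName is usually DOMAIN\user; a service set up with user@domain will not match.
    $findings += Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'WindowsService'; Name = $_.Name; Identity = $_.StartName }
        }

    # IIS application pools configured to run as this account.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $findings += Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.userName -eq $Account } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'IisAppPool'; Name = $_.Name; Identity = $_.processModel.userName }
            }
    }

    # Registration as a SharePoint managed account suggests farm components may use it.
    if (Get-Command Get-SPManagedAccount -ErrorAction SilentlyContinue) {
        $findings += Get-SPManagedAccount |
            Where-Object { $_.Username -eq $Account } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'SPManagedAccount'; Name = $_.Username; Identity = $_.Username }
            }
    }

    $findings
}

$hits = Find-AccountUsage -Account 'CONTOSO\sp_install'
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Move these to dedicated service accounts before changing the password.'
} else {
    Write-Output 'No services, app pools or managed-account registrations use this account.'
}
```

An empty result on every farm server is the condition under which the 30-day password change described above is safe to carry out.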

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange