Solved

What accounts to use for what service in SharePoint Server 2010?

Posted on 2012-03-27
Last Modified: 2012-06-27
In the application event logs, I see this error:

The SharePoint Health Analyzer detected a condition requiring your attention.  Accounts used by application pools or service identities are in the local machine Administrators group.
Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute.  The following services are currently running as accounts in the machine Administrators group:       

SharePoint - 80  (Application Pool)
SharePoint Central Administration v4 (Application Pool)
OSearch14(Windows Service)
SPTimerV4(Windows Service)
WebAnalyticsService(Windows Service)

However, when looking at the drop-down list box for services and web applications on the Credential Management page in Central Administration, I don't see some of the ones listed above in the log. I'd like to change the accounts that the services are using.

Drop down list box has these listed:

Farm Account
Service application Pool - Security Token Service Application Pool
Service Application Pool - SharePoint Web Services Default
Service Application Pool - SharePoint Web Services System
Web Application Pool – MySites
Web Application Pool - SharePoint - 80
Windows Service - Claims to Windows Token Service
Windows Service - Document Conversion Launcher Services
Windows Service - Document Conversion Load Balancer Service
Windows Service - Microsoft SharePoint Foundation Sandbox Code Service
Windows Service - SharePoint Foundation Help Search
Windows Service - SharePoint Server Search
Windows Service - User Profile Synchronization Service
Windows Service - Web Analytics Data Process Service

For the ones I don't know, which services reported in the event log above match which services listed in the drop-down list box?

SharePoint Central Administration v4 (Application Pool) = ??
SPTimerV4(Windows Service) = ??
OSearch14(Windows Service) = Windows Service - SharePoint Server Search ( I think)

Thank you.
Question by:gtrapp

Assisted Solution

by:Yagya Shree
Yagya Shree earned 150 total points
ID: 37774611
Please refer to this link:

http://mpwiki.viacode.com/default.aspx?g=posts&t=12715

You can ignore this error message for now, as MS has put this rule in place to monitor any unwanted settings with service accounts, but currently it generates false alerts.

Accepted Solution

by:Justin Smith
Justin Smith earned 350 total points
ID: 37776336
I'm guessing you let SharePoint set up your farm by using the wizard.  If so, it probably set NETWORK SERVICE or LOCAL SYSTEM on a lot of your services.  Grrrrr....

Agreed with above comment.  Some of these account alerts can be misleading and I usually disable the rules in new deployments.  You can do this by clicking the Health alert, then at the bottom of the screen click the "Edit Rule" and disable.

The Central Admin App Pool and the Timer service should run as the same domain account, and this account is considered the "Farm Account".  This can be changed using the STSADM updatefarmcredentials command.  As a best practice, the Farm Account shouldn't be part of the Local Administrators group on the server.  Same goes for the accounts running your web app pools.

The OSearch is what runs SharePoint Enterprise Search.  It is indeed SharePoint Server Search.

Author Comment

by:gtrapp
ID: 37779732
Unfortunately, I did.

Questions:

How do I change the SharePoint 2010 Timer service account?
How do I change the Central Admin Application Pool account?
When I run STSADM updatefarmcredentials, will it change accounts used by services?
What is the best way to change a service account for other service application pools?

I need to review all of the services and what accounts they are using.  I have the wrong accounts running services.

Thanks.

Assisted Solution

by:Justin Smith
Justin Smith earned 350 total points
ID: 37779985
The Timer and CA App Pool are changed via the STSADM -o updatefarmcredentials command.
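An added example (not code from the thread or from Microsoft) for the review the asker describes: it lists the accounts behind the Windows services named in the event and behind the SharePoint application pools, and marks those that are direct members of the local Administrators group. It assumes an elevated SharePoint 2010 Management Shell on the farm server; the `Privileged` column name is made up for this example.

```powershell
# Added example. Run elevated in the SharePoint 2010 Management Shell on each farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Direct members of the local Administrators group via the WinNT ADSI provider.
# ADsPath is WinNT://DOMAIN/name (or WinNT://DOMAIN/SERVER/name for local accounts);
# keep the last two segments so the result compares against DOMAIN\name.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    $parts[-2..-1] -join '\'
})

# Windows services named in the Health Analyzer event.
$names    = 'SPTimerV4', 'OSearch14', 'WebAnalyticsService'
$services = Get-WmiObject Win32_Service | Where-Object { $names -contains $_.Name } |
    Select-Object @{n='Kind'; e={'Windows Service'}}, Name, @{n='Account'; e={$_.StartName}}

# Web application pools, including the Central Administration pool.
$webPools = Get-SPWebApplication -IncludeCentralAdministration |
    ForEach-Object { $_.ApplicationPool } |
    Select-Object @{n='Kind'; e={'Web Application Pool'}}, Name, @{n='Account'; e={$_.Username}}

# Service application pools.
$svcPools = Get-SPServiceApplicationPool |
    Select-Object @{n='Kind'; e={'Service Application Pool'}}, Name, @{n='Account'; e={$_.ProcessAccountName}}

# Flag each identity that is a direct local administrator or runs as LocalSystem.
# Limits: nested group membership is not expanded, and accounts stored in
# UPN form (user@domain) will not match the DOMAIN\name comparison.
@($services) + @($webPools) + @($svcPools) |
    Sort-Object Kind, Name -Unique |
    Select-Object Kind, Name, Account, @{n='Privileged'; e={
        ($admins -contains $_.Account) -or ($_.Account -eq 'LocalSystem')
    }} |
    Format-Table -AutoSize
```

Rows with `Privileged` set to True correspond to the identities the Health Analyzer rule reports; rerun after changing accounts to confirm the list is empty.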
