Posted on Tuesday, June 19, 2007 8:34 PM
Easily the most irritating element of mis-configuration in a SharePoint 2007 farm is the assignment of local admin privileges (for each box in the farm) to the account used for connections to the configuration database and as the identity of the application pool hosting Central Administration (commonly referred to as the 'farm account').
THIS IS NOT A REQUIREMENT!! THIS IS NOT A REQUIREMENT!!
Your farm account can be a regular domain user, no special requirements at all. The SharePoint Configuration Wizard will assign ALL the required privileges automatically (with the exception of DCOM activation as detailed here, and the issue with %windir%\Tasks).
So why do so many admins configure this account with local admin rights?
Well, first up, previously (with WSS v2 & SPS SP1 and above) this was a requirement. A really nasty one. Especially when trying to deploy in organizations with sensible security policies (or "strong security postures" as marketing types trying to make security sexy say these days). It's not unreasonable to assume the equivalent principal needs the same privileges in the new versions, especially if the so-called "IT Professional" has an aversion to reading documentation and then thinking.
Secondly, and most annoyingly, so-called authoritative sources state this as a requirement. Examples include the SharePoint Administrator's Companion and the SPT Administrators Pocket Consultant, both from MS Press. Both these titles repeatedly detail incorrect requirements for accounts. Also, there's a bunch of "how to install SharePoint" blogs out there pimping the same mis-configuration.
Funnily enough, the last word on accounts over at TechNet is actually correct. One can only speculate that the authors of the erroneous material couldn't be bothered to get things working without the old local admin "workaround".
Thirdly, well - we can all tell jokes about lame admins we've experienced from the not too distant past, can't we?
As part of my ongoing platform hygiene public service activities, I will once again say:
Your SharePoint Farm Account DOES NOT need local admin privileges!
Don't be assigning them. Apart from the fact it's a really silly thing to do, your customers won't appreciate it.
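One way to check an existing farm for this mis-configuration, as an added example that is not part of the original post: the script lists the direct members of the local Administrators group on each server and flags the farm account. The account name `CONTOSO\svc-spfarm` and the server names are placeholders, and the group name assumes an English-language Windows install.

```powershell
# Added example: audit whether the farm account sits in local Administrators.
# $FarmAccount and $Servers are placeholders (assumptions); use your own values.
param(
    [string]   $FarmAccount = 'CONTOSO\svc-spfarm',
    [string[]] $Servers     = @('SPWFE01', 'SPAPP01')
)

function Get-LocalAdminMember {
    param([string] $Server)
    # The WinNT ADSI provider can enumerate a local group on a remote box.
    # 'Administrators' is the English group name; localized installs differ.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path = $member.GetType().InvokeMember(
            'ADsPath', 'GetProperty', $null, $member, $null)
        # Domain principals come back as WinNT://DOMAIN/name -> DOMAIN\name.
        # Local accounts come back as WinNT://DOMAIN/SERVER/name.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($server in $Servers) {
    try {
        $members = @(Get-LocalAdminMember -Server $server)
        [pscustomobject]@{
            Server                  = $server
            # -contains compares case-insensitively for strings.
            FarmAccountIsLocalAdmin = ($members -contains $FarmAccount)
            Members                 = $members -join '; '
        }
    }
    catch {
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}
# Limitation: only direct membership is checked. If the farm account is a
# member of a domain group listed in Members, it is still a local admin,
# so review any groups that appear in the output as well.
```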