harbar.net component based software & platform hygiene

NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Posted on Tuesday, June 19, 2007 8:34 PM

Easily the most irritating mis-configuration in a SharePoint 2007 farm is the assignment of local admin privileges (on every box in the farm) to the account used to connect to the configuration database and as the identity of the application pool hosting Central Administration (commonly referred to as the 'farm account').

THIS IS NOT A REQUIREMENT!!  THIS IS NOT A REQUIREMENT!!

Your farm account can be a regular domain user, with no special requirements at all. The SharePoint Configuration Wizard assigns ALL the required privileges automatically (with the exception of DCOM activation, as detailed here, and the issue with %windir%\Tasks).
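As an added check (example script, not from the original post and not part of SharePoint), the following PowerShell audits every server in the farm for exactly this mis-configuration: the farm account sitting in the local Administrators group, either directly or via a group that needs reviewing. It also reports whatever access the account currently holds on %windir%\Tasks (reached through the admin$ share) so that entry can be examined rather than "fixed" by handing out local admin. The account name, server names and the use of the admin$ share are assumptions; replace them for your own farm.

```powershell
# Added audit script (not from the original post or from SharePoint itself).
# Flags the mis-configuration the post warns about: the farm account as a
# member of the local Administrators group on any farm server.
# Assumptions (hypothetical values, change them for your farm):
#   $FarmAccount - the domain account used for the config DB connection and
#                  the Central Administration app pool
#   $FarmServers - every Windows server in the farm
# Run it as an administrator (remote ADSI WinNT reads and admin$ need that);
# the point is that *you* hold admin, not the service account.
# Plain Windows PowerShell 2.0+, no SharePoint snap-in required.
param(
    [string]   $FarmAccount = 'CONTOSO\svc-spfarm',                  # assumption
    [string[]] $FarmServers = @('sp-app01', 'sp-wfe01', 'sp-wfe02')   # assumption
)

function Get-LocalGroupMembers {
    param([string]$Server, [string]$Group)
    # ADSI WinNT provider enumerates a local group's members remotely.
    $grp = [ADSI]"WinNT://$Server/$Group,group"
    foreach ($m in @($grp.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/svc-spfarm  ->  CONTOSO\svc-spfarm
        New-Object PSObject -Property @{
            Name  = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class = $class      # 'User' or 'Group'
        }
    }
}

$findings = @()
foreach ($server in $FarmServers) {
    $members = @(Get-LocalGroupMembers -Server $server -Group 'Administrators')

    # Direct membership: the farm account itself listed as a local admin.
    if ($members | Where-Object { $_.Class -eq 'User' -and $_.Name -eq $FarmAccount }) {
        $findings += "$server : $FarmAccount is a direct member of local Administrators"
    }

    # Indirect membership: a group inside local Administrators might contain
    # the farm account. This script does not expand domain groups, so it
    # flags each one for manual review instead of silently passing.
    foreach ($g in ($members | Where-Object { $_.Class -eq 'Group' })) {
        $findings += "$server : review group $($g.Name) in local Administrators"
    }

    # The post notes %windir%\Tasks is not covered by the wizard. Report what
    # the farm account currently holds there (via admin$ = %windir%) so the
    # entry can be reviewed; this is informational, not a failure.
    $acl = Get-Acl -Path "\\$server\admin`$\Tasks"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $FarmAccount } |
        ForEach-Object { "$server : Tasks ACL -> $($_.FileSystemRights) ($($_.AccessControlType))" }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1          # fail the hygiene check
}
Write-Host "OK: $FarmAccount is not a local administrator on any farm server."
exit 0
```

Run it from an admin workstation after the Configuration Wizard has finished and again after any hotfix, since the comments below report that hotfix installs can undo a least-privilege setup. A non-zero exit code makes it easy to drop into a scheduled compliance job.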

So why do so many admins configure this account with local admin rights?

Well, first up: previously (with WSS v2 and SPS SP1 and above) this was a requirement. A really nasty one, especially when trying to deploy in organizations with sensible security policies (or "strong security postures", as marketing types trying to make security sexy say these days). It's not unreasonable to assume the equivalent principal needs the same privileges in the new versions, especially if the so-called "IT Professional" has an aversion to reading documentation and then thinking.

Secondly, and most annoyingly, so-called authoritative sources state this as a requirement. Examples include the SharePoint Administrator's Companion and the SharePoint Administrator's Pocket Consultant, both from MS Press. Both titles state incorrect account requirements numerous times. There are also a bunch of "how to install SharePoint" blogs out there pushing the same mis-configuration.

Funnily enough, the last word on accounts over at TechNet is actually correct. One can only speculate that the authors of the erroneous material couldn't be bothered to get things working without the old local admin "workaround".

Thirdly, well - we can all tell jokes about lame admins we've experienced from the not too distant past can't we?

As part of my ongoing platform hygiene public service activities, I will once again say:

OI! NO!
Your SharePoint Farm Account DOES NOT need local admin privileges!

Don't assign them. Apart from being a really silly thing to do, your customers won't appreciate it.

Feedback


# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Funny enough, I've seen the same thing. Seasoned v2 / 03 developers and infrastructure guys giving their accounts local admin. At which point I basically want to scream and say, "What the heck do you think you're doing?"

7/4/2007 11:08 PM | grayghost

# SharePoint Least Privilege Install

This is a great introduction to a few issues that will keep you from performing a least privilege install of SharePoint v3/2007. In particular the file permission issue for the Tasks directory was pretty insidious and is what has tripped me up in the past. It's good to see that the instruction guides were correct although one wonders how they made that statement without testing it appropriately (In which case they would have seen the errors that plague the attempt to install SharePoint as a non-Admin user). What is also interesting is that apparently, SharePoint hotfix installations can break least privilege installs....

7/9/2007 1:39 PM | Ravings of an Intermittent Fool

# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Is there a possible way to update the farm account? I specified a local system account initially at the time of installation, and want to change it to a domain account now, for adding more servers to the farm.

2/27/2009 10:44 AM | Dev

# related nonsense: resolving 7903 errors

Related stupidity: when installing MOSP on the same server as MOSS, it defaults to running the Project Server Queue Service under the Farm Service account. Many "work-arounds" suggest adding this account to local admin... However, if you change the account under which it is running to be the same as the SSP account, it resolves the issue without giving unnecessary privileges to the Farm Service Account. Original credit goes to:

dataerror.blogspot.com/.../...ue-system-could.html

2/2/2010 11:34 PM | BOFH

# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Thanks for the insight - As a DBA I keep harping on the same subject to my local Sharepoint "experts" about the lack of security in Redmond regarding Sharepoint security. What in the world are they thinking? A SP farm account needs not only local admin so they say, but sysadmin on my SQL Box to not only install but also to run!!! It is nice to see someone with SANITY with regards to Sharepoint configuration.

10/4/2010 1:36 AM | Michael Demmitt
