MCMSfaq.com: Content Management Server Resources
NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Easily the most irritating element of mis-configuration in a SharePoint 2007 farm is the assignment of local admin privileges (on each box in the farm) to the account used for connections to the configuration database and as the identity of the application pool hosting Central Administration (commonly referred to as the 'farm account').

THIS IS NOT A REQUIREMENT!!  THIS IS NOT A REQUIREMENT!!

Your farm account can be a regular domain user, with no special requirements at all. The SharePoint Configuration Wizard will assign ALL the required privileges automatically (with the exception of DCOM activation as detailed here, and the issue with %windir%\Tasks).
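As an added example (not code from the original post or from Microsoft), the following PowerShell script audits whether a farm account has crept into the local Administrators group on each server in the farm, which is the mis-configuration described above. The account name and the server names are placeholders you replace; it assumes you run it as a user who can read local group membership on those servers and that the WinNT ADSI provider is reachable.

```powershell
# Added example, not part of the original post.
# Report (and optionally remove) local Administrators membership of a
# SharePoint farm account on each farm server. Values below are placeholders.
param(
    [string]$FarmAccount = 'CONTOSO\sp_farm',       # placeholder: DOMAIN\user
    [string[]]$Servers   = @('SPWEB01', 'SPAPP01'), # placeholders: farm servers
    [switch]$Remove                                 # actually remove the membership
)

# Split "DOMAIN\user" into its two parts for the WinNT:// path comparison.
$domain, $user = $FarmAccount -split '\\', 2
$target = "WinNT://$domain/$user"

foreach ($server in $Servers) {
    try {
        # Bind to the local Administrators group on the remote machine.
        $group = [ADSI]"WinNT://$server/Administrators,group"

        # Members come back as COM objects; read each one's ADsPath,
        # which looks like WinNT://DOMAIN/name.
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
    } catch {
        Write-Warning "$server : could not read local Administrators ($_)"
        continue
    }

    $isAdmin = $members | Where-Object { $_ -ieq $target }

    if (-not $isAdmin) {
        Write-Output "$server : $FarmAccount is NOT in local Administrators - OK"
        continue
    }

    Write-Output "$server : $FarmAccount IS in local Administrators"

    if ($Remove) {
        # Membership removal only; the account itself is untouched.
        $group.Remove("$target,user")
        Write-Output "$server : removed $FarmAccount from local Administrators"
    }
}
```

Run it without -Remove first to get a report; once the farm account is confirmed to be a plain domain user everywhere, re-run with -Remove to pull it out of the group. If Central Administration or a service then fails, the cause is one of the two documented exceptions (DCOM activation or the %windir%\Tasks permissions), not a need for local admin.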

So why do so many admins configure this account with local admin rights?

Well first up, previously (with WSS v2 & SPS SP1 and above) this was a requirement. A really nasty one. Especially when trying to deploy in organizations with sensible security policies (or "strong security postures" as marketing types trying to make security sexy say these days). It's not unreasonable to assume the equivalent principal needs the same privileges in the new versions, especially if the so called "IT Professional" has an aversion to reading documentation and then thinking.

Secondly, and most annoyingly, so-called authoritative sources state this as a requirement. Examples include the SharePoint Administrator's Companion and the SPT Administrators Pocket Consultant, both from MS Press. Both titles repeatedly state incorrect account requirements. There's also a bunch of "how to install SharePoint" blogs out there pimping the same mis-configuration.

Funnily enough, the last word on accounts over at TechNet is actually correct. One can only speculate that the authors of the erroneous material couldn't be bothered to get things working without the old local admin "workaround".

Thirdly, well - we can all tell jokes about lame admins we've experienced from the not too distant past can't we?

As part of my ongoing platform hygiene public service activities, I will once again say:

OI! NO!
Your SharePoint Farm Account DOES NOT need local admin privileges!

Don't assign them: apart from the fact it's a really silly thing to do, your customers won't appreciate it.

posted on Tuesday, June 19, 2007 8:34 PM

Feedback


# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Funny enough, I've seen the same thing. Seasoned v2 / 03 developers and infrastructure guys giving their accounts local admin. At which point I basically want to scream and say, "What the heck do you think you're doing?"

7/4/2007 11:08 PM | grayghost

# SharePoint Least Privilege Install

This is a great introduction to a few issues that will keep you from performing a least privilege install of SharePoint v3/2007. In particular the file permission issue for the Tasks directory was pretty insidious and is what has tripped me up in the past. It's good to see that the instruction guides were correct, although one wonders how they made that statement without testing it appropriately (in which case they would have seen the errors that plague the attempt to install SharePoint as a non-Admin user). What is also interesting is that apparently, SharePoint hotfix installations can break least privilege installs....

7/9/2007 1:39 PM | Ravings of an Intermittent Fool

# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

I followed the least privilege installation guides and only allowed a domain user account as the farm account during the configuration wizard.

To my dismay, when I logged in to the Central Admin site using the farm account, several options were not available; for example: Services on Server.

I then assigned the domain user to the local admin group and the option showed up. I used the installation account (local admin); it also shows up.

Am I missing something, or should Central Administration be run by the installation account?

2/21/2008 4:30 AM | Troubled_SA

# re: NO! Your SharePoint Farm Account does NOT need local admin privileges. So don't give it them!

Troubled_SA: you should never log in to Central Admin as the farm account. The farm account is effectively a service account. Central Admin is designed to be accessed by members of Farm Administrators - for example the install account you tried (which is added to Farm Administrators automatically). You can add other users if you wish following installation.

hth
s.

2/24/2008 8:47 PM | spence
