MOSS 2007 – Accounts

MOSS machine – 172.24.65.211 LorSrv011 (SharePoint)
Local Administrators group:
Members:
 
lorsinclair\LorMossFarmAdmin
lorsinclair\LorMossSetup
lorsinclair\LorSqlAdmin
 
 
SQL Server 2008 machine – 172.24.65.210 LorSrv010 (SQL Server 2008)
 
 
Local users and groups:

Administrators group: member – lorsinclair\LorSqlAdmin
 
On the SQL Server 2008 instance

Security > Logins > Server Roles:

login LorSqlAdmin – public and sysadmin (sysadmin alone is enough to create databases)

For good measure I additionally assigned the following roles to the LorSqlAdmin login:
  • dbcreator
  • public
  • serveradmin
  • securityadmin
  • sysadmin
  • setupadmin
Note that sysadmin already bypasses every permission check on the instance, so the other roles add nothing; on a production farm, prefer one account per function holding only the roles that function needs (see the per-account requirements below).
Running MOSS Setup
On every server where MOSS is to be installed, the account you run Setup with must belong to the local Administrators group. In addition, it must be a domain user account and must have a SQL Server login that is a member of the securityadmin and dbcreator fixed server roles. This account does a lot during installation (creating new databases and new IIS sites), so make sure it has enough permissions. It is common to run the installation as the domain administrator, which satisfies all of these requirements at once, but a dedicated setup account holding only the rights above (such as the LorMossSetup account listed in the local Administrators group at the top of this page) is the least-privilege choice.
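As an added example (not part of the original post), the T-SQL below creates the dedicated setup login with only the two fixed server roles Setup needs, then reports every fixed server role held by the farm's logins and flags roles made redundant by sysadmin. The login name LORSINCLAIR\LorMossSetup is taken from the local Administrators list at the top of this page; the LIKE filter on the domain prefix is an assumption and should be adjusted to your domain. Run it in SQL Server Management Studio against the LorSrv010 instance as a sysadmin login.

```sql
-- Added example, not from the original post: a least-privilege setup login
-- and an audit of fixed server role membership on the MOSS SQL instance.
-- Assumptions: the domain LORSINCLAIR and the login LorMossSetup are taken from
-- this page; the LIKE filter on the domain prefix is illustrative.
-- Run as a sysadmin login (adding members to a fixed server role requires
-- membership in that role).
USE master;
GO

-- 1. Dedicated setup account: Windows login, securityadmin + dbcreator only.
--    sp_addsrvrolemember is used because ALTER SERVER ROLE ... ADD MEMBER
--    only exists from SQL Server 2012 onwards.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'LORSINCLAIR\LorMossSetup')
    CREATE LOGIN [LORSINCLAIR\LorMossSetup] FROM WINDOWS;
GO
EXEC sp_addsrvrolemember @loginame = N'LORSINCLAIR\LorMossSetup',
                         @rolename = N'securityadmin';
EXEC sp_addsrvrolemember @loginame = N'LORSINCLAIR\LorMossSetup',
                         @rolename = N'dbcreator';
GO

-- 2. Audit: every fixed server role held by each domain login, one row per
--    (login, role). A login that holds sysadmin bypasses all permission checks,
--    so any other role on the same login is flagged as redundant.
WITH sysadmins AS (
    SELECT srm.member_principal_id
    FROM   sys.server_role_members srm
    JOIN   sys.server_principals  r ON r.principal_id = srm.role_principal_id
    WHERE  r.name = N'sysadmin'
)
SELECT  mem.name AS login_name,
        rol.name AS server_role,
        CASE WHEN rol.name <> N'sysadmin'
              AND mem.principal_id IN (SELECT member_principal_id FROM sysadmins)
             THEN 'redundant: covered by sysadmin'
             ELSE ''
        END      AS note
FROM    sys.server_role_members srm
JOIN    sys.server_principals rol ON rol.principal_id = srm.role_principal_id
JOIN    sys.server_principals mem ON mem.principal_id = srm.member_principal_id
WHERE   mem.name LIKE N'LORSINCLAIR\%'
ORDER BY mem.name, rol.name;
```

Against the LorSqlAdmin login as configured at the top of this page, the audit returns one row per assigned role except public (which has no membership rows, since every login is implicitly a member), and every row other than sysadmin is flagged as redundant.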
 
 
SQL Server (SQL_Service)
This account is specified when a new SQL Server is brought online or a new instance is installed. It is typically used to run both SQL Server and SQL Server Agent, although each can have its own account. For our purposes, we will use one account for both SQL Server and the Agent. The account only needs to be a basic domain account with no specific permissions set; when SQL Server is installed, all of the other required permissions are granted to it.
  
Database Access Account / Farm Account (Farm_Service)
This account serves several roles. First, it is the account MOSS uses to access its databases: the server(s) on which MOSS is installed read from and write to SQL Server under this identity. It is also the identity of the Central Administration application pool and of the Windows SharePoint Services Timer service. It must be a domain account. It is widely believed that it also has to be a local administrator on every MOSS box; this is not true, as Spence points out very eloquently.

This is the account to give as the database access account when running the configuration wizard!
 
 
Shared Service Provider (SSP#_Service)
Each shared service provider can run under its own account, therefore, it is desirable to name the account using a number. This way, if your MOSS farm ends up having a large number of SSPs, you can map the SSPs back to their specific service accounts easily. This account is used for the SSP web services & the SSP timer jobs. The account only needs to be a basic Domain Account with no specific permissions set.
  
Office SharePoint Server Search (Search_Service)
LorMossSearchSvc
 
This account is used by all Shared Service Providers to crawl local and remote content. It should be a domain account with local administrator permissions on each MOSS server.
 
 
  
Default Content Access Account (SSP#ContentAccess_Service)
When a Shared Service Provider crawls content, this is the default account used unless a specific account (see below) is specified for the content source being crawled. There is one such account per SSP. It should be a domain account with read access to the content sources it needs to crawl.
  
Content Access Account (XXXXContent_Service)
LorSPSearcher

If you have specific content sources that need to be crawled and you do not want the default content access account to crawl them, you specify an individual content access account for them (at the time a crawl rule is set up). This account is a domain account with read permissions on the specific content source it crawls.
 
  
Windows SharePoint Services Search Account (WSSSearch_Service)
LorWssSearchSvc

In a MOSS farm, the Windows SharePoint Services Search service only provides search over the Help content. If this search feature is wanted, the account should be configured as a domain account with no specific permissions.
 
  
Application Pool Process Account (XXXXPool_Service)
When each application pool is set up, you must specify the account that will be used as that application pool's identity. This account is used to access the content databases associated with the Web application. It is recommended to create a new service account for each application pool. It should be a domain account with no specific permissions: when the account is specified and SharePoint creates the application pool, it automatically grants the account the additional permissions it needs.
 
 
 
MOSS Accounts
Setup User
I use the domain administrator:
lorsinclair\Administrator (this could instead be a dedicated account such as LorMossAdmin)
 
The user account that is used to run:
  • Setup on each server computer
  • The SharePoint Products and Technologies Configuration Wizard
  • The Psconfig command-line tool
  • The Stsadm command-line tool
 
 
 
 
Purpose: User account used to run Setup on each server
Scope: Farm
Used by: Person installing
Needed: Setup
Requirements: Member of the Administrators group on each Web front-end (WFE) server and application server computer in the farm. Has a SQL Server login that is a member of the securityadmin and dbcreator fixed server roles on the SQL Servers.

In this farm LORSINCLAIR\Administrator is therefore added as a SQL Server login with the server roles:
  • dbcreator
  • securityadmin
SQL Server Service
LorSqlAdmin – used as the service account during SQL Server setup or when a new instance is created.
Purpose: The account under which the SQL Server database engine and SQL Server Agent services run
Scope: Farm
Used by: MSSQLSERVER, SQLSERVERAGENT
Needed: Setup
Requirements: Member of the Administrators group on each server on which Setup runs, of the Administrators group on each SQL Server computer, and of the sysadmin, securityadmin and dbcreator fixed server roles. These are the broadest rights the planning tool lists; as noted under SQL Server (SQL_Service) above, a plain domain user account with no pre-assigned permissions is enough, since SQL Server setup grants the service account what it needs.
 
 
 
 
 
Server Farm
LorMossFarmAdmin: this is the account to supply during setup when the wizard asks for the database access account.
Purpose: Farm account, also referred to as the database access account
Scope: Farm
Used by: Central Administration site application pool identity
Needed: Setup
Requirements: Member of the Administrators group on each WFE server and application server computer in the farm (standard server farm requirement; as noted above, the least-privilege configuration does not require local administrator membership), with securityadmin and dbcreator rights on the SQL Servers. Database owner (dbo) of all databases; this and the additional permissions on WFE and application server computers are configured automatically when SharePoint is installed.
 
SSP App Pool
Purpose: Process identity of the SSP application pool
Scope: App
Used by: SSP App Pool identity
Needed: SSP creation
Requirements: No configuration is necessary. The following permissions are configured automatically when SharePoint is installed: dbo of the Shared Service Provider (SSP) content database, read/write on the SSP content database, read/write on the content databases of the Web applications associated with the SSP, read on the configuration database, read on the Central Administration content database, and additional permissions on WFE server and application server computers.
 
 
SSP Service Account
SSPService

Purpose: Service account of a specific SSP. Used by the following:
  • SSP Web services for inter-server communication
  • The application pool identity of the application pool associated with the SSP's virtual directory

Scope: Farm
Used by: SSP Timer service; SSP Web services
Needed: SSP creation
Requirements: Same as the SSP App Pool account
 
Search Default Content Access Account
Purpose: The default account used within a specific SSP to crawl content, unless a crawl rule specifies a different authentication method for a URL or URL pattern.
Scope: App
Used by: Office SharePoint Server Search (the crawler) of that SSP
Needed: SSP creation
Requirements: Must be a domain account, but must not be a member of the Farm Administrators group. It needs read access to the external or secure content sources you want to crawl with it. Additional permissions for this account are configured automatically when SharePoint is installed.
  
Search Specific Content Access Account
SPSearcher

Purpose: An optional account configured to replace the default content access account for crawling a specific content source. It is specified when you create a new crawl rule; for example, a content source external to Office SharePoint Server 2007 (such as a file share) may require a different access account.
Scope: Rule
Used by: Office SharePoint Server Search (the crawler), for the URLs matched by the crawl rule
Needed: Creating a new crawl rule
Requirements: Read access to the external or secure content sources this account is configured to access.
 
User Profile and Properties Content Access Account
Purpose: Used to connect to a directory service, such as Active Directory, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog (BDC) application, or another directory source, and to import profile data from it. If no account is specified, the Search Default Content Access account is used; if that account does not have read access to the directories you want to import from, specify a different account. Plan for up to one account per directory connection.
Scope: App
Used by: Profile import
Needed: SSP creation
Requirements: Read access to the directory service. For an Active Directory connection that uses server-side incremental import, the account needs the Replicate Changes permission on Active Directory as provided by Windows 2000 Server; this permission is not required for Windows Server 2003 Active Directory. The Manage User Profiles right, and View rights on the entities used by Business Data Catalog import connections.
 
Excel Services Unattended Service Account
Purpose: Excel Calculation Services uses this account to connect to data sources that require a user name and password for authentication. If none is specified, the SSP App Pool account is used. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool account.
Scope: App
Used by: Excel Services
Needed: SSP creation
Requirements: Read/write access to the Excel data sources.
 
 
App Pool Identity
Purpose: The user account that the worker processes servicing the application pool use as their process identity. It is used to access the content databases associated with the Web applications that reside in the application pool. Plan one account per application pool.
Scope: App
Used by: Web applications
Needed: Application pool (Web application) creation
Requirements: No configuration is necessary. SQL Server privileges assigned automatically to this account: member of db_owner on the content databases associated with the Web application, read/write access to the associated SSP database only, and read permission on the configuration database. Additional privileges on WFE servers and application servers are configured automatically by SharePoint.
   
 
Office SharePoint Server Search service account
LorMossSearchSvc
Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service, and it is used by all SSPs to write content index files to the index location on index servers and to propagate the searchable index to all query servers in a Microsoft Office SharePoint Server 2007 farm.

Windows SharePoint Services Search service account
LorWssSearchSvc
Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm.

Windows SharePoint Services Search content access account
Used by the Windows SharePoint Services Search application server role to crawl content across sites.
 
 
 
Server farm requirements
If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the permissions they need to perform their processes across multiple computers. The server farm standard requirements describe the minimum configuration necessary to operate in a server farm environment. For a more secure environment, use the least-privilege administration requirements with domain user accounts.
For the list of standard requirements for server farm environments, see the Office SharePoint Server security account requirements planning tool (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409), or the "Technical reference: Account requirements by scenario" section of the Microsoft planning article this text is taken from.
For some accounts, additional permissions or database access are configured when you run Setup; these are noted in the accounts planning tool. One configuration that database administrators should be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:
  • SharePoint_Config database (configuration database)
  • SharePoint_AdminContent database
Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.
For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured. For the SharePoint_Config database, for example, access to the following stored procedures is automatically configured:
  • proc_dropEmailEnabledList
  • proc_dropEmailEnabledListsByWeb
  • proc_dropSiteMap
  • proc_markForDeletionEmailEnabledList
  • proc_markForDeletionEmailEnabledListsBySite
  • proc_markForDeletionEmailEnabledListsByWeb
  • proc_putDistributionListToDelete
  • proc_putEmailEnabledList
  • proc_putSiteMap
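To verify what Setup actually granted, here is an added T-SQL audit (example code, not from this page or from Microsoft) for the configuration database. It lists the members of WSS_Content_Application_Pools and db_owner, then the object-level permissions the WSS_Content_Application_Pools role holds, and finally any grant that falls outside the documented baseline of EXECUTE on stored procedures. The database name SharePoint_Config is the default named on this page; run it as a login that can read the catalog views (a sysadmin will do). In SharePoint_AdminContent the same role additionally holds SELECT on dbo.Versions, so that one row is expected there and is not a finding.

```sql
-- Added example, not from the original post or from Microsoft: audit of what
-- Setup granted inside the configuration database.
-- Assumption: the database is named SharePoint_Config (the default on this page).
-- Run as a login that can read the catalog views (a sysadmin will do).
USE SharePoint_Config;
GO

-- 1. Who is in the roles Setup populates: the WSS_Content_Application_Pools
--    role (application pool identities) and db_owner (the farm account).
--    The SID join maps each database user back to its server login.
SELECT  r.name  AS db_role,
        m.name  AS db_user,
        sp.name AS mapped_login
FROM    sys.database_role_members drm
JOIN    sys.database_principals r  ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals m  ON m.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = m.sid
WHERE   r.name IN (N'WSS_Content_Application_Pools', N'db_owner')
ORDER BY r.name, m.name;

-- 2. Object-level permissions held by WSS_Content_Application_Pools.
--    Documented baseline for this database: EXECUTE on a subset of the
--    stored procedures (proc_putSiteMap, proc_dropSiteMap, ...).
--    Database-level permissions such as CONNECT have a different class and
--    are deliberately left out here.
SELECT  dp.state_desc,
        dp.permission_name,
        o.type_desc,
        SCHEMA_NAME(o.schema_id) + N'.' + o.name AS granted_on
FROM    sys.database_permissions dp
JOIN    sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
JOIN    sys.objects o              ON o.object_id     = dp.major_id
WHERE   pr.name = N'WSS_Content_Application_Pools'
  AND   dp.class_desc = N'OBJECT_OR_COLUMN'
ORDER BY o.type_desc, granted_on;

-- 3. Drift check: anything granted on an object that is not a stored
--    procedure, or any permission other than EXECUTE, is outside the baseline
--    and should be explained (in SharePoint_AdminContent the one expected
--    exception is SELECT on dbo.Versions).
SELECT  dp.permission_name,
        o.type_desc,
        SCHEMA_NAME(o.schema_id) + N'.' + o.name AS granted_on
FROM    sys.database_permissions dp
JOIN    sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
JOIN    sys.objects o              ON o.object_id     = dp.major_id
WHERE   pr.name = N'WSS_Content_Application_Pools'
  AND   dp.class_desc = N'OBJECT_OR_COLUMN'
  AND  (o.type NOT IN ('P', 'PC') OR dp.permission_name <> N'EXECUTE');
```

On a freshly installed farm the third query returns no rows for SharePoint_Config; a non-empty result means someone widened the role's rights after Setup, which is worth tracking down before it becomes the path by which a compromised application pool identity reaches farm configuration data.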
 
 
This article was published in Microsoft - MOSS 2007.