SharePoint User Accounts for Least Privilege Installs

One of the biggest recommendations when installing a SharePoint environment is to think carefully about which accounts will run which roles. TechNet has a large section on this called Plan for administrative and service accounts.

Reasons to use a least-privilege install

  • Permissions can be allocated to individual role accounts rather than giving "god mode" to one uber account.
  • Problems with a role's security can be isolated: the event log records the particular account name rather than one uber account, which pinpoints the role that is having issues.

There are various roles in SharePoint; the tables below summarise the accounts for a clean SharePoint farm install, using the example names from TechNet.

Setup Accounts

  Role: Setup account
  Example name: sp_admin
  Description: The user account that is used to run:
    • Setup on each server computer
    • The SharePoint Products and Technologies Configuration Wizard
    • The Psconfig command-line tool
    • The Stsadm command-line tool
  When configured: On logging into the server to install SharePoint
  Privileges:
    • Domain user account.
    • Member of the Administrators group on each server on which Setup is run.
    • SQL Server login on the computer running SQL Server.
    • Member of the following SQL Server security roles:
      o securityadmin fixed server role
      o dbcreator fixed server role
    If you run Stsadm commands that affect a database, this account must also be a member of the db_owner fixed database role for that database.
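The privileges listed for the setup account are easy to over-grant (a common shortcut is to make it sysadmin on SQL Server). The script below is an added example, not part of the original page or of TechNet: it grants exactly the local Administrators membership and the two fixed server roles from the table, then verifies them. It assumes the domain NetBIOS name DEMO, the example account name sp_admin, a SQL instance name held in $sqlInstance, and the Invoke-Sqlcmd cmdlet from the SQLPS/SqlServer module.

```powershell
# Added example (not part of the original page): grant the setup account the
# rights in the table above and check them, nothing more.
# Assumptions: domain NetBIOS name DEMO, account sp_admin (from the table),
# a SQL instance name in $sqlInstance, Invoke-Sqlcmd available (SQLPS/SqlServer).
$setupAccount = 'DEMO\sp_admin'
$sqlInstance  = 'SQL01'            # placeholder instance name, not from the page

# 1. Local Administrators on this server (Setup, Psconfig and Stsadm run here).
#    Idempotent: only add when the account is not already listed.
$members = net localgroup Administrators
if ($members -notcontains $setupAccount) {
    net localgroup Administrators $setupAccount /add | Out-Null
}

# 2. SQL Server login plus only the two fixed server roles the table calls for.
#    sp_addsrvrolemember is used because it also works on SQL Server 2008-era instances.
$grant = @"
IF SUSER_ID(N'$setupAccount') IS NULL
    CREATE LOGIN [$setupAccount] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$setupAccount', @rolename = N'securityadmin';
EXEC sp_addsrvrolemember @loginame = N'$setupAccount', @rolename = N'dbcreator';
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $grant

# 3. Verify: the two required roles must be present, sysadmin must not.
$check = @"
SELECT IS_SRVROLEMEMBER('securityadmin', N'$setupAccount') AS securityadmin,
       IS_SRVROLEMEMBER('dbcreator',     N'$setupAccount') AS dbcreator,
       IS_SRVROLEMEMBER('sysadmin',      N'$setupAccount') AS sysadmin;
"@
$row = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $check
if ($row.securityadmin -ne 1 -or $row.dbcreator -ne 1) {
    throw "$setupAccount is missing a required SQL Server role"
}
if ($row.sysadmin -eq 1) {
    Write-Warning "$setupAccount is sysadmin; that exceeds what the table requires"
}
```

Run it once per server where Setup will be executed (step 1 is per server; steps 2 and 3 only need to succeed once against the SQL instance). The db_owner membership mentioned in the table is per database and is left to the database owner to grant when it is actually needed.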

SQL

  Role: SQL Service
  Example name: sp_service
  Description: SQL Server prompts for this account during SQL Server Setup. It is used as the service account for the following SQL Server services:
    • MSSQLSERVER
    • SQLSERVERAGENT
    If you are not using the default instance, these services are shown as:
    • MSSQL$InstanceName
    • SQLAgent$InstanceName
  When configured: On running the SQL Server install
  Privileges: N/A

  Role: Default Content Access Account (also referred to as the database access account)
  Example name: sp_farm
  Description: This account is:
    • The application pool identity for the SharePoint Central Administration Web site.
    • The process account for the Windows SharePoint Services Timer service.
  When configured: On running the SharePoint install
  Privileges: N/A

Search

  Role: Windows SharePoint Services Search service
  Example name: sp_wsssearch
  Description: Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm; it is used to write content index files to the index location on index servers and to propagate the searchable index to all query servers in an Office SharePoint Server 2007 farm.
  When configured: Central Administration, when configuring Windows SharePoint Services Search
  Privileges: N/A

  Role: Windows SharePoint Services Search content access
  Example name: sp_wsscontent
  Description: Used by the Windows SharePoint Services Search application server role to crawl content across sites.
  When configured: Central Administration, when configuring Windows SharePoint Services Search
  Privileges: N/A

  Role: Office SharePoint Server Search service
  Example name: sp_mosssearch
  Description: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service; it is used by all SSPs to write content index files to the index location on index servers and to propagate the searchable index to all query servers in a Microsoft Office SharePoint Server 2007 farm.
  When configured: Central Administration, when configuring Microsoft Office SharePoint Search
  Privileges: N/A

SharePoint Services Providers (SSPs)

  Role: SSP Service
  Example name: sp_sspservice
  Description: Used for:
    • SSP Web services for inter-server communication
    • The application pool identity of the application pool associated with the virtual directory of a given SSP
  When configured: Central Administration, for each SSP created
  Privileges: N/A

  Role: SSP App Pool
  Example name: sp_sspapppool
  Description: SSP administration site application pool account. This account is used to run the application pool for the Web application that hosts the SSP administration site.
  When configured: Central Administration, for each SSP created
  Privileges: N/A

  Role: SSP My Site App Pool
  Example name: sp_mysitesapppool
  Description: SSP My Sites application pool account.
  When configured: Central Administration, for each SSP My Sites created
  Privileges: N/A

PowerShell script

The script below works on Windows Server 2008 R2 and creates one Active Directory account per role from the tables above.

# Install the Active Directory PowerShell module (part of RSAT) and load it
import-module servermanager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
import-module activedirectory

# Move into the AD: provider drive and the Users container; New-ADUser creates
# accounts in the current location when -Path is not given
cd AD:
cd "DC=demo,DC=readify,DC=net"
cd "CN=Users"

# One account per role, named as in the tables above
New-ADUser -Name "sp_service" -SamAccountName sp_service -DisplayName "sp_service" -Title "SQL Service" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_farm" -SamAccountName sp_farm -DisplayName "sp_farm" -Title "SharePoint Farm account" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_wsssearch" -SamAccountName sp_wsssearch -DisplayName "sp_wsssearch" -Title "Windows SharePoint Services Search service" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_wsscontent" -SamAccountName sp_wsscontent -DisplayName "sp_wsscontent" -Title "Windows SharePoint Services Search content access" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_mosssearch" -SamAccountName sp_mosssearch -DisplayName "sp_mosssearch" -Title "Office SharePoint Server Search Service" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_sspservice" -SamAccountName sp_sspservice -DisplayName "sp_sspservice" -Title "SSP service" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_sspapppool" -SamAccountName sp_sspapppool -DisplayName "sp_sspapppool" -Title "SSP Application Pool" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
New-ADUser -Name "sp_mysitesapppool" -SamAccountName sp_mysitesapppool -DisplayName "sp_mysitesapppool" -Title "MySite Application Pool" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "P@ssword1" -AsPlainText -force) -PassThru
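The script above embeds one plaintext password in every line and gives no way to confirm afterwards that the accounts really are unprivileged. The following is an added example, not the page's own script: it builds the same accounts from a single role table, prompts once for the password so it never sits in the script or the shell history, and then audits each account for membership of privileged groups, which is the check that makes the "individual role accounts" reasoning above hold. It assumes the RSAT AD module is installed, the domain demo.readify.net from the original script, and an OU path held in $ouPath (the OU name is an assumption; the original uses the Users container).

```powershell
# Added example (not the page's script): data-driven creation of the service
# accounts from the tables above, with a single password prompt and a
# least-privilege audit afterwards.
# Assumptions: RSAT AD module present, domain demo.readify.net as in the original,
# OU path in $ouPath (assumed OU name). Account names and titles come from the tables.
Import-Module ActiveDirectory

$ouPath = 'OU=SharePoint Service Accounts,DC=demo,DC=readify,DC=net'   # assumed OU
$roles = @(
    @{ Name = 'sp_service';        Title = 'SQL Service' },
    @{ Name = 'sp_farm';           Title = 'SharePoint Farm account' },
    @{ Name = 'sp_wsssearch';      Title = 'Windows SharePoint Services Search service' },
    @{ Name = 'sp_wsscontent';     Title = 'Windows SharePoint Services Search content access' },
    @{ Name = 'sp_mosssearch';     Title = 'Office SharePoint Server Search Service' },
    @{ Name = 'sp_sspservice';     Title = 'SSP service' },
    @{ Name = 'sp_sspapppool';     Title = 'SSP Application Pool' },
    @{ Name = 'sp_mysitesapppool'; Title = 'MySite Application Pool' }
)

# One prompt; the SecureString is never written to the script or the history.
$password = Read-Host -Prompt 'Password for the SharePoint service accounts' -AsSecureString

foreach ($role in $roles) {
    $name = $role.Name.Trim()      # guards against stray whitespace in a name
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Verbose "$name already exists, skipping"
        continue
    }
    # Service accounts: no forced password change, password does not expire,
    # and the Title/Description record which role the account belongs to so
    # event log entries can be traced back to a role.
    New-ADUser -Name $name -SamAccountName $name -DisplayName $name `
        -Title $role.Title -Description $role.Title -Path $ouPath `
        -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
        -AccountPassword $password
}

# Audit: a service account in any of these groups defeats the point of a
# least-privilege install. Report it rather than silently changing membership.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($role in $roles) {
    $groups = Get-ADPrincipalGroupMembership -Identity $role.Name.Trim() |
              Select-Object -ExpandProperty Name
    $hits = $groups | Where-Object { $privileged -contains $_ }
    if ($hits) {
        Write-Warning ("{0} is a member of privileged group(s): {1}" -f $role.Name, ($hits -join ', '))
    }
}
```

The audit loop is worth re-running after the farm is configured, since wizards and well-meaning administrators tend to add service accounts to local or domain administrator groups to get past an error; the warning names the account and the group, which is exactly the attribution the event log reasoning in the first section relies on.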

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License. Hosted generously by CustomWare