Jack of all that is Microsoft, Master of None

December 8, 2006

MOSS Setup / Service Accounts

Filed under: MOSS 2007, MOSS 2007 Beta 2, MOSS 2007 Beta 2 TR, SharePoint 2007 — cregan @ 1:15 pm

I’ve been working on a number of MOSS implementations lately, and I always get a lot of questions about which service accounts are needed to get the implementation rolling. Microsoft has a really nice, but very long, article on the accounts (http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true), but most of my clients have neither the time nor the inclination to read it. So I put together some basic guidelines on MOSS service accounts…

The following covers the most common service accounts that need to be set up, and their typical permissions, in order for MOSS to function properly. Each deployment is different, so these accounts may differ based on individual requirements. There are additional accounts you may need for other optional services, but they are not covered here. The underlying rule is the same for all of them: give each account only what its job requires, so that a compromised or locked-out account affects one piece of the farm rather than all of it.


Running MOSS Setup

On every server where MOSS is to be installed, the account you run setup with must be a member of the local Administrators group. It must also be a domain user with a login on the SQL Server instance that will host the farm databases, and that login must belong to the securityadmin and dbcreator fixed server roles (there is no “Logins” role; the login itself is the first requirement). This account is going to be doing a lot, creating new databases and new IIS sites, so make sure it has enough permissions. It is tempting to run setup as the domain administrator, which covers every requirement, but a dedicated setup account that holds exactly these rights is the better choice: once the farm is built it can be removed from the local Administrators groups or disabled outright, and nothing in the running farm depends on it.
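The checks above, as an added pre-flight script (this is editor-supplied example code, not part of the original post). Run it on each MOSS server while logged on as the account you intend to run setup with, before launching setup.exe. It verifies local Administrators membership from the current token and asks SQL Server directly which server roles the connecting login holds; it also flags sysadmin, which setup does not need. The instance name MOSS-SQL1 is an assumption.

```powershell
# Added example, not from the original post. Run ON each MOSS server, logged on as
# the intended setup account, before launching setup.exe.
# Assumed: SQL instance name MOSS-SQL1, Windows (integrated) authentication.
$sqlInstance = 'MOSS-SQL1'

function Test-LocalAdministrator {
    # True when the current logon token carries BUILTIN\Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SqlRoleStatus([string]$instance) {
    # SUSER_SNAME() is the login of this connection; IS_SRVROLEMEMBER with one
    # argument tests that same login (1 = member, 0 = not). SQL Server 2005+.
    $query = @"
SELECT SUSER_SNAME()                     AS LoginName,
       IS_SRVROLEMEMBER('securityadmin') AS IsSecurityAdmin,
       IS_SRVROLEMEMBER('dbcreator')     AS IsDbCreator,
       IS_SRVROLEMEMBER('sysadmin')      AS IsSysAdmin
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI")
    try {
        $conn.Open()   # throws "Login failed" when this account has no SQL login at all
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $toInt = { param($v) if ($v -is [DBNull]) { 0 } else { [int]$v } }
        New-Object PSObject -Property @{
            LoginName       = [string]$r['LoginName']
            IsSecurityAdmin = & $toInt $r['IsSecurityAdmin']
            IsDbCreator     = & $toInt $r['IsDbCreator']
            IsSysAdmin      = & $toInt $r['IsSysAdmin']
        }
    } finally { $conn.Close() }
}

if (Test-LocalAdministrator) {
    Write-Host "OK   : $env:USERDOMAIN\$env:USERNAME is a local Administrator on $env:COMPUTERNAME"
} else {
    Write-Warning "FAIL : $env:USERDOMAIN\$env:USERNAME is not a local Administrator on $env:COMPUTERNAME"
}

try {
    $s = Get-SqlRoleStatus $sqlInstance
    foreach ($role in 'IsSecurityAdmin', 'IsDbCreator') {
        if ($s.$role -eq 1) { Write-Host "OK   : $($s.LoginName) holds $role on $sqlInstance" }
        else                { Write-Warning "FAIL : $($s.LoginName) lacks $role on $sqlInstance" }
    }
    if ($s.IsSysAdmin -eq 1) {
        Write-Warning 'NOTE : login is sysadmin; setup does not need it, remove after the install'
    }
} catch {
    Write-Warning "FAIL : cannot log in to $sqlInstance as this account ($($_.Exception.Message))"
}

# If a FAIL is reported for SQL, a DBA fixes it with (login name assumed):
#   CREATE LOGIN [DOMAIN\MOSS_Setup] FROM WINDOWS;
#   EXEC sp_addsrvrolemember 'DOMAIN\MOSS_Setup', 'securityadmin';
#   EXEC sp_addsrvrolemember 'DOMAIN\MOSS_Setup', 'dbcreator';
```

The script deliberately tests the token it is running under rather than reading group membership from Active Directory, because that is exactly what setup.exe will see; a nested group that does not resolve on this box shows up here as a FAIL rather than as a failed install an hour later.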


SQL Server (SQL_Service)

This account is specified when a new SQL Server is brought online or a new instance is installed. It is typically used to run both the SQL Server service and the SQL Server Agent, although each can have its own account; for our purposes we will use one account for both. The account only needs to be a basic domain account with no additional rights: SQL Server setup grants it the local rights on the database server and the server-level permissions it needs.
 


Database Access Account / Farm Account (Farm_Service)

This account serves several roles. It is the identity MOSS uses to talk to SQL Server: every MOSS server reads from and writes to the farm databases as this account. It is also the identity of the Central Administration application pool and of the Windows SharePoint Services Timer service. It needs to be a domain account; the SharePoint Products and Technologies Configuration Wizard adds it as a SQL login in the securityadmin and dbcreator roles, so nothing has to be granted by hand. It is widely believed that this account also has to be a local administrator on every MOSS box. It does not, as Spence points out very eloquently, and giving it local admin means that whoever compromises the farm account owns every server in the farm.


Shared Service Provider (SSP#_Service)

Each Shared Service Provider can run under its own account, so it is worth numbering the account names. If your MOSS farm ends up with a large number of SSPs, you can then map each SSP back to its service account at a glance. This account is used for the SSP web services and the SSP timer jobs. It only needs to be a basic domain account with no additional rights.
 

Office SharePoint Server Search (Search_Service)

This account is used by every Shared Service Provider to crawl local and remote content. It should be a domain account and, like the farm account, does not need to be a local administrator on the MOSS servers; the Microsoft article linked above does not require that, and an account that touches every content source in the farm is the last one you want holding local admin.
 

Default Content Access Account (SSP#ContentAccess_Service)

When a Shared Service Provider crawls content, this is the account it crawls with unless a specific account (see below) has been set for the content source in question. There is one per SSP. It should be a domain account with read access to the content sources it needs to crawl, and nothing more: a crawler that can write is a crawler that can be abused.
 

Content Access Account (XXXXContent_Service)

If you have specific content sources that the default content access account should not be able to read, you specify an individual content access account for them (set at the time a Crawl Rule is created). This is a domain account with read permission only on the content source it crawls.
 

Windows SharePoint Services Search Account (WSSSearch_Service)

In MOSS, Windows SharePoint Services Search is used only to provide search within the Help content. If that search feature is desired, configure this as a domain account with no additional rights.
 

Application Pool Process Account (XXXXPool_Service)

When each application pool is set up, you must specify an account to be used as that application pool’s identity. That account is what the web application uses to access its content databases, so a separate service account for each application pool is recommended: a compromise of one pool’s identity then exposes only that pool’s databases, and a locked-out or expired account takes down one web application rather than all of them. The account should be a domain account with no additional rights; when you specify it and SharePoint creates the application pool, SharePoint grants it the database permissions it needs.
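Putting the whole list together, here is an added example (editor-supplied, not code from the original post) that provisions the accounts above as plain domain users under the post’s naming convention and then audits the two things MOSS will not enforce for you: that no service account sits in a MOSS server’s local Administrators group, and that no two IIS application pools share an identity. It assumes the ActiveDirectory PowerShell module (RSAT), the OU and server names shown, a single SSP numbered 1, and the IIS 6 WMI provider on the MOSS servers. The Central Administration pool runs as Farm_Service, so it gets no separate pool account.

```powershell
# Added example, not from the original post. Assumed: ActiveDirectory module,
# the OU and server names below, one SSP (number 1), IIS 6 WMI provider on MOSS boxes.
Import-Module ActiveDirectory

$ou          = 'OU=SharePoint Service Accounts,DC=corp,DC=example,DC=com'
$mossServers = 'MOSS-WFE1', 'MOSS-APP1'
$accounts    = @(
    'Farm_Service',               # database access / farm account, Central Admin pool, Timer service
    'SSP1_Service',               # SSP web services and SSP timer jobs
    'Search_Service',             # Office SharePoint Server Search
    'SSP1ContentAccess_Service',  # default content access account for SSP1
    'WSSSearch_Service',          # Windows SharePoint Services Search (Help content)
    'SSP1Pool_Service',           # application pool: SSP1 web application
    'MySitesPool_Service',        # application pool: My Sites
    'IntranetPool_Service'        # application pool: content web application
)

# 1. Create any account that does not exist yet. No group memberships are added:
#    everything each account needs is granted by MOSS setup or the configuration UI.
foreach ($name in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -AccountPassword (Read-Host "Password for $name" -AsSecureString) `
        -Enabled $true -CannotChangePassword $true `
        -Description 'MOSS 2007 service account: no local admin, no interactive logon'
}

# 2. Local Administrators membership on a MOSS server, via the ADSI WinNT provider
#    (works against Windows Server 2003 with no extra modules). Returns bare names.
function Get-LocalAdministrators([string]$server) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

# 3. Application pool identities from the IIS 6 metabase over WMI.
#    AppPoolIdentityType 3 = a specific (configurable) user account.
function Get-AppPoolIdentities([string]$server) {
    Get-WmiObject -ComputerName $server -Namespace 'root\MicrosoftIISv2' `
        -Class IIsApplicationPoolSetting -Authentication PacketPrivacy |
        Where-Object { $_.AppPoolIdentityType -eq 3 } |
        Select-Object Name, WAMUserName
}

foreach ($server in $mossServers) {
    foreach ($hit in (Get-LocalAdministrators $server | Where-Object { $accounts -contains $_ })) {
        Write-Warning "$server : service account $hit is a local Administrator; remove it"
    }
    $shared = Get-AppPoolIdentities $server | Group-Object WAMUserName | Where-Object { $_.Count -gt 1 }
    foreach ($g in $shared) {
        $pools = ($g.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "$server : identity $($g.Name) is shared by pools $pools; give each its own account"
    }
}
```

The local Administrators check compares bare user names, so it will also catch a service account that was added through a domain group only if that group’s name is in the list; if your environment nests accounts through groups, extend the comparison to the group names you use. The IIS metabase requires packet-privacy authentication for remote WMI reads of application pool settings, which is why the call sets it explicitly.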

33 Comments »

  1. Nice post. A bit easier to read than the Official Microsoft one. 🙂 Thanks.

    Comment by Kaisa — January 4, 2007 @ 10:25 am

  2. 5 Things you dont know about me (Thanks Heather)

    The epidemic is spreading… I have been tagged by my bud Heather
    Happy New Year to all and here goes…

    Trackback by Bob Fox's Sharepoint Blog — January 6, 2007 @ 12:41 am

  3. Ya – nice

    Comment by PH — January 25, 2007 @ 2:14 am

  4. Thanks!!

    Comment by sten — February 7, 2007 @ 7:56 am

  5. can most accounts not just be superuser’s on the server instead of administrator?

    Comment by craig — July 30, 2007 @ 5:50 am

  6. Craig – you don’t want most of these accounts to have ‘superuser’ (aka Administrator) rights. Most of them require very few permissions, and you want to limit the ways in which you can be compromised, hence why I break things out into so many accounts. Each one is limited in what it can do… so if one gets hijacked, you aren’t completely hosed.

    Comment by cregan — October 2, 2007 @ 5:43 pm

  7. Thanks. I needed this post. Microsoft explanations often don’t explain. However, I’m confused. You say the Farm_service account and the SSP#_Service accounts are also used for application pool identities. But then you finish by indicating that each pool gets its own account for the pool identity, such as XXXPool_Service.

    Comment by Phill — February 22, 2008 @ 12:14 pm

  8. And what’s the difference between the Search_Service, which you indicate is used by the SSPs to crawl content, and the SSP#ContentAccess_Service, which you indicate is used to crawl content?

    Comment by Phill — February 22, 2008 @ 12:44 pm

  9. Hi Phil,

    The Farm_Service account is used as the identity for the Central Administration application pool. That’s actually a mistake about the SSP#_Service account – as that account isn’t the application pool identity as well (thanks for checking me on this – I’ll make an update to the post).

    With the application pools, I create new XXXPool_Service accounts for the following app pools:
    -MySites
    -SSP
    -Content Sites

    With regards to the XXXContentAccess_Service & the Search_Service – the difference really comes into play when you have multiple application pools due to legal/regulatory reasons. Because for a single SSP implementation, there really is no difference between the accounts, and you could use just the Search_Service account to crawl all of your content. But if you then have an App Pool specific to the legal department, you’ll want a separate XXXContentAccess_Service account to crawl the legal content.

    I hope that clarifies things.

    Thanks,
    Chris

    Comment by cregan — February 22, 2008 @ 12:55 pm

  10. […] off the bat there is eight, and more to come with each new app pool account.  Check the post here, its […]

    Pingback by MOSS service accounts and passwords…made easy. « The New MOSSness — April 23, 2008 @ 11:51 am

  11. good

    Comment by the rock — April 25, 2008 @ 9:01 am

  12. OK NOT BAD

    Comment by RAMA KRISHNA . VEDULA — April 25, 2008 @ 9:02 am

  13. What if I built a MOSS farm and used my domain account for everything? How do I go about changing this after the fact? We need to get my domain account out of there as we take the system into production

    Comment by Mike — May 7, 2008 @ 7:16 pm
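The scenario in the comment above (a farm built under one person’s domain account that must be moved onto dedicated service accounts before production), as an added example that is not from the post or its author. It uses stsadm.exe, which ships with MOSS 2007 in the “12 hive”. It assumes DOMAIN\Farm_Service, DOMAIN\Search_Service and DOMAIN\SSP1_Service already exist as plain domain users, that the SSP is titled SharedServices1, and that a DBA has already given Farm_Service the SQL rights the old account had (a login, securityadmin, dbcreator and db_owner on the farm databases); do not rely on stsadm to grant those. Run it at the console of a farm server as a farm administrator who is a local Administrator there, and repeat step 1 on every server in the farm.

```powershell
# Added example, not from the original post. Assumed names: DOMAIN\Farm_Service,
# DOMAIN\Search_Service, DOMAIN\SSP1_Service, SSP title "SharedServices1".
$stsadm        = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$farmAccount   = 'DOMAIN\Farm_Service'
$searchAccount = 'DOMAIN\Search_Service'
$sspAccount    = 'DOMAIN\SSP1_Service'
$sspTitle      = 'SharedServices1'

function Read-PlainPassword([string]$label) {
    # stsadm only accepts a plain-text password, so the SecureString is unwrapped
    # just long enough to pass it on and the unmanaged copy is zeroed afterwards.
    $secure = Read-Host "Password for $label" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Invoke-Stsadm([string[]]$arguments) {
    & $stsadm @arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o $($arguments[1]) failed with exit code $LASTEXITCODE" }
}

# 1. Farm (database access) account: identity of the Central Administration pool and
#    the Windows SharePoint Services Timer service. Run on every server in the farm.
$farmPassword = Read-PlainPassword $farmAccount
Invoke-Stsadm @('-o', 'updatefarmcredentials', '-userlogin', $farmAccount, '-password', $farmPassword)

# 2. Office SharePoint Server Search service account (farm-wide).
$searchPassword = Read-PlainPassword $searchAccount
Invoke-Stsadm @('-o', 'osearch', '-farmserviceaccount', $searchAccount, '-farmservicepassword', $searchPassword)

# 3. Shared Service Provider account.
$sspPassword = Read-PlainPassword $sspAccount
Invoke-Stsadm @('-o', 'editssp', '-title', $sspTitle, '-ssplogin', $sspAccount, '-ssppassword', $sspPassword)

# 4. Web application pool identities have no stsadm switch in this release: change them
#    in Central Administration > Operations > Service Accounts, one pool at a time, then
#    run iisreset on each web front end. Later password rotations for a pool identity are
#    pushed farm-wide with:
#    stsadm -o updateaccountpassword -userlogin DOMAIN\IntranetPool_Service -password <new> -noadmin
```

Because stsadm takes the password on its command line, it is visible in the process list on that server for the duration of the call; run this from an interactive console rather than a shared remote session, and do not leave the passwords in a saved script. Once every identity has been moved, have the DBA drop the personal account’s SQL login and take it out of the local Administrators groups, then confirm the Timer service and the application pools still start.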

  14. MOSS service accounts and passwords…made easy….

    There is a great post floating out there about all of the se ……

    Trackback by Mini-Boss of Moss! — May 14, 2008 @ 4:10 pm

  15. 1. SQL Server need not be a domain account. We have numerous implementation running local/system account.

    2. Also, I agree with Chris, need separate app pools for MySite, SSP.

    Comment by Chetan — May 30, 2008 @ 8:13 pm

  16. Back from Orlando…

    So as most people were arriving for the IT week at TechEd I ……

    Trackback by SharePoint Brain Freeze - Josh Carlisle's Blog — June 11, 2008 @ 11:19 pm

  17. We’re running all application pools under one account here. Is it really important to split these up? Then for every web application we create we would need to create a new app pool AND a new service account for that app pool. Seems like overkill to me… please correct me if I’m wrong.

    Comment by Jonas — August 8, 2008 @ 2:47 am

  18. Jonas – It’s not overkill, when you think that if someone hijacks your one account, all of your web apps are at risk of exposure. In addition, if your web app has an account issue (password changes / gets locked out / etc.) all of your web apps will come to a screeching halt vs. just one of them. How much you break things out depends on your own security and governance requirements. If you’re extending things to the internet or extranet, the web apps that are extended should be isolated with their own app pools as well.

    Comment by cregan — August 8, 2008 @ 9:19 am

  19. Thank you for answering, will certainly take this under consideration.

    “On every server where MOSS is to be installed, the account you run setup with must belong to the local administrators group” – Can I remove the user from the administrators group when installation is done? Should I? Think I’ve read it could/should be done somewhere, but can’t seem to find it.

    Comment by Jonas — August 12, 2008 @ 4:29 am

  22. Thanks for this – much easier to understand than the msft one

    — can you tell me why the search service account needs to be a local admin – according to the msft doc – it does not need that

    and according to the Spence article you reference – we should NOT be giving individual accts local admin rights

    Comment by paze — October 10, 2008 @ 4:55 pm

  23. Hi,
    I have an issue where my MOSS admin account gets locked every time I start a manual full crawl. I have run the update farmcredentials utility, I am using a single domain user account which is a local admin on all MOSS servers.
    I have also checked and changed the default content access account but it still gets locked.

    Any ideas are greatly appreciated.

    Thanks,

    Comment by Speed — January 15, 2009 @ 1:18 am

  24. Clear and excellent.
    Thanks

    Comment by Venkateswara Rao — September 16, 2009 @ 6:29 am

  25. […] creagan: MOSS Setup / Service Accounts […]

    Pingback by MOSS 2007 Service Account Setup – Bryan's Tech KB — October 11, 2009 @ 12:48 am

  27. […] MOSS Setup / Service Accounts « Jack of all that is Microsoft, Master of None (tags: sharepoint security microsoft) […]

    Pingback by links for 2010-01-26 « Jet Grrl — January 26, 2010 @ 9:00 pm

  28. Super awesome read. Truly.

    Comment by Johnnie Fuentes — May 27, 2010 @ 6:43 am

  29. Hai.. nice article 🙂

    Thanks.

    Comment by panca — August 9, 2010 @ 3:23 am

  30. […] MOSS Setup / Service Accounts « Jack of all that is Microsoft, Master …Dec 8, 2006 … Running MOSS Setup. On every server where MOSS is to be installed, the account you run setup with must belong to the local administrators … […]

    Pingback by Moss setup | F1services — March 30, 2012 @ 6:46 am

  31. Every weekend I used to go to see this web page, because I want enjoyment,
    since this website contains actually pleasant funny material too.

    Comment by Jaime — September 10, 2013 @ 6:20 pm

  32. Very soon this web page will be famous amid all blog visitors, due to its pleasant articles

    Comment by Esperanza — September 16, 2013 @ 3:21 am

  33. Thanks for the good writeup. It in reality used to be an enjoyment account it.
    Look complicated to more introduced agreeable from you!
    By the way, how can we keep up a correspondence?

    Comment by youtube marketing — September 14, 2014 @ 4:00 am

