Necessary privileges for accounts

Topics: General Questions
Nov 10, 2013 at 12:41 AM
Edited Nov 10, 2013 at 12:42 AM
Could someone help me with the necessary permissions for all these different accounts in a SharePoint 2013 install? There's quite a few accounts you come across with the default settings, but it's really unclear what access each one needs.

I found this site: http://blog.fpweb.net/understanding-autospinstaller-what-you-need-to-know/ but this doesn't seem to be very accurate.

SP_Install
SP_Farm
SP_Services
SP_PortalAppPool
SP_ProfilesAppPool
SP_SearchService
SP_CacheSuperUser
SP_CacheSuperReader
SP_ExcelUser
SP_VisioUser
SP_PerfPointUser
SP_ProfileSync
SP_SearchContent
Coordinator
Nov 10, 2013 at 1:40 AM
SharePoint itself, and/or AutoSPInstaller will automatically grant the required rights for each account (including very temporarily adding some to the local Administrators group). They just need to be regular domain users which have NOT denied the right to log on locally.

The only exception is SP_Install, which must have local Admin rights on all target farm servers, as well as dbcreator and securityadmin on the SQL instance (minimum; sysadmin rights can be granted to be safe in case it needs to change instance-level settings on SQL like MaxDOP).

NONE of the other accounts need to remain in local Admins on the SharePoint servers, except in rare circumstances.

See http://technet.microsoft.com/en-us/library/cc263445.aspx for more info.

Brian
Nov 10, 2013 at 2:07 AM
Thank you for that very succinct answer.