
Distributed Cache service account (during setup)


Hi Brian,

Thank you for the incredible effort that you have put in to create this tool! It makes deployment such a piece of cake!!

Just realized that when the Distributed Cache service is being set up, the script is using the app pool account for the service; specifically it uses the ManagedAccount with CommonName="spservice".

I am referring to line# 1681 in the "AutoSPInstallerFunctions.ps1", function "UpdateProcessIdentity".
Specifically it is as shown below:
$managedAccountGen = Get-SPManagedAccount | Where-Object {$_.UserName -eq $($spservice.username)}

However, the TechNet article suggests that the "Farm Account" is used to set up the service.

Should this be changed to the default Farm Account?

Thank you
Closed Jan 19 at 2:28 AM by brianlala


AshokGopalan wrote Jan 19 at 12:56 AM

Hello again!

Thought of something additional as I was working through this in my mind.

Do you think it would be beneficial to have additional ManagedAccount elements defined with specific CommonName attributes like:

and the same could be used in the corresponding service activation scripts? This will even take care of the MS security best practice recommendations of using least-privileged accounts for services.

I am thinking that this would be really useful for organizations that have the business need to implement a least-privileged security model in their SharePoint environment.

Thank you

brianlala wrote Jan 19 at 2:28 AM

No, that's the whole idea - SharePoint by default sets it to the Farm Account, but it's advised to change it to something else, which is exactly what AutoSPInstaller does. We use spservice to avoid a proliferation of accounts and because it's well-suited for this purpose. It would be overkill to use separate accounts for each and every service.


AshokGopalan wrote Jan 19 at 2:54 AM

Hi Brian,

Thanks for the prompt response.

I think I may have not clarified my statement or may have misunderstood the current default values used in the script. My apologies for that.

I see that the default managed account for the "spservice" currently uses CONTOSO\SP_Services. This tells me that almost all Service Applications, except Search and some others using specific accounts, will be provisioned using the CONTOSO\SP_Services account.

I am not suggesting using a separate account for each and every service, that will surely be overkill. Just that the script could have different CommonNames defined for each service, with a default value set to CONTOSO\SP_Services. Folks could then choose to either go with a common account for all services or use specific domain accounts if they so choose, depending upon their requirements. It just makes it a little simpler to configure the farm.

Just a thought.

Thanks once again!
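
A sketch of the per-service CommonName lookup with a fallback to "spservice" that this thread discusses, added here as an example and not taken from AutoSPInstaller. The XML layout, the CommonName values other than "spservice", the SP_Farm and SP_Cache accounts, and the Resolve-ServiceAccount function are all hypothetical.

```powershell
# Constructed sample input. Only ManagedAccount, CommonName="spservice" and
# CONTOSO\SP_Services come from the thread; everything else is assumed.
[xml]$config = @'
<Farm>
  <Account><Username>CONTOSO\SP_Farm</Username></Account>
  <ManagedAccounts>
    <ManagedAccount CommonName="spservice"><Username>CONTOSO\SP_Services</Username></ManagedAccount>
    <ManagedAccount CommonName="distributedcache"><Username>CONTOSO\SP_Cache</Username></ManagedAccount>
  </ManagedAccounts>
</Farm>
'@

# Hypothetical helper: resolve the account for a service by CommonName,
# falling back to the shared "spservice" entry when none is defined.
function Resolve-ServiceAccount {
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [Parameter(Mandatory = $true)][string]$CommonName,
        [string]$DefaultCommonName = 'spservice'
    )
    $accounts = @($Config.Farm.ManagedAccounts.ManagedAccount)
    $entry = $accounts | Where-Object { $_.CommonName -eq $CommonName } | Select-Object -First 1
    $usedFallback = $false
    if (-not $entry) {
        $entry = $accounts | Where-Object { $_.CommonName -eq $DefaultCommonName } | Select-Object -First 1
        $usedFallback = $true
    }
    if (-not $entry) {
        throw "No ManagedAccount found for '$CommonName' or '$DefaultCommonName'."
    }
    # Flag any service that would end up running as the farm account.
    $farmAccount = $Config.Farm.Account.Username
    [pscustomobject]@{
        Service           = $CommonName
        Username          = $entry.Username
        UsedFallback      = $usedFallback
        RunsAsFarmAccount = ($entry.Username -eq $farmAccount)
    }
}

# 'usercode' has no entry of its own, so it resolves to the spservice account.
'distributedcache', 'usercode' | ForEach-Object {
    Resolve-ServiceAccount -Config $config -CommonName $_
} | Format-Table -AutoSize
```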