1

Closed

Distributed Cache service account (during setup)

description

Hi Brian,

Thank you for the incredible effort that you have put in to create this tool! It makes deployment such a piece of cake!!

Just realized that when the Distributed Cache service is being setup, the script is using the app pool account for the service; specifically it uses the ManagedAccount with CommonName="spservice".

I am referring to line# 1681 in the "AutoSPInstallerFunctions.ps1", function "UpdateProcessIdentity".
Specifically it is as shown below:
$managedAccountGen = Get-SPManagedAccount | Where-Object {$_.UserName -eq $($spservice.username)}

However the TechNet article (https://technet.microsoft.com/en-us/library/jj219613.aspx#changesvcacct) suggests that the "Farm Account" is used to setup the service.

Should this be changed to the default Farm Account?

Thank you
Ashok
Closed Jan 19 at 1:28 AM by brianlala
Q&A

comments

AshokGopalan wrote Jan 18 at 11:56 PM

Hello again!

Thought of something additional as I was working through this in my mind.

Do you think it would be beneficial to have additional ManagedAccount elements defined with specific CommonName attributes like:
CommonName="SecureSote",
CommonName="DistCache"
etc..

and the same could be used in the corresponding service activation scripts? This will even take care of the MS security best practice recommendations of using least-privileged accounts for services.

I am thinking that this would be really useful for organizations that have the business need to implement least-privileged security model in their SharePoint environment.

Thank you
Ashok

brianlala wrote Jan 19 at 1:28 AM

No, that's the whole idea - SharePoint by default sets it to the Farm Account, but it's advised to change it to something else which Is exactly what AutoSPInstaller does. We use spservice to avoid a proliferation of accounts and because it's well-suited for this purpose. It would be overkill to use separate accounts for each and every service.

Brian

wrote Jan 19 at 1:28 AM

AshokGopalan wrote Jan 19 at 1:54 AM

Hi Brian,

thanks for the prompt response.

i think I may have not clarified my statement or may have misunderstood the current default values used in the script. My apologies for that.

I see that the default managed account for the "spservice" currently uses CONTOSO\SP_Services. This tells me that all almost Service Applicaitions, except Search and some other using specific accounts, will be provisioned using the CONTOSO\SP_Services account.

I am not suggesting using separate account for each and every service, that will surely be an overkill. Just that, the script could have different CommonNames defined for each service with a default value set to CONTOSO\SP_Services. Folks could then choose to either go with a common account for all services or use specific domain accounts if they so choose to depending upon their requirements. It just makes it a little simpler to configure the farm.

Just a thought.

Thanks once again!
Ashok