Windows Service account for User profile Sync

Feb 10, 2012 at 9:34 AM

Hello, I installed my farm with the installer. All works OK. Only this is shown in the log:

Updating User Profile Synchronization Service to run as SPDEV\SVC_SP_SRVCS

When I go to security in CA and look at this service, the account above is shown. But in the services overview the Windows service runs as the farm account.

Feb 11, 2012 at 4:01 AM

That's normal, and expected. User Profile Sync should/will always really run as the farm account, we're just 'tricking' SharePoint into thinking it's running as another non-farm account so that we don't get the Health Analyzer warning.


Feb 22, 2012 at 3:40 PM

When I try to create an AD sync connection I get an error: "Access to resource denied" or other (see this thread).

When changing account back to farm account I can create AD sync connection. Is this a known issue?

Feb 27, 2012 at 10:07 AM
Edited Feb 27, 2012 at 10:08 AM

The AutoSPInstaller removes the farm account from local admin, but it doesn't grant the allow local login right. This is needed for the Forefront software. Also, creating AD sync connections doesn't work.

Feb 28, 2012 at 1:57 AM

I've never needed to grant the log on locally right to the farm account, unless there was a restrictive GPO in place that explicitly or effectively removed this right. And even then, the script wouldn't do much good to grant that right, because the GPO would override it the next time it was applied.

So this is something that needs to be raised in advance with the domain admins to ensure the farm account doesn't have that right revoked (or is excluded from the GPO).


Feb 29, 2012 at 9:57 AM

I have several SP2010 installations. By default the farm account has no logon locally rights. When this account is in the local admins group it does have the logon local right. On my developer box I have to change the default domain controller policy to get the job done. On a multi-server install all that has to be done is to change the local security policy.

Also see Spencer Harbar's guide. There it is also mentioned that logon local rights are needed.
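
The check discussed in this thread, as an added example that is not part of the original posts or of AutoSPInstaller: it parses a `secedit` user-rights export and reports whether an account holds "Allow log on locally" (`SeInteractiveLogonRight`) directly or through a group, and whether a deny entry cancels it. The function name, the sample policy lines and the farm account SID are constructed for illustration.

```powershell
# Added example: function, variable names and all sample values are constructed.
function Test-LogOnLocally {
    param(
        [string[]]$PolicyLines,  # lines from a secedit USER_RIGHTS export
        [string[]]$Principals    # SID of the account plus SIDs/names of its groups
    )
    # Parse "SeXxxRight = *SID,*SID,Name" into a table of right -> holders.
    $rights = @{}
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $allow = @($rights['SeInteractiveLogonRight']     | Where-Object { $Principals -contains $_ })
    $deny  = @($rights['SeDenyInteractiveLogonRight'] | Where-Object { $Principals -contains $_ })
    [pscustomobject]@{
        GrantedVia      = $allow -join ','
        DeniedVia       = $deny -join ','
        CanLogOnLocally = ($allow.Count -gt 0 -and $deny.Count -eq 0)
    }
}

# Constructed sample of an export. On a real server, produce the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $policy = Get-Content "$env:TEMP\rights.inf"
$policy = @(
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551'
    'SeDenyInteractiveLogonRight = Guest'
)
$farmSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # constructed SID

# Farm account after removal from local Administrators: only itself and Users.
Test-LogOnLocally -PolicyLines $policy -Principals $farmSid, 'S-1-5-32-545'
# Same account while still a member of Administrators (S-1-5-32-544).
Test-LogOnLocally -PolicyLines $policy -Principals $farmSid, 'S-1-5-32-544'
```

Running the check again after a Group Policy refresh shows whether a domain GPO is redefining the right, which is the case where a local grant would not persist.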