DPM 2010 / SharePoint 2010 Farm Account

  • Question

  • Hello,

    I'm just wondering what account people are using for configuresharepoint.exe. I have one environment configured with the farm admin account, but I'm not sure how I feel about that because I'd rather not use the main SharePoint Farm account for other things. If I were to use another account, it seems like I would need to add it to the farm admins group and also give it DBO in SQL over the configuration database.

    Has anyone else done this? Any tips?

    Thanks,

    Aaron

    Tuesday, April 5, 2011 2:44 PM

Answers

  • Hi Aaron,

    As Deepan mentioned, we need farm admin to set the run-as credentials for the DCOM object named WssCmdLetWrapper. You won't be able to do SharePoint-specific operations without this.


    Thanks, Nutesh Garg [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Tuesday, April 19, 2011 5:45 AM

All replies

  • Hi Aaron!

    When you run the ConfigureSharePoint.exe executable, it will associate the inputted account with the logon for the VSS service for SharePoint. A good thing is to use a VSS account for SharePoint.


    Best Regards

    Robert Hedblom

    MVP DPM


    Check out my DPM blog @ http://robertanddpm.blogspot.com

    Monday, April 11, 2011 12:02 PM
    Moderator
  • Robert, a minor correction,

    We don't associate the input account with the Vss Writer credentials. We don't control that. We just register the writer and that typically enables the Vss Writer with a farm admin credential. However we don't control what is the account that will get used.

    However, we do set the input account as the run-as credentials of a DCOM object called WssCmdletWrapper. This component is a DPM-developed component and acts as an interface with the SharePoint API.


    Regards, Deepan [This posting is provided "AS IS" with no warranties, and confers no rights.] [P.S. If the post answers your question or guides you about what you're looking for, please mark it as answered.]
    Friday, April 15, 2011 4:48 PM
    Moderator
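
One way to check which account is configured as the run-as identity of the DCOM object described above, as an added example that is not part of the original thread or of DPM. It assumes the object is registered with a caption or description containing the name WssCmdletWrapper; the function name, parameters and the sample account are hypothetical.

```powershell
# Added example: report the configured RunAs identity of a DCOM application
# and compare it with the account you intended to use.
# Assumption: the application's Caption or Description contains the name used
# in this thread; adjust -NamePattern if it is registered under another name.
function Get-DcomRunAsIdentity {
    param(
        [string]$NamePattern     = '*WssCmdletWrapper*',
        [string]$ComputerName    = '.',
        # Hypothetical account to compare against, e.g. 'CONTOSO\svc-dpm' (constructed)
        [string]$ExpectedAccount = ''
    )

    # Win32_DCOMApplicationSetting exposes the per-AppID DCOM configuration,
    # including the RunAsUser value. Get-WmiObject is used so the function
    # also works on older Windows PowerShell versions.
    $apps = Get-WmiObject -Class Win32_DCOMApplicationSetting -ComputerName $ComputerName |
        Where-Object { $_.Caption -like $NamePattern -or $_.Description -like $NamePattern }

    if (-not $apps) {
        Write-Warning "No DCOM application matching '$NamePattern' found on '$ComputerName'."
        return
    }

    foreach ($app in $apps) {
        # An empty RunAsUser means no fixed identity is set for this AppID.
        $runAs = $app.RunAsUser
        if (-not $runAs) { $runAs = '<not set>' }

        # Only evaluate the comparison when an expected account was supplied.
        $asExpected = $null
        if ($ExpectedAccount) { $asExpected = ($runAs -ieq $ExpectedAccount) }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            AppID        = $app.AppID
            Caption      = $app.Caption
            RunAsUser    = $runAs
            AsExpected   = $asExpected
        }
    }
}

# Run on the web front end where ConfigureSharePoint.exe was executed.
Get-DcomRunAsIdentity -ExpectedAccount 'CONTOSO\svc-dpm' |
    Format-List ComputerName, Caption, AppID, RunAsUser, AsExpected
```

Re-running the check after any account change shows whether the run-as identity still matches the account you expect to hold farm-level rights.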
  • Thanks for the information, but I am still unsure on the proper permissions required for DPM.

    For example, initially I used the farm account which obviously has access to everything. In testing, I'm able to do item, site, and site collection restores without issue. However, I try to follow Microsoft's best practices in terms of least privileged accounts and whatnot, so I want to use an account specifically for DPM. So I created a new account, made it a local admin on the web front end used for DPM, configured it with the configuresharepoint.exe tool on the WFE, and gave it sysadmin privileges on the SQL server I am using (I'm not using a separate recovery farm). Item recoveries work fine but if I try to do a site collection restore, I get as far as the export step and I get this error in the export log:

    [4/15/2011 2:08:04 PM] Start Time: 4/15/2011 2:08:04 PM.
    [4/15/2011 2:08:04 PM] Progress: Initializing Export.
    [4/15/2011 2:08:04 PM] Progress: Starting Export.
    [4/15/2011 2:08:04 PM] Progress: Calculating Objects to Export.
    [4/15/2011 2:08:10 PM] Progress: Serializing Objects to Disk.
    [4/15/2011 2:08:10 PM] FatalError: The specified user domain\account could not be found.
    [4/15/2011 2:08:10 PM] Debug:    at Microsoft.SharePoint.Deployment.DeploymentStreamingContext..ctor(ObjectManager objectManager, DataFileManager fileManager, ViewFormsList viewForms) 
       at Microsoft.SharePoint.Deployment.ExportStreamingContext..ctor(XmlTextWriter xmlWriter, SPExportSettings settings, ExportObjectManager objectManager, ExportDataFileManager exportFileManager, ExportRequirementsManager requirementsManager, ViewFormsList viewForms)
       at Microsoft.SharePoint.Deployment.SPExport.SerializeObjects()
       at Microsoft.SharePoint.Deployment.SPExport.Run()
    [4/15/2011 2:08:10 PM] Progress: Export did not complete.

    The domain\account in the log is the new account I created and gave all the permissions to on the WFE and in SQL. What is perplexing is that I don't know why the export is trying to export that account in the first place. I also tried with both security selections (use original or target computer) in the restore settings, but I get the same failure.

    Any tips for this? Am I missing permissions somewhere?

    Thanks!

    Friday, April 15, 2011 7:53 PM
  • Hi Aaron,

    As Deepan mentioned, we need farm admin to set the run-as credentials for the DCOM object named WssCmdLetWrapper. You won't be able to do SharePoint-specific operations without this.


    Thanks, Nutesh Garg [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Tuesday, April 19, 2011 5:45 AM
  • Thanks, I will use the farm admin account.
    Thursday, April 21, 2011 7:23 PM
  • aaronzott

    Can you mark this thread as answered if you feel you have the answer?

    Roopesh

    Thursday, May 12, 2011 5:59 AM
    Moderator