Separate Service Account for SharePoint farm and Project Server Service Application and other services, what's Best

  • Question

  • I want to know the best practice for using different service accounts for different services. I have installed and configured SharePoint with the service account "SPAdmin" and now want to use different service accounts for "Project Server Service Application Name" and "Excel Services", etc.

    I previously got the answer that it is up to the organization's policy, but it is a crucial decision, so I want to have clarity on the following points before taking a decision.

    1) If the SharePoint farm Admin account would be having problems then these accounts would continue to work, In my of SharePoint will not work then these services will also not work, so what's the benefit of keeping additional accounts?

    2) Particularly for Project Server, if we use a different account then would there be any security problem or not, while adding the projects and users in the PWA?

    3) Will a different account create problems when running any tool like Playbook and Solution Starter, etc.?

    4) Will there be an impact on any backup restoration with the different account?

    Thanks in advance.


    Vinay Gupta
    Tuesday, October 4, 2011 6:44 PM

Answers

  • Hi,

    Best practices typically exist for good reason; in the case of service account usage you have touched on many of the reasons for their use in your questions.

    But I guess in summary, splitting out the Project Service account, the application pool, the Excel Services account, etc. when set up correctly will cost you nothing other than the effort required to manage those accounts. (However in my experience this alone can be a blocking factor! Especially when it takes a handful of forms and a 6 week wait for a single account to be created!)

    In terms of administration, "best practices" says that you shouldn't be using these service accounts for either SharePoint administration or Project Server, so your questions 2-4 are made somewhat redundant by that, as you should have your own separate delegated admin account and any service account is managed with a randomly generated SharePoint "Managed Password" policy. As such, assuming your permissions delegation is set up completely, there will be no effect on user management, updates, installs or backups.


    HTH, 


    Martin Laukkanen (Project Server Blog - www.nearbaseline.com/blog)
    • Marked as answer by Kvingupta Wednesday, October 5, 2011 5:50 AM
    Wednesday, October 5, 2011 1:16 AM
  • Hi Vinay,

    1) If the SharePoint farm Admin account would be having problems then these accounts would continue to work, In my of SharePoint will not work then these services will also not work, so what's the benefit of keeping additional accounts?
    - If your SharePoint account, which is a Farm Administrator, gets locked out or deactivated, or its password is changed, it will stop the SharePoint services, so you will not be able to access either SP or PS. This Farm Administrator serves as the application pool account for the SharePoint Central Administration Web site and the process account for the SharePoint 2010 Timer (SPTimerV4) service.

    2) Particularly for Project Server, if we use a different account then would there be any security problem or not, while adding the projects and users in the PWA?
    - No, it should not be a problem. When you install PS2010 with Farm credentials, it will be by default the system account for PS and will have all security to run the workflows, PDSs etc.

    3) Will a different account create problems when running any tool like Playbook and Solution Starter, etc.?
    - As long as "Account never locks out" is set, you should not be facing the issue, but it's always good to have separate accounts so that secured information will not be shared if not required.

    4) Will there be an impact on any backup restoration with the different account?
    - You can use the Farm account for the backup and restore process.

    I would recommend you read the accounts/permissions setup as per the MSDN article:
    http://technet.microsoft.com/en-us/library/cc197607.aspx

     

     


    Thanks, Amit Khare |EPM Consultant| Blog: http://amitkhare82.blogspot.com http://www.linkedin.com/in/amitkhare82
    • Marked as answer by Kvingupta Wednesday, October 5, 2011 5:50 AM
    Wednesday, October 5, 2011 4:48 AM
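
The two answers above recommend dedicated service accounts under SharePoint's managed password policy and point out that the farm account runs Central Administration and the Timer service. The following is an added example, not code from either poster or from Microsoft, showing one way to set that up and audit it from the SharePoint 2010 Management Shell. The domain accounts (`CONTOSO\svc-...`), the pool names and the password-change schedule are assumptions and must be replaced with your own; the domain accounts must already exist in Active Directory.

```powershell
# Added example. Account names, pool names and the schedule below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One dedicated domain account per service application pool (hypothetical names).
$services = @{
    'CONTOSO\svc-projectserver' = 'ProjectServerAppPool'
    'CONTOSO\svc-excel'         = 'ExcelServicesAppPool'
}

foreach ($name in $services.Keys) {
    # Register the account as a managed account if SharePoint does not know it yet.
    $account = Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue
    if (-not $account) {
        $cred    = Get-Credential $name          # prompts for the current password
        $account = New-SPManagedAccount -Credential $cred
    }

    # Hand password management to SharePoint: random password, scheduled rotation.
    Set-SPManagedAccount -Identity $account -AutoGeneratePassword:$true `
        -Schedule 'monthly between 7 02:00:00 and 7 03:00:00' `
        -PreExpireDays 5 -Confirm:$false

    # Create the service application pool under the dedicated account.
    $poolName = $services[$name]
    if (-not (Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue)) {
        New-SPServiceApplicationPool -Name $poolName -Account $account | Out-Null
    }
}

# Audit 1: service application pools that still run as the farm account.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
Get-SPServiceApplicationPool |
    Where-Object { $_.ProcessAccountName -eq $farmAccount } |
    Select-Object Name, ProcessAccountName

# Audit 2: managed accounts without automatic password change enabled.
Get-SPManagedAccount |
    Where-Object { -not $_.AutomaticChange } |
    Select-Object Username, AutomaticChange
```

Both audit queries should return nothing once every service application pool has its own managed account; any row in the first list is a service that would stop together with the farm account if that account is locked out or disabled.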
