First published on TECHNET on Sep 24, 2012
Not sure how often others see this, but I seem to hit this question all the time. I usually show up after the environment is built and in production, users are connected and working, and the security team has told the SharePoint admins that they have to move to a least-privilege environment. We have to minimize the issues and downtime that a change like this can cause, and these are the steps I recommend.
To set up least privilege in a SharePoint Server 2010 (SPS2010) farm that has already been configured with a single account, here is what I would do.
1. Decide which accounts you want to use for which functions. There are many different opinions out there and I will not say any of them are wrong, but you could certainly use the word 'complex' to describe some of them. Here is what I would do based on my experience.
2. Decide what you will do with the single account that is currently in use. My suggestion is that it becomes the Farm Account; that way we will need to make only a few changes to its permissions.
3. Assign permissions to the remaining six accounts. I will list all six accounts and you can decide which one you used in Step 2 (nothing needs to be added for that account). You will need to add the following permissions for your newly created accounts.
4. Now that we have assigned all the permissions, place those accounts into the proper roles in the farm. Perform this step during off hours, as it can cause short outages (around 15 minutes) while the system changes log-on accounts and resets application pools.
5. Then configure the crawl account as follows.
6. Then configure the Active Directory Connection Account as follows.
7. Then remove permissions from the account in Step 2 to secure the farm. If we assume that your single account became the farm admin account, you would have to remove the following permissions:
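As an added example (not part of the original post), the following PowerShell automates two parts of the procedure above on a SharePoint 2010 farm: moving the service application pools off the single account onto a dedicated account, and setting the search crawl account. All account names are placeholders; it assumes the new accounts already exist in Active Directory with the permissions described above, and it leaves the web application pools and the Active Directory Connection Account to be changed separately.

```powershell
# Added example, not from the original post. Reassigns SharePoint 2010 service
# application pools and the search crawl account from the single account to
# dedicated least-privilege accounts. All account names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$oldAccount        = "CONTOSO\sp_farm"         # placeholder: the single account kept as farm account
$serviceAppAccount = "CONTOSO\sp_serviceapps"  # placeholder: new service application pool account
$crawlAccount      = "CONTOSO\sp_crawl"        # placeholder: new default content access account

# Register an account as a SharePoint managed account unless it already is one,
# so the farm (not an admin's notes) owns the password from here on.
function Ensure-ManagedAccount([string]$Name) {
    $ma = Get-SPManagedAccount -Identity $Name -ErrorAction SilentlyContinue
    if (-not $ma) {
        # Prompts for the password; works on the PowerShell 2.0 that ships with 2010.
        $ma = New-SPManagedAccount -Credential (Get-Credential $Name)
    }
    return $ma
}

$svcMa = Ensure-ManagedAccount $serviceAppAccount

# Move every service application pool still running as the old account.
# Each change recycles that pool, which is the short outage the post warns about.
foreach ($pool in Get-SPServiceApplicationPool) {
    if ($pool.ProcessAccountName -ieq $oldAccount) {
        Write-Host "Moving pool '$($pool.Name)' from $oldAccount to $serviceAppAccount"
        Set-SPServiceApplicationPool -Identity $pool -Account $svcMa
    }
}

# Point each Search service application's default content access (crawl)
# account at the dedicated crawl account; the password is prompted for.
$crawlCred = Get-Credential $crawlAccount
foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
    Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
        -DefaultContentAccessAccountName $crawlCred.UserName `
        -DefaultContentAccessAccountPassword $crawlCred.Password
}

# Check before stripping the old account's permissions: anything still
# running as it would break once those rights are removed.
$leftovers = Get-SPServiceApplicationPool | Where-Object { $_.ProcessAccountName -ieq $oldAccount }
if ($leftovers) {
    $names = ($leftovers | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Still running as ${oldAccount}: $names"
} else {
    Write-Host "No service application pools remain on $oldAccount"
}
```

Run it from the SharePoint 2010 Management Shell as a farm administrator during the same off-hours window as the account change, since each pool reassignment recycles that pool.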
Articles of Interest
Plan for administrative and service accounts (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc263445.aspx
Account permissions and security settings (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc678863.aspx
Initial deployment administrative and service accounts (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee662513.aspx