For security reasons, it is best to ensure that the service accounts used with Microsoft Office SharePoint Server (MOSS) 2007 run with only the minimum permissions necessary. This is referred to as the principle of least privilege.
Microsoft recommends two general rules that you should apply to all your MOSS 2007 service accounts:
- Use separate domain user accounts for services with different security requirements.
- Do not use domain user accounts with the local administrator or domain administrator privileges to run any services.
Microsoft suggests in one of its white papers that you can use a single service account with administrative privileges to install MOSS 2007 and, once everything is working correctly, go back and reassign the services to different accounts with minimum permissions. Here’s the exact quote from Microsoft:
To reduce troubleshooting time, you can install an Office SharePoint Server 2007 server farm by using a single service account with administrative privileges. When you are sure that everything works correctly, you can then assign the services to different accounts with minimum permissions.
However, I am totally against this recommendation. On paper this may sound like a good idea, but in the real world it can potentially become a nightmare. It’s bad enough that you need so many different accounts to run SharePoint; once you start messing with the service accounts you may end up running around in circles, and troubleshooting can become very difficult.
If you must change service accounts and passwords, then check out my blog from December 2008: How to Change Service Accounts and Service Passwords in MOSS 2007 & WSS 3.0.
Here’s a table of Minimum Permissions Required for MOSS 2007 Service Accounts. The information is based on a Microsoft TechNet document. If you are interested in only the necessary SharePoint service accounts then check out Sharee’s blog Necessary SharePoint Service Accounts. She uses her vast SharePoint knowledge to explain things in more detail. There are so many lists out there that document MOSS accounts necessary to install SharePoint properly and some of them are really convoluted. Because Sharee has done tons of successful installations at our clients based on the table that she has put together, I’ve created a table of accounts based on her table and then I also put together a script that creates all the accounts in an OU called Service Accounts. I have tested the script and it works great. Make sure you check out her blog because she has additional valuable information that I have not included in this post.
Table of Necessary MOSS Accounts (based on Sharee’s recommendation)
Here’s a table of necessary MOSS 2007 accounts. This is a fancy version of Sharee’s table. The table includes the purpose of each account, and its group, domain and SQL rights. You can use your own naming convention. I started my accounts with SP (for SharePoint... or SeattlePro) so I can recognize them as the accounts that were created by me, rather than by the system.
WARNING! Although standard Active Directory accounts can have spaces and can be longer than 20 characters, I suggest you limit your account names to 20 characters because the Pre-Windows 2000 login names are limited to 20 characters in WS08 and can’t have spaces. You may not run into any issues in the near future if you don’t follow my advice but I think it is better to be safe than sorry.
Script to Create Necessary MOSS Accounts
To create all the above necessary accounts and the OU, you can download the script here. The results will look like this. This script adds all the necessary permissions required for the accounts in the description so you can easily verify that you have the permissions set properly.
WARNING! Make sure you change the password in the script to match with the password that you want to use for your service accounts.
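The following is an added PowerShell example, not the downloadable script from this post. It creates the Service Accounts OU and a set of MOSS service accounts with the ActiveDirectory module (available from Windows Server 2008 R2), records the required rights in each account’s description, enforces the 20-character/no-space limit from the warning above, and prompts for the password instead of hard-coding it. The account names and descriptions in `$accounts` are constructed placeholders; replace them with your own table.

```powershell
# Added example (not the blog's script): create the OU and least-privilege MOSS service accounts.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$ouName   = 'Service Accounts'
$ouDN     = "OU=$ouName,$($domain.DistinguishedName)"

# Prompt for the password rather than storing it in the script file.
$password = Read-Host -Prompt 'Service account password' -AsSecureString

# Name => description. The description documents the rights the account needs so they
# can be verified later. These entries are constructed placeholders, not the author's table.
$accounts = @{
    'SPFarm'   = 'PLACEHOLDER: farm account; rights per your table'
    'SPSearch' = 'PLACEHOLDER: search service account; rights per your table'
}

# Create the OU once and protect it from accidental deletion.
$existingOU = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel -ErrorAction SilentlyContinue
if (-not $existingOU) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

foreach ($name in $accounts.Keys) {
    # Pre-Windows 2000 logon names are limited to 20 characters and cannot contain spaces.
    if ($name.Length -gt 20 -or $name -match '\s') {
        Write-Warning "Skipping '$name': name must be 20 characters or fewer with no spaces."
        continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue) {
        Write-Host "Account '$name' already exists; skipping."
        continue
    }
    # Plain domain user: no Domain Admins or local Administrators membership is granted here.
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@$($domain.DNSRoot)" `
        -Path $ouDN `
        -Description $accounts[$name] `
        -AccountPassword $password `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -Enabled $true
}
```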
You may encounter a problem when you try to give the service accounts permission to impersonate a client after authentication. On your WS08 Domain Controller you can start Group Policy Management Console, go to Group Policy Objects, right-click Default Domain Controllers Policy and select Edit. In the Group Policy Management Editor, go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment and double-click Impersonate a client after authentication. Check the box Define these policy settings. If you simply add the service accounts you created and then click Apply or OK you won’t get anywhere. Notice that the warning at the bottom is telling you that you need to add the Administrators and the SERVICE account.
It may not be obvious but what that means is that you need to literally add the Administrators and SERVICE account as shown below in the screenshot and then when you click Apply the warning message will disappear and you will be able to click OK to proceed.
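To confirm on the domain controller that the policy landed as described, here is an added check (not from the original post) that exports the effective local security policy with secedit and verifies that SeImpersonatePrivilege still lists BUILTIN\Administrators and NT AUTHORITY\SERVICE next to the service accounts. It assumes the GPO has already been applied (gpupdate) before you run it.

```powershell
# Added example: verify "Impersonate a client after authentication" after editing the
# Default Domain Controllers Policy. Run in an elevated PowerShell on the DC.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# The [Privilege Rights] section holds one line per right, e.g.
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-21-...-1105
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
if (-not $line) { Write-Warning 'SeImpersonatePrivilege not defined in exported policy'; return }
$holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Well-known SIDs the GPO editor warns about: Administrators and SERVICE must remain assigned.
$required = @{
    '*S-1-5-32-544' = 'BUILTIN\Administrators'
    '*S-1-5-6'      = 'NT AUTHORITY\SERVICE'
}
foreach ($sid in $required.Keys) {
    if ($holders -notcontains $sid) {
        Write-Warning "$($required[$sid]) is missing from SeImpersonatePrivilege"
    }
}

# Resolve each holder to a readable name so the service accounts can be reviewed.
foreach ($h in $holders) {
    $name = $h
    if ($h -like '*S-1-*') {
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = "$h (unresolved)" }
    }
    Write-Output $name
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Any holder printed as unresolved is worth a second look; it usually means an account that was deleted but left in the policy.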
Certification Magazine published its 2009 salary survey this month and the results are very encouraging for IT professionals. Here are some of the highlights.
- This year’s Certification Magazine’s Salary Survey received more than 40,000 responses from IT professionals in over 150 countries around the world.
- In 2009, the average U.S. total salary, including benefits and incentives, was a generous $96,677. That is a 9 percent gain over last year’s average of $88,640.
- 30% of respondents said they got a raise between 10 and 20 percent.
- Most respondents (52%) said the raise was 5% or less this year, compared to last year when the raise was 5%-10%.
- The total number of people who earned at least one certification this year was more than 67%.
- A full 96 percent of respondents from the top five countries with the highest salaries said they were certified.
- The cert that commanded the highest salary this year was the Brocade Certified Network Engineer (BCNE, formerly FNCNE) with a whopping average total salary of $146,250.
- The cert that connoted the lowest salary was the CIW (Certified Internet Web Professional), with an average salary of $59,290. This was followed by the Microsoft Certified Desktop Support Technician (MCDST) with $62,030.
- 90 percent of respondents were men.
- The largest number of responses (27 percent) came from the 25 to 29 age group, followed by the 30 to 34 demographic (roughly 21 percent).
- Approximately 42 percent of respondents have a bachelor’s degree, and 22 percent have a master’s degree. Nearly 12 percent have received technical training but no degree, and nearly 10 percent have just a high school diploma.
These are only the highlights. If you are in the IT industry, you definitely want to read the rest of the survey here.
When I am looking for information on SharePoint that I can’t find, Sharee’s Blog is one of my first stops. I stumbled on this post she wrote about SharePoint Price Calculator that you will find very useful.
Hopefully, Bamboo Solutions will update the calculator so it will calculate price for Windows Server 2008 and other newer products. At the time of writing, the tool only calculates prices for older products, such as Windows Server 2003 and SQL Server 2005. However, it’s a good tool to get an idea of how much it will cost to implement various Microsoft solutions related to SharePoint. Click here to access the SharePoint Price Calculator.
Update: Bamboo Solutions has updated the price calculator to reflect pricing for Windows Server 2008 and SharePoint Server 2010, as of October 1, 2010.
Microsoft offers several spreadsheets that contain all the settings for group policies. These spreadsheets list the policy settings for computer and user configurations included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy objects (GPOs).
Using column filters, you can filter the information in these spreadsheets by operating system, component, or computer or user configuration. You can also search for information by using text or keywords.
These spreadsheets include the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. These spreadsheets do not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.
Click here to download the spreadsheets.
Windows Server 2008 offers new features but also has some limitations that you should be aware of. Here’s some information that you may find useful.
- Windows Server Backup Tool is not installed by default.
- You can’t back up data to tape cartridges.
- You can’t back up data to a dynamic volume.
- You can’t back up individual files or folders. You can only back up entire volumes.
- You can schedule a backup using the wbadmin.exe command line tool.
- Scheduled backups reformat the target drive that hosts the backup files. Therefore, Microsoft recommends that you use a dedicated volume for backup.
- Windows Server 2008 supports backing up data to DVD/CD.
- The Backup MMC snap-in is not available in WS08 Standard and Core editions. You must use either the command line tools or the snap-in on another computer to back up Standard or Core editions.
- You can use the NTbackup.exe tool to mount tapes from previous backup versions, but you can’t create new backups on Windows Server 2008 using NTbackup.exe.
Copyright © 2013 Zubair Alexander. All rights reserved.