However, I am totally against this recommendation. On paper this may sound like a good idea but in the real world this can potentially become a nightmare. It’s bad enough that you need so many different accounts to run SharePoint, once you start messing with the service accounts you may end up running around in circles and troubleshooting can become very difficult.<\/p>\n
If you must change service accounts and passwords, then check out my blog from December 2008: How to Change Service Accounts and Service Passwords in MOSS 2007 & WSS 3.0<\/a>.<\/p>\n Here’s a table of Minimum Permissions Required for\u00a0MOSS 2007 Service Accounts<\/a>. The information is based on a Microsoft TechNet document. If you are interested in only the necessary SharePoint service accounts then check out Sharee’s blog<\/strong> Necessary SharePoint Service Accounts<\/a>. She uses her vast SharePoint knowledge to explain things in more detail. There are so many lists out there that document MOSS accounts necessary to install SharePoint properly and some of them are really convoluted. Because Sharee has done tons of successful\u00a0 installations at our clients based on the table that she has put together, I’ve created a table of accounts based on her table and then I also put together a script that creates all the accounts in an OU called Service Accounts. I have tested the script and it works great. Make sure you check out her blog<\/a> because she has additional valuable information that I have not included in this post.<\/p>\n Table of Necessary MOSS Accounts (based on Sharee’s recommendation)<\/strong><\/p>\n Here’s a table of necessary MOSS 2007 accounts. This is a fancy version of Sharee’s table. The table includes the purpose of each account, and its group, domain and SQL rights. You can use your own naming convention. I started my accounts with SP (for SharePoint….or SeattlePro) so I can recognize them as the accounts that were created by me, rather than the system.<\/p>\n WARNING!<\/strong><\/span> Although standard Active Directory accounts can have spaces and can be longer than 20 characters, I suggest you limit your account names to 20 characters because the Pre-Windows 2000 login names are limited to 20 characters in WS08 and can’t have spaces. You may not run into any issues in the near future if you don’t follow my advice but I think it is better to be safe than sorry.<\/p>\n Script to Create Necessary MOSS Accounts<\/strong><\/p>\n To create all the above necessary accounts and the OU, you can download the script here<\/a>. The results will look like this. This script adds all the necessary permissions required for the accounts in the description so you can easily verify that you have the permissions set properly.<\/p>\n WARNING!<\/strong><\/span> Make sure you change the password in the script to match with the password that you want to use for your service accounts.<\/p>\n Troubleshooting Tip You may encounter a problem when you try to give the service accounts permission to impersonate a client after authentication. On your WS08 Domain Controller you can start Group Policy Management Console, go to Group Policy Objects, right-click Default Domain Controllers Policy and select Edit. In the Group Policy Management Editor, go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment and double-click Impersonate a client after authentication<\/em>. Check the box Define these policy settings<\/em>. If you simply add the service accounts you created and then click Apply or OK you won’t get anywhere. Notice that the warning at the bottom is telling you that you need to add the Administrators and the SERVICE account.<\/p>\n![\"moss_2007_accts\"](\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2009\/12\/moss_2007_accts-300x187.jpg\" "\\"moss_2007_accts\\"")
<\/a><\/p>\n![\"srvcaccts\"](\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2009\/12\/srvcaccts-300x114.jpg\" "\\"srvcaccts\\"")
<\/a><\/p>\n
\n<\/strong><\/p>\n
![\"impersonatingclient1\"](\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2009\/12\/impersonatingclient1-300x252.jpg\" "\\"impersonatingclient1\\"")
<\/a><\/p>\n![\"impersonatingclient2\"](\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2009\/12\/impersonatingclient2-300x251.jpg\" "\\"impersonatingclient2\\"")
<\/a><\/p>\n