When you deploy a SharePoint farm, you need a set of user accounts with the proper roles and permissions. In this blog post, I share the list of recommended user accounts required for a SharePoint 2016 farm, along with their roles.

I will share the installation details in later blog posts. Below are the user accounts required for SQL Server and SharePoint:

SharePoint Farm User Accounts

User Accounts for SQL Server

| Name | Description | Local Rights | Domain Rights |
|---|---|---|---|
| SQLAdmin | SQL Admin on the SQL Server. It needs Local Administrator rights in order to install the SQL Server. | Local Administrator on the SQL Server | Domain User |
| SQLServices | Service account for the following SQL Server services: MSSQLSERVER, SQLSERVERAGENT. | None | Domain User |

User Accounts for SharePoint Server

| Name | Description | Local Rights | Domain Rights |
|---|---|---|---|
| SPFarm | The server farm account is used to perform the following tasks: configure and manage the server farm; act as the application pool identity for the SharePoint Central Administration web site; run the Microsoft SharePoint Foundation Workflow Timer Service. | securityadmin and dbcreator rights on the SQL instance | Domain User. Local Administrator during installation and upgrades |
| SPAdmin | The server farm account is used to perform the following tasks: Setup; SharePoint Products Configuration Wizard. | Local Administrator on all the SharePoint servers. securityadmin and dbcreator rights on the SQL instance | Domain User |
| SPPool | The pool account is used to run the Web Application pools. | None | Domain User |
| SPServices | The services account is used to run the Service Application pool. | None | Domain User |
| SPCrawl | The default content access account for the Search Service Application. | None | Domain User |
| SPSearch | Service account to run the SharePoint Search "Windows Service". | None | Domain User |
| SPUserProfiles | The User Profile Synchronization account. | None | Replicate Directory Changes permission on the domain. |

Account Details

SQLAdmin: This will be your main SQL Administrator. It needs Local Administrator rights in order to install the SQL server.

SQLServices: This account does not have any local rights; it is only used to run the SQL Agent and Database Engine Windows services.

SPFarm is a domain account that the SharePoint Timer service and the web application for Central Administration use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint configuration wizard grants the proper minimal privilege in the back-end SQL Server database. The minimum SQL Server privilege configuration is membership in the roles securityadmin and dbcreator.

SPAdmin is a domain account you use to install the farm. It is the account used to run the SharePoint Configuration Wizard. The SPAdmin account is the only account that requires local Administrator rights. To configure the SPAdmin account in a minimum privilege scenario, it should be a member of the roles securityadmin and dbcreator on the SQL Server.

SPPool is a domain account used as the application pool identity. For example, when you create a Web Application and create a pool for it, you select this account!

SPServices is a domain account used for the Service Application pools. For example, when you create a Managed Metadata Service application and create a pool for it, you select this account!

SPCrawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.

SPSearch is used to run the SharePoint Windows Search Service.

SPUserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.
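
A check of the rights listed above against what is actually configured, as an added example that is not part of the original post. The domain name CONTOSO, the server names, the tier labels and the function name Get-PrivilegeDrift are assumptions, the observed data is constructed, and treating accounts with no SQL rights listed as holding no fixed server role is also an assumption.

```powershell
# Added example (not from the original post). CONTOSO, server names and sample data are constructed.
# LocalAdminOn: tier where local Administrators membership is expected ($null = none).
# SqlRoles: expected fixed server roles; $null = not checked (the post does not list them).
$Expected = @{
    SQLAdmin       = @{ LocalAdminOn = 'SQL';        SqlRoles = $null }
    SQLServices    = @{ LocalAdminOn = $null;        SqlRoles = $null }
    SPFarm         = @{ LocalAdminOn = $null;        SqlRoles = 'securityadmin', 'dbcreator' }  # steady state
    SPAdmin        = @{ LocalAdminOn = 'SharePoint'; SqlRoles = 'securityadmin', 'dbcreator' }
    SPPool         = @{ LocalAdminOn = $null;        SqlRoles = @() }  # assumption: no server role
    SPServices     = @{ LocalAdminOn = $null;        SqlRoles = @() }
    SPCrawl        = @{ LocalAdminOn = $null;        SqlRoles = @() }
    SPSearch       = @{ LocalAdminOn = $null;        SqlRoles = @() }
    SPUserProfiles = @{ LocalAdminOn = $null;        SqlRoles = @() }
}

function Get-PrivilegeDrift {
    param($Expected, $LocalAdmins, $SqlRoleMembers, [string]$Domain = 'CONTOSO')
    $report = { param($n, $f) [pscustomobject]@{ Account = $n; Finding = $f } }
    foreach ($name in $Expected.Keys | Sort-Object) {
        $login = "$Domain\$name"
        $rule  = $Expected[$name]
        # Local Administrators membership anywhere other than the expected tier
        foreach ($m in $LocalAdmins | Where-Object { $_.Member -eq $login -and $_.Tier -ne $rule.LocalAdminOn }) {
            & $report $name "Local Administrator on $($m.Server) ($($m.Tier) tier)"
        }
        if ($null -eq $rule.SqlRoles) { continue }
        $held = @($SqlRoleMembers | Where-Object { $_.Login -eq $login } | ForEach-Object { $_.Role })
        foreach ($r in $held) { if ($r -notin $rule.SqlRoles) { & $report $name "Excess server role: $r" } }
        foreach ($r in $rule.SqlRoles) { if ($r -notin $held) { & $report $name "Missing server role: $r" } }
    }
}

# Constructed observations. In a real farm, collect these with Get-LocalGroupMember -Group Administrators
# on each server, and from sys.server_role_members joined to sys.server_principals on the SQL instance.
$LocalAdmins = @(
    [pscustomobject]@{ Server = 'SQL01'; Tier = 'SQL';        Member = 'CONTOSO\SQLAdmin' }
    [pscustomobject]@{ Server = 'SP01';  Tier = 'SharePoint'; Member = 'CONTOSO\SPAdmin' }
    [pscustomobject]@{ Server = 'SP01';  Tier = 'SharePoint'; Member = 'CONTOSO\SPFarm' }  # never removed after setup
)
$SqlRoleMembers = @(
    [pscustomobject]@{ Login = 'CONTOSO\SPFarm';  Role = 'securityadmin' }
    [pscustomobject]@{ Login = 'CONTOSO\SPFarm';  Role = 'dbcreator' }
    [pscustomobject]@{ Login = 'CONTOSO\SPAdmin'; Role = 'securityadmin' }
    [pscustomobject]@{ Login = 'CONTOSO\SPPool';  Role = 'sysadmin' }
)
Get-PrivilegeDrift $Expected $LocalAdmins $SqlRoleMembers | Format-Table -AutoSize
```

A local Administrator finding for SPFarm is expected while an installation or upgrade is in progress, since the table above allows that right for those periods.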

Adnan, a distinguished professional, boasts an impressive track record as a Microsoft MVP, having achieved this prestigious recognition for the eighth consecutive year since 2015. With an extensive career spanning over 18 years, Adnan has honed his expertise in various domains, notably excelling in SharePoint, Microsoft 365, Microsoft Teams, the .Net Platform, and Microsoft BI. Presently, he holds the esteemed position of Senior Microsoft Consultant at Olive + Goose. Notably, Adnan served as the MCT Regional Lead for the Pakistan Chapter from 2012 to 2017, showcasing his leadership and commitment to fostering growth within the tech community. His journey in the realm of SharePoint spans 14 years, during which he has undertaken diverse projects involving both intranet and internet solutions for both private and government sectors. His impact has transcended geographical boundaries, leaving a mark on projects in the United States and the Gulf region, often collaborating with Fortune 500 companies. Beyond his roles, Adnan is a dedicated educator, sharing his insights and knowledge as a trainer. He also passionately advocates for technology, frequently engaging with the community through speaking engagements in various forums. His multifaceted contributions exemplify his dedication to the tech field and his role in driving its evolution.

One reply on “SharePoint Farm User Accounts”

  • xylon xx
    October 24, 2021 at 4:31 pm

    This is very useful, thanks Adnan.
    If the farm admin deleted from database, how to reinstate it? Tried to add it back, but failed and reported
    “cannot access the local farm. Verify that the local farm is properly configured, currently available, and that you have the appropriate permissions to access the database before trying again”.