Docteur L – François Lessard

SharePoint Architect, IT Manager and IT Specialist

SharePoint 2010 Service Account Requirements


Understanding the role of each service account in SharePoint can be confusing. Setup, Administrator, Application Pool, Application Services: there are a lot of places where we can enter a service account to run a specific application. So let's clarify it.

Why do we need to segregate applications in SharePoint? The first and most important reason is content security. We want to make sure that every user sees only what they are allowed to see. Don't forget, in many companies SharePoint 2010 is used most of the time as an intranet platform, and sensitive information is usually stored in it. The system needs to be trusted, and configuration is the key to ensuring it.

So, who are these service accounts? Well, all of them are Active Directory accounts, members of the same AD domain as the servers.

And they are:

Setup Account
This is an account with administrative rights on all SharePoint servers, including SQL Server. Why use this account instead of an Administrator account? Well, in a small business where the administrator is the same person for all systems, it may be overkill. However, big organizations usually spread the administrator role over different people: a database administrator isn't a security administrator nor an Exchange administrator. So create this account, give it all administrative rights over the SharePoint farm, and delete it after the configuration is done.

Farm Account
This is the most important account of all. The Farm Account is responsible for running the Central Administration application pool and many sub-services. The Farm Account has full administrative rights in SharePoint. At some point in the configuration process, it might be necessary to give it server administrator rights. We enter it when we start the SharePoint Products Configuration Wizard to set up the farm.

Application Pool Account
This account is used as the identity for every Web Application application pool. Every time we create a Web Application, this account is the one we enter.

Search Service Account
This account runs the Search service. The Search service has its own specific accounts because, by definition, it has the ability to crawl all the content in the farm. It's imperative to secure it with its own service accounts. The Search Service Account is entered when the Search service is configured.

Default Content Access Account and Content Access Account
The Default Content Access Account (or Crawl Service Account) is the account responsible for crawling all the content in the farm. This account is a sensitive one because it has full read access in every corner of the farm. The Default Content Access Account is entered on the Search Administration page in Central Administration.

Optionally, another Content Access Account could be required if the SharePoint Search Service is used to crawl external content (like shared drives).

Other Service Application Account
This account is used to run any other service applications. Most of these applications require an application pool identity. The best practice is to share the same application pool between them.

Active Directory synchronisation Account
This account is used to establish the connection in order to synchronize user profiles with Active Directory. The account is entered in the User Profile Administration page.

My Sites Service Account
This account is used to run the My Sites Web Application.
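To show how the separation described above looks in practice, here is an added example (not from the original post, and not Microsoft's or the author's code) for the SharePoint 2010 Management Shell. It registers one managed account per role, gives the intranet and My Sites web applications their own application pools, creates the shared pool for the other service applications, sets the Default Content Access Account on the Search service application if one exists, and finally audits the farm for application pools that still run as the Farm Account. The domain, account names, URLs and database names are assumptions to replace with your own.

```powershell
# Added example; run in the SharePoint 2010 Management Shell as the Setup Account.
# Every name below (CONTOSO, sp_* accounts, host names, database names) is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain = "CONTOSO"   # assumed AD domain

# One dedicated AD account per role, matching the roles described in the post
$roles = @{
    WebAppPool  = "$domain\sp_webapp"       # Application Pool Account
    Search      = "$domain\sp_search"       # Search Service Account
    Crawl       = "$domain\sp_crawl"        # Default Content Access Account
    ServiceApps = "$domain\sp_services"     # Other Service Application Account
    ProfileSync = "$domain\sp_profilesync"  # Active Directory synchronisation Account
    MySites     = "$domain\sp_mysites"      # My Sites Service Account
}

# Register each account as a managed account so SharePoint, not a script, holds the credential
foreach ($name in $roles.Values) {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        $cred = Get-Credential $name   # prompts for the password; works on PowerShell 2.0
        New-SPManagedAccount -Credential $cred | Out-Null
    }
}

# Intranet web application with its own application pool and the Application Pool Account
New-SPWebApplication -Name "Intranet" -Port 80 -HostHeader "intranet.contoso.local" `
    -URL "http://intranet.contoso.local" `
    -ApplicationPool "SharePoint - Intranet" `
    -ApplicationPoolAccount (Get-SPManagedAccount $roles.WebAppPool) `
    -DatabaseName "WSS_Content_Intranet" | Out-Null

# My Sites web application: separate pool, separate identity
New-SPWebApplication -Name "My Sites" -Port 80 -HostHeader "my.contoso.local" `
    -URL "http://my.contoso.local" `
    -ApplicationPool "SharePoint - My Sites" `
    -ApplicationPoolAccount (Get-SPManagedAccount $roles.MySites) `
    -DatabaseName "WSS_Content_MySites" | Out-Null

# One shared pool for the other service applications, as the post recommends
if (-not (Get-SPServiceApplicationPool -Identity "SharePoint Service Applications" -ErrorAction SilentlyContinue)) {
    New-SPServiceApplicationPool -Name "SharePoint Service Applications" `
        -Account (Get-SPManagedAccount $roles.ServiceApps) | Out-Null
}

# Default Content Access Account on the Search service application, if it has been created
$ssa = Get-SPEnterpriseSearchServiceApplication -ErrorAction SilentlyContinue
if ($ssa) {
    $crawlPassword = Read-Host "Password for $($roles.Crawl)" -AsSecureString
    $ssa | Set-SPEnterpriseSearchServiceApplication `
        -DefaultContentAccessAccountName $roles.Crawl `
        -DefaultContentAccessAccountPassword $crawlPassword
}

# Audit: report every application pool (except Central Administration) that runs as the Farm Account.
# A content web application running as the Farm Account would hand farm-level rights to any code
# executing in that pool, which defeats the segregation the post describes.
function Test-SPPoolIdentities {
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    $findings = @()
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        if ($wa.IsAdministrationWebApplication) { continue }   # Central Admin is expected to use it
        $identity = $wa.ApplicationPool.Username
        if ($identity -eq $farmAccount) {
            $findings += "Web application '$($wa.DisplayName)' runs as the Farm Account ($identity)"
        }
    }
    foreach ($pool in Get-SPServiceApplicationPool) {
        if ($pool.ProcessAccountName -eq $farmAccount) {
            $findings += "Service application pool '$($pool.Name)' runs as the Farm Account"
        }
    }
    if ($findings.Count -eq 0) { "No application pool other than Central Administration uses the Farm Account." }
    else { $findings }
}

Test-SPPoolIdentities
```

The audit function is the part worth keeping around after the initial build: it can be re-run at any time to catch a web application that was later created through Central Administration with the wrong identity. Re-running the whole script is safe only for the managed-account and service-pool steps, which check for an existing object first; the two New-SPWebApplication calls are meant to run once.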

For more information, check this TechNet Article


© 2011 Docteur L – François Lessard. All Rights Reserved.
