
Installing SharePoint 2010 using Least Privilege Service Accounts

SharePoint 2010 is definitely generating a lot of buzz out there in the community, especially amongst partners and customers, and with the official launch only a day away I thought it would be ideal to update my installation, which I first blogged about here, using all the RTM bits.  For those of you that aren’t aware, SharePoint 2010 and SQL 2008 R2 are now available for download via TechNet or MSDN and will be available to Volume Licensing customers post launch, 12 May 2010.
The below setup will be based on SharePoint 2007 best practices and SharePoint 2010 TechNet documentation on “proposed” best practices with this setup utilising the least privilege model for our SharePoint service accounts.  Before delving into the setup which will form the basis of all future blog posts on SharePoint 2010, I have provided the below summary of the environment that I will be working with.
Environment
  • Windows 2008 R2 server running Active Directory Domain Services
  • Windows 2008 R2 server running SQL 2008 R2
  • Windows 2008 R2 server running SharePoint 2010 RTM
  • Windows 2008 R2 server running Exchange 2010 RTM
  • Windows 7 client running Office 2010 RTM
The Preparation
Before we delve into the actual installation, let’s begin to talk about what service accounts are required for the new SharePoint Farm setup. TechNet has a great article on the service accounts required and their respective privileges which you can read in some detail here.  In summary, these are not much different to the SharePoint 2007 best practices for utilising the Least Privilege model for service accounts and go as follows:
  1. SQL Server Service Account: This should be a standard domain user account which will be used to run the MSSQLSERVER and SQLSERVERAGENT services on your SQL server.
    e.g. DOMAIN\sp_sql
  2. SharePoint Setup User Account: This should be a standard domain user account that will be used as the logged in user when installing SharePoint and when running the SharePoint Products Configuration Wizard.  This account must be a member of the Local Administrators group for each server where SharePoint 2010 will be installed.  You will also need to create a SQL server login with the following SQL server security roles; “securityadmin” and “dbcreator”.  Instructions below.
    e.g. DOMAIN\sp_admin
  3. Server Farm/Database Access Account: You guessed it, this should also be a standard domain user account, however we do not need to grant any necessary permissions to this account as this is handled by the SharePoint Setup User Account during the SharePoint Products Configuration Wizard.  This is the account that we nominate as the “Database Access” account during the SharePoint Configuration Wizard.  This account will be applied against the SharePoint Foundation Workflow Timer Service and the SharePoint Central Administration Web Site Application Pool.
    e.g. DOMAIN\sp_farm
It’s imperative that these accounts are created and provisioned before attempting any installation of the SharePoint 2010 bits.  This article is assuming that SQL 2008 R2 has already been installed in your environment using the SQL server service account.
Firstly, have your Active Directory Administrator create the above accounts in Active Directory as standard domain users.   Then navigate to each server in which you will install SharePoint 2010 and add the DOMAIN\sp_admin account (SharePoint Setup User Account) to the Local Administrator’s group of that respective server.
Navigate to Start / Administrative Tools / Server Manager / Local Users and Groups and then click on the Groups folder.
Add the DOMAIN\sp_admin user to the Administrator’s group.
We next venture to our SQL 2008 R2 server to configure our sp_admin account as a SQL server login.
Launch the SQL 2008 R2 Management Console and navigate to Security / Logins.
Right click on Logins and select New Login;
Search for the newly created sp_admin domain account
Click on Server Roles and select dbcreator and securityadmin as your server roles.  Public will be selected by default.
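The preparation steps above can also be scripted and then audited, so that the least privilege setup is checked rather than assumed. This is an added example, not part of the original post: CONTOSO stands in for DOMAIN, and SP01 and SQL01 are hypothetical server names.

```powershell
# Added example, not from the original post. Run as a domain and SQL administrator.
# Assumed names: CONTOSO stands in for DOMAIN; SP01 and SQL01 are hypothetical hosts.
$Domain    = 'CONTOSO'
$SpServers = @('SP01')
$SqlServer = 'SQL01'
$SetupUser = 'sp_admin'                      # SharePoint Setup User Account
$NonAdmins = @('sp_sql', 'sp_farm')          # must stay standard domain users
$Expected  = @('dbcreator', 'securityadmin') # server roles named in the article

function Get-LocalAdminPaths([string]$Server) {
    # List members of the local Administrators group as WinNT://DOMAIN/name paths.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# 1. Grant the setup account local Administrators on each SharePoint server.
foreach ($server in $SpServers) {
    $target = "WinNT://$Domain/$SetupUser"
    if ((Get-LocalAdminPaths $server) -notcontains $target) {
        ([ADSI]"WinNT://$server/Administrators,group").Add("$target,user")
    }
}

# 2. Create the SQL login and add it to the two server roles (SQL Server 2008 R2 syntax).
$login = "$Domain\$SetupUser"
$grant = @(
    "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')",
    "    CREATE LOGIN [$login] FROM WINDOWS;",
    "EXEC sp_addsrvrolemember N'$login', N'dbcreator';",
    "EXEC sp_addsrvrolemember N'$login', N'securityadmin';"
) -join "`n"
sqlcmd -S $SqlServer -E -b -Q $grant
if ($LASTEXITCODE -ne 0) { throw "SQL login provisioning failed on $SqlServer" }

# 3. Audit: the login holds exactly the expected roles, nothing broader (e.g. sysadmin).
$query = @(
    "SET NOCOUNT ON;",
    "SELECT r.name FROM sys.server_role_members m",
    "JOIN sys.server_principals r ON r.principal_id = m.role_principal_id",
    "JOIN sys.server_principals p ON p.principal_id = m.member_principal_id",
    "WHERE p.name = N'$login';"
) -join ' '
$actual  = @(sqlcmd -S $SqlServer -E -h -1 -W -Q $query | Where-Object { $_ -ne '' })
$extra   = @($actual   | Where-Object { $Expected -notcontains $_ })
$missing = @($Expected | Where-Object { $actual   -notcontains $_ })
if ($extra.Count + $missing.Count) {
    Write-Warning "Server roles for ${login} are '$($actual -join ', ')', expected '$($Expected -join ', ')'"
}

# 4. Audit: the SQL service and farm accounts are not local administrators anywhere.
foreach ($server in ($SpServers + $SqlServer)) {
    $admins = Get-LocalAdminPaths $server
    foreach ($name in $NonAdmins) {
        if ($admins -contains "WinNT://$Domain/$name") {
            Write-Warning "$Domain\$name is a local administrator on $server"
        }
    }
}
```

Steps 3 and 4 make no changes, so they can be re-run later to detect privilege drift on these accounts.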
Now that our environment is prepped up with your service accounts, we can now proceed with the installation, so let the *games* begin!!
The Install
Launch the SharePoint 2010 splash installation screen and ensure you have met the necessary hardware and software requirements.  You can find more details in the following TechNet article. It’s important that you download and install the WCF hotfix listed in the above TechNet article.   This hotfix is specific to the OS version that you are installing SharePoint 2010 on.
Run the Install software prerequisites first! This preparation tool will actually install the majority of the prerequisites listed in the TechNet article.
Click Next
Accept the terms of the License Agreement
The preparation tool begins installing the pre-requisites. It’s imperative that your SharePoint server has an internet connection as it will connect to the internet during the preparation and download the necessary software listed above.
After the installation of the prerequisites is complete, you will be asked to re-start your computer.
After your server has restarted, the preparation tool should pick up from where it left off and finalise any further configuration that is required. You should then receive a successful completed installation dialog window as per the below.
Click Finish.
You will then be required to re-launch the install splash screen and this time round click on Install SharePoint Server.
Enter your product key
Accept the Microsoft Software License Terms.
Select Server Farm (we all know not to select Standalone right?! Big no no in production)
Again, don’t be fooled into selecting the Stand-alone option which is identical to the Stand-alone option in the previous screen.  Be sure to select Complete and click Next to proceed with the installation.
Once SharePoint has copied its files, the Run Configuration Wizard window will appear.
Click Close
The SharePoint Products Configuration Wizard will then launch
Click Next
Click Yes on the following warning.
Select “Create a new server farm”
Click Next
Enter the name of your SQL 2008 R2 server and keep the default database name for the SharePoint 2010 Configuration database.  Then enter the SharePoint Farm account as the Database Access Account, i.e. DOMAIN\sp_farm.
Click Next
Enter a Passphrase. As mentioned below, this designated passphrase is configured to ensure that no other SharePoint servers can join this farm unless the passphrase is provided.  The passphrase must meet the following requirements;
  • Contains at least eight characters
  • Contains at least three of the following four character groups:
      • English uppercase characters (from A through Z)
      • English lowercase characters (from a through z)
      • Numerals (from 0 through 9)
      • Nonalphabetic characters (such as !, $, #, %)
Configure your SharePoint Central Administration Web Application settings. I always like to change the default port number to something that is easier to remember.
You are also presented with the authentication provider options for your CA Web Application. It is usually best practice to utilise Kerberos for your SharePoint Web Sites, however NTLM will suffice for your SharePoint CA Web Application.
Click Next
Click Next.
The infamous performing configuration task screen is displayed.  All we can do now is cross our fingers and wait…
Upon completion you should receive the following confirmation that the configuration was a success.
Click Finish
The SharePoint 2010 Central Administration website that was just created should launch.
The Customer Experience Improvement Program which is available with most Microsoft products will pop up in a separate Window.
After answering Yes or No to the Customer Experience Improvement Program, the Configure your SharePoint farm wizard option will appear.  We will click Cancel and go through the configuration of our service applications in subsequent future articles.
That’s all there is to it.  Before signing out, let’s venture into a couple of key areas to confirm the details of our farm configuration and then venture across to our SQL server and launch SQL Management Studio to determine what databases are created by default.
Let’s begin by navigating to Central Administration / System Settings / Manage servers in this farm.  After confirming the server listing as per our installation, navigate to your SQL 2008 R2 server and launch SQL Management studio. Browse to databases to see our SharePoint 2010 Databases listed, namely the SharePoint config database and the SharePoint Central Administration Database.
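The SharePoint Products Configuration Wizard choices made above (new farm, Database Access Account, passphrase, Central Administration port and NTLM) can also be applied from the SharePoint 2010 Management Shell, with the passphrase rules checked before the farm is created. This is an added example, not part of the original post: SQL01, the administration content database name and port 2010 are assumed placeholder values.

```powershell
# Added example, not from the original post. Run on the SharePoint server as the
# setup account (DOMAIN\sp_admin) from an elevated SharePoint 2010 Management Shell.
# Assumed values: SQL01, SharePoint_AdminContent and port 2010 are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-FarmPassphrase([string]$Text) {
    # Rules listed by the wizard: at least eight characters and at least
    # three of the four character groups.
    $groups = 0
    if ($Text -cmatch '[A-Z]')        { $groups++ }   # English uppercase
    if ($Text -cmatch '[a-z]')        { $groups++ }   # English lowercase
    if ($Text -cmatch '[0-9]')        { $groups++ }   # numerals
    if ($Text -cmatch '[^A-Za-z0-9]') { $groups++ }   # nonalphabetic such as ! $ # %
    return ($Text.Length -ge 8 -and $groups -ge 3)
}

# Prompt for secrets instead of storing them in the script.
$farmCred   = Get-Credential 'DOMAIN\sp_farm'    # Database Access Account
$passphrase = Read-Host 'Farm passphrase' -AsSecureString

# Unwrap the SecureString only long enough to validate it against the rules.
$plain = (New-Object System.Management.Automation.PSCredential 'passphrase', $passphrase).GetNetworkCredential().Password
$valid = Test-FarmPassphrase $plain
Remove-Variable plain
if (-not $valid) { throw 'Passphrase does not meet the farm passphrase requirements.' }

# Create the configuration database; this is the point where sp_admin's
# dbcreator and securityadmin roles are used and sp_farm is granted its rights.
New-SPConfigurationDatabase -DatabaseServer 'SQL01' -DatabaseName 'SharePoint_Config' `
    -AdministrationContentDatabaseName 'SharePoint_AdminContent' `
    -FarmCredentials $farmCred -Passphrase $passphrase

# Remaining configuration tasks that the wizard performs on its progress screen.
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures

# Central Administration web application on a chosen port, using NTLM.
New-SPCentralAdministration -Port 2010 -WindowsAuthProvider 'NTLM'
Install-SPApplicationContent
```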
I hope this article has shed some light on your SharePoint 2010 deployment. We will continue in near future articles with configuring our SharePoint farm and focusing on the service applications that are on offer.
Resources
Administrative and service accounts required for initial deployment (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee662513%28office.14%29.aspx
Prepare for deployment (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ff608031(office.14).aspx
Deployment scenarios (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc303424(office.14).aspx
