Plan for administrative and service accounts (Project Server)
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
In this article:
About administrative and service accounts
Standard account requirements
Planning recommendations for accounts
Use this article to plan for the account requirements and recommendations for accounts that are required to install, configure, and use Microsoft Office Project Server 2007.
You must provide credentials for these accounts when you run Setup and during configuration. This article does not discuss accounts for which you do not need to configure or provide credentials.
About administrative and service accounts
This section lists and describes the accounts that you must plan for. The accounts are grouped according to scope. If an account has a limited scope, you might need to plan multiple accounts for this category.
For example, if you are implementing multiple Shared Services Providers (SSPs), you must designate multiple SSP accounts.
Note
All Office Project Server 2007 and SharePoint Products and Technologies service accounts must be granted interactive logon permissions for the computer where the service is running. Such permissions are normally granted by default when a new account is set up, but you may need to make manual adjustments if your organization normally denies interactive logon permissions for service accounts. For more information about configuring interactive logon access, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=129546&clcid=0x409) in the Windows Server 2003 Product Help on Microsoft TechNet.
Server farm-level accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office Project Server 2007.
| Account | Purpose |
|---|---|
SQL Server service account |
SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:
If you are not using the default instance, these services will be shown as:
|
Setup user account |
The user account that is used to run Setup on each server |
Server farm account |
This account is also referred to as:
This account is:
|
SSP accounts
The following table describes the accounts that are used to set up and configure an SSP.
| Account | Purpose |
|---|---|
SSP application pool security account |
Security account for the application pool that the SSP resides in. |
SSP service account |
Used by the following:
|
Windows SharePoint Services Search accounts
The following table describes the accounts that are used to set up and configure Windows SharePoint Services Search. In Office Project Server 2007, this service is referred to as the Windows SharePoint Services Help Search service because this service is used to provide search capability for Help. If you are installing Office Project Server 2007, plan for these accounts only if you plan to implement the service to search Help content.
| Account | Purpose |
|---|---|
Windows SharePoint Services Search service account |
Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service in a farm. |
Windows SharePoint Services Search content access account |
Used by the Windows SharePoint Services Search application server role to crawl content across sites. |
Content application pool accounts
The following table describes the application pool account. Plan one application pool account for each application pool you plan to implement.
| Account | Purpose |
|---|---|
Application Pool process account |
Used to access content databases associated with the Web application |
Standard account requirements
This section details the requirements for each of the accounts. The specific requirements for each account depend on whether you are configuring a single server environment or a server farm environment. The account requirements detail the specific permissions that you need to grant prior to running Setup. In some cases, additional permissions that are automatically granted by running Setup are noted.
At this time, this article does not include account requirements for environments that use SQL authentication.
Server farm-level accounts
The following table describes the standard account requirements for server farm-level accounts.
| Account | Single server requirements | Server farm requirements |
|---|---|---|
SQL Server service account |
Local system account (default) |
|
Setup user account |
Member of the Administrators group on the local computer |
|
Server farm account |
Network Service (default) No manual configuration is necessary. |
|
SSP accounts
The following table describes the standard account requirements for SSP accounts.
| Account | Single server requirements | Server farm requirements |
|---|---|---|
SSP application pool account |
No manual configuration is necessary. |
The following permissions are automatically granted for this account when Office Project Server 2007 is installed:
|
SSP service account |
No manual configuration is necessary. |
The same permissions as the SSP application pool account are automatically granted. |
Windows SharePoint Services Search accounts
The following table describes the standard account requirements for Windows SharePoint Services Search accounts.
| Account | Single server requirements | Server farm requirements |
|---|---|---|
Windows SharePoint Services Search service account |
By default, this account runs as the local service account. If you want to crawl remote content by using crawl rules, change this to a domain account. If you do not change this account to a domain account, you cannot change the default content access account to a domain account. This behavior is designed to prevent elevation of privilege for any other process running as the local service account. |
Permissions are automatically granted for this account when Office Project Server 2007 is installed:
|
Windows SharePoint Services Search Content access account |
Must not be a member of the Farm Administrators group Read access to Web applications |
Permissions are automatically granted for this account when Office Project Server 2007 is installed:
|
Application pool accounts
The following table describes the standard account requirements for application pool accounts.
| Account | Single server requirements | Server farm requirements |
|---|---|---|
Application pool process account |
No manual configuration is necessary. |
The following SQL Server roles and permissions are automatically assigned to this account:
Additional permissions for this account on front-end Web servers and application servers are automatically granted by Office Project Server 2007. |
Planning recommendations for accounts
This section describes planning recommendations for implementing accounts in the following two deployment scenarios:
Secure farm environment
Single-server environment
These recommendations are practical for most environments.
Secure farm environment
These planning recommendations are for individual accounts in a secure farm environment.
Server farm-level accounts
The following table describes the planning recommendations for server farm-level accounts in a secure farm environment.
| Account | Recommendation |
|---|---|
SQL Server service account |
A domain account is recommended over a SQL Server account or a local account. No special domain permissions are required. Do not use the server farm account for this account. |
Setup user account |
A domain account is recommended. For a workgroup environment, this can be a local Windows account. Note Using a local Windows account is only valid in a single-server environment. |
Server farm account |
A domain account is recommended. |
SSP accounts
The following table describes the planning recommendations for SSP accounts in a secure farm environment.
| Account | Recommendation |
|---|---|
SSP Application Pool account |
A domain account is recommended. Use a domain account that is unique (different from the farm or content application pool accounts). |
SSP service account |
Use the SSP application pool account. |
Windows SharePoint Services Search accounts
The following table describes the planning recommendations for Windows SharePoint Services Search accounts in a secure farm environment.
| Account | Recommendation |
|---|---|
Windows SharePoint Services Search service account |
The local service account is used by default. After completing Setup, change this account to a domain account. |
Windows SharePoint Services Search content access account |
The local service account is used by default. After completing Setup, change this account to a domain account. You can use the same account used by the Windows SharePoint Services Search service. However, if you implement multiple search servers for isolation, use a separate account. It is recommended that you select a unique user account that cannot modify content and is not a member of the Administrators group on your front-end Web servers or on your database servers. |
Application pool accounts
The following table describes the planning recommendations for application pool accounts in a secure farm environment.
| Account | Recommendation |
|---|---|
Application pool process account |
Plan a unique domain account for each application pool. We recommend that you select a unique user account that does not have administrative rights on any server or resource in the server farm. |
Single-server environment
The following table describes the planning recommendations for several different single-server environments. These are environments where a single server hosts all server roles.
| Scenario | Recommendation |
|---|---|
Microsoft SQL Server 2005 Express Edition |
Use the standard administrator account to run Setup. Use the default accounts assigned by Setup. Assign to the Network Service account the necessary permissions to SQL Server. |
SQL Server in a domain environment |
Use the recommendations provided for a secure farm environment. |
SQL Server in a workgroup environment |
Use the recommendations provided for a secure farm environment, except use Windows accounts instead of domain accounts. |
Download this book
This topic is included in the following downloadable book for easier reading and printing:
See the full list of available books at Downloadable content for Project Server 2007.