Installing SharePoint 2010 using Least Privilege Service Accounts

Posted by on May 11, 2010 in SharePoint, SharePoint 2010

SharePoint 2010 is definitely generating a lot of buzz out there in the community, especially amongst partners and customers. With the official launch only a day away, I thought it would be ideal to update my installation walkthrough, which I first blogged about here, using all the RTM bits.  For those of you who aren’t aware, SharePoint 2010 and SQL 2008 R2 are now available for download via TechNet or MSDN and will be available to Volume Licensing customers post launch, 12 May 2010.

The below setup will be based on SharePoint 2007 best practices and SharePoint 2010 TechNet documentation on “proposed” best practices with this setup utilising the least privilege model for our SharePoint service accounts.  Before delving into the setup which will form the basis of all future blog posts on SharePoint 2010, I have provided the below summary of the environment that I will be working with.


  • Windows 2008 R2 server running Active Directory Domain Services
  • Windows 2008 R2 server running SQL 2008 R2
  • Windows 2008 R2 server running SharePoint 2010 RTM
  • Windows 2008 R2 server running Exchange 2010 RTM
  • Windows 7 client running Office 2010 RTM

The Preparation

Before we delve into the actual installation, let’s talk about which service accounts are required for the new SharePoint Farm setup. TechNet has a great article on the service accounts required and their respective privileges, which you can read in some detail here.  In summary, these are not much different to the SharePoint 2007 best practices for utilising the Least Privilege model for service accounts, and are as follows:

  1. SQL Server Service Account
    This should be a standard domain user account which will be used to run the MSSQLSERVER and SQLSERVERAGENT services on your SQL server.
    e.g. DOMAIN\sp_sql
  2. SharePoint Setup User Account
    This should be a standard domain user account that will be used as the logged in user when installing SharePoint and when running the SharePoint Products Configuration Wizard.  This account must be a member of the Local Administrators group for each server where SharePoint 2010 will be installed.  You will also need to create a SQL server login for it with the following SQL server security roles: “securityadmin” and “dbcreator”.  Instructions below.
    e.g. DOMAIN\sp_admin
  3. Server Farm/Database Access Account
    You guessed it, this should also be a standard domain user account, however we do not need to grant any necessary permissions to this account as this is handled by the SharePoint Setup User Account during the SharePoint Products Configuration Wizard.  This is the account that we nominate as the “Database Access” account during the SharePoint Configuration Wizard.  This account will be applied against the SharePoint Foundation Workflow Timer Service and the SharePoint Central Administration Web Site Application Pool.
    e.g. DOMAIN\sp_farm

It’s imperative that these accounts are created and provisioned before attempting any installation of the SharePoint 2010 bits.  This article is assuming that SQL 2008 R2 has already been installed in your environment using the SQL server service account.

Firstly, have your Active Directory Administrator create the above accounts in Active Directory as standard domain users.   Then navigate to each server on which you will install SharePoint 2010 and add the DOMAIN\sp_admin account (SharePoint Setup User Account) to the local Administrators group of that server.

Navigate to Start / Administrative Tools / Server Manager / Local Users and Groups and then click on the Groups folder.

Add the DOMAIN\sp_admin user to the Administrators group.


We next venture to our SQL 2008 R2 server to configure our sp_admin account as a SQL server login.

Launch the SQL 2008 R2 Management Console and navigate to Security / Logins.


Right click on Logins and select New Login;

Search for the newly created sp_admin domain account


Click on Server Roles and select dbcreator and securityadmin as your server roles.  Public will be selected by default.
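The preparation steps above can also be scripted. The following is an added example, not part of the original walkthrough; the domain name, OU path and SQL host are placeholders, and the three function names are hypothetical.

```powershell
# Added example, not from the original post. Placeholder values are marked.
$Domain    = 'DOMAIN'                                 # placeholder NetBIOS domain name
$OuPath    = 'OU=Service Accounts,DC=example,DC=com'  # placeholder OU
$SqlServer = 'SQLSERVER01'                            # placeholder SQL 2008 R2 host

# Step 1 (run where the ActiveDirectory module is installed): create the three
# accounts as standard domain users with no extra group membership.
function New-SpServiceAccounts {
    Import-Module ActiveDirectory
    foreach ($name in 'sp_sql', 'sp_admin', 'sp_farm') {
        $pw = Read-Host -AsSecureString "Password for $Domain\$name"
        New-ADUser -Name $name -SamAccountName $name -Path $OuPath `
            -AccountPassword $pw -Enabled $true
    }
}

# Step 2 (run on every server that will get SharePoint 2010): only the setup
# account joins local Administrators; sp_farm and sp_sql do not.
function Add-SetupAccountToLocalAdmins {
    net localgroup Administrators "$Domain\sp_admin" /add
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed ($LASTEXITCODE)" }
}

# Step 3 (run as a SQL sysadmin): Windows login plus the two server roles.
# sp_addsrvrolemember is used because ALTER SERVER ROLE ... ADD MEMBER
# only arrived in SQL Server 2012.
function Grant-SetupAccountSqlRoles {
    $login = "$Domain\sp_admin"
    $tsql = @(
        "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')",
        "CREATE LOGIN [$login] FROM WINDOWS;",
        "EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'dbcreator';",
        "EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'securityadmin';"
    ) -join ' '
    sqlcmd -S $SqlServer -E -b -Q $tsql      # -E: Windows auth, -b: fail on error
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed ($LASTEXITCODE)" }
}
```

Each function is run on the machine named in its comment; none of them grants anything to sp_farm, which the configuration wizard handles later.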


Now that our environment is prepped up with your service accounts, we can now proceed with the installation, so let the *games* begin!!

The Install

Launch the SharePoint 2010 splash installation screen and ensure you have met the necessary hardware and software requirements.  You can find more details in the following TechNet article. It’s important that you download and install the WCF hotfix listed in the above TechNet article.   This hotfix is specific to the OS version that you are installing SharePoint 2010 on.


Run the Install software prerequisites first! This preparation tool will actually install the majority of the prerequisites listed in the TechNet article.


Click Next

Accept the terms of the License Agreement

The preparation tool begins installing the pre-requisites. It’s imperative that your SharePoint server has an internet connection as it will connect to the internet during the preparation and download the necessary software listed above.


After the installation of the prerequisites is complete, you will be asked to re-start your computer.


After your server has restarted, the preparation tool should pick up from where it left off and finalise any further configuration that is required. You should then receive a successful completed installation dialog window as per the below.


Click Finish.

You will then be required to re-launch the install splash screen and this time round click on Install SharePoint Server.

Enter your product key

Accept the Microsoft Software License Terms.


Select Server Farm (we all know not to select Standalone right?! Big no no in production)


Again, don’t be fooled into selecting the Stand-alone option which is identical to the Stand-alone option in the previous screen.  Be sure to select Complete and click Next to proceed with the installation.

Once SharePoint has copied its files, the Run Configuration Wizard window will appear.


Click Close

The SharePoint Products Configuration Wizard will then launch


Click Next

Click Yes on the following warning.


Select “Create a new server farm”


Click Next

Enter the name of your SQL 2008 R2 server and keep the default database name for the SharePoint 2010 Configuration database.  Then enter the SharePoint Farm account as the Database Access Account, i.e. DOMAIN\sp_farm.


Click Next

Enter a Passphrase. As mentioned below, this designated passphrase is configured to ensure that no other SharePoint servers can join this farm unless the passphrase is provided.  The passphrase must meet the following requirements;

  • Contains at least eight characters
  • Contains at least three of the following four character groups:
      • English uppercase characters (from A through Z)
      • English lowercase characters (from a through z)
      • Numerals (from 0 through 9)
      • Nonalphabetic characters (such as !, $, #, %)


Configure your SharePoint Central Administration Web Application settings. I always like to change the default port number to something that is easier to remember.

You are also presented with the authentication provider options for your CA Web Application. It is usually best practice to utilise Kerberos for your SharePoint Web Sites; however, NTLM will suffice for your SharePoint CA Web Application.


Click Next


Click Next.

The infamous performing configuration task screen is displayed.  All we can do now is cross our fingers and wait…


Upon completion you should receive the following confirmation that the configuration was a success.


Click Finish

The SharePoint 2010 Central Administration website that was just created should launch.

The Customer Experience Improvement Program which is available with most Microsoft products will pop up in a separate Window.


After answering Yes or No to the Customer Experience Improvement Program, the Configure your SharePoint farm wizard option will appear.  We will click Cancel and go through the configuration of our service applications in subsequent articles.


That’s all there is to it.  Before signing out, let’s venture into a couple of key areas to confirm the details of our farm configuration and then venture across to our SQL server and launch SQL Management Studio to determine what databases are created by default.

Let’s begin by navigating to Central Administration / System Settings / Manage servers in this farm.  After confirming the server listing as per our installation, navigate to your SQL 2008 R2 server and launch SQL Management studio. Browse to databases to see our SharePoint 2010 Databases listed, namely the SharePoint config database and the SharePoint Central Administration Database.
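Alongside the checks above, it is worth confirming that the accounts ended up with no more privilege than this setup intends. The following audit is an added example, not part of the original post; DOMAIN and SQLSERVER01 are placeholders and Get-SqlServerRoles is a hypothetical helper name.

```powershell
# Added example, not from the original post. DOMAIN and SQLSERVER01 are placeholders.
$Domain    = 'DOMAIN'
$SqlServer = 'SQLSERVER01'
# Server roles this article grants by hand on the SQL server.
$Expected  = @{ "$Domain\sp_admin" = @('dbcreator', 'securityadmin') }

# Returns Login/Role pairs for the given logins (fixed names, not user input).
function Get-SqlServerRoles([string[]]$Logins) {
    $list = ($Logins | ForEach-Object { "N'$_'" }) -join ', '
    $q = "SET NOCOUNT ON; SELECT m.name + '|' + r.name " +
         "FROM sys.server_role_members rm " +
         "JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id " +
         "JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id " +
         "WHERE m.name IN ($list);"
    # -h -1: no column headers, -W: trim trailing spaces
    sqlcmd -S $SqlServer -E -b -h -1 -W -Q $q | Where-Object { $_ -match '\|' } |
        ForEach-Object {
            $login, $role = $_.Split('|')
            New-Object PSObject -Property @{ Login = $login; Role = $role }
        }
}

$roles = @(Get-SqlServerRoles "$Domain\sp_admin", "$Domain\sp_farm")
foreach ($r in $roles) {
    if ($r.Role -eq 'sysadmin') {
        Write-Warning "$($r.Login) is sysadmin, broader than this setup grants"
    } elseif ($Expected.ContainsKey($r.Login) -and
              $Expected[$r.Login] -notcontains $r.Role) {
        Write-Warning "$($r.Login) holds unexpected server role $($r.Role)"
    }
}
foreach ($login in $Expected.Keys) {
    $held = @($roles | Where-Object { $_.Login -eq $login } |
              ForEach-Object { $_.Role })
    foreach ($role in $Expected[$login]) {
        if ($held -notcontains $role) {
            Write-Warning "$login is missing server role $role"
        }
    }
}

# Run on each SharePoint server: this setup adds only sp_admin to local Administrators.
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($admins -contains "$Domain\sp_farm") {
    Write-Warning "$Domain\sp_farm is in local Administrators on $env:COMPUTERNAME"
}
```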

I hope this article has shed some light on your SharePoint 2010 deployment. We will continue our focus in near future articles on configuring our SharePoint farm and on the service applications that are on offer.



Administrative and service accounts required for initial deployment (SharePoint Server 2010)

Prepare for deployment (SharePoint Server 2010)
Deployment scenarios (SharePoint Server 2010)


  1. Hi Everyone,

    We are having a problem with SharePoint. We cannot publish an access database to SharePoint server 2010 as we get this error “An error occurred while initializing access services database.” whenever we try to publish the default contact database. By the way, we are using the single server environment (standalone). If you need more details just let me know. Any help would be appreciated guys, thanks.

  2. Hello. I have followed letter by letter your instructions. My target is to start the user profile sync. I had done it once, following the very famous Harbar’s post. But after uninstalling I could not manage to make it work again. Have you posted instructions about how to continue with UPS??
    thank you.
    George T.

  3. Hi George,

    Thanks for the article, it did help me a lot.

    After installing SharePoint as explained in the article, I am not able to see the configuration wizard with the sp_farm account, whereas the same is available with the sp_admin account. Can you please tell me how to fix this (to have the configuration wizard for the sp_farm account rather than the sp_admin account)?

  4. This is a wonderful article. This article, and the subsequent discussion, is dated about three years ago. In my case, I am just about to begin building a production multiple server SP 2010 farm. I have only created a single server dev machine before, and so I am just wanting to pick your brain as to what else I should expect to encounter during my process.
    For instance, I have read articles that talk – for SP 2007 – about needing to perform certain parts of these steps on each server of the farm before doing some final step.
    Is that the case with SP 2010 as well?
    Are there other things that have discovered in the past 3 years that would be useful for a first time effort to know about before starting?
    Thank you so much!

  5. Hi there, there’s no real sequence of steps apart from what’s listed in the article. Once you have gone through the above you can add as many SP servers as you like at any stage of the farm life-cycle.

  6. So the idea is that in SP 2010, you do a full install on the first server, then go through all the steps for each subsequent one?
    So how do I distinguish a web front end from a app server? Just by the choices of services to run?

