This is an attempt to clarify, mostly for myself, how to install SharePoint 2010 with best practice/least privilege. It is always tempting to give full access to all your installation accounts and just keep on trucking. At some point this approach might come back and bite you.
SharePoint will elevate the following accounts as necessary during installation.
This account will be used as the installation account (white wizard). This account will also run the timer service and the User Code Host service on the server. It needs the following group memberships:
- MyDomain\domain users
- local\admin (on the installation server)
Create a new login in SQL Server Management Studio for the sp_admin account and assign the following rights.
Log on as a service right (GPO):
Give the user the Log on as a service right; this can be done through your domain controller or locally on the server.
- The MyDomain\sp_admin account must be given the Log on as a service right on the server running SharePoint.
Start -> Administrative Tools -> Group Policy Management
This account will be used for the DB connection (grey wizard). This account only needs MyDomain\domain users rights; it will be elevated as necessary during installation (the installation account will take care of that).
- MyDomain\domain users
This account will be used for the following services:
- Windows SharePoint Services Timer V4
- Windows SharePoint Services User Code Host V4
- Application Pool SharePoint Central Administration
- Topology Web Service
- Security Token Service (Claims)
This account also needs batch logon rights (GPO).
- See the description of setting the GPO above; Log on as a batch job is listed just above Log on as a service.
This account is used when creating new Service Applications in SharePoint 2010.
How to deal with new application pools?
Some say that you should make a new account for every application pool. That seems like overkill and is not practical.
How many application pools do you need?
Testing has shown that you should keep your application pools to a minimum to preserve resources. Creating a new dedicated application pool is not recommended from a performance perspective; it will drain a lot of RAM from your box.
- If IIS gives you an Event ID 5059 error, you need to give your application pool account batch logon rights.
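To check that the Log on as a service and Log on as a batch job rights described above actually ended up with the right accounts (and with nobody else), here is an added PowerShell script that is not part of the original post. It exports the local security policy with secedit and lists the holders of both rights; MyDomain\sp_admin is assumed as the account to check, and the script must run in an elevated prompt on the SharePoint server.

```powershell
# Added example (not from the original post): audit who holds the
# "Log on as a service" (SeServiceLogonRight) and "Log on as a batch job"
# (SeBatchLogonRight) rights on this server and confirm the SharePoint
# service account is among them. Run elevated on the SharePoint server.
$ExpectedAccount = 'MyDomain\sp_admin'   # assumption: replace with your service account
$Rights = @{
    SeServiceLogonRight = 'Log on as a service'
    SeBatchLogonRight   = 'Log on as a batch job'
}

# Export only the user-rights area of the effective local policy to a temporary .inf file
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes some principals by name and others as *S-1-5-... SIDs
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }   # unresolvable (orphaned) SID: report it as-is for review
    }
    return $Entry
}

foreach ($right in $Rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" }
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { Resolve-PrincipalName $_.Trim() }
    }
    Write-Host "$($Rights[$right]) ($right):"
    $holders | ForEach-Object { Write-Host "    $_" }
    if ($holders -notcontains $ExpectedAccount) {
        Write-Warning "$ExpectedAccount does not hold $right on $env:COMPUTERNAME"
    }
    # Least privilege: any holder beyond the service account, the built-in
    # service SIDs and Administrators deserves a second look.
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

The same check run against each application pool account will tell you whether the Event ID 5059 fix above is in place before IIS complains.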
I did not figure this out by myself; there are a lot of smart people out there.