
A Summary of Accounts and Permissions in SharePoint 2003

Basically, there are four types of user accounts that need to be granted permissions in an SPS solution.

  1. Account(s) which the SPS services will run as, i.e. service accounts
  2. Database configuration account
  3. Content crawler access account
  4. Application pool account

Service Accounts

===============

There are four SPS services (plus one WSS service), as follows:

  1. SharePointPSSearch (mssearch.exe) - Microsoft SharePoint Portal Server Search service - The service account should be a member of the "Power Users" group on every machine in the server farm. SPS uses SMB to propagate the indexes (from the index server to the search server); the service account needs the Power Users role because it has to maintain a "share" for that copy.
  2. SPSAlert (SPSNotificationService.exe) - The service account should be a member of the "Power Users" group on every machine in the server farm.
  3. SPSAdmin (Spsadmin.exe) - SharePoint portal administration - Should run under an account with SharePoint Portal Server administrator rights, i.e. a member of the "Power Users" group on every server in the farm.
  4. SSOSRV - Single sign-on service - The service account should be a member of the "Power Users" group on every machine in the server farm.
  5. SPTimer (OWSTIMER.EXE) - This is actually a WSS service rather than an SPS service. The service account should be a member of the "Power Users" group on every machine in the server farm.

Note that during SPS installation all of the services above are configured to run as the database configuration account.

Database Configuration Account

==============

This account is used for administrative tasks such as creating and modifying the configuration database and the content databases and granting access to them. The configuration database administration account is the user name and password that SharePoint Portal Server uses when connecting to the configuration database and when propagating indexes from the index server to the search server.

By default, the Application Pool Identity of the SharePoint Central Administration site is also configured to this account.

There is a point of confusion here.

Microsoft's SPS Admin Guide says this user account should be configured as a "Power User" and explicitly states that "Specifying an account that is a member of the local Administrators group on the server on which you are installing SharePoint Portal Server is not recommended". The Microsoft Solution for Intranets Guide, on the other hand, suggests that it be given "Local administrator rights on search and index servers".

So the best approach is to configure it as a Power User first and switch to Local Administrator only if that does not work.

This account must also hold the Database Creators and Security Administrators server roles on the SQL Server instance.

Also, if your server farm has more than one machine, this account must be a domain account.

The following local user rights are granted to this account (the database configuration account) automatically:

  • Replace a process level token
  • Adjust memory quotas for a process
  • Log on as a service

Note: all of the services are configured to run as this account during SPS installation.

Content Access Crawler Account

=============

This account is the default account used to crawl content sources when building the content index. It must have read access to the content. Recommended setting: especially when several WSS virtual servers need to be crawled, use a user account with Windows SharePoint Services Administrator rights. Otherwise you will have to go to each WSS site in turn and grant this account read access.

By default this account is one with Windows SharePoint Services Administrator rights.

A further recommendation:

It is recommended that you create a new Windows security group, and add both the content access account and the spsadmin service account to this group. Then, using the Windows SharePoint Services administration Web pages, you should change the Windows SharePoint Services administrator account to be this Windows security group.

The page for changing the Windows SharePoint Services Administrator account referred to here should be this one:

[Screenshot from the original post, not reproduced here]

Application Pool Identity

=================

The Application Pool Identity is essentially the account under which the ASP.NET code runs.

This account must have the standard rights required to run an application pool and, obviously, read and write access to the portal's SQL Server databases. These rights are granted to the target user automatically when the portal is created.

There is an article on how to change the Application Pool Identity: How to change the application pool identity for Windows SharePoint Services administration and content virtual servers

This user must have the following rights:

  1. Must be DB_Owner of these databases: the portal site's _SITE database, _SERV database, _PROF database, and the configuration database (SPS01_Config_db by default)
  2. Must be a member of the IIS_WPG, SPS_WPG, and STS_WPG groups on the web server.

Summary: the Recommended Configuration

=================

Designate one dedicated user account as the service account for all SPS services, and a separate dedicated account as the crawler account.

For example, add "Domain\ServiceAcc" to the "Power Users" group on every server in the farm. This account runs all the SPS services and also serves as the database configuration account and the Application Pool Identity of the Central Administration site. In SQL Server, give this user the Database Creators and Security Administrators roles.

  1. During SPS install specify the Domain\ServiceAcc as the database configuration account
  2. Just after SPS installation, during SPS configuration specify the Domain\ContentCrawlUserAcc as the content crawler account and Domain\PortalAppPoolUser as the application pool identity for the default portal application pool
  3. Create custom “SharePoint Administrators” group
  4. Add “Domain\ContentCrawlUserAcc” to the custom “SharePoint Administrators” Group
  5. Add “Domain\ServiceAcc” to the custom “SharePoint Administrators” Group
  6. Using the Windows SharePoint Services administration Web pages, you should change the Windows SharePoint Services administrator account to the custom “SharePoint Administrators” group
  7. A good practice is to ensure that "user cannot change password" and "password never expires" are selected for these user accounts in AD.
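As an added example (not from the original post), a PowerShell audit script that checks a farm against the configuration recommended above: Power Users membership of the service account on every server (flagging the local Administrators fallback), the worker-process groups for the application pool identity, the SQL Server roles, and the AD password flags. The account names are the post's own examples; the server names, SQL instance, portal database prefix and the `Get-LocalGroupMembers`/`Test-Membership` helpers are assumptions.

```powershell
# Audit script added as an example, not part of the original post. Account names are the post's examples;
# the server names, SQL instance and portal DB prefix are assumptions. Needs the ActiveDirectory and SqlServer modules.
$Farm        = @('SPS-INDEX01', 'SPS-SEARCH01', 'SPS-WEB01')   # assumed farm servers
$SqlInstance = 'SPS-SQL01'                                     # assumed SQL Server instance
$Portal      = 'PortalName'                                    # assumed portal database prefix
$ServiceAcc  = 'Domain\ServiceAcc'            # SPS services, DB configuration account, Central Admin pool
$CrawlAcc    = 'Domain\ContentCrawlUserAcc'   # content access (crawler) account
$AppPoolAcc  = 'Domain\PortalAppPoolUser'     # portal application pool identity
# Members of a local group on a server as DOMAIN\name strings. The WinNT ADSI provider is used so
# the check also works against servers that have no PowerShell remoting.
function Get-LocalGroupMembers([string]$Server, [string]$Group) {
    $grp = [ADSI]"WinNT://$Server/$Group,group"
    foreach ($m in @($grp.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'     # WinNT://DOMAIN/name -> DOMAIN\name
    }
}

function Test-Membership([string]$Server, [string]$Group, [string]$Account) {
    $state = if ((Get-LocalGroupMembers $Server $Group) -contains $Account) { 'OK' } else { 'MISSING' }
    '{0,-13} {1,-13} {2,-28} {3}' -f $Server, $Group, $Account, $state
}

# 1. Service account: Power Users on every farm server; flag the local-Administrators fallback.
foreach ($s in $Farm) {
    Test-Membership $s 'Power Users' $ServiceAcc
    if ((Get-LocalGroupMembers $s 'Administrators') -contains $ServiceAcc) {
        "$s : $ServiceAcc is a local Administrator (the SPS Admin Guide advises against this)"
    }
    # 2. Application pool identity: worker-process groups on the web server.
    foreach ($g in 'IIS_WPG', 'SPS_WPG', 'STS_WPG') { Test-Membership $s $g $AppPoolAcc }
}

# 3. SQL Server: the DB configuration account needs the dbcreator and securityadmin server roles ...
$roles = "SELECT IS_SRVROLEMEMBER('dbcreator', '$ServiceAcc') AS dbcreator, " +
         "IS_SRVROLEMEMBER('securityadmin', '$ServiceAcc') AS securityadmin"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $roles | Format-Table -AutoSize
# ... and the app pool identity needs db_owner on the _SITE, _SERV, _PROF and configuration databases.
foreach ($db in "${Portal}_SITE", "${Portal}_SERV", "${Portal}_PROF", 'SPS01_Config_db') {
    $owners = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query "EXEC sp_helprolemember 'db_owner'"
    $state  = if (@($owners.MemberName) -contains $AppPoolAcc) { 'OK' } else { 'MISSING' }
    '{0,-27} db_owner {1,-28} {2}' -f $db, $AppPoolAcc, $state
}

# 4. AD flags the post recommends for all three accounts.
foreach ($acct in $ServiceAcc, $CrawlAcc, $AppPoolAcc) {
    Get-ADUser -Identity $acct.Split('\')[1] -Properties PasswordNeverExpires, CannotChangePassword |
        Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword
}
```

Run it from a workstation whose account can read local groups on the farm servers and query the SQL instance; any MISSING line or Administrators warning is a deviation from the recommended setup.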