SharePoint makes use of various
domain-level accounts to operate securely. Even if your SharePoint
installation operates on a single server and is part of a workgroup,
all accounts used in SharePoint 2013 require the full domain name
syntax: DOMAIN\username (domain is the machine name in a stand-alone installation). SharePoint 2010 had the same requirement.
As with its predecessor, SharePoint 2013 uses managed accounts.
Managed accounts allow administrators to maintain Windows system
accounts, in use by SharePoint, in a central location. Thus, if you
need to change SharePoint to use a different service account, you have
to change it in only one place in Central Administration, and not
across various services and applications (except for a few rare
circumstances). Managed accounts also allow SharePoint to manage
password changes enforced by domain Group Policy.
I will discuss managed accounts further; for now, I am focusing on the various
accounts required in the domain and their purposes as managed accounts.
Table 1
lists the accounts that Microsoft recommends for a maintainable and
secure SharePoint farm (you can choose the account names, as long as
you can assign the permissions as listed).
Table 1. Recommended Domain Accounts for SharePoint 2013
You need only the first three accounts in Table 1
to install SharePoint 2013, and in many test and development
environments, you can live with just the first five accounts for all
aspects of the farm configuration. However, in the spirit of good
practice and in preparation for the day when you have to stand up a
production SharePoint 2013 farm, I recommend getting in the habit of
creating all of these accounts for configuration.
Note: To ensure smooth installation of the User Profile Synchronization Service,
grant the farm account the Replicating Directory Changes permission in the
domain.
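The following check is an added example, not code from the original text: it lists every principal that holds a directory replication right on the domain root and confirms that the farm account has the grant described in the note. The account name CONTOSO\sp_farm is a hypothetical placeholder, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: audit directory replication rights on the domain root.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Hypothetical farm account; replace with your own DOMAIN\username.
$FarmAccount = 'CONTOSO\sp_farm'

# Control access right GUIDs defined in the Active Directory schema.
# The all-zero GUID on an ExtendedRight ACE means "all extended rights".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant one of the rights listed above.
$grants = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString()
    if ($ace.AccessControlType -eq 'Allow' -and
        ($ace.ActiveDirectoryRights -band $extRight) -and
        $ReplRights.ContainsKey($guid)) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $ReplRights[$guid]
            Inherited = $ace.IsInherited
        }
    }
}

# Every principal with a replication-capable grant, for review.
$grants | Sort-Object Right, Principal | Format-Table -AutoSize

# Direct grants only: rights held through group membership are not resolved.
$farmRights = @($grants | Where-Object { $_.Principal -eq $FarmAccount } |
    ForEach-Object { $_.Right })

if ($farmRights -notcontains 'Replicating Directory Changes') {
    Write-Warning "$FarmAccount has no direct Replicating Directory Changes grant."
}
# The note asks only for Replicating Directory Changes; flag anything broader.
$broader = @($farmRights | Where-Object { $_ -ne 'Replicating Directory Changes' })
if ($broader.Count -gt 0) {
    Write-Warning "$FarmAccount also holds: $($broader -join ', ')"
}
```

Run it from a domain-joined machine with read access to the domain object's ACL, and review any unexpected principal in the table along with the farm account.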