
What are the main reasons for installing WSS 3.0 and Microsoft Office SharePoint Server 2007 using a dedicated setup account rather than local admin or a non-shared domain account? What are the consequences of not doing so?

Is this account to be maintained post-install?

How do you reconcile this requirement with high-security organisations?

Refer to http://technet.microsoft.com/en-us/library/cc263445(office.12).aspx

Michhes

2 Answers


It's not really a SharePoint-specific thing; it's good practice for any services installed to use service accounts with the least privileges required to perform the tasks they are intended to perform.

This document covers the topic pretty well.

If implemented properly, it's a more secure setup, so I'm not sure there is anything to reconcile in "high-security organisations"; they should already be doing this.

Server 2008 R2 has some nice improvements to make life easier in this regard.

LukeR
  • Good link for the Services and Service Accounts Security Planning Guide but I'm not interested in the service accounts, I'm interested in the domain user account used by the human running setup. – Michhes Jul 23 '10 at 02:56

I remember watching a video with Shane Young (I think) on this subject so I thought I'd ping the guys at SharePoint 911. Chris Caravajal replied with this:

In extreme disaster recovery situations, we have seen where this is the only account that can perform any type of action within the SharePoint environment, especially if you have to run the Configuration Wizard. It is also highly recommended that this account be used for all updates (patches, service pack installations, etc.) and migrations. Even though you may have other accounts in the Farm Admin group, this setup account still tends to have more privileges.

-Chris Caravajal

Thanks Chris!

Skyhawk
Michhes