Broadly, there are four kinds of administrative user accounts that need to be granted rights in an SPS deployment:
- Account(s) which the SPS services will run as, i.e. service accounts
- Database configuration account
- Content crawler access account
- Application pool account
Service Accounts
================
There are four such services, as follows:
- SharePointPSSearch (mssearch.exe) - Microsoft SharePoint Portal Server Search service - this service account should be a member of the "Power Users" group on every server in the farm. SPS uses SMB to propagate the indexes (from the index server to the search server); the reason the service account needs the Power Users role most likely has to do with the fact that it needs to maintain a "share" for the copy.
- SPSAlert (SPSNotificationService.exe) - this service account should be a member of the "Power Users" group on every server in the farm.
- SPSAdmin (Spsadmin.exe) - SharePoint portal administration - should run under an account with SharePoint Portal Server administrator rights, i.e. a member of the "Power Users" group on every server in the farm.
- SSOSRV - Single sign-on service - this service account should be a member of the "Power Users" group on every server in the farm.
- SPTimer (OWSTIMER.EXE) - this is actually a WSS service rather than an SPS service. Its service account should be a member of the "Power Users" group on every server in the farm.
Note that during SPS installation, all of the above services are configured to run as the database configuration account.
Database configuration account
==============================
This account is used for administrative work such as creating, modifying and granting access to the configuration database and the content databases. The configuration database administration account is the user name and password that SharePoint Portal Server uses when connecting to the configuration database, and when propagating indexes from the index server to the search servers.
By default, the application pool identity of the SharePoint Central Administration site is also set to this account.
There is some confusion here.
Microsoft's SPS Admin Guide says this account should be configured as a "Power User", and explicitly states that "Specifying an account that is a member of the local Administrators group on the server on which you are installing SharePoint Portal Server is not recommended". The Microsoft Solution for Intranets Guide, however, suggests that it be given "Local administrator rights on search and index servers".
So the best approach is to start with Power Users and switch to Local Administrator only if that does not work.
This account must also hold the Database Creators and Security Administrators server roles on the SQL Server instance.
In addition, if the farm consists of more than one machine, this account must be a domain account.
The following local user rights are granted to this account (the database configuration account) automatically:
- Replace a process level token
- Adjust memory quotas for a process
- Log on as a service
Note: all of the services are configured to run as this account during SPS installation.
Content Access Crawler Account
==============================
This account is the default account used to crawl content sources when building the content index. It must have read access to the content. Recommended setting: especially when several WSS virtual servers need to be crawled, use a user account with Windows SharePoint Services Administrator rights for this; otherwise you will have to grant this account read access on each WSS site individually.
By default, this account is a user account with Windows SharePoint Services Administrator rights.
A further recommendation:
It is recommended that you create a new Windows security group, and add both the content access account and the SPSAdmin service account to this group. Then, using the Windows SharePoint Services administration Web pages, you should change the Windows SharePoint Services administrator account to be this Windows security group.
The page for changing the Windows SharePoint Services Administrator account referred to here should be this one:
Application Pool Identity
=========================
The application pool identity is essentially the account under which the ASP.NET code executes.
This account must have the standard rights needed to run an application pool and, obviously, read and write access to the portal's SQL Server databases. When the portal is created, the target user is granted these rights automatically.
There is an article on how to change the application pool identity: How to change the application pool identity for Windows SharePoint Services administration and content virtual servers
This user must have the following rights:
- Must be DB_Owner of these databases: the portal site's _SITE database, _SERV database, _PROF database, and the configuration database (SPS01_Config_db by default)
- Must be a member of the IIS_WPG, SPS_WPG and STS_WPG groups on the web server.
Summary: recommended configuration
==================================
Designate one dedicated user account as the service account for all SPS services, and a separate dedicated account as the crawler account.
For example, add "Domain\ServiceAcc" to the "Power Users" group on every server in the farm. This account runs all of the SPS services and also serves as the database configuration account and as the application pool identity of the Central Administration site. In SQL Server, give this user the Database Creators and Security Administrators roles.
The remaining steps are as follows:
- During the SPS install, specify Domain\ServiceAcc as the database configuration account
- Right after the SPS installation, during SPS configuration, specify Domain\ContentCrawlUserAcc as the content crawler account and Domain\PortalAppPoolUser as the application pool identity for the default portal application pool
- Create a custom "SharePoint Administrators" group
- Add "Domain\ContentCrawlUserAcc" to the custom "SharePoint Administrators" group
- Add "Domain\ServiceAcc" to the custom "SharePoint Administrators" group
- Using the Windows SharePoint Services administration Web pages, change the Windows SharePoint Services administrator account to the custom "SharePoint Administrators" group
- A good practice is to ensure that "User cannot change password" and "Password never expires" are selected for these user accounts in AD.
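As an added check (not part of the original post), the following PowerShell script audits the recommended configuration above: the AD flags and custom-group membership of the two accounts, "Power Users" (and no local Administrators) membership of the service account on each farm server, and the two SQL Server roles. The domain and server names, and the use of the ActiveDirectory and SqlServer modules plus remote Get-LocalGroupMember, are assumptions; SPS 2003 predates these cmdlets, so this is a present-day audit of the same settings.

```powershell
# Added audit script, not from the original post. Account and group names follow the
# post (Domain\ServiceAcc, Domain\ContentCrawlUserAcc, "SharePoint Administrators");
# domain, server and SQL instance names below are placeholders.
param(
    [string]$Domain      = 'DOMAIN',                     # placeholder NetBIOS domain
    [string[]]$FarmHosts = @('SPS-WEB01', 'SPS-INDEX01'), # placeholder farm servers
    [string]$SqlInstance = 'SQL01',                      # placeholder SQL Server instance
    [string]$ServiceAcc  = 'ServiceAcc',
    [string]$CrawlAcc    = 'ContentCrawlUserAcc',
    [string]$AdminGroup  = 'SharePoint Administrators'
)
Import-Module ActiveDirectory
Import-Module SqlServer
$findings = @()

# 1. AD flags: both accounts should have "Password never expires" and
#    "User cannot change password" set (last step of the recommended procedure).
foreach ($acc in @($ServiceAcc, $CrawlAcc)) {
    $u = Get-ADUser -Identity $acc -Properties PasswordNeverExpires, CannotChangePassword
    if (-not $u.PasswordNeverExpires) { $findings += "${acc}: PasswordNeverExpires not set" }
    if (-not $u.CannotChangePassword) { $findings += "${acc}: CannotChangePassword not set" }
}

# 2. Both accounts should be members of the custom SharePoint Administrators group.
$members = (Get-ADGroupMember -Identity $AdminGroup -Recursive).SamAccountName
foreach ($acc in @($ServiceAcc, $CrawlAcc)) {
    if ($members -notcontains $acc) { $findings += "${acc}: not in group '$AdminGroup'" }
}

# 3. On every farm server the service account should be in Power Users and,
#    per the SPS Admin Guide, NOT in the local Administrators group.
$svc = "$Domain\$ServiceAcc"
foreach ($h in $FarmHosts) {
    $power = Invoke-Command -ComputerName $h -ScriptBlock { (Get-LocalGroupMember -Group 'Power Users').Name }
    $admin = Invoke-Command -ComputerName $h -ScriptBlock { (Get-LocalGroupMember -Group 'Administrators').Name }
    if ($power -notcontains $svc) { $findings += "${h}: $svc missing from Power Users" }
    if ($admin -contains $svc)    { $findings += "${h}: $svc is a local Administrator (not recommended)" }
}

# 4. SQL Server: the service account needs the dbcreator and securityadmin server roles
#    (Database Creators / Security Administrators). IS_SRVROLEMEMBER returns 1 when held.
$roles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT IS_SRVROLEMEMBER('dbcreator', '$svc') AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', '$svc') AS securityadmin
"@
if ($roles.dbcreator -ne 1)     { $findings += "SQL: $svc lacks the dbcreator role" }
if ($roles.securityadmin -ne 1) { $findings += "SQL: $svc lacks the securityadmin role" }

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings }
```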
Source: http://blogs.msdn.com/modonovan/archive/2005/06/14/428862.aspx