Sep 24, 2010

Thoughts on Installing SharePoint with least privileges

Lately I have followed the "least privileges" rule while deploying SharePoint 2010 for an MCS customer. Immediately after the core installation, followed by the creation of a BI site, I decided to apply the June CU update first, before provisioning the User Profile Sync service application. Without a second thought, I just kept using the same setup account to install the CU. The setup account has only the dbcreator and securityadmin roles, based on the "least privileges" rule. The result was very "surprising": each server's status hung at "upgrade available", and the CU was not applied, as indicated by the SharePoint version.

What is wrong? The setup account unfortunately doesn't have any access to the SharePoint content database under least privileges. But which account should be used then? A farm account certainly has access to every SharePoint database, but again, by the least-privilege rule, it is not supposed to be a local admin; otherwise you get warnings from the SharePoint Health Analyzer. Actually, the farm account, as a service account, might not even be given the right to log on locally. So what is the workaround? The answer to this dilemma: break the least-privilege rule by giving the setup account an SA server role in the database, and then re-run the configuration wizard to fix the problem.
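The workaround above can be time-boxed so the setup account returns to its dbcreator and securityadmin baseline once the wizard has finished. The T-SQL below is an added example, not part of the original post; the login name `CONTOSO\sp_setup` is a hypothetical placeholder, and dropping the role afterwards is an assumption about how you want to leave the farm, not a step the post describes.

```sql
-- Added example. CONTOSO\sp_setup is a placeholder for the SharePoint setup account.
-- Run as a SQL Server sysadmin in SSMS or sqlcmd (GO is a client batch separator).

-- Batch 1: record the current server roles, then grant sysadmin temporarily.
DECLARE @login sysname;
SET @login = N'CONTOSO\sp_setup';

SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;           -- expected baseline: dbcreator, securityadmin

-- IS_SRVROLEMEMBER returns 0 when the login exists but is not a member,
-- and NULL when the login or role name is not valid.
IF IS_SRVROLEMEMBER('sysadmin', @login) = 0
    EXEC sp_addsrvrolemember @loginame = @login, @rolename = N'sysadmin';
ELSE IF IS_SRVROLEMEMBER('sysadmin', @login) IS NULL
    RAISERROR('Login not found; nothing was changed.', 16, 1);
GO

-- Now re-run the SharePoint configuration wizard as the setup account
-- and confirm the servers no longer report "upgrade available".

-- Batch 2: run only after the wizard has completed on every server.
DECLARE @login sysname;
SET @login = N'CONTOSO\sp_setup';

IF IS_SRVROLEMEMBER('sysadmin', @login) = 1
    EXEC sp_dropsrvrolemember @loginame = @login, @rolename = N'sysadmin';

-- Verify the account is back to its least-privilege baseline.
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;
GO
```

Keep the output of the two SELECT statements with the change record, so the window during which the setup account held the elevated role is documented.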