Sep 24, 2010

Thoughts on Installing SharePoint with least privileges

Lately I have been following the "least privileges" rule while deploying SharePoint 2010 for an MCS customer. Immediately after the core installation and the creation of a BI site, I decided to apply the June CU before provisioning the User Profile Synchronization service application. Without a second thought, I kept using the same setup account to install the CU. Following the "least privileges" rule, that setup account holds only the dbcreator and securityadmin server roles. The result was "surprising": every server's status hung at "upgrade available", and the SharePoint version number showed that the CU had not been applied.

What went wrong? Under least privileges the setup account has no access at all to the SharePoint content databases, so which account should be used instead? The farm account certainly has access to every SharePoint database, but by the same least privilege rule it is not supposed to be a local administrator; otherwise the SharePoint Health Analyzer raises warnings. In fact the farm account, being a service account, may not even have been granted the right to log on locally. So what is the workaround? The answer to this dilemma is to break the least privilege rule: grant the setup account the sysadmin (SA) server role in SQL Server, then re-run the configuration wizard to fix the problem.

By setup account I mean the Windows account that is logged on when the SharePoint configuration wizard is run. During wizard configuration this account connects to SQL Server and sets up the SQL privileges of the farm account, which in turn sets up the other service accounts in SQL Server. The following infamous error during wizard configuration is simply saying that the setup account needs SQL Server privileges:

"Cannot connect to database master at SQL server at SERVER-SQL. The database might not exist, or the current user does not have permission to connect to it."
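The checks and the temporary elevation described above, written out as T-SQL. This is an added example, not code from the original post; the login name CONTOSO\sp_setup is a placeholder for the real setup account, and the script assumes it is run from a login that already holds sysadmin.

```sql
-- Added example (not from the original post). The login name is a placeholder.
DECLARE @setup sysname = N'CONTOSO\sp_setup';

-- 1. Which fixed server roles does the setup account hold today?
--    Under least privileges this should list only dbcreator and securityadmin.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @setup;

-- 2. Which databases can that account actually open? Impersonate the login
--    and ask HAS_DBACCESS for every database. Content databases that return 0
--    are the ones a CU upgrade run under this account cannot touch, which is
--    what leaves the servers stuck at "upgrade available".
EXECUTE AS LOGIN = @setup;
SELECT name AS database_name, HAS_DBACCESS(name) AS can_access
FROM sys.databases
ORDER BY name;
REVERT;
GO

-- 3. Temporary elevation for the upgrade: add the setup account to sysadmin,
--    re-run the SharePoint configuration wizard, then remove the membership
--    so the account returns to its least-privilege footprint.
DECLARE @setup sysname = N'CONTOSO\sp_setup';
EXEC sp_addsrvrolemember @loginame = @setup, @rolename = N'sysadmin';
GO
-- ... run the SharePoint configuration wizard here, then continue ...
DECLARE @setup sysname = N'CONTOSO\sp_setup';
EXEC sp_dropsrvrolemember @loginame = @setup, @rolename = N'sysadmin';
GO
```

Steps 1 and 2 are read-only and can be re-run after step 3 to confirm that the sysadmin membership is gone and the account is back to dbcreator and securityadmin only.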