May 03
Accounts used by application pools or service identities are in the local machine Administrators group

Who hasn't seen this error!?

I recently worked a Microsoft Premier Account case to address this issue.
Rule title: "Accounts used by application pools or service identities are in the local machine Administrators group."

What this rule is telling me is that it wants me to remove the IIS application pool account that runs the Central Administration web application (SharePoint Central Administration v4) from the local Administrators group.

The problem with this is that if you remove this SharePoint account, which is also running as a local administrator on the server, you will no longer be able to create web applications (IIS sites) or manage services on the server(s). The alternative is to change the application pool to an account that doesn't have admin rights and then manually adjust the local policy of the server so that this new account can locally manage and access these services.

Depending on your security requirements, you may opt to accept this as a low risk since it may interrupt services…


Otherwise you can reference this Microsoft security hardening article - http://technet.microsoft.com/en-us/library/cc262849.aspx

Things to consider about your own Farm security!

  • Point 1

    When installing SharePoint, use an account that has only temporary administrator access to the local server(s) (WFE/APP), not your personal admin account, and not the farm account!!!


    After you have installed SharePoint/Web Apps/FAST, etc… you can remove this account from the Administrators group since it is no longer required in the Farm.


  • Point 2

    The Database Access account (the one you used to connect to the DB during install – see picture) does not need to be an admin on the database server; however, it does need the dbcreator and securityadmin fixed server roles on the SQL Server instance. You can leave public since it's there by default.
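To check both points on a farm server, here is an added audit script (my own example, not from the original post or from Microsoft). It assumes Windows PowerShell 5.1 with the WebAdministration module (IIS) and the SqlServer module (Invoke-Sqlcmd); the SQL instance and account names are placeholders you replace with your own. It reports which application pool and service identities are local Administrators (the condition the Health Analyzer rule flags), whether the temporary install account from Point 1 is still a local admin, and whether the Database Access account from Point 2 holds exactly the roles it needs.

```powershell
# Added example (not part of the original post): audit the two points above on a
# SharePoint WFE/APP server. Assumes Windows PowerShell 5.1, the WebAdministration
# module and the SqlServer module. Instance and account names are placeholders.
param(
    [string]$SqlInstance     = 'SQLSERVER01\SHAREPOINT',   # placeholder
    [string]$DbAccessAccount = 'CONTOSO\sp_farm',          # placeholder: account used to connect to the DB during install
    [string]$InstallAccount  = 'CONTOSO\sp_install'        # placeholder: temporary install account
)

Import-Module WebAdministration

# --- The Health Analyzer rule: which service identities are local Administrators?
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { $_.Name.ToLowerInvariant() }

# IIS application pool identities. Built-in identities (ApplicationPoolIdentity,
# NetworkService, ...) are reported by type; only SpecificUser carries an account name.
$poolIdentities = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel
    [pscustomobject]@{
        Source   = "apppool:$($_.Name)"
        Identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    }
}

# Windows services running under a domain or local user account (e.g. SPTimerV4),
# skipping the built-in service accounts.
$serviceIdentities = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    ForEach-Object { [pscustomobject]@{ Source = "service:$($_.Name)"; Identity = $_.StartName } }

$findings = @($poolIdentities) + @($serviceIdentities) |
    Where-Object { $admins -contains $_.Identity.ToLowerInvariant() }

if ($findings) {
    Write-Warning 'Service identities that are members of local Administrators:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No application pool or service identity is a local Administrator.'
}

# --- Point 1: the temporary install account should leave Administrators after installation
if ($admins -contains $InstallAccount.ToLowerInvariant()) {
    Write-Warning "Install account $InstallAccount is still in local Administrators; once installation is complete, remove it with:"
    Write-Warning "  Remove-LocalGroupMember -Group Administrators -Member '$InstallAccount'"
}

# --- Point 2: the Database Access account needs dbcreator and securityadmin, not sysadmin.
# IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login not found).
$roleQuery = @"
SELECT IS_SRVROLEMEMBER('sysadmin',      '$DbAccessAccount') AS sysadmin,
       IS_SRVROLEMEMBER('dbcreator',     '$DbAccessAccount') AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', '$DbAccessAccount') AS securityadmin
"@
$roles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $roleQuery

if ($roles.sysadmin -eq 1) {
    Write-Warning "$DbAccessAccount is sysadmin on $SqlInstance; it only needs dbcreator and securityadmin."
}
foreach ($required in 'dbcreator', 'securityadmin') {
    if ($roles.$required -ne 1) {
        Write-Warning "$DbAccessAccount is missing the required server role '$required' on $SqlInstance (or the login does not exist)."
    }
}
```

Run it from an elevated PowerShell session on each WFE/APP server, since enumerating the local Administrators group and the IIS configuration requires admin rights. The script only reports; the one remediation command it prints (for the install account) is left for you to run deliberately, because removing the wrong account from Administrators is exactly the service interruption the post warns about.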

Hope this helps clarify this one CA rule and helps harden your Farm further!
