Installing SharePoint CUs- Update Service Account Permissions before Patching?

Hello,

I have a client who experiences a lot of errors with SharePoint 2013 Production patching (cumulative updates). There are multiple reasons for this and I am currently in the process of trying to get the client to resolve those; for example, the Dev and QA environments are not parallel to the Prod environment even in terms of simple configurations. However this question is specifically about service account permissions, as my immediate goal is to convince the client of the necessity to get these in order. 

Before each patch, my client is in the habit of asking the DBAs to give DBOwner and sometimes securityAdmin and DBCreator to every database in the farm to the Setup account, the Farm account, and the App Pool account. He says that patching fails if this is not done, and believes that building a new web application or host named site collection (and thus a new content database) between patches is causing the requirement for these permissions updates. He uses the Setup account for patching and Farm account for running the configuration wizard. 

I don't recall having to do this for past patching, and don't believe it's necessary (or a good idea), but I'm willing to admit possible gaps in my knowledge. It's my position that this activity causes permissions creep, violates least privilege and masks some kind of underlying problem (probably with existing service account permissions). 

Toward resolving this problem, I am compiling a list of the permissions that Setup, Farm and App pool ought to have (from http://technet.microsoft.com/en-us/library/cc678863(v=office.15).aspx ). I'd like to get permissions for his Setup, Farm and App Pool accounts matching those outlined in the article, and remove/avoid adding anything that isn't outlined there. 

So I have the following questions. I believe I know the answer to many but want to make sure I'm making the right recommendations. If you can point me to any supporting material that would be helpful. 

  • Is it correct to use Setup account for patching and Farm for configuration wizard?
  • Article states that setup "must have access to the SharePoint databases." What does this mean at a minimum?
  • Article states that the setup account needs "member of the db_owner role... If you use any Windows PowerShell operations that affect a database." Does setup need DBOwner on every database (for patching) on the grounds that configuration wizard is a PowerShell activity affecting a database? Seems not, partly because he uses Farm for configuration wizard.
  • If so, is it normal to need to re-apply this permission to every database via the DBAs before every patch?
  • Are the other permissions he wants to add necessary? Or are they a bad idea?
  • If all is configured correctly, shouldn't permissions remain sufficient for patching without permissions updates, even if new content databases have been recently built?
  • And if permissions updates are not necessary, any idea what underlying problems might be causing permissions failures during patching? I realize this question may require way more info but was just wondering if there are any obvious contenders to pursue. 

For what it's worth, the SharePoint farm is running 2013 Enterprise, has 2 app servers, 2 web front ends, and one SQL server, SharePoint servers are on Windows Server 2012 R2 Standard, SQL is on Windows Server 2008 R2. 

Thanks in advance for any help you can give.

Shae




December 1st, 2014 5:07pm

Nobody?

If the above is daunting, this is the gist of my question:

Is it necessary/normal to have to go into SQL and grant DBOwner (or any other permissions) to every database in the farm to the Setup account, the Farm account, and the App Pool account before every single SharePoint CU?

Thanks,

Shae

Free Windows Admin Tool Kit Click here and download it now
December 2nd, 2014 5:34pm

Hi Shae,

For Setup user:

  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer that runs SQL Server.
  • Member of the following SQL Server roles:
    • securityadmin fixed server role
    • dbcreator fixed server role

For server farm account:

  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm

For service account:

  • The application pool accounts for Web applications are assigned to the SP_DATA_ACCESS role for the content databases.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

More information:

http://technet.microsoft.com/en-us/library/ee662513(v=office.15).aspx

http://technet.microsoft.com/en-us/library/cc678863(v=office.15).aspx

Best Regards,

Wendy

January 2nd, 2015 3:16am

Thanks for this info. Yes, I understand what permissions each service account is supposed to have per Technet guidelines. 

However, my question is not what permissions they should have, but whether it is normal to have to add permissions again in SQL every time a new content database is created. 

In a correctly set up farm, shouldn't service accounts automatically have the right permissions to newly added content databases?


Thanks,

Shae

Free Windows Admin Tool Kit Click here and download it now
April 13th, 2015 10:03pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics