I have a client who experiences a lot of errors with SharePoint 2013 Production patching (cumulative updates). There are multiple reasons for this and I am currently in the process of trying to get the client to resolve those; for example, the Dev and QA environments are not parallel to the Prod environment even in terms of simple configurations. However this question is specifically about service account permissions, as my immediate goal is to convince the client of the necessity to get these in order.
Before each patch, my client is in the habit of asking the DBAs to give db_owner, and sometimes securityadmin and dbcreator, on every database in the farm to the Setup account, the Farm account, and the App Pool account. He says that patching fails if this is not done, and believes that building a new web application or host-named site collection (and thus a new content database) between patches is causing the requirement for these permissions updates. He uses the Setup account for patching and the Farm account for running the configuration wizard.
I don't recall having to do this for past patching, and don't believe it's necessary (or a good idea), but I'm willing to admit possible gaps in my knowledge. It's my position that this activity causes permissions creep, violates least privilege and masks some kind of underlying problem (probably with existing service account permissions).
Toward resolving this problem, I am compiling a list of the permissions that Setup, Farm and App Pool ought to have (from http://technet.microsoft.com/en-us/library/cc678863(v=office.15).aspx). I'd like to get the permissions for his Setup, Farm and App Pool accounts matching those outlined in the article, and remove/avoid adding anything that isn't outlined there.
So I have the following questions. I believe I know the answer to many but want to make sure I'm making the right recommendations. If you can point me to any supporting material that would be helpful.
- Is it correct to use Setup account for patching and Farm for configuration wizard?
- The article states that the setup account "must have access to the SharePoint databases." What does this mean at a minimum?
- The article states that the setup account needs to be a "member of the db_owner role... If you use any Windows PowerShell operations that affect a database." Does Setup need db_owner on every database (for patching) on the grounds that the configuration wizard is a PowerShell activity affecting a database? Seems not, partly because he uses Farm for the configuration wizard.
- If so, is it normal to need to re-apply this permission to every database via the DBAs before every patch?
- Are the other permissions he wants to add necessary? Or are they a bad idea?
- If all is configured correctly, shouldn't permissions remain sufficient for patching without permissions updates, even if new content databases have been recently built?
- And if permissions updates are not necessary, any idea what underlying problems might be causing permissions failures during patching? I realize this question may require way more info but was just wondering if there are any obvious contenders to pursue.
For what it's worth, the SharePoint farm is running 2013 Enterprise and has 2 app servers, 2 web front ends, and one SQL server. The SharePoint servers are on Windows Server 2012 R2 Standard; SQL is on Windows Server 2008 R2.
Thanks in advance for any help you can give.
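An added example, not part of the question above and not Microsoft's code: a PowerShell audit that lists which SQL Server roles the Setup, Farm and App Pool accounts actually hold on every database the farm knows about and at the instance level (where securityadmin and dbcreator live), then reports each grant as EXTRA (held but not in a baseline transcribed from the TechNet article) or MISSING (in the baseline but not held). It also catches the case where an account owns a database outright, which makes it dbo and therefore db_owner without any role-membership row. The account names, the `$Baseline` contents and the use of `SPDatabase.NormalizedDataSource` for the server/instance string are assumptions to verify against your own farm and the article.

```powershell
# Added example, not part of the original question: audit the SQL Server roles the
# Setup, Farm and App Pool accounts actually hold on every database in the farm and at
# the instance level, then compare them with a baseline transcribed from the TechNet
# article. Run from the SharePoint 2013 Management Shell (for Get-SPDatabase) as a
# login that can read role membership on the SQL instance.
# Assumptions (verify for your farm): the placeholder account names, the $Baseline
# entries, and SPDatabase.NormalizedDataSource as the "server\instance" string.
param(
    [string[]]$Accounts = @('CONTOSO\sp_setup', 'CONTOSO\sp_farm', 'CONTOSO\sp_apppool')
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Expected roles per account: fixed server roles (checked once per instance) and
# database roles (checked on every SharePoint database). These values are this
# example's reading of the article and are an assumption; edit them to match it.
$Baseline = @{
    'CONTOSO\sp_setup'   = @{ Server = @('securityadmin', 'dbcreator'); Database = @() }
    'CONTOSO\sp_farm'    = @{ Server = @('securityadmin', 'dbcreator'); Database = @('db_owner') }
    'CONTOSO\sp_apppool' = @{ Server = @(); Database = @() }   # fill in from the article
}

function Invoke-Sql {
    # Runs one query with Integrated Security and emits the result rows.
    param([string]$DataSource, [string]$Database, [string]$Query)
    $connString = "Data Source=$DataSource;Initial Catalog=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        $table.Rows
    } finally {
        $conn.Close()
    }
}

# Direct memberships only (Windows users U, Windows groups G, SQL users S); {0} is
# 'database' or 'server'. A grant reached through a nested role, or through a Windows
# group that is itself the SQL login, is not expanded here.
$RoleQuery = @'
SELECT m.name AS MemberName, r.name AS RoleName
FROM sys.{0}_role_members rm
JOIN sys.{0}_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.{0}_principals m ON m.principal_id = rm.member_principal_id
WHERE m.type IN ('U', 'G', 'S')
'@
# Owning a database makes the login dbo, i.e. db_owner without any role row.
$OwnerQuery = 'SELECT SUSER_SNAME(owner_sid) AS OwnerName FROM sys.databases WHERE name = DB_NAME()'

$granted = @{}   # "instance|database|account" -> roles actually held there
function Add-Grant([string]$Instance, [string]$Database, [string]$Account, [string]$Role) {
    $key = "$Instance|$Database|$Account"
    if (-not $script:granted.ContainsKey($key)) { $script:granted[$key] = @() }
    $script:granted[$key] += $Role
}

$databases = Get-SPDatabase
$instances = $databases | ForEach-Object { $_.NormalizedDataSource } | Sort-Object -Unique

# securityadmin, dbcreator and sysadmin are instance-level, so check master once per instance.
foreach ($instance in $instances) {
    foreach ($row in (Invoke-Sql $instance 'master' ($RoleQuery -f 'server'))) {
        if ($Accounts -contains $row.MemberName) { Add-Grant $instance '(instance)' $row.MemberName $row.RoleName }
    }
}
foreach ($db in $databases) {
    $src = $db.NormalizedDataSource
    foreach ($row in (Invoke-Sql $src $db.Name ($RoleQuery -f 'database'))) {
        if ($Accounts -contains $row.MemberName) { Add-Grant $src $db.Name $row.MemberName $row.RoleName }
    }
    $owner = @(Invoke-Sql $src $db.Name $OwnerQuery)[0].OwnerName
    if ($Accounts -contains $owner) { Add-Grant $src $db.Name $owner 'db_owner' }
}

# EXTRA = held but not in the baseline (permission creep); MISSING = in the baseline
# but not held (the kind of gap that would make patching fail on a new content DB).
$report = foreach ($acct in $Accounts) {
    $expected = $Baseline[$acct]
    if (-not $expected) { $expected = @{ Server = @(); Database = @() } }   # account not in $Baseline
    $scopes = @(foreach ($i in $instances) { @{ Instance = $i; Database = '(instance)'; Roles = @($expected.Server) } })
    $scopes += @(foreach ($db in $databases) { @{ Instance = $db.NormalizedDataSource; Database = $db.Name; Roles = @($expected.Database) } })
    foreach ($s in $scopes) {
        $key = "$($s.Instance)|$($s.Database)|$acct"
        $held = if ($granted.ContainsKey($key)) { @($granted[$key]) } else { @() }
        foreach ($r in $held)    { if ($s.Roles -notcontains $r) { [pscustomobject]@{ Account = $acct; Instance = $s.Instance; Database = $s.Database; Role = $r; Status = 'EXTRA' } } }
        foreach ($r in $s.Roles) { if ($held -notcontains $r)    { [pscustomobject]@{ Account = $acct; Instance = $s.Instance; Database = $s.Database; Role = $r; Status = 'MISSING' } } }
    }
}
$report | Sort-Object Status, Account, Instance, Database, Role | Format-Table -AutoSize
```

Running this before a patch, instead of handing out db_owner to everything, gives the DBAs a concrete list to act on: EXTRA rows are the grants the article does not call for, and a MISSING db_owner for the Farm account on a recently created content database is exactly the kind of gap that would show up as a permissions failure during the configuration wizard. The query reports direct memberships only, so if an account gets its rights through a Windows group or a custom nested role, add those to the check before concluding that a grant is absent.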