How to choose logon accounts for service applications, Windows services, and application pools
Had some issues and uncertainty today involving assigning the proper logon accounts to service applications, Windows services, and application pools. I've read a bunch on this topic but I may not have something straight.

Before doing anything, I had the systems admin create 4 new user accounts in AD: sp_farm, sp_admin, sp_sql, and sp_service. I then installed SharePoint Server 2010 standard edition on a new server running newly installed SQL 2008 R2, with another identical server for the database. I installed as the user MYDOMAIN\sp_admin (after making sure sp_admin and sp_farm were members of the local administrators group). MYDOMAIN\sp_farm was designated as the farm account during installation.

Once SP was installed, I installed the latest cumulative updates for SP, then had a single health analyzer issue saying that the user account associated with the application pool for Central Administration should not be in the local administrator group (in my case the user was MYDOMAIN\sp_farm). Based on a discussion I found online, I had the system admin grant "replicate directory changes" permission for the sp_farm account in AD... this didn't resolve the issue. I also found where an MS guy said to basically ignore the issue because sp_farm is supposed to be a local admin. Is that correct? How do you handle this warning?

I went through all of my services available in CA and checked the user accounts associated with each. Most things I assigned to "MYDOMAIN\sp_service." In Windows services (I was looking for the Timer service) I checked all the SharePoint services and anything with "Local System" as the logon I changed to "sp_service." Although the server appears to be up and running fine now, I had some trouble with the application pool for the main default application (port 80) stopping and getting the 503 error in the browser, although after creating a site collection in that web application this seems to have been OK.

I guess some specific questions I have would be:

Which SharePoint service applications, Windows services, and application pools in IIS need to have MYDOMAIN\sp_farm designated as the logon?

Do any of these accounts need to have sp_admin for the logon?

Can all the rest of the accounts use sp_service?

Thanks a lot.
June 10th, 2011 1:59pm

Hi,

You will find the following links very useful; they set out clearly what accounts and level of privileges are required.

http://technet.microsoft.com/en-us/library/ee662513.aspx
http://technet.microsoft.com/en-us/library/cc678863.aspx

hth,
Chirag Patel, MCTS
Blog: techChirag.com
Twitter: @techChirag
June 10th, 2011 2:46pm

First, if there's a moderator out there reading this, would you please move this thread to the SP2010 category? I thought that's where I posted but it looks like not. Chirag, thanks for the links. I'd seen the first one. Still isn't clear reading the second one what logon is used for the application pools in IIS--unless I'm misreading things.
June 10th, 2011 3:15pm
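
The manual check described in this thread (walking through Windows services, IIS application pools and the services in Central Administration to see which logon each one uses) can be done in one pass with a read-only inventory. The script below is an added example, not part of any post here and not Microsoft's own tooling; it assumes it is run from an elevated SharePoint 2010 Management Shell on the SharePoint server, and the account names are the ones given in the original question.

```powershell
# Added example: read-only inventory of logon identities on one SharePoint 2010 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Assumption: the four accounts named in the original post.
$listed = 'MYDOMAIN\sp_farm', 'MYDOMAIN\sp_admin', 'MYDOMAIN\sp_sql', 'MYDOMAIN\sp_service'

# Members of the local Administrators group, normalised to DOMAIN\name.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

$rows = @()
function Add-Row($source, $name, $identity) {
    $script:rows += New-Object PSObject -Property @{
        Source = $source; Name = $name; Identity = [string]$identity }
}

# 1. Windows services with "SharePoint" in the display name (includes the Timer service).
Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like '*SharePoint*' } |
    ForEach-Object { Add-Row 'Windows service' $_.DisplayName $_.StartName }

# 2. Application pools as IIS itself has them configured.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel
    $id = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    Add-Row 'IIS app pool' $_.Name $id
}

# 3. The same pools as SharePoint records them: web applications (including
#    Central Administration) and service application pools.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Add-Row 'SP web app pool' $_.ApplicationPool.Name $_.ApplicationPool.Username }
Get-SPServiceApplicationPool | ForEach-Object {
    Add-Row 'SP service app pool' $_.Name $_.ProcessAccountName }

# Report: which identity runs what, whether that identity is a local administrator
# (the condition the Health Analyzer rule reports), and whether it is one of the
# four accounts listed above. Built-in identities show as not listed.
$rows | Select-Object Source, Name, Identity,
        @{ n = 'LocalAdmin'; e = { $admins -contains $_.Identity } },
        @{ n = 'Listed';     e = { $listed -contains $_.Identity } } |
    Sort-Object Source, Name | Format-Table -AutoSize
```

A pool whose identity differs between the IIS rows and the SharePoint rows was changed outside SharePoint, which is worth ruling out when an application pool stops and the site returns 503.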

This topic is archived. No further replies will be accepted.
