Cascade Skyline - with Microsoft Logo and Project Support header - author Brian Smith

Operating System and SQL Permissions for the Microsoft Office Project Server 2007 Service Accounts

Operating System and SQL Permissions for the Microsoft Office Project Server 2007 Service Accounts

  • Comments 7

As part of some internal training I captured the details of which groups the various accounts that can be used for Project Server 2007 end up belonging to.  I though this might be useful to share.  The key thing here is that you do not normally need to do any of this manually - and even if you change some accounts then as long as you use the UI or stsadm the group memberships should be set correctly. 

So for my scenario I have 4 users.  FarmAdmin, SSPAdmin, DefAppPool and SSPAppPool and these are going to used as the farm administrator of Windows SharePoint Services (FarmAdmin), the admin account for the Shared Services Provider (SSPAdmin) and the identities for the two application pools for the initial Port 80 site (DefAppPool) and the random port for the SSP (SSPAppPool).  In a farm environment these would all need to be domain accounts.  In my tests they were all local in a Virtual Server image.  These could all be the same account - but some customers prefer each to be different - thus allowing each to have minimum permissons.  I carried out the install as myself - an administrator on the server.

Once I had finished my installation the following groups had added the following members:-

IIS_WPG - FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool
WSS_ADMIN_WPG - FarmAdmin
WSS_RESTRICTED_WPG - FarmAdmin
WSS_WPG - FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool

And in SQL Server the following logins had been added with roles set as noted below:-

FarmAdmin
Server roles - dbcreator and securityadmin
User mappings to the PWA, SSP and WSS content databases with dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent  with dbo and WSS_Content_Application_Pools role

SSPAdmin
No server roles
User mapping to PWA Archive draft and published with datareader, datawriter and ProjectServerRole
User mapping to PWA reporting as above plus ddladmin
User mapping to SharedServices and WSS Content databases with dbo role
User mappings to the SharePoint_Config and SharePoint_AdminContent  with WSS_Content_Application_Pools role


DefAppPool and SSPAppPool
No server roles
User mapping to SharedServices database and their respective WSS_Content databases as dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent  with WSS_Content_Application_Pools role

In my next posting I will take this to the next level and document other settings and permissions required to get Project Server 2007 working with SQL Server 2005 Analysis Services.

Technorati Tags:

Leave a Comment
  • Please add 5 and 4 and type the answer here:
  • Post
  • Very interesting article, Brian.

    Before starting the installation in what local groups were each of these accounts.

    I have noticed that they need to be at least in the Users or Power users groups, no ?

    If not it seems ASP.Net has some problems to create temporary files when startint the web site.

    steven

  • Hi Steven - thanks for the feedback.  Yes, on my system the service users were in the "Users" group (automatically as I created them - so left them in there) but were not in the Power Users group.  If you have some tighter controls on certain drives or directories you may need to give further permissions. Also if you are working on a farm install and using domain accounts you would need to put these domain accounts in the groups as necessary.

    Brian.

  • Hi,

    I have installed MOSS 2007 and sql server on the same machine.

    I can locate IIS_WPG ,WSS_ADMIN_WPG, WSS_RESTRICTED_WPG and WSS_WPG as groups under computer management but could not find FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool as users or groups under computer management and also checked under security->login->server roles.

    Am i checking at the wrong place.

    Also needs to know something about some accounts mentioned in one of t he microsft website:

     a)SQL Server Service Account: Account used by SQL

       to run all SQL services

     b)Server Farm Account -is it farm administartor account

     c)SSP Service Account -same as of yours

     d)Office SharePoint Server Search Account

     e)Default Content Access Account

     f)User Profile and Properties Content Access

       Account

     g)Excel Services Unattended Account

     h)One account per application pool: This is typically three accounts; SSPAdministration, MySite and your main 'Portal' or 'Intranet'.

    How and where these group are created.

  • Hi Leo,

    The accounts named in my blog and I think the others you have referred to do not exist until you create them.  I created accounts with these names in the operating system and then used the accounts during the installation - they do not get created for you.  Hope this helps.

    Brian.

  • Hi Brian,

    A very informative article, however it brings me to the serucity permissions for Portfolio Server 2007 accounts. I'm trying out integration of Project Server 2007 with Portfolio Server 2007 but I'm unable to complete the Project Server Gateway setup.... "Attribute Template" mapping.

    The error i get is " The file you are attempting to save or retrieve has been blocked from this Web site by the server administrators."

    Troubleshoot issues with Windows SharePoint Services.

    Can you shed some light on this ? I'm using only one account, which is a domain account and is also local admin on both DB and Portfolio Server machines.

    Any help or suggestions will be appreciated. Thanks

  • Hi Sadaf, One or other of these might work for you.

    1: changed Security of Web Application Pool for Default Web Site and PPS from

    Network Service to domain\user account. Add domain\user account in WSS-> App

    Management -> Grant or Config Shared services between farms --> Select This farm

    will provide shared service to other farm

    2: Add Network Service account in WSS-> App Management -> Grant or Config Shared

    services between farms --> Select This farm will provide shared service to other

    farm

    Best regards,

    Brian.

  • I will be going deeper in this posting, particularly on the scenario of moving just the databases and

Page 1 of 1 (7 items)