As part of some internal training I captured the details of which groups the various accounts that can be used for Project Server 2007 end up belonging to. I thought this might be useful to share. The key thing here is that you do not normally need to do any of this manually - and even if you change some accounts, as long as you use the UI or stsadm the group memberships should be set correctly.
So for my scenario I have 4 users: FarmAdmin, SSPAdmin, DefAppPool and SSPAppPool. These are going to be used as the farm administrator of Windows SharePoint Services (FarmAdmin), the admin account for the Shared Services Provider (SSPAdmin) and the identities for the two application pools for the initial Port 80 site (DefAppPool) and the random port for the SSP (SSPAppPool). In a farm environment these would all need to be domain accounts. In my tests they were all local in a Virtual Server image. These could all be the same account - but some customers prefer each to be different - thus allowing each to have minimum permissions. I carried out the install as myself - an administrator on the server.
Once I had finished my installation, the following groups had gained the following members:
IIS_WPG - FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool
WSS_ADMIN_WPG - FarmAdmin
WSS_RESTRICTED_WPG - FarmAdmin
WSS_WPG - FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool
And in SQL Server the following logins had been added with roles set as noted below:-
FarmAdmin
Server roles - dbcreator and securityadmin
User mappings to the PWA, SSP and WSS content databases with dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent with dbo and WSS_Content_Application_Pools role

SSPAdmin
No server roles
User mapping to PWA Archive draft and published with datareader, datawriter and ProjectServerRole
User mapping to PWA reporting as above plus ddladmin
User mapping to SharedServices and WSS Content databases with dbo role
User mappings to the SharePoint_Config and SharePoint_AdminContent with WSS_Content_Application_Pools role

DefAppPool and SSPAppPool
No server roles
User mapping to SharedServices database and their respective WSS_Content databases as dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent with WSS_Content_Application_Pools role
In my next posting I will take this to the next level and document other settings and permissions required to get Project Server 2007 working with SQL Server 2005 Analysis Services.
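One way to check the SQL Server side of the list above on a running instance, as an added example that is not part of the original post: the T-SQL below reports the server roles and per-database roles actually held by the four accounts, so the result can be compared with the assignments listed. The `MACHINE\name` / `DOMAIN\name` login pattern and the temporary table names `#svc` and `#db_roles` are assumptions.

```sql
-- Added example, not from the original post. Run as a sysadmin login.
-- Assumption: the four accounts are Windows logins named MACHINE\name or
-- DOMAIN\name, using the sample account names from the post.
SET NOCOUNT ON;

SELECT name, sid, principal_id
INTO #svc
FROM sys.server_principals
WHERE name LIKE N'%\FarmAdmin' OR name LIKE N'%\SSPAdmin'
   OR name LIKE N'%\DefAppPool' OR name LIKE N'%\SSPAppPool';

-- 1. Server roles actually held. Per the post only FarmAdmin should hold any,
--    and only dbcreator and securityadmin.
SELECT s.name AS login_name, r.name AS server_role,
       CASE WHEN s.name LIKE N'%\FarmAdmin'
                 AND r.name IN (N'dbcreator', N'securityadmin')
            THEN 'expected' ELSE 'UNEXPECTED' END AS status
FROM #svc AS s
JOIN sys.server_role_members AS m ON m.member_principal_id = s.principal_id
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id;

-- 2. Database roles held in every online database, matched to logins by SID.
CREATE TABLE #db_roles (db sysname, login_name sysname,
                        db_user sysname, db_role sysname);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'INSERT INTO #db_roles
        SELECT ' + QUOTENAME(@db, '''') + N', s.name, u.name, r.name
        FROM #svc AS s
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS u
             ON u.sid = s.sid
        JOIN ' + QUOTENAME(@db) + N'.sys.database_role_members AS m
             ON m.member_principal_id = u.principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
             ON r.principal_id = m.role_principal_id';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Compare this listing with the user mappings in the post.
SELECT db, login_name, db_user, db_role FROM #db_roles ORDER BY login_name, db;
DROP TABLE #db_roles;
DROP TABLE #svc;
```

Any row marked UNEXPECTED in the first result set, or a database role in the second that the post does not list for that account, is a grant beyond this baseline and worth reviewing.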
Very interesting article, Brian.
Before starting the installation, in what local groups were each of these accounts?
I have noticed that they need to be at least in the Users or Power Users groups, no?
If not, it seems ASP.NET has some problems creating temporary files when starting the web site.
Hi Steven - thanks for the feedback. Yes, on my system the service users were in the "Users" group (automatically as I created them - so left them in there) but were not in the Power Users group. If you have some tighter controls on certain drives or directories you may need to give further permissions. Also if you are working on a farm install and using domain accounts you would need to put these domain accounts in the groups as necessary.
I have installed MOSS 2007 and SQL Server on the same machine.
I can locate IIS_WPG, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG and WSS_WPG as groups under computer management but could not find FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool as users or groups under computer management and also checked under security->login->server roles.
Am I checking at the wrong place?
Also need to know something about some accounts mentioned in one of the Microsoft websites:
a) SQL Server Service Account: Account used by SQL to run all SQL services
b) Server Farm Account - is it farm administrator account
c)SSP Service Account -same as of yours
d)Office SharePoint Server Search Account
e)Default Content Access Account
f)User Profile and Properties Content Access
g)Excel Services Unattended Account
h)One account per application pool: This is typically three accounts; SSPAdministration, MySite and your main 'Portal' or 'Intranet'.
How and where are these groups created?
The accounts named in my blog and I think the others you have referred to do not exist until you create them. I created accounts with these names in the operating system and then used the accounts during the installation - they do not get created for you. Hope this helps.
A very informative article, however it brings me to the security permissions for Portfolio Server 2007 accounts. I'm trying out integration of Project Server 2007 with Portfolio Server 2007 but I'm unable to complete the Project Server Gateway setup.... "Attribute Template" mapping.
The error I get is "The file you are attempting to save or retrieve has been blocked from this Web site by the server administrators."
Troubleshoot issues with Windows SharePoint Services.
Can you shed some light on this ? I'm using only one account, which is a domain account and is also local admin on both DB and Portfolio Server machines.
Any help or suggestions will be appreciated. Thanks
Hi Sadaf, One or other of these might work for you.
1: changed Security of Web Application Pool for Default Web Site and PPS from
Network Service to domain\user account. Add domain\user account in WSS-> App
Management -> Grant or Config Shared services between farms --> Select This farm
will provide shared service to other farm
2: Add Network Service account in WSS-> App Management -> Grant or Config Shared
services between farms --> Select This farm will provide shared service to other
I will be going deeper in this posting, particularly on the scenario of moving just the databases and