Plan for administrative and service accounts in SharePoint Server

APPLIES TO: 2013 (yes), 2016 (yes), 2019 (yes), SharePoint Online (no)

To install SharePoint Server, you have to have appropriate administrative and service accounts on the servers running SharePoint Server and SQL Server. After installation, you need appropriate administrative and service accounts to modify and maintain the environment. The accounts required for these two groups of tasks are not necessarily the same. This article describes the accounts that you require after installation for a single server environment and for a server farm environment.

Important

Do not use service account names that contain the symbol $, with the exception of a Group Managed Service Account used for SQL Server.

Important

SharePoint services do not support Managed Service Accounts or Group Managed Service Accounts.

Use this article along with Initial deployment administrative and service accounts in SharePoint Server.

The initial deployment administrative and service accounts article describes the specific accounts and the permissions that you need to grant before running Setup.

This article does not describe the account requirements for using the Secure Store Service in SharePoint Server. For more information, see Plan the Secure Store Service in SharePoint Server.

About administrative and service accounts

This section lists and describes the accounts that you must plan for to manage servers running SQL Server or SharePoint Server. The accounts are grouped according to scope.

After you complete the installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.

Server farm-level accounts

The following table describes the accounts that are used to configure the SQL Server database software and to install SharePoint Server.

Account: SQL Server service account
Purpose: The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:
  • MSSQLSERVER
  • SQLSERVERAGENT
If you do not use the default SQL Server instance, these services are shown in the Windows Services console as:
  • MSSQL<InstanceName>
  • SQLAgent<InstanceName>
The instance name is arbitrary and was created when SQL Server was installed.
Requirements: Use either a domain user account or, preferably, a Group Managed Service Account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account or a Group Managed Service Account for the SQL Server service account, grant the permissions to that account. However, if you use the Network Service or the Local System account, grant the permissions to the external resource to the machine account (<domain_name>\<SQL_hostname>).

Account: Farm administrator user account
Purpose: The farm administrator user account is a uniquely identifiable account assigned to a SharePoint administrator. It is used to run the following:
  • Setup
  • SharePoint Products Configuration Wizard
Requirements: Domain user account. Member of the Administrators group on each SharePoint server in the farm. Optionally, member of the sysadmin fixed server role in SQL Server. If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database or a member of the sysadmin fixed server role on SQL Server.

Account: Farm service account
Purpose: The farm service account is used to perform the following tasks:
  • Act as the application pool identity for the SharePoint Central Administration website.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
Requirements: Domain user account. Additional permissions are automatically granted to the server farm account on web servers and application servers that are joined to the server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server, and is added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm
This account should not be used interactively by an administrator.
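The following PowerShell check, added here as an example and not part of the original article, compares the SQL Server roles the farm service account actually holds against the set documented above: exactly dbcreator and securityadmin at server level (sysadmin or any other extra role is reported as drift) and db_owner on each SharePoint database. It assumes the SqlServer module (Invoke-Sqlcmd), that the account's database user has the same name as its login, and that Get-SPDatabase runs from the SharePoint Management Shell when no database list is supplied; the instance and account names are placeholders.

```powershell
# Added example, not from the original article. Audits the farm service account's
# SQL Server role memberships against the requirements listed above.
# Assumes: SqlServer module (Invoke-Sqlcmd); SharePoint Management Shell if you
# want Get-SPDatabase to enumerate the farm databases; placeholder names below.
param(
    [string]   $SqlInstance = 'SQLHOST\SHAREPOINT',   # placeholder SQL instance
    [string]   $FarmAccount = 'CONTOSO\sp_farm',       # placeholder farm service account
    [string[]] $Databases   = @()                      # empty = ask SharePoint
)

$expectedServerRoles = @('dbcreator', 'securityadmin')

# Single-quoted here-strings keep $(login) as a sqlcmd scripting variable
# instead of letting PowerShell expand it.
$serverRoleQuery = @'
SELECT r.name AS RoleName
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(login)';
'@

$dbRoleQuery = @'
SELECT r.name AS RoleName
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'$(login)';
'@

$findings = New-Object System.Collections.Generic.List[string]

# The article forbids '$' in service account names except for a gMSA used by SQL Server.
if ($FarmAccount -match '\$') {
    $findings.Add("Farm account name contains '`$', which SharePoint services do not support.")
}

# Server-level roles: expect exactly dbcreator and securityadmin.
$held = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $serverRoleQuery -Variable "login=$FarmAccount" |
          ForEach-Object { $_.RoleName })

foreach ($role in $expectedServerRoles) {
    if ($role -notin $held) { $findings.Add("Missing server role: $role") }
}
foreach ($role in $held) {
    if ($role -notin $expectedServerRoles) {
        # sysadmin on the farm account removes the separation the table relies on.
        $findings.Add("Unexpected server role: $role")
    }
}

# Database level: db_owner on every SharePoint database.
if (-not $Databases) {
    $Databases = Get-SPDatabase | Select-Object -ExpandProperty Name
}
foreach ($db in $Databases) {
    $dbRoles = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $dbRoleQuery -Variable "login=$FarmAccount" |
                 ForEach-Object { $_.RoleName })
    if ('db_owner' -notin $dbRoles) {
        $findings.Add("$db : farm account is not db_owner")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Farm account $FarmAccount matches the documented SQL Server role set."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```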

Service application accounts

The following tables describe the accounts that are used to set up and configure a service application. Plan one application pool and one proxy group for each service application that you plan to implement.

For more information about service application endpoints, see Using Service Endpoints.

Note

Excel Services and the User Profile Synchronization Service only apply to SharePoint 2013.

Account: Service Application Endpoint
Purpose: Run SharePoint Services instances and Windows services
Requirements: Domain user account
Service:

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Access Services | X | |
| Business Data Connectivity service | X | X |
| Secure Store Service | X | |
| Usage and Health Data Collection Service | X | |
| User Profile Service | X | |
| Visio Graphics Service | X | |
| Word Automation Services | X | |
| Excel Services | X | |
| Managed Metadata Service | X | |
| PerformancePoint Service | X | |
| Search Service | X | |

Note

This account is used as the identity for the service application endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints. For Excel Services, the Managed Metadata service, the PerformancePoint service, and the Search service, the account must be a domain user account. Also, Excel Services is only available in SharePoint Server 2013.

Service:

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Security Token Service | X | |
| Application Discovery and Load Balancer Service | X | X |

Note

This account is used as the identity for the service application endpoint application pool. This account must be the farm service account, and the SharePoint Products Configuration Wizard automatically creates the application pool.

Account: Unattended Service
Purpose: Used to execute functions on behalf of the user or service
Requirements: N/A
Service:

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Excel Services | X | |
| PerformancePoint Service | X | |
| Visio Graphics Service | X | |

Note

Excel Services uses this account with workbooks to refresh data. It is required when workbook connections specify "None" for authentication, or when any credentials that are not Windows credentials are used to refresh data. The PerformancePoint service uses it to authenticate with data sources. The Visio service uses it with documents to refresh data. It is required when connecting to data sources that are external to SharePoint Server, such as SQL Server.

Account: Default Content Access
Service: Search
Purpose: Crawl content
Requirements: Read access to the content being crawled

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| SharePoint Server Search | X | |

Note

The default account for crawling content. A Search service application administrator can create crawl rules to specify other accounts to crawl specific content. The account must have Read access to the content being crawled. Full Read permissions must be granted explicitly to content that is outside the local farm; Full Read permissions are automatically configured for content databases in the local farm. The account requires the Manage auditing and security log right in the Local User Policy on the Windows file servers that it is configured to crawl.

Account: Search Service
Service: Search
Purpose: Run the Windows Search services
Requirements: Must be a domain user account

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| SharePoint Server Search | X | |

Account: Farm administrator
Service: User Profile Synchronization Service
Purpose: Runs the Forefront Identity Manager services
Requirements: Farm administrator account; local administrator on the server where the User Profile Synchronization Service is started

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| User Profile Synchronization Service | X | N/A |

Account: Synchronization Connection
Service: User Profile Service
Purpose: Connect to user identity stores
Requirements: Replicate directory changes (Active Directory); read access (other directories)

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| User Profile Service | X | N/A |

Note

The Replicating Directory Changes permission on the configuration partition of the domains being synchronized is required if the NetBIOS name and the fully qualified domain name (FQDN) do not match.

Account: App Management Service
Service: N/A
Purpose: Used to install SharePoint Add-ins
Requirements: N/A

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| App Management | X | X |

Account: PowerPoint Conversion Service
Service: PowerPoint Conversion Services
Purpose: Convert PowerPoint files to other file formats
Requirements: Farm administrator role (SharePoint Server 2013 only)

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| PowerPoint Conversion Service | X | |

Account: Machine Translation Service
Service: Machine Translation Service
Purpose: Perform automated machine translations
Requirements: N/A

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Machine Translation Service | X | |

Account: Access Services 2013
Service: Access Services
Purpose: Interact with Access 2013 databases in a browser
Requirements: N/A

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Access Services in SharePoint Server 2013 | X | |

Account: Work Management
Service: Work Management Service
Purpose: Provides task aggregation across SharePoint, Exchange, and Project Server.
Requirements: N/A

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Work Management | X | |

Account: Distributed Cache
Service: AppFabric Windows service
Purpose: Runs Distributed Cache operations
Requirements: N/A

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Distributed Cache | X | X |

Note

Some of the features that use the Distributed Cache service include newsfeeds, authentication, OneNote client access, security trimming, and improved page load performance. At least one Distributed Cache server is required in the farm.

Additional application pool identity accounts

If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool that you plan to implement.

Account: Application pool identity
Purpose: The user account that the worker processes servicing the application pool use as their process identity. This account is used to access the content databases that are associated with the web applications that reside in the application pool.

Single server standard requirements

If you are deploying to a single server, the account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts that you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see Initial deployment administrative and service accounts in SharePoint Server.

Server farm requirements

If you are deploying to more than one server, use the server farm standard requirements to ensure that the accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment.

For a list of standard requirements for server farm environments, see the requirements listed in the Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run the Configuration Wizard. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. The Configuration Wizard adds this role to the following databases:

  • SharePoint_Config database (configuration database)

  • SharePoint_Admin content database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission on a subset of the stored procedures in the database. Additionally, members of this role are granted the Select permission on the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that read access to these databases is configured automatically. In some cases, limited write access to a database is also configured automatically. To provide this access, permissions on stored procedures are configured.
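To see whether the WSS_Content_Application_Pools role still carries only the grants described above, this added PowerShell example (not from the original article) lists the role's object-level permissions and members in the configuration and admin content databases and warns about anything other than EXECUTE on a stored procedure or SELECT on dbo.Versions. It assumes the SqlServer module (Invoke-Sqlcmd); the instance name and the SharePoint_AdminContent database name are placeholders that vary per farm.

```powershell
# Added example, not from the original article. Reports what the
# WSS_Content_Application_Pools role is granted in the configuration and admin
# content databases and flags grants beyond the documented shape
# (EXECUTE on stored procedures; SELECT on dbo.Versions).
# Assumes the SqlServer module (Invoke-Sqlcmd); names below are placeholders.
param(
    [string]   $SqlInstance = 'SQLHOST\SHAREPOINT',                        # placeholder
    [string[]] $Databases   = @('SharePoint_Config', 'SharePoint_AdminContent')  # admin DB name varies per farm
)

$roleName = 'WSS_Content_Application_Pools'

# Object-level permissions granted to the role (class 1 = OBJECT_OR_COLUMN).
$permQuery = @'
SELECT p.permission_name,
       p.state_desc,
       s.name AS schema_name,
       o.name AS object_name,
       o.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = p.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE r.name = N'$(role)' AND p.class = 1;
'@

# Who can exercise those permissions: the members of the role.
$memberQuery = @'
SELECT m.name AS MemberName
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'$(role)';
'@

function Test-DocumentedGrant {
    # True when one permission row matches the grants the article describes.
    param($Row)
    $isProcExec = $Row.permission_name -eq 'EXECUTE' -and
                  $Row.type_desc -in @('SQL_STORED_PROCEDURE', 'CLR_STORED_PROCEDURE')
    $isVersionsSelect = $Row.permission_name -eq 'SELECT' -and
                        $Row.schema_name -eq 'dbo' -and $Row.object_name -eq 'Versions'
    return ($Row.state_desc -eq 'GRANT') -and ($isProcExec -or $isVersionsSelect)
}

foreach ($db in $Databases) {
    $perms   = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $permQuery   -Variable "role=$roleName")
    $members = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $memberQuery -Variable "role=$roleName")

    $execCount = @($perms | Where-Object { $_.permission_name -eq 'EXECUTE' }).Count
    Write-Output "$db : $roleName has $execCount EXECUTE grants; members: $($members.MemberName -join ', ')"

    # A DENY, a table other than dbo.Versions, or DML beyond SELECT is drift
    # from the documented configuration and deserves a closer look.
    $perms | Where-Object { -not (Test-DocumentedGrant $_) } | ForEach-Object {
        Write-Warning "$db : unexpected $($_.state_desc) $($_.permission_name) on $($_.schema_name).$($_.object_name) ($($_.type_desc))"
    }
}
```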

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

Single server standard requirements

Important

We do not recommend this configuration in a production environment.

Server farm-level accounts

Account: SQL Server service
Requirements: Local System account (default)

Account: Farm administrator user account
Requirements: Member of the Administrators group on the local computer.

Account: Farm service
Requirements: Network Service (default). No manual configuration is necessary.

Service application accounts

Important

The accounts in this table apply only to SharePoint Server.

Account: SharePoint Server Search Service
Requirements: By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

Account: Default Content Access
Requirements: No manual configuration is necessary if this account only crawls local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account and apply the requirements listed for a server farm.

Account: Content Access
Requirements: Same requirement as the default content access account.

Account: Profile Synchronization account
Requirements: Same requirements as for a server farm.

Account: Excel Services Unattended Service
Requirements: Must be a domain user account.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary. The Network Service account is used for the default web site that is created during Setup and configuration.

Server farm standard requirements

Server farm-level accounts

Account: SQL Server service account
Purpose: The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:
  • MSSQLSERVER
  • SQLSERVERAGENT
If you do not use the default SQL Server instance, these services are shown in the Windows Services console as:
  • MSSQL<InstanceName>
  • SQLAgent<InstanceName>
The instance name is arbitrary and was created when SQL Server was installed.
Requirements: Use either a domain user account or, preferably, a Group Managed Service Account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account or a Group Managed Service Account for the SQL Server service account, grant the permissions to that account. However, if you use the Network Service or the Local System account, grant the permissions to the external resource to the machine account (<domain_name>\<SQL_hostname>).

Account: Farm administrator user account
Purpose: The farm administrator user account is a uniquely identifiable account assigned to a SharePoint administrator. It is used to run the following:
  • Setup
  • SharePoint Products Configuration Wizard
Requirements: Domain user account. Member of the Administrators group on each SharePoint server in the farm. Optionally, member of the sysadmin fixed server role in SQL Server. If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database or a member of the sysadmin fixed server role on SQL Server.

Account: Farm service account
Purpose: The farm service account is used to perform the following tasks:
  • Act as the application pool identity for the SharePoint Central Administration website.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
Requirements: Domain user account. Additional permissions are automatically granted to the server farm account on web servers and application servers that are joined to the server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server, and is added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm
This account should not be used interactively by an administrator.

Service application service accounts

Important

The Profile Synchronization account and the Excel Services unattended service account only apply to SharePoint Server.

Account: SharePoint Server Search service account
Requirements: Must be a domain user account. Must not be a member of the Farm Administrators group. The following are configured automatically: read access to the configuration database, the administration content database, the search administration database, and the crawl databases; Full Control access to the index partitions on the query servers.

Account: Default content access account
Requirements: Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to the external or secure content sources that you want to crawl by using this account. For sites that are not part of the server farm, this account must be explicitly granted Full Read permissions on the web applications that host the sites. The following is configured automatically: Full Read permissions on the content databases hosted by the server farm.

Account: Content access account
Requirements: Read access to the external or secure content sources that this account is configured to access. For web sites that are not part of the server farm, this account must be explicitly granted Full Read permissions on the web applications that host the sites.

Account: Profile Synchronization account
Requirements: Read access to the directory service. The account must have the Replicate Changes permission in Active Directory. Manage User Profiles personalization services permission. View permissions on the entities used in Business Data Catalog import connections.

Account: Excel Services unattended service account
Requirements: Must be a domain user account.

Additional application pool identity accounts

Account: Application pool identity
Requirements: No manual configuration is necessary. The following are configured automatically: membership in the SP_DATA_ACCESS role for the content databases and search databases associated with the web application; membership in specific application pool roles for the configuration database and the SharePoint_AdminContent database. Additional permissions for this account on front-end web servers and application servers are granted automatically.