Plan for administrative and service accounts in SharePoint Server

Summary: Learn about the accounts to use to manage SharePoint 2013 and SharePoint Server 2016 deployment scenarios and services.

To install SharePoint Server, you must have appropriate administrative and service accounts on the servers running SharePoint Server and SQL Server. After installation, you need appropriate administrative and service accounts to modify and maintain the environment. The accounts that you require to complete these groups of tasks are not necessarily the same. This article describes the accounts that you require after installation for a single server environment and a server farm environment.

Important

Do not use service account names that contain the symbol $.

Use this article along with Initial deployment administrative and service accounts in SharePoint Server.

The initial deployment administrative and service accounts article describes the specific account and permissions that you need to grant prior to running Setup.

This article does not describe the account requirements for using Secure Store service in SharePoint Server. For more information, see Plan the Secure Store Service in SharePoint Server.

This article does not describe security roles and permissions required to administer in SharePoint Server.

About administrative and service accounts

This section lists and describes the accounts that you must plan for to manage servers running SQL Server or SharePoint Server. The accounts are grouped according to scope.

After you complete installation and configuration of accounts, ensure that you do not use the Local System account to perform administration tasks or to browse sites.

Server farm-level accounts

The following table describes the accounts that are used to configure SQL Server database software and to install SharePoint Server.

| Account | Purpose |
|---|---|
| SQL Server service account | SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. If you are not using the default instance, these services will be shown as MSSQL <InstanceName> and SQLAgent <InstanceName>. |
| Setup user account | The user account that is used to run Setup on each server computer, the SharePoint Products Configuration Wizard, the Psconfig command-line tool, and the Stsadm command-line tool. If you run Microsoft PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database. |
| Server farm account | This account is also referred to as the database access account. It is the application pool identity for the SharePoint Central Administration website and the process account for the Windows SharePoint Services Timer service. |

Service application accounts

The following table describes the accounts that are used to set up and configure a service application. Plan one set of an application pool and proxy group for each service application that you plan to implement.

For more information about service application endpoints, see Using Service Endpoints.

Note

Excel Services and User Profile Synchronization service only apply to SharePoint 2013.

Account: Service Application Endpoint

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Access Services | X | |
| Business Data Connectivity service | X | X |
| Secure Store Service | X | |
| Usage and Health Data Collection Service | X | |
| User Profile Service | X | |
| Visio Graphics Service | X | |
| Word Automation services | X | |
| Excel Services | X | |
| Managed Metadata Service | X | |
| PerformancePoint Service | X | |
| Search Service | X | |

Note: This account is used as the identity for the service application endpoint application pool. Unless there are specific isolation requirements, the application pool can be used to host multiple service application endpoints. For Excel Services, Managed Metadata service, PerformancePoint service, and Search service, this must be a domain user account. Also, Excel Services is only available in SharePoint Server 2010 and 2013.

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Security Token Service | X | |
| Application Discovery and Load Balancer Service | X | X |

Note: This account is used as the identity for the service application endpoint application pool. This account must be the Farm Service Account, and the SharePoint Products Configuration Wizard automatically creates the application pool.

Account: Unattended Service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Excel Services | X | |
| PerformancePoint Service | X | |
| Visio Graphics Service | X | |

Note: Excel Services: used with workbooks to refresh data. It is required when workbook connections specify "None" for authentication, or when any credentials that are not Windows credentials are used to refresh data. PerformancePoint service: used for authenticating with data sources. Visio service: used with documents to refresh data. It is required when connecting to data sources that are external to SharePoint Server, such as SQL Server.

Account: Default Content Access

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| SharePoint Server Search | X | |

Note: This is the default account for crawling content. A Search service application administrator can create crawl rules to specify other accounts to crawl specific content. The account must have Read Access to the content being crawled. Full Read permissions must be granted explicitly to content that is outside the local farm. Full Read permissions are automatically configured for content databases in the local farm.

Account: Search Service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| SharePoint Server Search | X | |

Note: The Windows service account for the SharePoint Server Search service. This setting affects all Search service applications in the farm. Must be a domain user account.

Account: User Profile Synchronization Service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| User Profile Synchronization Service | X | |

Note: This is the Windows service account for the User Profile Synchronization Service. Requires Log on Locally permission on the computer running the instance of the User Profile Synchronization Service.

Account: Synchronization Connection

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| User Profile Service | X | |

Note: This is the account used to perform synchronization with the remote directory service. There can be one account per synchronization connection. The account requires Replicating Directory Changes permissions on the domains being synchronized, and Replicating Directory Changes permissions on the configuration partition of the domains being synchronized if the NetBIOS and fully qualified domain name (FQDN) names do not match.

Account: App Management Service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| App management | X | X |

Note: This account permits you to install SharePoint apps from the SharePoint Store or the App Catalog.

Account: PowerPoint Conversion Service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| PowerPoint conversion service | X | |

Note: This account converts Microsoft PowerPoint presentations into various formats.

Account: Machine Translation service

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Machine Translation service | X | |

Note: This account performs automated machine translation.

Account: Access Services 2013

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Access Services in SharePoint Server 2013 | X | |

Note: This account views, edits, and interacts with Access 2013 databases in a browser.

Account: Work Management

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Work management | X | |

Note: This account provides task aggregation across work management systems, including SharePoint products, Microsoft Exchange Server, and Microsoft Project Server.

Account: Distributed Cache

| Service name | In SharePoint Server | In SharePoint Foundation |
|---|---|---|
| Distributed Cache | X | X |

Note: This account provides in-memory caching services to several features in SharePoint Server. Some of the features that use the Distributed Cache service include:

  • Newsfeeds

  • Authentication

  • OneNote client access

  • Security Trimming

  • Page load performance

Additional application pool identity accounts

If you create additional application pools to host sites, plan for additional application pool identity accounts. The following table describes the application pool identity account. Plan one application pool account for each application pool that you plan to implement.

| Account | Purpose |
|---|---|
| Application pool identity | The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases that are associated with the web applications that reside in the application pool. |

Single server standard requirements

If you are deploying to a single server computer, account requirements are greatly reduced. In an evaluation environment, you can use a single account for all of the account purposes. In a production environment, ensure that the accounts that you create have the appropriate permissions for their purposes.

For a list of account permissions for single server environments, see Initial deployment administrative and service accounts in SharePoint Server.

Server farm requirements

If you are deploying to more than one server computer, use the server farm standard requirements to ensure that accounts have the appropriate permissions to perform their processes across multiple computers. The server farm standard requirements detail the minimum configuration that is necessary to operate in a server farm environment.

For a list of standard requirements for server farm environments, see the requirements listed in the Technical reference: Account requirements by scenario section of this article.

For some accounts, additional permissions or access to databases are configured when you run Setup. These are noted in the accounts planning tool. An important configuration for database administrators to be aware of is the addition of the WSS_Content_Application_Pools database role. Setup adds this role to the following databases:

  • SharePoint_Config database (configuration database)

  • SharePoint_AdminContent database

Members of the WSS_Content_Application_Pools database role are granted the Execute permission to a subset of the stored procedures for the database. Additionally, members of this role are granted the Select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database.

For other databases, the accounts planning tool indicates that access to read from these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured. To provide this access, permissions to stored procedures are configured.

Technical reference: Account requirements by scenario

This section lists account requirements by scenario:

Single server standard requirements

Server farm-level accounts

| Account | Requirements |
|---|---|
| SQL Server service | Local System account (default) |
| Setup user | Member of the Administrators group on the local computer |
| Server farm | Network Service (default). No manual configuration is necessary. |

Service application accounts

Important

Accounts in this table apply only to SharePoint Server.

| Account | Requirements |
|---|---|
| SharePoint Server Search Service | By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account. |
| Default Content Access | No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm. |
| Content Access | Same requirement as the default content access account. |
| Profile import Default Access | Same requirements as server farm. |
| Excel Services Unattended Service | Must be a domain user account. |

Additional application pool identity accounts

| Account | Requirements |
|---|---|
| Application pool identity | No manual configuration is necessary. The Network Service account is used for the default web site that is created during Setup and configuration. |

Server farm standard requirements

Server farm-level accounts

Important

The accounts in this table apply only to SharePoint Server.

| Account | Requirements |
|---|---|
| SQL Server service account | Use either a Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, that does not exist in the Active Directory Domain Services (AD DS) service environment), Kerberos authentication fails, and then NTLM is used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in AD DS, authentication fails. Authentication will always try to use the first SPN that it finds, so ensure that there are no SPNs assigned to inappropriate containers in AD DS. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant the machine account (<domain_name>\<SQL_hostname>) permissions to the external resource. |
| Setup user account | Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the Server admin SQL Server security role. If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database. |
| Server farm account | Domain user account. Additional permissions are automatically granted for this account on web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm. Note: If you configure the Secure Store Service, the server farm account will not automatically be given db_owner access to the Secure Store Service database. |

Service application service accounts

Important

The accounts in this table apply only to SharePoint Server.

| Account | Requirements |
|---|---|
| SharePoint Server Search service account | Must be a domain user account. Must not be a member of the Farm Administrators group. The following are automatically configured: access to read from the configuration database, administration content database, the search administration database, and crawl databases; Full Control access to the index partitions on the query servers. |
| Default content access account | Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm. |
| Content access account | Read access to external or secure content sources that this account is configured to access. For web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites. |
| Profile import default access account | Read access to the directory service. The account must have the Replicate Changes permission in AD DS. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections. |
| Excel Services unattended service account | Must be a domain user account. |

Additional application pool identity accounts

| Account | Requirements |
|---|---|
| Application pool identity | No manual configuration is necessary. The following are automatically configured: membership in the SP_DATA_ACCESS role for content databases and search databases associated with the web application; membership in specific application pool roles for the configuration and the SharePoint_AdminContent databases. Additional permissions for this account to front-end web servers and application servers are automatically granted. |
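
One way to check a planned account inventory against the server farm requirements listed above, written as an offline PowerShell check. This is an added example, not Microsoft's tooling: the function name Test-SPAccountPlan, the role labels, and the CONTOSO accounts are assumptions made for illustration.

```powershell
# Added example: validates a planned account list against the farm requirements
# in this article. Role labels and all account names are constructed placeholders.

# Built-in identities, which are not domain user accounts.
$BuiltIn = @('Local System', 'LocalSystem', 'Network Service',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE')

# Roles the farm tables require to be domain user accounts.
$MustBeDomainUser = @('SetupUser', 'ServerFarm', 'SearchService',
                      'DefaultContentAccess', 'ExcelUnattended')

# Roles the farm tables say must not be in the Farm Administrators group.
$NotFarmAdmin = @('SearchService', 'DefaultContentAccess')

function Test-SPAccountPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Plan,   # objects with Role and Account
        [string[]] $FarmAdministrators = @()       # planned group membership
    )
    foreach ($entry in $Plan) {
        $findings = @()
        $isBuiltIn = $BuiltIn -contains $entry.Account
        # Accept DOMAIN\user or user@domain; built-in identities never qualify.
        $looksQualified = ($entry.Account -match '^[^\\@]+\\[^\\@]+$') -or
                          ($entry.Account -match '^[^\\@]+@[^\\@]+$')
        $isDomainUser = (-not $isBuiltIn) -and $looksQualified

        # "Do not use service account names that contain the symbol $."
        if ($entry.Account -like '*$*') {
            $findings += 'name contains $'
        }
        if (($MustBeDomainUser -contains $entry.Role) -and (-not $isDomainUser)) {
            $findings += 'must be a domain user account'
        }
        if (($NotFarmAdmin -contains $entry.Role) -and
            ($FarmAdministrators -contains $entry.Account)) {
            $findings += 'must not be a member of Farm Administrators'
        }
        [pscustomobject]@{
            Role      = $entry.Role
            Account   = $entry.Account
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample plan (not from the article).
$plan = @(
    [pscustomobject]@{ Role = 'SqlService';           Account = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Role = 'SetupUser';            Account = 'CONTOSO\sp-setup' }
    [pscustomobject]@{ Role = 'ServerFarm';           Account = 'CONTOSO\sp-farm' }
    [pscustomobject]@{ Role = 'SearchService';        Account = 'Local System' }
    [pscustomobject]@{ Role = 'DefaultContentAccess'; Account = 'CONTOSO\sp-farm' }
    [pscustomobject]@{ Role = 'ExcelUnattended';      Account = 'CONTOSO\sp-xl$' }
)
$farmAdmins = @('CONTOSO\sp-setup', 'CONTOSO\sp-farm')

# Show only the entries that break a requirement.
Test-SPAccountPlan -Plan $plan -FarmAdministrators $farmAdmins |
    Where-Object { -not $_.Compliant } |
    Format-Table Role, Account, Findings -AutoSize
```

The SQL Server service account is checked only for the $ rule, because the farm table allows either Local System or a domain user account for it.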

See also

Other Resources

Plan for SharePoint Server