How to Create the SharePoint Service Accounts via PowerShell

Written by Denis Stadler on . Posted in Administration

Every time an administrator deploys a new SharePoint farm, a number of service accounts have to be created for the new system to work properly.


The list of required accounts includes the following (all of them have to be defined as domain accounts):

  • Administrator Account (used to install the SharePoint binaries and perform administrative tasks; it needs to be a local administrator on the SharePoint machines and to hold the dbcreator and securityadmin SQL roles on the SQL server used for the implementation)
  • Farm Account (used by the SharePoint Timer Service, Central Administration and the User Profile service; it needs local administrator rights while the User Profile service is being provisioned)
  • Web Application Account (used for the application pool of the content web application(s))
  • Services Account (used for the service applications pool)
  • Search Account (used by the search service)
  • Crawl Account (used for SharePoint crawling)
  • User Profile Service Account (used by the User Profile service to access Active Directory; it needs the Replicating Directory Changes permission in Active Directory)
  • Cache Admin (used for caching; it needs full control on the web application(s), granted via web application policies)
  • Cache Reader (used for caching; it needs read permissions on the web application(s))

To automate the process, the following PowerShell script can be used. It has to be run by a person who can create Active Directory accounts.

The following parameters have to be provided when the script runs:

  • The domain where the accounts are created
  • The Active Directory path (container or OU) where the accounts are created
  • The prefixes for the accounts (the service accounts prefix and the SharePoint farm prefix)
  • The password of the accounts

Use this link – Service Accounts Creation.ps1 – to download the script. The source code is:

try
{
    Import-Module ActiveDirectory -ErrorAction Stop
}
catch
{
    Write-Host "The ActiveDirectory module could not be loaded (the RSAT AD PowerShell feature is required): $_" -ForegroundColor Red
    exit 1
}

Write-Host "SharePoint Service Accounts Creation" -ForegroundColor Yellow
Write-Host "====================================" -ForegroundColor Yellow
Write-Host ""

#Parameters ($input is an automatic variable in PowerShell, so the answers are kept in $answer instead)
$answer = Read-Host "Type the domain <ds.local>"
$Domain = $(if ($answer) {$answer} else {"ds.local"})

$answer = Read-Host "Type the AD Path where the accounts will be saved <CN=Managed Service Accounts,DC=ds,DC=local>"
$Path = $(if ($answer) {$answer} else {"CN=Managed Service Accounts,DC=ds,DC=local"})

$answer = Read-Host "Type the prefix for the services accounts (The accounts will be created as srv-sp-___.) <srv->"
$ServiceAccountsPrefix = $(if ($answer) {$answer} else {"srv-"})

$answer = Read-Host "Type the prefix for the SharePoint farm (The accounts will be created as srv-sp-___.) <sp->"
$SharePointFarmPrefix = $(if ($answer) {$answer} else {"sp-"})

$UserPrefix = $ServiceAccountsPrefix + $SharePointFarmPrefix

$answer = Read-Host "Type the prefix for the names of the accounts <SP>"
$NamePrefix = $(if ($answer) {$answer} else {"SP"})

#The password is read as a SecureString so it is neither echoed on the console nor kept in a plain text variable;
#the default only exists so the prompt can be skipped in a lab and should be replaced in any real environment
$SecurePass = Read-Host "Type the password for the accounts <P@ssw0rd>" -AsSecureString
if ($SecurePass.Length -eq 0)
{
    $SecurePass = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
}

Write-Host ""
Write-Host "====================================" -ForegroundColor Yellow
Write-Host ""

#Accounts to create: display name suffix and sAMAccountName suffix (e.g. "SP Farm" / srv-sp-f)
$Accounts = @(
    @{ Name = "Install";         UserName = "install" },
    @{ Name = "Farm";            UserName = "f" },
    @{ Name = "Web Application"; UserName = "wa" },
    @{ Name = "Services";        UserName = "sa" },
    @{ Name = "Search Service";  UserName = "search" },
    @{ Name = "Crawl";           UserName = "crawl" },
    @{ Name = "User Profile";    UserName = "up" },
    @{ Name = "Cache Admin";     UserName = "cadmin" },
    @{ Name = "Cache Reader";    UserName = "creader" }
)

foreach ($Account in $Accounts)
{
    $ScriptUserName          = $NamePrefix + " " + $Account.Name
    $ScriptSAMAccountName    = $UserPrefix + $Account.UserName
    $ScriptUserPrincipalName = $ScriptSAMAccountName + "@" + $Domain

    Write-Host "Creating account:" $ScriptUserName "/" $ScriptSAMAccountName -ForegroundColor Cyan
    try
    {
        #-ErrorAction Stop turns the cmdlets' non-terminating errors into exceptions, so a failure
        #(duplicate name, missing path, password policy) is reported instead of silently ignored
        New-ADUser -Name $ScriptUserName -SamAccountName $ScriptSAMAccountName -UserPrincipalName $ScriptUserPrincipalName -Type "User" -Path $Path -ErrorAction Stop
        Set-ADAccountPassword -Identity $ScriptSAMAccountName -NewPassword $SecurePass -Reset -ErrorAction Stop
        Set-ADAccountControl -Identity $ScriptSAMAccountName -PasswordNeverExpires $true -ErrorAction Stop
        Set-ADUser -Identity $ScriptSAMAccountName -ChangePasswordAtLogon $false -Enabled $true -ErrorAction Stop
    }
    catch
    {
        Write-Host "Failed to create" $ScriptSAMAccountName ":" $_.Exception.Message -ForegroundColor Red
    }
}
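Once the script has run, the result should be verified before the farm is installed. The following check is an added example and is not part of the original post or its download; it assumes the script defaults (domain ds.local, account prefix srv-sp-) and reports, for each expected account, whether it exists, is enabled, has a non-expiring password and the expected UPN, and, for the User Profile account, whether the Replicating Directory Changes right is present on the domain root.

```powershell
# Post-creation check for the SharePoint service accounts (added example, assumes the script defaults)
Import-Module ActiveDirectory -ErrorAction Stop

$Domain     = "ds.local"
$UserPrefix = "srv-sp-"
$DomainDN   = (Get-ADDomain -Identity $Domain).DistinguishedName
$Expected   = "install", "f", "wa", "sa", "search", "crawl", "up", "cadmin", "creader"

# GUID of the "Replicating Directory Changes" extended right (DS-Replication-Get-Changes)
$ReplGetChanges = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
# The ActiveDirectory module exposes the directory as the AD: drive
$DomainAcl = Get-Acl -Path ("AD:\" + $DomainDN)

foreach ($Suffix in $Expected)
{
    $Sam  = $UserPrefix + $Suffix
    $User = Get-ADUser -Filter "SamAccountName -eq '$Sam'" -Properties PasswordNeverExpires, UserPrincipalName
    if (-not $User)
    {
        Write-Host "MISSING  $Sam" -ForegroundColor Red
        continue
    }

    $Problems = @()
    if (-not $User.Enabled)                          { $Problems += "disabled" }
    if (-not $User.PasswordNeverExpires)             { $Problems += "password expires" }
    if ($User.UserPrincipalName -ne "$Sam@$Domain")  { $Problems += "UPN is $($User.UserPrincipalName)" }

    # Only the User Profile account needs Replicating Directory Changes; report it if missing
    if ($Suffix -eq "up")
    {
        $HasRight = $DomainAcl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$Sam" -and
            $_.ObjectType -eq $ReplGetChanges -and
            $_.AccessControlType -eq "Allow"
        }
        if (-not $HasRight) { $Problems += "no Replicating Directory Changes right on $DomainDN" }
    }

    if ($Problems) { Write-Host "CHECK    $Sam : $($Problems -join ', ')" -ForegroundColor Yellow }
    else           { Write-Host "OK       $Sam" -ForegroundColor Green }
}
```

The local administrator membership and the SQL server roles required by the Administrator and Farm accounts live outside Active Directory and are not covered by this check.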

Denis Stadler

I'm a technology enthusiast, with more than 10 years of experience in SharePoint and Dynamics CRM projects. To find out more details, please visit the about me page.
