Hi Brian,
Thank you for the incredible effort that you have put in to create this tool! It makes deployment such a piece of cake!!
Just realized that when the Distributed Cache service is being set up, the script is using the app pool account for the service; specifically it uses the ManagedAccount with CommonName="spservice".
I am referring to line# 1681 in the "AutoSPInstallerFunctions.ps1", function "UpdateProcessIdentity".
Specifically it is as shown below:
$managedAccountGen = Get-SPManagedAccount | Where-Object {$_.UserName -eq $($spservice.username)}
However, the TechNet article (https://technet.microsoft.com/en-us/library/jj219613.aspx#changesvcacct) suggests that the "Farm Account" is used to set up the service.
Should this be changed to the default Farm Account?
Thank you
Ashok
Comments: ** Comment from web user: AshokGopalan **
Hello again!
Thought of something additional as I was working through this in my mind.
Do you think it would be beneficial to have additional ManagedAccount elements defined with specific CommonName attributes like:
CommonName="SecureStore",
CommonName="DistCache"
etc.
and the same could be used in the corresponding service activation scripts? This will even take care of the MS security best practice recommendations of using least-privileged accounts for services.
I am thinking that this would be really useful for organizations that have the business need to implement a least-privileged security model in their SharePoint environment.
Thank you
Ashok
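
The per-service account lookup proposed in the comment above, as an added example that is not part of the thread or of AutoSPInstaller's own code. The XML layout, the account names and the Resolve-ServiceAccount helper are assumptions constructed for illustration; only the CommonName attribute and the "spservice" value come from the thread.

```powershell
# Constructed sample input. The element layout is an assumption modelled on
# the ManagedAccount / CommonName="spservice" attribute quoted in the thread.
[xml]$xmlinput = @'
<Configuration>
  <Farm>
    <ManagedAccounts>
      <ManagedAccount CommonName="spservice"><Username>CONTOSO\SP_Services</Username></ManagedAccount>
      <ManagedAccount CommonName="DistCache"><Username>CONTOSO\SP_DistCache</Username></ManagedAccount>
      <ManagedAccount CommonName="SecureStore"><Username>CONTOSO\SP_SecureStore</Username></ManagedAccount>
    </ManagedAccounts>
  </Farm>
</Configuration>
'@

# Hypothetical helper: resolve the account for one service by CommonName and
# fall back to the shared "spservice" account when no dedicated one is defined.
function Resolve-ServiceAccount {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$CommonName,
        [string]$Fallback = 'spservice'
    )
    $accounts = @($Config.Configuration.Farm.ManagedAccounts.ManagedAccount)
    $match = $accounts | Where-Object { $_.CommonName -eq $CommonName } | Select-Object -First 1
    $usedFallback = $false
    if (-not $match) {
        # No dedicated account: reuse the shared one and record that fact
        $match = $accounts | Where-Object { $_.CommonName -eq $Fallback } | Select-Object -First 1
        $usedFallback = $true
    }
    if (-not $match) {
        throw "No ManagedAccount with CommonName '$CommonName' or '$Fallback' is defined."
    }
    [pscustomobject]@{
        Service       = $CommonName
        Username      = $match.Username
        SharedAccount = $usedFallback   # True means the service is not isolated
    }
}

# Report which services get their own identity and which share "spservice"
'DistCache', 'SecureStore', 'Search' |
    ForEach-Object { Resolve-ServiceAccount -Config $xmlinput -CommonName $_ } |
    Format-Table -AutoSize
```

The resolved Username could then replace $($spservice.username) in the Get-SPManagedAccount filter quoted in the first post; rows with SharedAccount set to True show where services still share one identity.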