It sounds like a boring topic, but talking about which accounts to use when setting up SharePoint Server or Foundation is truly essential for security and also for the manageability of your SharePoint environment.

Here are the accounts you should have set up before deploying SharePoint:

1. SQL Server services account: This account should run the MSSQLSERVER and SQLSERVERAGENT services. You can use the Network Service, the Local System account or a domain user account.

2. Setup user account: The setup user should be a domain user account with administrative privileges on all SharePoint servers. The account also needs to be able to log in to the SQL Server and have “securityadmin” and “dbcreator” privileges. This account should be exclusively used to run the SharePoint Setup and SharePoint Products Configuration Wizard.

3. Farm administration account: This account is used to configure and manage the farm, act as the Application Pool identity for the Central Administration website and run the SharePoint Foundation Workflow Timer Service.

4. SharePoint Application Pool account: This account will serve as the Application Pool account for your web application. You should create a new SharePoint Application Pool account for each web application.

5. Default content access account: This is the account the crawler uses to access content. Make sure that this account does not have farm administrator privileges, so that search results will not include unpublished data.

6. Search service application account: It is good practice to dedicate an account to the search service application.

7. Additional service application accounts: In some cases, certain service applications will need dedicated accounts. Examples are Business Data Connectivity services, sandboxed code and subscription settings service.

New in SharePoint 2010: Managed Accounts
Version 2010 of SharePoint includes the option to configure passwords to be changed automatically on a predefined schedule. SharePoint will also detect password policies and change passwords a set number of days before expiry (see screenshot below).

Beware
Please make sure that your AD administrator does not change the managed account password through his own AD tool, as otherwise SharePoint will not be aware of this change and services will fail to log on.

The above description of recommended SharePoint accounts can serve as a starting point for your SharePoint deployment planning. You can contact the authors of this post with questions at: tvolk@prinomic.com (Torsten Volk) or ssmith@prinomic.com (Sharon Smith).