Thursday, 22 November 2012

PowerShell to Create User Accounts for SP Install

Problem: I keep rebuilding this script to set up the accounts, with the right permissions, needed to build a SharePoint farm using AutoSPInstaller. I have decided to post it so I don't have to go looking for it each time. My list is based on the install accounts recommended for AutoSPInstaller in Tobias Lekman's blog post series.

Use PowerShell to create the accounts (this script was originally given to me by Mark Slavik).

Download the PS file here (rename to be a ps1 file)

Note: The PowerShell file creates the accounts in the right groups. The User Profile Service/Synchronisation account needs "Replicating Directory Changes" permissions. This can be granted in various ways, and how depends on whether the NETBIOS name and domain name match.

Steps to add "Replicating Directory Changes" permissions to the User Profile synchronisation account:
1. Open "Active Directory Users and Computers". Right-click the domain name in the management console and select "Delegate Control...".
2. In the "Delegation Control Wizard" click "Next". On the "Users or Groups" screen, click "Add" and add your User Profile Sync account. Click "Next".
3. On the "Tasks to Delegate" screen select the option "Create a custom task to delegate" and click "Next".
4. On the "Active Directory Object Type" screen accept the default settings and click "Next".
5. On the "Permissions" screen check the box to allow "Replicate Directory Changes" and click "Next". The last screen is for review; select "Finish".

Check that your account has the permission using PowerShell. I needed to amend Tobias Lekman's script to make it work for me; this is 99% Tobias's work. I also check whether the account is a domain administrator, because if it is you won't need to add the special permission (not recommended). Your other option is to make the User Profile Synchronisation account a local administrator on the VM where the User Profile Service is running.
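A check along these lines, as an added example (it is not the amended Tobias Lekman script, which is not reproduced on this page). It assumes the ActiveDirectory RSAT module and the SP_ProfileSync account name from the summary; the function name is hypothetical, and treating the first DNS label as the expected NetBIOS name is an assumption of this example.

```powershell
# Added example: audit "Replicating Directory Changes" for one account.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Well-known GUID of the DS-Replication-Get-Changes extended right
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicatingDirectoryChanges {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$NamingContext   # DN of the object to inspect
    )
    $account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $SamAccountName
    $acl = Get-Acl -Path "AD:\$NamingContext"
    # Only ACEs naming the account itself are matched; a right inherited
    # through group membership is not detected by this check.
    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        # An empty ObjectType means "all extended rights", which includes this one
        ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq [Guid]::Empty)
    }
    [bool]$hits
}

$sam      = 'SP_ProfileSync'          # account name from the summary; adjust to yours
$domain   = Get-ADDomain
$contexts = @($domain.DistinguishedName)

# When the NetBIOS name and the domain name do not match, the right is also
# expected on the Configuration naming context, so inspect that as well.
if ($domain.NetBIOSName -ne ($domain.DNSRoot -split '\.')[0]) {
    $contexts += (Get-ADRootDSE).configurationNamingContext
}

foreach ($nc in $contexts) {
    [pscustomobject]@{
        Account       = $sam
        NamingContext = $nc
        HasRight      = Test-ReplicatingDirectoryChanges -SamAccountName $sam -NamingContext $nc
    }
}

# Domain Admins hold the right implicitly; flag it, since that is the
# not-recommended shortcut rather than the delegated permission.
$isDomainAdmin = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName -contains $sam
"{0} is a member of Domain Admins: {1}" -f $sam, $isDomainAdmin
```

A result of `HasRight = False` together with `Domain Admins: True` means the sync account is working only because it is over-privileged; delegate the specific right and remove the group membership.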
Alternatively, check the permissions through the AD Users and Groups UI.

Summary: Add 10 (or as many as you decide to use) accounts. SP_Install needs domain administrator permissions; all the others just need domain user account access. The SP_Install account needs the SQL roles DBCREATOR and SECURITYADMIN. Lastly, ensure the SP_ProfileSync account has "Replicating Directory Changes" permissions. These permissions are implicit if the SP_ProfileSync account is a local admin or part of the domain administrators group.

Tip: The Execute method of job definition Microsoft.SharePoint.Diagnostics.SPDiagnosticsMetricsProvider (ID ..) threw an exception. More information is included below. An update conflict has occurred, and you must re-try this action. The object SPWebService was updated by demo\sp_farm, in the OWSTIMER (8140) process, on machine... 

