SharePoint
Feedback by UserVoice


Enable starting the user profile sync service without making the farm account local admin

This has been an issue since SP2010. Having the farm account permanently in the local admin group on the server running UPS generates security warnings (and rightly so!). Removing the account breaks UPS when it needs to be reprovisioned during a reboot or when using the OOTB farm backup.

6 votes

    Jan Steenbeek shared this idea

    4 comments

      • Spencer Harbar commented

        Couple of points: you also need to do the re-provision after the installation of any CU. But seeing as the process is akin to installing FIM, the requirement for the account to be an admin is not a bad thing; it's simply the only way it can work. The issue here is that the account has to be the Farm Account, because provisioning is initiated by a timer job, and that is the root of this problem.

        However, as detailed at Microsoft Ignite, UPS (bundled FIM) will not be part of SharePoint 2016 so it's somewhat of a moot topic.

      • Jan Steenbeek commented

        Hi Brian, thanks for your feedback. Any 'decent PowerShell' solution will focus on putting the farm account in the local admin group. Even if it's temporary you significantly increase your attack surface on a daily schedule.

      • Brian Lalancette commented

        This can and has all been scripted to effectively make this a non-issue. And if you need to re-provision UPS after a reboot then something else has gone wrong. Agree with the pains of having to re-provision UPS (and hence, re-add farm acct to admins temporarily) after an OOTB farm backup though. But again, some decent PowerShell can work around this.
