Enable starting the user profile sync service without making the farm account local admin
This has been an issue since SP2010. Having the farm account permanently in the local admin group on the server running UPS generates security warnings (and rightly so!). Removing the account breaks UPS when it needs to be reprovisioned during a reboot or when using the OOTB farm backup.
Gaurav (Microsoft) commented
As Spencer mentions below - This will not be an issue from SharePoint 2016.
Spencer Harbar commented
A couple of points: you also need to do the re-provision after the installation of any CU. But seeing as the process is akin to installing FIM, the requirement for the account to be an admin is not a bad thing. It's simply the only way it can work. The issue here is that the account has to be the Farm Account, because provisioning is initiated by a timer job - and that is the root of this problem.
However, as detailed at Microsoft Ignite, UPS (bundled FIM) will not be part of SharePoint 2016 so it's somewhat of a moot topic.
Jan Steenbeek commented
Hi Brian, thanks for your feedback. Any 'decent PowerShell' solution will focus on putting the farm account in the local admin group. Even if it's temporary, you significantly increase your attack surface on a daily schedule.
Brian Lalancette commented
This can be, and has all been, scripted to effectively make this a non-issue. And if you need to re-provision UPS after a reboot then something else has gone wrong. Agree with the pains of having to re-provision UPS (and hence, re-add the farm account to Administrators temporarily) after an OOTB farm backup though. But again, some decent PowerShell can work around this.
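The "temporary local admin" workaround the thread keeps referring to, written out as an added example (this is not code posted by any of the commenters). It assumes it is run elevated in the SharePoint 2010/2013 Management Shell on the server that hosts the UPS instance, under a setup account that is already a local Administrator, and that the farm account name and the timeout are placeholders to be replaced. The point of the try/finally is the one Jan raises: the farm account must leave the Administrators group again even if provisioning fails, and the timer service must be restarted afterwards so its running token no longer carries the admin group.

```powershell
# Added example: grant the farm account local Administrators membership only for
# the duration of a UPS (re)provisioning, then remove it again.
# Assumptions (not from the thread): CONTOSO\sp_farm is the farm account,
# the script runs on the UPS server, and the SharePoint snap-in is available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = 'CONTOSO\sp_farm'   # placeholder: your farm (timer service) account
$timeoutMin  = 15                  # UPS provisioning normally takes several minutes

function Set-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][ValidateSet('add', 'delete')][string]$Action
    )
    # 'net localgroup' exists on every OS SharePoint 2010/2013 supports;
    # Add-LocalGroupMember only appeared in Windows Server 2016.
    & net localgroup Administrators $Account /$Action | Out-Null
    if ($LASTEXITCODE -ne 0 -and $Action -eq 'add') {
        throw "Could not add $Account to the local Administrators group"
    }
}

# Locate the UPS service instance on this server.
$ups = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Synchronization Service' -and
    $_.Server.Address -eq $env:COMPUTERNAME
}
if (-not $ups) { throw "No User Profile Synchronization Service instance found on $env:COMPUTERNAME" }

try {
    Set-LocalAdminMembership -Account $farmAccount -Action add

    # Provisioning is done by a timer job running as the farm account, so the
    # timer service must be restarted to pick up the new group membership.
    Restart-Service SPTimerV4

    Start-SPServiceInstance -Identity $ups.Id | Out-Null

    # Poll until the instance reports Online or the timeout expires.
    $deadline = (Get-Date).AddMinutes($timeoutMin)
    do {
        Start-Sleep -Seconds 30
        $status = (Get-SPServiceInstance -Identity $ups.Id).Status
        Write-Host ("{0:HH:mm:ss} UPS status: {1}" -f (Get-Date), $status)
    } while ($status -ne 'Online' -and (Get-Date) -lt $deadline)

    if ($status -ne 'Online') {
        throw "UPS did not reach Online within $timeoutMin minutes (last status: $status)"
    }
}
finally {
    # Always revoke the membership, even when provisioning failed, and restart
    # the timer service so its process token drops the Administrators group.
    Set-LocalAdminMembership -Account $farmAccount -Action delete
    Restart-Service SPTimerV4
}
```

The same sequence applies after a CU install or an OOTB farm backup, which is exactly the "daily schedule" exposure Jan objects to: for the length of the provisioning window the farm account, and therefore every timer job it runs, is a local administrator on that server, so the window should be kept as short as the polling loop allows and the group membership audited afterwards.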