harbar.net component based software & platform hygiene

SharePoint Farm Least Privilege and hotfix packages

posted on Friday, June 29, 2007 6:23 PM

As previously discussed, it is possible to configure your SharePoint Farm to abide by the principle of least privilege. However there are some additional steps required if you have deployed any of the SharePoint Server 2007 hotfix packages dated later than April 12th 2007.

For the most part, the SharePoint Configuration Wizard (SCW) and Central Administration take care of assigning the necessary rights and group memberships. There are two exceptions with the RTM bits:

Unfortunately, the hotfix packages add another manual configuration task. Whilst it is a requirement to run the SCW after deployment of the fix, its manifest isn't updated to include the new requirements. This issue is similar to the IWAMRegService Activation problem, but this time it affects the SharePoint Search Gathering Manager, which is one of the many bits updated in the hotfix packages.

[UPDATE: 26th December 2008] This manual configuration is not required with builds 6318 (Infrastructure Updates) and later.

This time however, in addition to the annoying DCOM errors in the System Log, things will actually break and your Application Log will fill up with 7888s from MOSS and 6482s from Shared Services. As any good admin is well aware, 8007005 (the root error code returned) means access denied, and the DCOM events tell us where and what we need to set to get things working again.

Unfortunately, the DCOM Configuration doesn't list the friendly name of the component, but by matching GUIDs we find the culprit is OSearch. We just need to set Local Activation on this for the Farm Account (no other accounts needed this time):

[Image: DCOM Config, Launch and Activation Permissions for OSearch, with Local Activation granted to the Farm Account]

So, that solves the problem. But which machines within your farm do you need to perform this "tweak" on? Well, because of the flexibility of SharePoint 2007 Farm Topologies, this is not a trivial question to answer. Basically any machine in your farm which is running the Gathering Manager requires this. That means any server onto which you've installed the Index role, and hopefully that is just one! To be on the safe side you can also configure this on the boxes running the Search Query role, so that callers on those servers don't surface the same access denied error. Note that this issue also affects User Profile import, so the box(es) running your SSP also need the tweak.

Three manual tweaks to keep a SharePoint Farm running under least privilege is now justification for a script to auto configure these settings for a given farm, especially since there will likely be more in the future.
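One way to script the OSearch tweak, as an added example that is not the post's own code: the function below reads the Launch and Activation Permissions of a DCOM application via the Win32_DCOMApplicationSetting WMI class, checks whether the farm account already holds Local Activation, and appends an allow ACE for it only if it is missing. It can be pointed at each Index, Query and SSP box with -ComputerName. The AppID GUID and the account name are placeholders (take the real GUID from the DCOM error event and match it in DCOM Config); the COM_RIGHTS_ACTIVATE_LOCAL bit value and the WMI method names are as documented for those classes.

```powershell
# Added example, not from the original post. Grants Local Activation on a DCOM
# application (e.g. OSearch) to one account, on one or more farm servers.
# Requires local administrator rights on each target machine.
function Grant-DcomLocalActivation {
    param(
        # Placeholder: replace with the AppID GUID reported in the DCOM error event
        [string]$AppId = '{00000000-0000-0000-0000-000000000000}',
        # Placeholder farm account in DOMAIN\user form
        [string]$Account = 'CONTOSO\svc_spfarm',
        # Index, Query and SSP servers; defaults to the local box
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $COM_RIGHTS_ACTIVATE_LOCAL = 0x8   # "Local Activation" bit of a DCOM launch/activation ACE
    $ACCESS_ALLOWED_ACE_TYPE   = 0

    $domain, $user = $Account.Split('\')
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)

    foreach ($computer in $ComputerName) {
        $app = Get-WmiObject -Class Win32_DCOMApplicationSetting `
            -Filter "AppID = '$AppId'" -ComputerName $computer -EnableAllPrivileges
        if (-not $app) {
            Write-Warning "$computer: no DCOM application with AppID $AppId (role not installed?)"
            continue
        }

        # Current Launch and Activation Permissions security descriptor
        $sd = $app.GetLaunchSecurityDescriptor().Descriptor

        # Skip if an allow ACE for this account already carries Local Activation
        $already = $sd.DACL | Where-Object {
            $_.Trustee.SIDString -eq $sid.Value -and
            $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
            ($_.AccessMask -band $COM_RIGHTS_ACTIVATE_LOCAL) -ne 0
        }
        if ($already) {
            Write-Host "$computer: $Account already has Local Activation on $AppId"
            continue
        }

        # Build the trustee and an allow ACE carrying only Local Activation
        $trustee = ([wmiclass]"\\$computer\root\cimv2:Win32_Trustee").CreateInstance()
        $trustee.Domain    = $domain
        $trustee.Name      = $user
        $trustee.SID       = $sidBytes
        $trustee.SIDString = $sid.Value

        $ace = ([wmiclass]"\\$computer\root\cimv2:Win32_ACE").CreateInstance()
        $ace.AccessMask = $COM_RIGHTS_ACTIVATE_LOCAL
        $ace.AceFlags   = 0
        $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
        $ace.Trustee    = $trustee

        # Append the ACE to the existing DACL and write the descriptor back
        $sd.DACL = @($sd.DACL) + $ace
        $result = $app.SetLaunchSecurityDescriptor($sd)
        if ($result.ReturnValue -ne 0) {
            throw "$computer: SetLaunchSecurityDescriptor failed with $($result.ReturnValue)"
        }
        Write-Host "$computer: granted Local Activation on $AppId to $Account"
    }
}

# Usage (placeholder values): run against the Index server and, to be safe, the
# Query and SSP servers as the post recommends.
Grant-DcomLocalActivation -AppId '{00000000-0000-0000-0000-000000000000}' `
    -Account 'CONTOSO\svc_spfarm' -ComputerName 'INDEX01', 'QUERY01', 'SSP01'
```

The function is deliberately minimal in what it grants: only the Local Activation bit, only to the farm account, and only where it is absent, so re-running it across the farm is safe and leaves the rest of the DACL untouched. Because it reads the DACL first, it can also be run without the grant step as a quick audit of which servers still lack the permission.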