Reminder: Don’t use an administrator account for your default content access account
Posted Tuesday, March 16, 2010 3:51 PM by CoreyRoth
This, my friends, is bad.
I see issues caused by this all the time in the forums, so I thought I would write something up on it. You do not want your default content access account (aka crawl account) to have administrator privileges. Besides obvious security reasons, there are others. The main reason is that if the account is an administrator, it can crawl things that you simply don’t want included in your index. The last thing you want is sensitive information from some list or document library showing up in your search index. Yes, SharePoint does security trimming, but when you use an admin account, things just get weird. This applies to file shares as well.
There are other reasons you don’t want to do this as well. If you use an administrator account, things that are not checked in may be indexed. Also, you may run into issues where regular users cannot get any search results at all. It effectively seems to mess up security trimming. I’m sure there are many other reasons I’m not thinking of, but the bottom line is if you are using an administrator account, go change it now. Of course, test before you make any changes. You may need to assign permissions to your new account. This could apply to permissions in SharePoint, on a file share, or in a database (if you’re using the BCS/BDC).
Once you change accounts, you need to perform a full crawl on all of your content sources so that inappropriate items get removed. You might even go as far as resetting all crawled content first. You should especially consider this if sensitive information is in your search index and you need to get it out fast.
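One way to check an existing farm for the problem described above, as an added example that is not code from the original post. It assumes SharePoint 2010 or later, the SharePoint Management Shell, and an English-language farm where the Central Administration group is named "Farm Administrators".

```powershell
# Added example: audit the default content access account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Strip the Windows-claims prefix so DOMAIN\user compares equal in both auth modes.
function Get-PlainLogin([string]$login) {
    ($login -replace '^i:0#\.w\|', '').ToLowerInvariant()
}

# Direct members of the Central Administration "Farm Administrators" group.
# Assumption: English group name. Membership through a Windows group such as
# BUILTIN\Administrators is not expanded here and has to be checked separately.
$caApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caApp.Url
$farmAdmins = @($caWeb.SiteGroups['Farm Administrators'].Users |
    ForEach-Object { Get-PlainLogin $_.LoginName })
$caWeb.Dispose()

foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
    $content = New-Object Microsoft.Office.Server.Search.Administration.Content($ssa)
    $crawl   = Get-PlainLogin $content.DefaultGatheringAccount

    if ($farmAdmins -contains $crawl) {
        Write-Warning "$($ssa.Name): crawl account $crawl is a farm administrator"
    }

    # A crawl account normally needs only Full Read in the web application policy.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($policy in $wa.Policies) {
            if ((Get-PlainLogin $policy.UserName) -ne $crawl) { continue }
            $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })
            if ($roles -contains [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl) {
                Write-Warning "$($wa.Url): $crawl has Full Control through web application policy"
            } else {
                Write-Output "$($wa.Url): $crawl policy roles = $($roles -join ', ')"
            }
        }
    }
}
```

The script only reads configuration. Site collection administrator assignments and permissions on file shares or BCS/BDC databases are outside what it checks.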