Updating the Application Pool Account on a SharePoint 2010 Site

I was working on changing the security on a 2010 site to use domain accounts instead of local and built-in accounts. The problem I was having was that a non-administrative user couldn’t log into the SharePoint site, even though the user was a site collection administrator.

I created an app pool account to use (spDemoAppPool) and used SCA (SharePoint Central Administration) to register the account and assign the account to the application pool to replace the Network Service account.

After making this change, I ran the configuration wizard to have it fix the security on the app pool account. However, I found that it didn’t fix all the security. When looking at this Technet article, I found that the SQL security in the last two bullets was not correctly assigned.

http://technet.microsoft.com/en-us/library/cc678863.aspx#Section3

Other application pool accounts

The other application pool account must be a domain user account. This account must not be a member of the administrators group on any computer in the server farm.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

This account is assigned to the db_owner role for the content databases.
This account is assigned to the db_owner role for search databases associated with the Web application.
This account must have read and write access to the associated service application database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

If you use SQL Server Management Studio, you can find the SharePoint Config and Admin_content databases and look at the properties on the WSS_Content_Application_Pools database role.