You have to be careful if you use the SharePoint Central Administration tool to change the account running the application pool of a Web Application that serves SharePoint content.
 
The steps are simple: open SharePoint Central Administration, go to Operations, select Service Accounts (under Security Configuration), select your Web Application and type in the new account.
 
Once the account is changed, SharePoint adds a new login in SQL Server and grants the new account the rights it needs on the content database.
 
The problem is that it also adds the account to the securityadmin and dbcreator fixed server roles on the SQL Server instance, which is far more than the account running the application pool of a content Web Application needs. Those server roles are required by the account running the application pool of SharePoint Central Administration, not by the application pools of the content Web Applications.
 
So my security best practice is now: whenever I change the application pool account of a SharePoint content application through the Central Administration tool, I go into SQL Server and remove the securityadmin and dbcreator roles from the new account's login.
 
You should also remove the rights from the old account, because when you change the accounts used by the application pools, SharePoint does not automatically remove the old account's rights in SQL Server.
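The clean-up described above, as an added T-SQL example (not part of the original post): it reports whether the new and the old application pool accounts hold the securityadmin or dbcreator server role, then drops only the memberships that exist. The login names DOMAIN\NewContentAppPool and DOMAIN\OldContentAppPool are placeholders; the content database rights the account still needs are left untouched.

```sql
-- Added example, not from the original post. Placeholder login names below.
-- securityadmin can grant server-level permissions, so Microsoft advises
-- treating it as equivalent to sysadmin; neither role is needed to serve content.
SET NOCOUNT ON;

DECLARE @accounts TABLE (login_name sysname);
INSERT INTO @accounts (login_name) VALUES (N'DOMAIN\NewContentAppPool'); -- account just set in Central Admin
INSERT INTO @accounts (login_name) VALUES (N'DOMAIN\OldContentAppPool'); -- account it replaced

-- 1. Before: 1 = member, 0 = not a member, NULL = login does not exist here.
SELECT a.login_name,
       IS_SRVROLEMEMBER(N'securityadmin', a.login_name) AS is_securityadmin,
       IS_SRVROLEMEMBER(N'dbcreator',     a.login_name) AS is_dbcreator
FROM @accounts AS a;

-- 2. Drop each (login, role) membership that actually exists.
--    sp_dropsrvrolemember exists on SQL Server 2005/2008 and is still present
--    (deprecated) later; on 2012+ ALTER SERVER ROLE <role> DROP MEMBER <login>
--    is the modern equivalent.
DECLARE @login sysname, @role sysname;
DECLARE role_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT a.login_name, r.role_name
    FROM @accounts AS a
    CROSS JOIN (SELECT N'securityadmin' AS role_name
                UNION ALL SELECT N'dbcreator') AS r
    WHERE IS_SRVROLEMEMBER(r.role_name, a.login_name) = 1;

OPEN role_cur;
FETCH NEXT FROM role_cur INTO @login, @role;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_dropsrvrolemember @loginame = @login, @rolename = @role;
    PRINT N'Removed ' + @role + N' from ' + @login;
    FETCH NEXT FROM role_cur INTO @login, @role;
END;
CLOSE role_cur;
DEALLOCATE role_cur;

-- 3. After: every existing login should now show 0 in both columns.
SELECT a.login_name,
       IS_SRVROLEMEMBER(N'securityadmin', a.login_name) AS is_securityadmin,
       IS_SRVROLEMEMBER(N'dbcreator',     a.login_name) AS is_dbcreator
FROM @accounts AS a;
```

Run it as a sysadmin on the SQL Server instance hosting the farm; the old account's remaining database-level access still needs to be reviewed separately, since this script only touches the two server roles.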