What is Sharepoint\System account?

Many people ask what the SharePoint\System account is. Here is the answer:

  1. SHAREPOINT\System is the same account that the application pool of your SharePoint web application uses in IIS at the time the web application is created or extended.
  2. This is the account used when you run your code under elevated privileges with SPSecurity.RunWithElevatedPrivileges.
  3. When you create or extend a web application in SharePoint and specify an application pool, the identity (network account) used by that application pool becomes the SHAREPOINT\System account.
  4. It is highly recommended that end users not be allowed to use this account, to avoid unexpected errors.
  5. If you change the identity of the app pool account after creating or extending the SharePoint web application, the new account will not become SHAREPOINT\System.
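
The elevation pattern from point 2, as an added example in C# against the SharePoint server object model (not code from the original post). The list name "Audit Log" and its "Actor" text column are hypothetical, and the method is assumed to be called from a page post-back. Permission is checked against the signed-in user before elevating, because the delegate runs as SHAREPOINT\system.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public static class ElevatedAuditWriter
{
    // Hypothetical list and column names, assumed to exist on the current web.
    private const string AuditList = "Audit Log";
    private const string ActorColumn = "Actor";

    public static void WriteEntry(string message)
    {
        SPWeb userWeb = SPContext.Current.Web;   // bound to the signed-in user
        SPUser caller = userWeb.CurrentUser;

        // Authorize against the real user before elevating: inside the delegate
        // every permission check is evaluated for SHAREPOINT\system.
        if (caller == null ||
            !userWeb.DoesUserHavePermissions(SPBasePermissions.AddListItems))
            throw new UnauthorizedAccessException("Caller may not write entries.");

        // Validate the request digest while still in the user's context.
        if (!SPUtility.ValidateFormDigest())
            throw new UnauthorizedAccessException("Invalid form digest.");

        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = userWeb.ID;
        string callerLogin = caller.LoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects taken from SPContext keep the user's token, so the site
            // is reopened here; web.CurrentUser is now SHAREPOINT\system.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                web.AllowUnsafeUpdates = true;   // digest was validated above
                SPListItem item = web.Lists[AuditList].Items.Add();
                item["Title"] = message;
                // "Created By" will show System Account, so record the caller.
                item[ActorColumn] = callerLogin;
                item.Update();
            }
        });
    }
}
```

Keep the delegate as small as possible: everything inside it bypasses the caller's own permissions.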

2 thoughts on “What is Sharepoint\System account?”

  1. I created a content type and attached the template word.docx to use when I create a new document in a document library.
    When I create a new document from the mentioned template, the item which is added to the document library is Created By System Account, although I logged in with a user other than System Account. Why, and how can I solve this issue? Keep in mind that I work on the server where SharePoint 2010 Server has been installed.
    I would appreciate your response as soon as possible.

  2. This definition of SharePoint System Account is not accurate.
    The System Account is a SharePoint user that is internally and automatically mapped to certain identities. That I know of, these identities are the current App Pool identity of the Web Application and the Farm Account identity. This means that the identity used for both the SharePoint Timer Service and the Central Admin App Pool also maps to System Account. Therefore, if you use two identities – one for Farm that runs CA and Timer and a different identity for the Web App, both identities will map to System Account in your Web Application.

    The claim that if you change the identity of the App Pool after creating the Web App, the new account will not be System Account is not accurate. I suppose it’s possible that if you modify the App Pool manually, i.e. through IIS, this could occur…but you should NEVER do this in SharePoint. You should always modify your service accounts through Central Admin in 2010 and through stsadm in 2007 and earlier. Service Account Identities need to be registered with SharePoint so that authorization can be assigned correctly, both internally, in IIS and in MSSQL Server. I cannot think of a case for not managing service accounts for SharePoint outside of SharePoint. Not doing so is akin to severing the connection between what SharePoint thinks is the System Account to what is physically implemented in IIS. This can have serious consequences.

    You can test the System Account behavior by logging in to your Web Site as the Farm account – you will map to System Account. If you use a different Identity for the Farm Account and for the Web Application (as is recommended), you can change the App Pool Id for the Web App in Central Admin, IIS reset and log in as the new App Pool Identity – you will still map to System Account. If you log in with the previous identity, you will no longer map to System Account and you will in fact see the directory user name of that Identity.
