AutoSPInstaller: Configuration

SharePoint, CodePlex
This entry is part [part not set] of 4 in the series AutoSPInstaller

This is a continuation of my previous post titled “AutoSPInstaller: Getting Prepared”

In my previous post, I showed you how to stage all the software. Do this once, you’re set for life! OK, maybe not for life, but at least for any SharePoint server installs you’ll need to do now or later. Next, we need to configure several files.

Configuration Files

Here’s the list of files we need to configure:

  • answerfile-ForeFront.xml – Optional. This is the configuration file if you’re installing ForeFront Protection 2010 for SharePoint.
  • config.xml – Required. This is the settings for the SharePoint installer.
  • config-OWA.xml – Optional. This file is used to configure Office Web Apps.
  • AutoSPInstallerInput.xml – Required. This is the file where we’ll configure all the options for AutoSPInstaller, the actual configuration of SharePoint.

The main file we need to configure (AutoSPInstallerInput.xml) is also the most complex, so let’s save it for later. Use your favorite XML editor, avoid Notepad or WordPad, they make things harder. Personally, I like Notepad++ which can be downloaded here.


AutoSPInstaller will call “answerfile-ForeFront.xml,” which replaces the “answerfile.xml” that you’ll find in the ForeFront folder. Most of the options are self-explanatory so I just want to point out one section:


Specify a user account and password for database access. This account should be entered using the Domain\Account format when the server is part of a domain. This account needs a lot of privileges, it must:

  • Be a member of the Local Administrators group on the SharePoint server(s).
  • have SharePoint Farm Administrators privileges.
  • Be a member of the SQL sysadmin role on the database server.

These fields must be populated with valid credentials or unattended installations will fail. I’m using the Farm account. Why? Because it requires similar permissions. The Farm account needs to be a local administrator at least for provisioning User Profile Service. Even after initially installing UPS, it needs that right to be able to restart (re-provision) after backups. It needs to be a Farm Administrator (of course) and although it doesn’t require sysadmin role on the database server, it does require dbcreator, securityadmin and dbo on all the databases. Sysadmin role is not a far stretch from that.

In the end, I’d rather give my Farm account a bit more permissions to run ForeFront than to have another account with very high privileges. Now, I just need to secure/audit this one account.

For detailed information on all the options in this configuration file, check out the TechNet article here.

SharePoint Installer

The “config.xml” is the same as the one found on the SharePoint DVD or ISO file. It’s where we configure SharePoint installer options. Let’s look at some of the options.


The INSTALLLOCATION tells SharePoint where to install the binaries (bits). For example, if you wanted to install to a non-system drive (e.g., E:\), this is where you’d change it. I recommend leaving the default.

The PIDKEY Value is your key for SharePoint, so you’ll enter 25-character license key here. This is required!

Don’t worry about the terminology in this file, such as “spswfe” or SERVERROLE Application. These will not determine your server roles and don’t need to be changed. To find out more about what can be configured here, check out the TechNet article here.

For my install, I’ve kept all the defaults and just added my 25-character license key for “PIDKEY Value”.

Office Web Apps

The “config-OWA.xml” contains the configuration options for Office Web Apps. It replaces the “config.xml” files in the OfficeWebApps folder (under the Setup sub-folder). This is similar to the file above. You must edit this with your license key, just like config.xml. So, I’ve updated this file with my 25-character license key for PIDKEY Value and kept all the other defaults.

AutoSPInstaller Configuration

Recently, the configuration file for AutoSPInstaller has matured and is now heavily commented. So, I won’t go through all of the options but I’ll highlight a few of them here.

Before we get to that though, let me explain how this works. When you’re ready, you’ll launch AutoSPInstaller using the “AutoSPInstallerLaunch.bat” batch file. The batch file will check for an XML file with the following names, in order:

  • AutoSPInstallerInput-COMPUTERNAME.xml
  • AutoSPInstallerInput-DOMAIN.xml
  • AutoSPInstallerInput.xml

My preference is to use one configuration file for each server in my farm. You can also just use one file but I’ve seen people have problems with this method. So, I’ll make a copy of the file and name it AutoSPInstallerInput-SHARECLOUD.xml

Note: You will not be passing the xml file as a parameter to AutoSPInstaller so you must name it according to one of the options listed above.

So, lets start.

Change this to your environment. I often have Dev, Test, and Prod environments so I like to specify one of those. It’s just here for your personal reference. I’ll change mine to Prod and leave the version alone. The Version is for the version of AutoSPInstaller you’re using. You must use the XML configuration file for the version of AutoSPInstaller being used, don’t mix and match.


In my first post, I downloaded the prerequisite files, so I’m going to set this to true.


I’m going to set all of these to true. Although disabling LoopbackCheck isn’t exactly the proper way, adding BackConnectionHostNames is too much work for what I’m doing here, trying to automate. See this article for more information.

The same reasoning applies to CRL Checking and IE Enhanced Security. For me, these do more harm than good but set the options according to your preference.

The principle of least privilege prescribes that accounts should not be given more privileges than necessary. So, why am I setting LeaveInLocalAdmins to true? Two reasons. For me, its too much of a pain to add the Farm account back in every time I do a backup or troubleshoot UPS. Second, and more importantly in this case, I’m using the Farm account for ForeFront which requires local administrator rights.


OK, so I do want to create a SQL alias because I always do. I’ve written about this before, here and here. Basically, there are times when you NEED an alias and other times when you don’t. Instead of trying to remember when, I just create one and use a naming convention that tells me its an alias. That way, the next guy won’t be looking for a server name “SPSQL” somewhere on the network.

For DBInstance, you’ll either put the SQL Server name (as I have) when you’re using the default instance, or put the SERVERNAME\INSTANCE when you’re using a named instance or a cluster. I left DBPort blank so that the default port of 1433 will be assigned.


Just a note on DBPrefix; by default the XML file has “localhost” which will be changed to the computer name. You’ll probably want to change this. Set it to blank for no prefix. You don’t need to put a separator value here, it will append an underscore ( _ ) automatically. If you want to change that separator value, see this posting for a tip.

The Claims To Windows Token Service (C2WTS) must be started locally on any server where you have a service (such as Excel Services) that will use it. AutoSPInstaller won’t check this for you, so keep that in mind. In my case, I’ll be starting Excel Services on my Web Server (and perhaps Application Server) so I’m setting it to true.


The “CommonName” cannot be changed. AutoSPInstaller uses the names to reference these accounts. I recommend filling in the passwords, you could leave them blank and be prompted for them later but that defeats the automation aspect. I’d rather find another way to secure the configuration file, such as zipping them up with a password or use encryption software.

I want my URLs added to my servers hosts file. In most of my configurations, I’m using a load balancer and I want to avoid directing SharePoint services through it, plus I need to be sure when I’m on the server that it’s using itself. This is especially useful for the crawler (my crawl server is always a web server as well).


By default, this parameter is blank which means unlimited. I’m wary of setting anything to unlimited. Since I’m not changing my log location (to something other than the system drive), I certainly need a limit here. Without one, I risk running out of disk space, potentially causing my machine not to boot.

AutoSPInstallerInput.xml is very well commented for this section so I’ll just reiterate some points. First, don’t change the type. In this case, consider the type to mean “first web app.” It doesn’t have to be a portal, in my case it’s just going to be a team site. However, since it is the “first web app,” AutoSPInstaller will take some “nice to have” actions for you. For example, it will add this web app to the Excel Services trusted file location and as a “Portal Site Collection.” If you don’t need it, either comment it out (this section) or just remember to go back in later and delete the web app; that’s the easiest way.

In my case, I do want this as sort of a “root” site and I want it to be SSL-enabled. So I’ve updated the URL and port. The script will try to find the correct certificate and assign it in IIS. It can also create self-signed certificates if no match is found! However, you should check it afterwards and correct it if needed. I believe a limitation in IIS/Certificate PowerShell cmdlets make it impossible to specify a certificate name to assign.

I’m not using Claims. Here’s a tip, if you don’t NEED Claims, don’t use it. If you don’t know if you need it, you don’t. You can always convert to Claims later, but you can’t convert back (not supported).

I will use the same settings for URL, name, etc. in the next section for Site Collection (not shown). That section is also where you specify the template and I’ll change it from the default of SPSPORTAL#0 (Collaboration Portal) to STS#0 (Team Site). For a nice post on templates, including a list of what’s what, check out this blog post.

The same advice applies to the MySite section. Don’t change the type and in this case, also don’t change the Template for the Site Collection.


I’m going to provision the User Profile Service (UPS). If you do want to provision this, make sure you’ve created your My Site Host earlier. If you don’t, the script will error out. I’ve left the defaults of starting UPS Sync and not creating default sync connections. I recommend not automating the sync connections because its far from perfect and unsupported:

Please note that these cmdlets are only intended for use within SharePoint Online environments by SharePoint Online engineers. Their use in on premises deployments is NOT supported.

That’s taken from Spence Harbar’s (@harbars) post on the topic.


I’m going to make this server a Crawl and Query server as well. I can always change the topology later. Remember, anywhere you have “localhost,” it will be changed automatically to the local server name.

In the OfficeWebApps section, I’m setting Install to true and will also provision all of the Office Web Apps to true as well, EXCEPT Excel. I’ve already created an Excel Service app, you don’t need two unless you just really want two. For this and any other service, follow the capacity planning guidance available on TechNet.

I’ve skipped over a lot of settings because I believe they need no further explanation. Here’s a copy of the AutoSPInstallerInput configuration file I’ve configured, with the comments removed for easier readability. Click the arrow to expand.


Almost done. It’s common for typos and syntax errors to pop up because the XML file is so long and has so much information. We need to run it through a validator. So, head over to and paste your entire XML in the validator.

No errors? Now, we’re ready to go! In the next post in this series, I’ll show you how to run this and how it looks as it progresses.

Service Accounts

As a reference, here are the service accounts I’ll be using and what they get assigned using the default options in the XML configuration file.

CommonName or

XML Node



spservice svc.spApps

(Managed Account)
Runs following services:

  • SharePoint 2010 Tracing
  • SharePoint 2010 User Code Host
  • Web Analytics Service

Runs IIS App Pools:

  • PowerPoint
  • Access Data Server
  • Word Server
  • Conversion Service
  • Excel Calculation Server
  • Managed Metadata
  • PPS Monitoring Server
  • Visio Graphics Server
  • Web Analytics
  • Secure Store
  • BDC
portalapppool svc.spAppPool

(Managed Account)
Runs IIS App Pool for Portal Web Application.

Site Collection owner for Portal site (by default).
mysiteapppool svc.spMySitePool

(Managed Account)
Runs IIS App Pool for MySite Web Application.

Site Collection owner for MySite host (by default).




(Managed Account)

Runs following services:

  • SharePoint Server Search 14
<SuperUser> svc.spCacheUser Full Control User Policy on Portal Web Application (and other Web Apps you create).
<SuperReader> svc.spCacheRead Full Read User Policy on Portal Web Application (and other Web Apps you create).
<Farm> svc.spFarm Runs the following services:

  • SharePoint 2010 Timer
  • Forefront Identity Manager Service
  • Forefront Identity Manager Synchronization
  • Microsoft Forefront Server Protection Controller for SharePoint

Runs IIS App Pool for:

  • Central Admin Web App
  • Topology Service
  • STS for each Web App (CA, Portal, Mysite)
  • STS Service
<EnterpriseSearchServiceApplication> svc.spCrawl Default Content Access account will be used under Search Service Application.
<EnterpriseSearchServiceApplication> svc.spSearchPool Runs IIS App Pool for Search Service.
<EnterpriseServiceApps> svc.spUnattend config’d in Secure Store?
<EnterpriseServiceApps> svc.spPerfPoint
Not Configured in Script LocalSystem Run the following services:

  • SharePoint 2010 Administration
  • SharePoint 2010 VSS Writer
  • SharePoint Foundation Search V14 (Disabled)
  • Office Document Conversions Launcher (Disabled)
  • Office Document Conversions Load Balancer (Disabled)

And as a reminder, although I don’t mind answering questions or responding to comments on my blog, if you have specific questions related to AutoSPInstaller, its best to use the discussion boards there:

Series Navigation
12 comments… add one
  • Steve Reid Apr 1, 2012 Link Reply

    great articles…  Should the Account Names in your reference list match the account names in the account names in the <ManagedAccounts> section?

    • wahidsaleemi Apr 3, 2012 Link

       @Steve Reid Yes, they should, for the most part. You can have additional accounts, besides those that are in the <ManagedAccounts> section. But, the 4 accounts in the section should be used for their intended purpose. I should fix up my article to make that clear. Thanks!

  • leonzandman Apr 24, 2012 Link Reply

    First you recommend people to fill in all passwords in the config file. Then you recommend people test the validity of their XML config file by running it through the XML validator. That doesn’t sound very safe to me :-) For all we know is spying on the XML that they receive, so now they 0wn your passwords… :-)

  • leonzandman Apr 24, 2012 Link Reply

    First you recommend people to fill in all passwords in the config file. Then you recommend people test the validity of their XML config file by running it through the XML validator. That doesn’t sound very safe to me :-) For all we know is spying on the XML that they receive, so now they 0wn your passwords… :-)

    • wahidsaleemi Apr 24, 2012 Link

       @leonzandman If it doesn’t sound safe, you shouldn’t do it, as with anything you find on the web. I hope my readers have the common sense to apply that advice.
      For everyone else, a quick look at the page source for the XML validator reveals they’re simply using the browsers object model to validate the XML, so nothing is ever stored.

  • zerodamage Apr 25, 2012 Link Reply

    Let me ask you this because I am having a difficult time deciding how to address it. I am using the 2.5 version of the autospinstaller script.  In the input config file, there is a part just for the user profile sync. As an example, I use the service account sp_profilesync. There is also the spservice account called sp_service that I created. Despite inputting the sp_profilesync into the input.xml file for the profile sync service, sharepoint is using the sp_service account when I go to the “Manage Service Applications” page on Central Admin. I see no reference to the Userprofile service in your table above with all of your service accounts. Can you tell me if it is okay to keep this or should I manually make the change? I am guessing I will need to set the sp_profilesync account with logon-as-service permissions in group policy as well.

    • wahidsaleemi Apr 25, 2012 Link

       @zerodamage I have to guess here that you mean the “SyncConnectionAccount” under the “UserProfileServiceApp” node in the XML. If that’s the case, it should be set to false and you can leave the account and password blank. Automatically creating the Profile Sync Connection is not supported. You can do this manually later by going into Manage User Profile Service and setting up a new Sync Connection. When doing so, it will ask for your account, and you can use the sp_profilesync account you created. That account does need special permissions in your directory (see:
      As far as the service itself, it does use the sp_service account when configured with AutoSPInstaller and you can leave it as-is. If you have more questions, you can always post on the project’s discussion page here:

  • IvanJosipovic Oct 13, 2012 Link Reply

    Check out my GUI for AutoSPInstaller

  • Daniel Dec 18, 2014 Link Reply

    good post However, I wonder the advice on not to use claims is outdated . From apps to office web apps authentication it seems to be needed more and more.

  • John Jan 13, 2015 Link Reply

    What is the proper formatting for the PID key? I have it entered with “-” between the 5 letters and I keep getting prompted for an install key when the script runs.
    Always nice work from you.

Leave a Reply