I was recently tasked with the responsibility of cleaning up the health analyzer issues found on our SharePoint 2010 sites. One of the errors we are receiving is "Accounts used by application pools or service identities are in the local machine Administrators group". This is affecting our Central Admin site, one content site and the SPTimerV4 service. I did some looking around and sure enough, the accounts are sitting in the local admin account. So I removed them.
I reran the analyzer and the errors still show up. So I created a new account in the domain, added it to the WSS_WPG account, the IIS_IUSRS account and the databases as necessary. However, on the first attempt to go to the site we receive the following error: "HTTP Error 503. The service is unavailable." The Event log states the following: "Application pool XXXXXX has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool."
If I add the accounts to the local admin group, everything works fine, but if I remove them and have to reboot the server for any reason, then they have to be re-added to the local admin group in order to work. Even if I remove them from the local admin group, that SharePoint Health Analyzer error keeps coming up.
Does anyone have any thoughts? Is the need to add the domain account to the local admin group an IIS issue, or is this a SharePoint 2010 issue? Has anyone seen this before or know what I am missing in my configuration?
Thanks in advance.