Partager via


SharePoint 2010 - Service Accounts Passwords Change Guide

Service accounts password change in SharePoint 2010 is a pain.  Especially, if you follow the recommended best practices to have dedicated accounts for different services.  I have gone through several rounds of the service account password change and have found the steps that work for me.  First, you have to understand that not all service account password can be managed from the SharePoint 2010 "Configure managed accounts" page.   There are some accounts that you have to perform extra steps after you change the password in AD. 

Managed Accounts

These are the accounts that you can just use the "Configure managed accounts" page in SharePoint 2010 Central Administration to change the password and be done.  I normally don't even need to know the passwords of these accounts.  I also set automatic password change for these accounts.  Please note that I am purposely excluding the Farm Account from this group.

The accounts in this group are:

Web application pool service account(s)

SharePoint search service account(s) (but not the content access account(s))

SharePoint foundation search service account (but not the content access account)

User profile service account (but not the user profile synchronization connection or the user profile synchronization service accounts)

Managed metadata service account

Web analytic service account

Secure store service account

BDC service account

Excel services account (but not the Excel unattended execution account)

PerformancePoint service account (but not the PerformancePoint unattended execution account)

Visio service account (but not the Visio unattended execution account)

PowerPoint service account

Word viewing service account

Excel PowerPivot service account

These accounts will be in the list of your managed accounts in Central Admin.  Again, you can just set the passwords of these accounts directly from Central Admin and be done.

 

Unmanaged Accounts

These are the accounts that you must perform extra steps after you have changed their password in Active Directory.   The service accounts in this list are:

User Profile Synchronization Service account

User Profile Synchronization Connection account

SharePoint Server Search default content access account and Content Access accounts defined in the crawl rules.

SharePoint Foundation Search default content access account

Unattended execution accounts (Excel, Visio, PerformancePoint)

Object cache super user and object cache reader accounts

Perform the steps below to change the passwords of these accounts.

1. Change the passwords of these accounts in AD.  You will need to note down the passwords of these account because you will need to enter them into various places in SharePoint.

2. User Profile Synchronization Service account

2.1. Please skip to the Farm Account section (below) if you are using the Farm Account as the User Profile Synchronization Service credentials.

2.2. Bring up Central Admin.

2.3. Click "Manage services on server" under "System Settings."

2.4. Find the server that you have previously configured to run UPS.  Switch to that server via the dropdown at the top of the page.

2.5. The User Profile Synchronization Service (and FIM) will be stopped as the password of the service account was changed.

2.6. Click "Start" to start the UPSS. 

2.7. Enter in the new password for the service account.  Click "OK."

2.8. Wait to see whether the service is started.  Keep your fingers crossed. :)

3. User Profile Synchronization Connection account

3.1. Bring up the User Profile Service in Central Admin.

3.2. Click "Configure Synchronization Connections."   Please note that the connection list will be empty if the User Profile Synchronization Service is currently stopped.

3.3. Click the dropdown next to the sync connection name.  Click "Edit."

3.4. Enter the new password in the "Connection Settings" section.

3.5. Click "Populate" to check whether the new password works.   It should bring up the AD tree if it works.

3.6. Click "OK."

4. SharePoint Server Search Content Access Account(s)

4.1. Bring up the Search Service application in Central Admin.

4.2. Click the Default Content Access Account in the "System Status" section.

4.3. Change the password of the account in the popup.

4.4. Please note that you need to do these steps even if your content access account is the same as your search service account.

4.5. Change the passwords of content access accounts that you may have defined in the Crawl Rules.

5. SharePoint Foundation Search Content Access Account

5.1. Bring up Central Admin.  Click "System Settings"

5.2. Click "Manage Services on Servers."

5.3. Find the server(s) where the SharePoint Foundation Search Service is running.

5.4. Click "SharePoint Foundation Search Service"

5.5. Change the password of the service account in the "Content Access Account" section.  Click "OK."

5.6. Repeat these steps if you have Foundation Search service running on more than one server. 

6. Unattended Execution Accounts (Excel Unattended and Visio Unattended)

6.1. These accounts are stored in the Secure Store (and/or should have been previously configured there).

6.2. Bring up the Secure Store Service application in Central Admin.

6.3. Click the dropdown next to the secure store application name.  Click "Set Credentials."

6.4. Enter in the service account name and password.

6.5. Repeat the steps for the other unattended execution account.

7. PerformancePoint Unattended Service Account

7.1. On the SharePoint Central Administration Web site, in the Application Management section, click Manage Service Applications, and then click the PerformancePoint Services service application.

7.2. On the Manage PerformancePoint Services page, click PerformancePoint Service Settings.

7.3. In the Unattended Service Account section, enter the new password for the account.

7.4. Click OK.

8. Object Cache Super User and Object Cache Reader accounts

8.1. You don't need to do anything in SharePoint after the passwords of these accounts are changed in AD. 

 

Farm Account

I listed the Farm Account in a separate section although it is a SharePoint managed account.   I found that using stsadm command in PowerShell works a whole lot better for the Farm Account.   Also, most people use the Farm Account as the User Profile Synchronization Service credential.  And the UPSS account is an unmanaged account.  To change the Farm Account password;

1. Change the Farm Account password in AD.  Note down the new password.

2. Logon to the SharePoint server that hosts the Central Administration site.

3. Launch SharePoint Management Shell as admin.  Note that you also have to be a farm administrator.

4. Run the following command

 

stsadm -o updatefarmcredentials -userlogin DomainName\UserName -password NewPassword

 

5.  Repeat steps 2 to 4 on all other SharePoint servers.

6.  Update the User Profile Synchronization service account if you use the Farm Account as UPS account.

6.1. Bring up Central Admin.

6.2. Click "Manage services on server" under "System Settings."

6.3.  Find the server that you have previously configured to run UPS.  Switch to that server via the dropdown at the top of the page.

6.4.  The User Profile Synchronization Service (and FIM) will be stopped as the password of the service account was changed.

6.5.  Click "Start" to start the UPSS. 

6.6. Enter in the new password for the service account. 

6.7 Click "OK" and monitor that the service start successfully.

 

SQL Server Reporting Services account

1. Change the SSRS service account via the Reporting Services Configuration Manager utility. 

2. Logon to the server(s) that run SSRS for your SharePoint farm.

3. Launch Reporting Services Configuration Manager utility.

4. Connect to the SSRS instance.

5. Click "Service Account" on the left pane.

6. Change the service account password in the popup.

7. Click "Apply."

Comments

  • Anonymous
    January 17, 2013
    Good post!!!
  • Anonymous
    May 23, 2013
    Hello Charlie.Very useful blog! Thank you. One question.....What are your experiences with the "SharePoint Tracing Service"? When I change this service to use a managed account. It seems not to work after a password change. Can you confirm that?
  • Anonymous
    October 07, 2013
    Nice......
  • Anonymous
    October 07, 2013
    What about iis app pool......need to change credential there also?
  • Anonymous
    January 23, 2014
    This is the best article I have ever seen on this topic. I have been looking for years but couldn't find any article from Microsoft that clearly states that passwords first need to be change in AD and then in SharePoint. Thank you for the wonderful article.