Managing and Resetting Service Accounts and Passwords

Team Foundation Server includes several services and service accounts that run on the data-tier server, the application-tier server, or both. Your actual services will vary, based on which features of Team Foundation you have installed on your data-tier and application-tier servers. For example, if you have opted for a single-server setup, you will have both data-tier and application-tier services that run on the same server.

If you must reset the service account password for the Team Foundation Server, you must change the password for several services on the Team Foundation Server application-tier servers by using the TFSAdminUtil command-line utility. You can also use the TFSAdminUtil command-line utility to determine which services are running under a named account. The following table lists the service names, what service account they use, and what tier these services run on.

Note

If you change the service account or password for the reporting services service account, you must manually update the service account information for report data sources by going to the SQL Server Reporting Services Web site. For more information, follow the procedure for changing the reporting services service account in How to: Assign a New Account to a Team Foundation Server Service.

If you have deployed Team Foundation Server in an Active Directory domain, you should set the Account is sensitive and cannot be delegated option for service accounts. For example, in the following table, you should set that option for the placeholder service account TFSService. For more information about required service accounts and placeholder names used in Team Foundation Server documentation, see the topic "User Accounts Required for Team Foundation Server Setup" in the Team Foundation Server Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server. For more information about how to restrict account delegation in Active Directory, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=61995).

| Service name | Service account | Tier |
|---|---|---|
| Code Coverage Service | TFSService | application tier |
| Team Foundation Server Web Services | TFSService | application tier |
| Report Server (MSSQLSERVER) | Network Service | application tier |
| Report Web Service | Local System (single-server); Network Service (dual-server) | application tier |
| SharePoint Services | Network Service | application tier |
| Team Build Service (if Team Foundation Build is installed) | TFSService | application tier |
| TFS Server Scheduler | TFSService | application tier |
| Analysis Server (MSSQLSERVER) | Local System | data tier |
| SQL Server Agent | Local System | data tier |
| SQL Browser | Local System | data tier |
| SQL Server | Local System | data tier |

On the Team Foundation Server data-tier server, all SQL-related service accounts run as Local System. You should not change the password for any of these accounts.

On the Team Foundation Server application-tier server, you must change the password for the Team Foundation Server Web Services application pool, as well as for the TFS Server Scheduler and Team Build Service services. This depends on your operational needs.

Note

If you change the service account for Team Build Service, you must make sure that the account is a member of the Build Services group, and that the account has read/write permissions to the temporary folders and the ASP.NET temporary folder.
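
An added example, not part of the original documentation: a PowerShell check that lists the Windows services on an application-tier server that log on as the placeholder account TFSService and verifies that the Account is sensitive and cannot be delegated option is set on that account in Active Directory. The server name TFS-AT01 and the parameter names are assumptions, and the script requires the ActiveDirectory module.

```powershell
# Added example. Assumptions: 'TFSService' is the placeholder account from the
# table above; 'TFS-AT01' is a hypothetical application-tier server name; the
# ActiveDirectory module (RSAT) is available for Get-ADUser / Set-ADUser.
param(
    [string]$AccountName = 'TFSService',   # placeholder service account
    [string]$AppTier     = 'TFS-AT01',     # hypothetical server name
    [switch]$Fix                           # set the option if it is missing
)

Import-Module ActiveDirectory

# StartName is stored as 'DOMAIN\user' or 'user@domain', so match only the
# account part. -match is case-insensitive by default.
$pattern = '(^|\\){0}(@|$)' -f [regex]::Escape($AccountName)

# 1. Windows services on the application tier that log on as the account.
#    The Team Foundation Server Web Services identity is an IIS application
#    pool, not a Windows service, so it does not appear in this query.
$services = Get-CimInstance -ClassName Win32_Service -ComputerName $AppTier |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, StartName, State

# 2. "Account is sensitive and cannot be delegated" is exposed by the
#    ActiveDirectory module as the AccountNotDelegated property.
$props = 'AccountNotDelegated', 'PasswordLastSet'
$user  = Get-ADUser -Identity $AccountName -Properties $props

if (-not $user.AccountNotDelegated) {
    Write-Warning "$AccountName is not marked 'sensitive and cannot be delegated'."
    if ($Fix) {
        Set-ADUser -Identity $user -AccountNotDelegated $true
        $user = Get-ADUser -Identity $AccountName -Properties $props
    }
}

# 3. One report object: delegation state, password age, dependent services.
[pscustomobject]@{
    Account             = $user.SamAccountName
    AccountNotDelegated = $user.AccountNotDelegated
    PasswordLastSet     = $user.PasswordLastSet
    Services            = $services
}
```

The Services list shows which services will fail to start if the account password is reset in Active Directory without also being updated on the application tier.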

See Also

Other Resources

TFSAdminUtil Command-Line Commands