SharePoint Service account -- password change

    Question

  • Hi,

    We are trying to change the SharePoint service account password, I wonder what are the steps to perform this change, as the whole farm, search services...use this account. Is this recommended at all? If yes, how could we do this?

    Thanks in advance.

    Monday, December 6, 2010 7:59 PM

Answers

  • I would recommend NEVER changing these passwords. There is really no need to (most compliance regulations allow for service account passwords to be changed) but if you feel the need to:

    More Info: http://technet.microsoft.com/en-us/library/ff724280.aspx (Configure automatic password change (SharePoint Server 2010))

    SharePoint 2010 has a Managed Accounts section:

    "Now you can reduce your administrative expenses by allowing SharePoint 2010 to take control of your accounts. How? SharePoint 2010 Managed Accounts can automatically reset passwords based on domain policies and notify administrators when passwords are expiring. By storing account information in SharePoint 2010 Managed Accounts, you can keep your information secure and reduce the overhead required to manage it yourself. In brief, a Managed Account is effectively an Active Directory user account whose credentials are managed by and contained within SharePoint. In addition to storing the credentials of the object, Microsoft SharePoint Server 2010 can also leverage Active Directory Domain Policies to automatically reset passwords while meeting the requirements established by policy.

    How Managed Accounts credentials are stored?

    Managed Account credentials are encrypted using a farm encryption key that is specified when you run PSConfig[ui].exe at farm creation based on the passphrase. The passphrase is stored in a secure registry location so that it can only be accessed by the farm account and encrypted so that only the farm account has access. The farm encryption key subsequently, is stored in the Configuration Database. This scenario is what enables farm administrators to join machines to the farm without specifying the credentials

    To conclude, suppose an administrator would like to create a new Web application using Windows PowerShell and/or SharePoint Central Administration – the administrator only needs to specify the Application Pool account (Windows PowerShell) or select the account in the SharePoint Central Administration user interface as opposed to both having to know the domain\username and associated password." from this link.

    • Marked as answer by Rock Wang– MSFT Thursday, December 16, 2010 10:03 AM
    Tuesday, December 7, 2010 5:03 PM

All replies

  • Thanks for the post, it is quite helpful.

    Now I have another question: since this is a domain account, should I change it outside of SP point first, then go to Credential management and do "Change password now" in Manage Account in Security of Central Admin?

    Or do I change it in CA first, then change it outside of SP?

    Thanks in advance.

    Tuesday, December 7, 2010 8:38 PM
  • Please refer to this article: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=301

    This article can be thought of as a reference for changing passwords for all accounts engaged with a SharePoint implementation (Installation Accounts, Service Accounts, etc.).


    Hamza AlSughier

    Saturday, April 14, 2012 1:15 PM
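
The two orderings asked about in this thread (change in SharePoint first, or in Active Directory first) map to two parameter sets of `Set-SPManagedAccount`. The script below is an added example, not code from any poster or from the linked articles; the function name `Update-ManagedAccountPassword` and the account `CONTOSO\svc-spfarm` are placeholders, and it assumes the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example. Run as a farm administrator on a SharePoint 2010 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-ManagedAccountPassword {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('SharePointFirst', 'DirectoryFirst', 'Automatic')]
        [string]$Mode
    )

    # Fails early if the account was never registered as a managed account.
    $account = Get-SPManagedAccount -Identity $AccountName -ErrorAction Stop

    switch ($Mode) {
        'SharePointFirst' {
            # SharePoint sets the new password in Active Directory and then
            # updates every service and application pool that uses it.
            $new     = Read-Host 'New password' -AsSecureString
            $confirm = Read-Host 'Confirm new password' -AsSecureString
            Set-SPManagedAccount -Identity $account -NewPassword $new `
                -ConfirmPassword $confirm -SetNewPassword
        }
        'DirectoryFirst' {
            # The password was already reset in Active Directory; give
            # SharePoint the value so the farm stops using the stale one.
            $existing = Read-Host 'Password already set in AD' -AsSecureString
            Set-SPManagedAccount -Identity $account -ExistingPassword $existing `
                -UseExistingPassword
        }
        'Automatic' {
            # SharePoint generates and rotates the password itself, a few days
            # before the domain policy would expire it.
            Set-SPManagedAccount -Identity $account -AutoGeneratePassword:$true `
                -PreExpireDays 5 -EmailNotification 10
        }
    }

    # Report the resulting state so the change can be verified.
    Get-SPManagedAccount -Identity $AccountName |
        Select-Object Username, AutomaticChange, PasswordExpiration
}

# Inventory first: which accounts are managed, and which rotate automatically.
Get-SPManagedAccount | Select-Object Username, AutomaticChange, PasswordExpiration

# Placeholder account name; pick the mode that matches where the change starts.
Update-ManagedAccountPassword -AccountName 'CONTOSO\svc-spfarm' -Mode SharePointFirst
```

Reading the password with `Read-Host -AsSecureString` keeps it out of the script text and the console history.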