Monday, December 5, 2016

SharePoint 2013: How to change all service account passwords


Introduction

This posting collates the procedures for changing each of the SharePoint 2013 service account passwords.  Rotating these passwords is a routine task whenever a SharePoint admin departs: anyone who has held these credentials can otherwise keep using them, so the rotation is what actually revokes that access.  This posting assumes that neither the farm account nor any other SharePoint service account (including the UPS profile service account) has been provisioned with AD write access; consequently every password is changed in AD first and then SharePoint is told to use the existing password, rather than SharePoint generating and writing a new one.  The SharePoint service accounts that will be engaged here typically include:
  • SPADMIN - SharePoint Setup User Administrator account.  Not really a service account, but included anyway as part of the SharePoint account pantheon.
  • SPFARM - this is the server farm and database access account; also used for example by, User profile Synchronization Service, Security Token Service Application and AppPool
  • SPSEARCH - Search service application identity, for example, Search Host Controller Service, SharePoint Server Search, Search Service AppPool, Search Admin Web Service.
  • SPCONTENT - used by the Search service application as the crawling account.
  • SPAPP - used as the application pool identity for those application pools used by the content web applications and the My Site web application.
  • SPSERVICE - general service application identity account, for example, C2WTS, Distributed Cache, Sandbox Code Service, SharePoint Hosted Services and application pools (eg, App Mgmt, BDC, Excel Calc, MMS, Secure Store, UPSA, Visio, Word Auto, etc).
  • SPSQL - typically used to run the SQL Server service and the SQL Server Agent service.
  • SPSUPERR - used by object caching service to impersonate standard viewer.
  • SPSUPERU - used by object caching service to impersonate standard full control.
  • SPWORKFL - TBD
  • SPPROFILE - used by UPS to interrogate Active Directory and download user profile information from AD.

Procedure

  1. SPADMIN: Change SharePoint Setup User Administrator Account Password
    1. Description
      1. Standard domain account.
      2. This account is specially provisioned and used during initial deployment, and it is the account that should be used for all configuration tasks, such as executing PSCONFIG after installing a cumulative update.  It is also the account that has been configured with the privileges needed to launch the SharePoint Management Shell and run SharePoint-related PowerShell scripts (local admin on each server, SharePoint_Shell_Access on the configuration database). This account is not used in any service capacity, so its password can be changed straightforwardly, as one would for any other user account.
      3. I also use this account when installing cumulative SharePoint patches.  I have been informed by Stefan Gossner that it isn't necessary to use this account when installing patches and that any domain account having local admin privileges will do.  However, this is my policy and it has served me well over numerous patching sessions over many years.
    2. Type
      1. Unmanaged
    3. Password Change Procedure
      1. The procedure for changing the password for this user account is the same as for any other AD user account: 1) launch Active Directory Users and Computers, 2) right-click on the account and choose Reset Password, and 3) follow the prompts.
  2. SPFARM: Change SharePoint Server Farm Account Password
    1. Description
      1. Standard domain account.
      2. This account is used to configure and manage the server farm; it acts as the application pool identity for the SharePoint Central Administration web application and it is this service account under which the SharePoint Foundation Workflow Timer Service runs.  Generally, these services and service applications use this account by default:
        1. Farm Account
        2. Windows Service - User Profile Synchronization Service
        3. Service Application Pool - SecurityTokenServiceApplicationPool
        4. Service Application Pool - SharePoint Web Services Default
        5. Service Application Pool - SharePoint Web Services System
        Additionally, you will see these Windows Server services provisioned to use this account by default:
        1. Forefront Identity Manager Service
        2. Forefront Identity Manager Synchronization Service
        3. SharePoint Timer Service
        You will need to use PowerShell to change this SharePoint Managed Account password in SharePoint rather than the Central Administration Managed Accounts interface, because you may lose access to that web interface once the farm account password changes: the farm account is the application pool identity for the web application that hosts Central Administration.  The next section walks you through this process.
    2. Type
      1. Partially Managed.
      2. Having this account in SharePoint Managed Accounts will simplify some changes that you need to make, but others will still need to be done manually.
    3. Password Change Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed.
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Launch an elevated SharePoint Management Shell.
      5. Execute the following:

        # Use the password already set in AD; prompt for it so it is not left in the script or the shell history
        $username = "DOMAIN\spFarm"
        $newpassword = Read-Host -Prompt "New password for $username" -AsSecureString
        # -UseExistingPassword tells SharePoint to take the password as given rather than generate one and write it to AD
        Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -UseExistingPassword:$true

         
      6. This can take a minute or two to complete.  There's a lot to update here and these changes are intricate.
      7. Now, open the Windows Server Services control panel on the SharePoint Server machine you are currently logged into, and then sort by the Log On As column.
      8. Scroll down until you see the services having the server farm account (eg, spFarm).
      9. For each of these services: 1) verify that it is running; 2) if its Startup Type has been changed to Disabled, change it back to Auto; 3) if it is not running then start it; 4) if on trying to start it, it prompts you for logon information, enter the appropriate logon info, including the new password, and then start it.
      10. Having done this for this SharePoint Server, repeat steps 7 - 9 on each of the other SharePoint servers in the farm.
      11. Now, connect back to Central Administration (from any SharePoint server), and then navigate to CA > System Settings >  Services on Server.
      12. Start any service here that should be started but that stopped after you changed the password.   In particular, verify that the User Profile Synchronization Service is started (See Note 2, below).
    4. Summary
      1. Changing the SharePoint farm account password is the most operationally sensitive of these changes.  If this account is unable to authenticate, the timer service, Central Administration and the service application pools that run under it all fail, and the farm is nonoperational.
      2. It's important to restart SharePoint servers after implementing this password change.  This commits the change.  If you don't, some services and service applications may function and others may not causing your farm to function in an indeterminate state.
      3. It can take some time for the password change to be recognized by SharePoint, depending on AD replication latency between your domain controllers: a server may authenticate against a DC that has not yet received the new password.
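Steps 7 through 10 above (check every Windows service that logs on as the farm account, on every SharePoint server) are tedious to do by hand in a farm of any size.  The script below is an added example, not code from the original post: run from an elevated SharePoint Management Shell as the Setup User Administrator after Set-SPManagedAccount has completed, it walks the farm's servers, re-enables any service that was flipped to Disabled, tries to start each stopped service and, where the start fails with the "service logon failed" return code (15) that the Services control panel surfaces as a logon prompt, stores the new credential on that service and retries.  It assumes WMI/CIM is reachable on each server, that DOMAIN\spFarm is the account name exactly as the services show it in Log On As, and that the new password has already been set in AD.

```powershell
# Added example (not from the original post): repair Windows services that log on as the
# rotated farm account on every SharePoint server, mirroring steps 7-10 of the procedure.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Repair-FarmServiceLogon {
    param(
        [Parameter(Mandatory)][string]$Account,          # e.g. "DOMAIN\spFarm" (assumed name)
        [Parameter(Mandatory)][pscredential]$Credential  # the same account with its NEW password
    )
    if ($Credential.UserName -ne $Account) { throw "Credential user name must be $Account" }

    # Get-SPServer also lists the SQL box (Role = Invalid); it has no SharePoint services, skip it.
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
               Select-Object -ExpandProperty Address
    # Win32_Service.Change() needs the password in clear text; keep it scoped to this function.
    $plain = $Credential.GetNetworkCredential().Password

    foreach ($server in $servers) {
        $svcs = Get-CimInstance -ClassName Win32_Service -ComputerName $server |
                Where-Object { $_.StartName -eq $Account }
        foreach ($svc in $svcs) {
            # Step 9.2: undo a Startup Type that was changed to Disabled during the change.
            if ($svc.StartMode -eq 'Disabled') {
                $null = Invoke-CimMethod -InputObject $svc -MethodName Change `
                            -Arguments @{ StartMode = 'Automatic' }
            }
            if ($svc.State -eq 'Running') {
                "{0}\{1}: running" -f $server, $svc.Name
                continue
            }
            # Step 9.3/9.4: try to start it; ReturnValue 15 = service logon failed, i.e. the
            # credential cached by the Service Control Manager is still the old password.
            $r = Invoke-CimMethod -InputObject $svc -MethodName StartService
            if ($r.ReturnValue -eq 15) {
                $null = Invoke-CimMethod -InputObject $svc -MethodName Change `
                            -Arguments @{ StartName = $Account; StartPassword = $plain }
                $r = Invoke-CimMethod -InputObject $svc -MethodName StartService
            }
            "{0}\{1}: start returned {2}" -f $server, $svc.Name, $r.ReturnValue
        }
    }
}

# Usage: the password is collected into a SecureString so it never appears in the shell history.
$cred = Get-Credential -UserName 'DOMAIN\spFarm' -Message 'New farm account password'
Repair-FarmServiceLogon -Account 'DOMAIN\spFarm' -Credential $cred
```

A non-zero return value other than 15 (for example 7, request timeout, or 14, service disabled) is printed rather than retried, so the output doubles as the list of servers that still need a manual look in the Services control panel.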
  3. SPSEARCH: Change the SharePoint Search Service Account Password
    1. Description
      1. Standard domain account.
      2. This account is used as the Search service application (SSA) identity. 
      3. If you have deployed your search service using the PowerShell approach in Reference 9.1, it will be the identity for all of the usual SharePoint 2013 SSA components except the Crawl component, which is configured to use the SPCONTENT account.
      4. Changing the password for this service account is easier than for the farm server account.  You still need to change the password first in AD using the usual method.  However, in SharePoint, rather than having to use PowerShell, you can change the SSA service account using the Central Administration Managed Accounts interface.  The next section walks you through this process.
    2. Type
      1. Managed
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed.
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Launch Central Administration.
      5. Navigate to: CA > Security > General Security > Configure Managed Accounts.
      6. Look for the Search service account (eg, spSearch), and then click the edit icon next to it.
      7. In the Credential Management section, check Change password now.
      8. Next, also in this section, select Use existing password, and then enter the password.
      9. Scroll down, and then click OK.  The page will be busy for less than a minute.  Once it returns, move on to the next step.
      10. On the Windows Server you are currently logged into, open the Windows Server Services control panel.
      11. Sort on the Log On As column, and scroll down to find these two services: SharePoint Search Host Controller and SharePoint Server Search 15
      12. Verify that these both have status Running. If they are stopped, start them.
      13. Repeat the previous step for each of the other SharePoint servers.
      14. Now, while logged into any SharePoint server, launch Central Administration, and then navigate to Manage services on server.
      15. Scroll down to the bottom and look for these two SharePoint services: Search Host Controller Service and SharePoint Server Search.  
      16. Verify that these SharePoint services are started.  If they are not started, start them.
      17. Repeat the previous step for each of the other SharePoint servers in the farm.
      18. Lastly, in Central Administration, navigate to the Farm Search Administration page and then to the Search Service Administration page. 
      19. Review the Search Application Topology section: do you see all green checks there?  If so, you're done.  If not, wait awhile, and then refresh: it can take a minute or two for the new authentication information to propagate to all the components of the SSA and then for these components to update their health information back to the Search Service Admin page.
    4. Summary
      1. Changing the Search Service Application service account is fairly simple - particularly if you have deployed the SSA to use a single service account for all SSA components except the Crawl component.
      2. If your farm has deployed its SSA using separate service accounts for the different SSA components, then simply repeat the above steps for each of the other SSA service accounts.
  4. SPCONTENT: Change Search Service Application Content Access Account
    1. Description
      1. Standard domain account.
      2. This is the account used by the farm's SSA to actually crawl content.  
      3. You can see it configured by navigating to the Search Administration page.
    2. Type
      1. Unmanaged
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed.
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Launch Central Administration.
      5. Navigate to: CA > Farm Search Administration > Search Administration.
      6. In the System Status section of this page (top section usually), look for Default content access account.
      7. Look across to the right, and then click on the account shown there.
      8. Enter the password for this account, and then click OK.
      9. Launch an Incremental Crawl of any content source and wait for it to complete.
      10. Check the Search Crawl Log and verify that there are no entries there that include such descriptions as "Access Denied" or "Update password".
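Steps 5 through 10 above can be done from an elevated SharePoint Management Shell instead of Central Administration.  The script below is an added example, not code from the original post: it sets the default content access account password on the Search service application, kicks off an incremental crawl of the first content source, waits for it to go idle and then reads the content source's success/warning/error counters, which is a quick stand-in for step 10 (a crawl that hits "Access Denied" on every item shows up as a large error count).  It assumes a single Search service application in the farm, that DOMAIN\spContent is the content access account, and that its password has already been changed in AD.

```powershell
# Added example (not from the original post): update the SSA default content access account
# password and verify it with an incremental crawl, the PowerShell equivalent of steps 5-10.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-SearchContentAccessAccount {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # DOMAIN\spContent with its NEW password
        [int]$TimeoutMinutes = 30
    )
    $ssa = Get-SPEnterpriseSearchServiceApplication
    if (@($ssa).Count -ne 1) { throw "Expected exactly one Search service application" }

    # Equivalent of clicking the Default content access account link and entering the password.
    Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
        -DefaultContentAccessAccountName $Credential.UserName `
        -DefaultContentAccessAccountPassword $Credential.Password

    # Step 9: incremental crawl of the first content source (usually "Local SharePoint sites").
    $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa | Select-Object -First 1
    $cs.StartIncrementalCrawl()

    # Poll until the crawl returns to Idle or we give up.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $cs.Id
    } while ($cs.CrawlStatus -ne 'Idle' -and (Get-Date) -lt $deadline)

    # Step 10 stand-in: a crawl that failed authentication shows up as errors, not successes.
    [pscustomobject]@{
        ContentSource = $cs.Name
        CrawlStatus   = $cs.CrawlStatus
        LastCompleted = $cs.CrawlCompleted
        Successes     = $cs.SuccessCount
        Warnings      = $cs.WarningCount
        Errors        = $cs.ErrorCount
    }
}

$cred = Get-Credential -UserName 'DOMAIN\spContent' -Message 'New content access account password'
Update-SearchContentAccessAccount -Credential $cred
```

If Errors is non-zero after the crawl, the crawl log in Central Administration (step 10) still tells you which items failed and why; the counters only tell you that something did.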
  5. SPAPP - Change the Application Service Account Password
    1. Description
      1. Standard domain account.
      2. This account is generally used as the content web application pool identity.
      3. May also be used as identity for the Work Management Service Application (WMSA).
    2. Type
      1. Managed (if used for content web applications and WMSA)
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed. 
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Test the content web applications by trying to connect to them.  You should see HTTP 503 Service Unavailable messages in the browser: the application pools cannot start because IIS still holds the old password.
      5. Remote into a farm application server using the SharePoint Setup User Admin Account (eg, spAdmin).
      6. Launch Central Administration.
      7. Navigate to: CA > Security > General Security > Configure Managed Accounts.
      8. Look for the App service account, and then click the Edit icon next to the title.
      9. In the Credential Management section, check Change password now.
      10. Next, also in this section, select Use existing password, and then enter the password.
      11. Scroll down, and then click OK.  The page will be busy for less than a minute. Once it returns, move on to the next step.
      12. Remote into a WFE.
      13. Launch an elevated command shell.
      14. Execute IISRESET, and then wait for it to complete.
      15. Repeat steps 12-14 for each WFE in the farm.
      16. Try connecting to each of the content web applications of the farm.  You may get the usual "Sorry, something went wrong" page.  This is expected and is due to time-out behavior: the IISRESET restarts the worker processes, and each web application on the WFEs must be recompiled and warmed up before it answers requests.  Keep trying.
      17. Once you verify the content web applications are back up, try hitting your My Site and your OneDrive.  Here too you may see errors in the browser. This is expected: the My Site web application was also restarted (if it is co-hosted with your content web applications).
    4. Summary
      1. The SharePoint App service account (spApp) is typically used with content web applications and the Work Management Service Application (this is created and configured automatically for you during normal install).
      2. Managing this web application AppPool identity via SharePoint Managed Accounts makes changing this particular password a snap.
      3. An IISRESET on every WFE is absolutely necessary after restarting the SharePoint servers and then changing the password in Managed Accounts.  If you don't do this, you'll continue to see 503 Service Unavailable errors.
  6. SPSQL - Change the SQL Server Service Password
    1. Description
      1. Standard domain account.
      2. Used as the identity for the SQL Server Service.
      3. It may also be used as the identity for the SQL Server Agent Service.
      4. For this procedure, the SQL Server Browser service is assumed to be running under the NT AUTHORITY\LOCALSERVICE account, so it is unaffected by the change.
    2. Type
      1. Unmanaged
    3. Procedure
      1. Shut down all SharePoint farm servers.
      2. Change the password in AD Users and Computers as you would normally.
      3. Restart SQL Server.
      4. Remote into the SQL Server machine using an account that is a member of the local Administrators group (eg, spAdmin).
      5. Launch SQL Server Configuration Manager (Local).
      6. In the left navigation panel, open SQL Server Configuration Manager (Local) > SQL Server Services.  Typically the second item below SQL Server Configuration Manager (Local).
      7. Right-click on the SQL Server instance (eg, spSQL), and then select Properties.
      8. Enter the new password in the Password and Confirm Password fields, and then click OK.
      9. At the prompt to restart the service, click Yes.
      10. Repeat for the SQL Server Agent service.
      11. Exit SQL Server Configuration Manager.
      12. Launch SQL Server Management Studio (SSMS) and connect to this SQL Server instance.
      13. In the left Object Explorer panel, verify that a green arrow icon is displayed over the SQL Server name.
      14. Exit SSMS.
      15. Start the rest of the farm servers.
    4. Summary
      1. The SharePoint SQL Server service account is unmanaged.  Always update it through SQL Server Configuration Manager (or the SMO WMI provider it uses) rather than the generic Services control panel: Configuration Manager also maintains the ACLs and other settings the SQL Server services depend on, which services.msc does not touch.
      2. Changes to the password are transparent to SharePoint and are not stored anywhere in SharePoint.
      3. In my opinion, best practice when changing the SQL Server service account password is to shut down SharePoint whilst this account is worked on, and then only start up the farm's SharePoint servers once the farm's backend is fully operational and all services are running again.  At the least this avoids numerous critical system and application events appearing in the server logs.
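Steps 5 through 13 above (update both SQL services' stored password in SQL Server Configuration Manager, restart them, confirm the instance answers) can be scripted against the same SMO WMI provider that Configuration Manager drives.  The script below is an added example, not code from the original post: run on the SQL Server machine as a local administrator after the password has been changed in AD and the SharePoint servers are shut down, it stores the new password on the Database Engine and Agent services, restarts them in dependency order, and finally opens an integrated-security connection as a stand-in for the SSMS green-arrow check.  It assumes a default instance (service names MSSQLSERVER and SQLSERVERAGENT) and that the SMO assemblies shipped with SQL Server are installed locally.

```powershell
# Added example (not from the original post): the SQL Server Configuration Manager steps for the
# spSQL password change done through SMO's ManagedComputer, then a connection test.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

function Wait-SqlServiceState($svc, $state, $timeoutSec = 120) {
    # Start()/Stop() are asynchronous; poll the service until it reaches the wanted state.
    $deadline = (Get-Date).AddSeconds($timeoutSec)
    do { Start-Sleep -Seconds 2; $svc.Refresh() }
    while ($svc.ServiceState -ne $state -and (Get-Date) -lt $deadline)
    if ($svc.ServiceState -ne $state) { throw "$($svc.Name) did not reach $state within $timeoutSec s" }
}

function Update-SqlServiceAccountPassword {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,                     # DOMAIN\spSQL + new password
        [string[]]$ServiceNames = @('MSSQLSERVER', 'SQLSERVERAGENT')         # Engine first, then Agent
    )
    $mc = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer   # local machine
    $results = @()
    foreach ($name in $ServiceNames) {
        $svc = $mc.Services[$name]
        if ($null -eq $svc) { Write-Warning "Service $name not found on this host"; continue }
        if ($svc.ServiceAccount -ne $Credential.UserName) {
            Write-Warning ("{0} runs as {1}, not {2}; skipping" -f $name, $svc.ServiceAccount, $Credential.UserName)
            continue
        }
        # Same operation as Properties > Log On > Password in Configuration Manager.
        $svc.SetServiceAccount($Credential.UserName, $Credential.GetNetworkCredential().Password)
        # Restart so the running process picks up the new credential (the "restart now?" prompt).
        if ($svc.ServiceState -eq 'Running') {
            $svc.Stop(); Wait-SqlServiceState $svc 'Stopped'
        }
        $svc.Start(); Wait-SqlServiceState $svc 'Running'
        $results += [pscustomobject]@{ Service = $name; Account = $svc.ServiceAccount; State = $svc.ServiceState }
    }
    return $results
}

function Test-SqlInstanceOnline {
    # Stand-in for the SSMS green arrow: can we open a Windows-authenticated connection?
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Integrated Security=SSPI;Connect Timeout=15'
    try { $conn.Open(); return $conn.State -eq 'Open' } catch { return $false } finally { $conn.Close() }
}

$cred = Get-Credential -UserName 'DOMAIN\spSQL' -Message 'New SQL Server service account password'
Update-SqlServiceAccountPassword -Credential $cred | Format-Table -AutoSize
"Instance accepting connections: {0}" -f (Test-SqlInstanceOnline)
```

Stopping the Database Engine also stops the Agent, which is why the Engine is processed first and the Agent's state is re-read before it is started; for a named instance substitute MSSQL$INSTANCE and SQLAgent$INSTANCE.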
  7. SPSUPERR - Change the Farm Super Reader Account Password
    1. Description
      1. Standard domain account.
      2. It is not a service account.
      3. Supports object caching when Publishing feature is enabled for the web application.
    2. Type
      1. Unmanaged.
      2. Though this is an unmanaged account, it's still helpful to use Central Administration Managed Accounts capability so as to test password changes. 
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      3. Launch Central Administration.
      4. Navigate to: CA > Security > General Security > Configure Managed Accounts.
      5. Look for the super reader account, and then click the Edit icon next to the title.
      6. In the Credential Management section, check Change password now.
      7. Next, also in this section, select Use existing password, and then enter the password.
      8. Scroll down, and then click OK.  The page will be busy for less than a minute.
        It may take a few seconds for the password change in AD to propagate. This means that you may likely still be able to enter the old password one or more times here before you get an error message indicating that the password is the wrong one.
      9. That's it.  Nothing more to do.  These are not service accounts.
    4. Summary
      1. Entering the super reader account into Managed Accounts has absolutely no impact: no SharePoint services and applications will obtain the super reader account from Managed Accounts.
      2. SharePoint does not need to authenticate these accounts, since they are impersonated.  See References 5.1 and 5.4 for additional detail on this account.
  8. SPSUPERU - Change the Farm Super User Account Password
    1. Description
      1. Standard domain account.
      2. It is not a service account.
      3. Supports object caching when Publishing feature is enabled for the web application.
    2. Type
      1. Unmanaged
      2. Though this is an unmanaged account, it's still helpful to use Central Administration Managed Accounts capability so as to test and verify password changes. 
      3. Entering the super user account into Managed Accounts has absolutely no impact and no SharePoint services and applications will obtain the super user account from Managed Accounts.
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      3. Launch Central Administration.
      4. Navigate to: CA > Security > General Security > Configure Managed Accounts.
      5. Look for the super user account, and then click the Edit icon next to the title.
      6. In the Credential Management section, check Change password now.
      7. Next, also in this section, select Use existing password, and then enter the password.
      8. Scroll down, and then click OK.  The page will be busy for less than a minute.
        It may take a few seconds for the password change in AD to propagate. This means that you may likely still be able to enter the old password one or more times here before you get an error message indicating that the password is the wrong one.
      9. That's it.  Nothing more to do.  These are not service accounts.
    4. Summary
      1. Entering the super user account into Managed Accounts has absolutely no impact: no SharePoint services and applications will obtain the super user account from Managed Accounts.
      2. SharePoint does not need to authenticate these accounts, since they are impersonated.  See References 5.1 and 5.4 for additional detail on this account.
  9. SPWORKFL - Change the Farm Workflow 2013 Service Account Password
    1. Description
      1. Standard domain account.
      2. TBD
    2. Type
      1. Managed.
    3. Procedure
      1. TBD
    4. Summary
      1. TBD
  10. SPSERVICE - Change the Farm Service Application Service Account Password
    1. Description
      1. Standard domain account.
      2. Used as the identity for C2WTS, the Sandboxed Code Service, SharePoint Hosted Services and the service application pools (eg, App Mgmt, BDC, Excel Calc, MMS, Secure Store, UPSA, Visio, Word Auto, etc).
      3. Typically also used as the identity for Distributed Cache (the AppFabric Caching Service).
    2. Type
      1. Managed
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed.
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Launch Central Administration.
      5. Navigate to: CA > Security > General Security > Configure Managed Accounts.
      6. Look for the Service service account (eg, spService), and then click the edit icon next to it.
      7. In the Credential Management section, check Change password now.
      8. Next, also in this section, select Use existing password, and then enter the password.
      9. Scroll down, and then click OK.  The page will be busy for less than a minute. Once it returns, move on to the next step.
      10. Check Windows Server services on each machine hosting SharePoint.  Start any SharePoint and SharePoint-related services that are not running and that should be running.  In particular, check those services that might be running under the Service service account, such as Distributed Cache (AKA AppFabric Caching Service), Claims to Windows Token Service and so on.
        From experience, the AppFabric Caching Service will restart automatically after updating the Service service password in Managed Accounts. However, the Claims to Windows Token Service will not, and you must restart it manually.
      11. That's it.  You're done.
    4. Summary
      1. The key thing to keep in mind here is that, even though this is a managed service account, it is still useful to check all services using this service account to verify that they did indeed restart successfully.
  11. SPPROFILE - Change the User Profile Synchronization Account
    1. Description
      1. Standard domain account.
      2. Typically used to read AD user profiles and copy that information to SharePoint user profiles.
      3. At a minimum, in order to read AD objects and replicate them to SharePoint, this account requires the Active Directory permission Replicate Directory Changes on the domain. This permission enables the service account to read Active Directory objects and to discover whether any of these objects have changed in the domain.  It does not need, and should not be given, Replicate Directory Changes All: that second right allows replication of secrets such as password hashes, far more than profile import requires.
    2. Type
      1. Unmanaged
    3. Procedure
      1. Change the password in AD Users and Computers as you would normally.
      2. Restart all farm servers on which SharePoint is installed.
      3. Next, remote into any SharePoint server using the SharePoint Setup User Administrator account (eg, spAdmin).
      4. Launch Central Administration.
      5. Navigate to: CA > Application Management > Manage service applications, and then click on the name of your User Profile Service Application (User Profile Service Application is the default name).
      6. Then navigate to: Synchronization > Configure Synchronization Connections.
      7. Open the dropdown menu for the appropriate connection listed, and then select Edit.
      8. In the Connection Settings section, enter the new password into the Password and Confirm Password fields.
      9. Test the new password by clicking the Populate Containers button.  
      10. Click OK.
      11. Navigate back to the Manage Profile Service: User Profile Service Application page.
      12. Click the Start Profile Synchronization button.
      13. Select Start Full Synchronization, and then click OK.
    4. Summary
      1. The key things to keep in mind here are that: 1) spProfile is not managed and 2) after changing the password in AD, you will need to return to the user profile service application and update the password used in the synchronization connection.  Once you do that, you're done.
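Two checks are worth running right after rotating the profile synchronization account: that the new password really binds to the domain (what step 9's Populate Containers does interactively), and that the account holds only the replication right described above.  The script below is an added example, not code from the original post, and goes a little beyond the section by auditing every principal that holds a replication extended right on the domain naming context, since a former admin may have granted Replicate Directory Changes All to some other service account along the way.  It assumes the RSAT ActiveDirectory module is available where it runs and that DOMAIN\spProfile is the sync account name.

```powershell
# Added example (not from the original post): validate the rotated spProfile credential and audit
# who holds the directory replication rights on the domain naming context.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Well-known control access right GUIDs from the schema's Extended-Rights container.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Test-SyncAccountCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)   # DOMAIN\spProfile + new password
    $domain = (Get-ADDomain).DNSRoot
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
    # A real bind with the supplied credential, like Populate Containers in the sync connection page.
    return $ctx.ValidateCredentials($Credential.UserName, $Credential.GetNetworkCredential().Password)
}

function Get-ReplicationRightHolders {
    $dn  = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $extended) -ne 0) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
            }
        } | Sort-Object Principal, Right
}

$cred = Get-Credential -UserName 'DOMAIN\spProfile' -Message 'New profile sync account password'
"Bind with new password: {0}" -f (Test-SyncAccountCredential -Credential $cred)

$holders = Get-ReplicationRightHolders
$holders | Format-Table -AutoSize
# The sync account needs the plain "Replicating Directory Changes" right and nothing more.
if ($holders | Where-Object { $_.Principal -eq $cred.UserName -and $_.Right -like '*All' }) {
    Write-Warning "$($cred.UserName) holds Replicating Directory Changes All: remove it"
}
```

Expect to see the domain controllers, Domain Controllers/Enterprise Domain Controllers groups and Administrators in the list; any other account holding the "All" right deserves the same scrutiny as the one being rotated.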

References

  1. General
    1. Initial deployment administrative and service accounts in SharePoint 2013
    2. Account permissions and security settings in SharePoint 2013
    3. Updating passwords on SharePoint 2010
    4. SharePoint 2013 Service Accounts Best Practices! Is there a golden solution for all farms?
    5. Changing SharePoint farm passwords
    6. Managing Passwords for Service Accounts in SharePoint & SQL Server: excellent, thorough discussion. NOTE: his discussion presumes that the server farm account has been granted the necessary AD write privileges for writing password changes entered into SharePoint Managed Accounts back to AD.  
    7. SharePoint 2013: Service Accounts
    8. SharePoint 2013: Service Account Configurations and Permissions

  2. SharePoint Setup User Administrator Account Password Changes
    1. Step by Step: Changing the SharePoint 2013 Farm Account Password
  3. Changing the farm service account
    1. Unable to change SharePoint account password in SharePoint 2010
  4. SharePoint SQL Server Service Account Password Changes
    1. Change passwords for SQL Server services in SharePoint Server 2013
  5. SuperUser Accounts
    1. Configure object cache user accounts in SharePoint Server 2013
    2. SharePoint–Setting the Super User and Super Reader Accounts for All WebApplications in the Farm
    3. Part 5: Object caching
    4. How does SharePoint 2010 uses the SuperReader/SuperUser accounts?: excellent discussion that finally helped me to understand why a password is never requested when entering these accounts into SharePoint.
  6. Service Application Service Account
    1. Change Distributed Cache Service Account in SharePoint 2013 with PowerShell
    2. SharePoint 2013: AppFabric and Distributed Cache Service
    3. SharePoint 2013: Distributed Cache (AppFabrikCache) part 2/2
    4. Manage the Distributed Cache service in SharePoint Server 2013
  7. User Profile Synchronization Account
    1. Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server 2013
  8. Commandlets
    1. Set-SPManagedAccount
    2. Repair-SPManagedAccountDeployment
  9. Miscellaneous
    1. SharePoint 2013: How to deploy a search service application using PowerShell

Notes

  1. Synchronization Service Manager: useful tool for troubleshooting the SharePoint User Profile Service Application.  You'll find it at this folder location:
    \Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell
    Look for miisclient.exe.  It enables you to view the real-time status of UPA processes, among many other things.  I don't use it to manage FIM; just to view status information.  For example, I have used it to troubleshoot a UPA that failed to start.  As I tried different troubleshooting steps, I monitored Synchronization Service Manager, watching in real time to see how far UPA got before stopping.  It also provides other helpful information, such as confirmation of the domain controller it is connecting to.  If you configured UPA using Auto Detect for the DC, you can now determine exactly which DC it is connecting to.  You can also get confirmation of the service account that is running UPA (eg, the farm service account).  This tool is also useful for monitoring startup, after changing the password under which the Synchronization service runs (which is usually the farm account, eg, spFarm).
  2. The User Profile Synchronization Service (this one is listed just below the User Profile Service) will likely be stopped if it is configured to run under the server farm account, which is usually the case.  You will need to manually start it again and you will likely be prompted to enter the new server farm account password.  Once you do this, it will be in the Starting... state for awhile. Keep refreshing the page for a while to verify that it finally reaches the Started state.
  3. If you first launch a browser as you would normally, and then connect to Central Administration, you may not see the Manage services on server link in the System Settings group.   This is because the browser instance must specifically be running in elevated mode, meaning Run as administrator.  This is the case when you launch CA using the menu option in the Windows Server Start menu.  If you click on this, you are presented with the usual User Account Control prompt.  This is an indication that the application is being run in elevated mode. This icon really just launches IE, and points it to CA, but it does so as an elevated instance of IE.  If you launch a browser normally, and then try connecting to CA, if your current account is a member of the Farm Administrators group in CA, your browser will connect to CA and you will see most of the usual web pages and links in CA.  Except for Manage services on server.
  4. Problem changing the farm service account? Try it this way instead:
    1. Verify that the password is changed in AD - do this by changing a server service account password.
    2. In elevated SharePoint Management Shell (SMS), execute: Set-SPManagedAccount -UseExistingPassword -Identity DOMAIN\spFarm.  You'll be prompted to enter a new password.  This will take five minutes or more to complete.
    3. In the same SMS, execute: Repair-SPManagedAccountDeployment.  If the passwords are in sync, this will complete silently and return the prompt.  Keep this shell open.
    4. In an elevated command prompt, execute: IISRESET.
    5. In the SMS, execute: Repair-SPManagedAccountDeployment.  As a last check.
