Sunday, December 1, 2013

Health Analyzer: Accounts used by application pools or service identities are in the local machine Administrators group

Problem

You see the following warning appear in the Review problems and solutions list in SharePoint 2010 Central Administration:
Accounts used by application pools or service identities are in the local machine Administrators group
Solution
  1. Click on the warning title.  The warning description dialog appears:
  2. The error description dialog identifies the cause of the problem: the farm administration and timer service accounts are members of the local machine Administrators group. 
    During initial deployment, the farm account is provisioned as a domain user account with local machine administrator privileges.  The farm account only needs local administrator privileges during SharePoint farm provisioning.  Once farm provisioning is completed, this account can be removed from the local Administrators group.  You will need to add it back to the local Administrators group for subsequent provisioning tasks, such as User Profile provisioning.
  3. In Central Administration, go: Security > General Security > Configure service accounts.
  4. From the service dropdown (upper one), select Farm Account.  This refers to the Central Administration service.  The page is updated to show the service components and the account running the service.
  5. Verify that the farm account (in this case, Contoso\sp_farm) is running the Central Administration service:
  6. Log in to the machine hosting your SharePoint 2010 farm Central Administration.
  7. Go: Start > Administrative Tools > Services.
  8. Scroll down to the SharePoint 2010 Timer service.
  9. Double-click this service, and then select the Log On tab.
  10. Verify that the farm account is entered:
  11. On the local machine, go: Start > Administrative Tools > Computer Management
  12. In the tree console at left, expand Local Users and Groups, and then select Groups.  The results panel in the middle updates to list local machine groups.
  13. Double-click the Administrators group.  This is the local machine administrators group.
  14. Verify that the farm account appears:
  15. In the Members pane, select the farm account, and then click Remove.  The account no longer appears.
  16. Click OK, and then log out of the local machine hosting Central Administration.
  17. In Central Administration, in the message bar, click View these issues.
  18. On the Review problems and solutions page, click the warning message link, Accounts used by application pools or service identities are in the local machine Administrators group.  The warning description dialog appears:
  19. Click the Reanalyze Now button, and then click Close.
  20. Wait a minute or two, and then refresh the page.  The warning message no longer appears:
  21. This concludes this procedure.
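Steps 4 through 15 above can be checked in one pass from an elevated PowerShell prompt on each farm server. The script below is an added example, not part of the original post: it reads the logon account of the SharePoint 2010 Timer and SharePoint 2010 Administration services, normalises the "[domain]\[account]" and "[account]@[domain]" spellings mentioned in the Notes so they compare equal, and reports (or, with -Remove, removes) any match found in the local Administrators group. It uses WMI and ADSI rather than Get-LocalGroupMember so that it runs on Windows Server 2008 R2 / PowerShell 2.0; the Contoso\sp_farm account is whatever the services happen to run as on your server.

```powershell
# Added example (not from the original post). Run elevated on each server in the farm.
# Reports whether the SharePoint 2010 Timer / Administration service accounts are in the
# local Administrators group; pass -Remove to take them out, as step 15 does by hand.
param([switch]$Remove)   # dry-run unless -Remove is given

# Service display names exactly as shown in the Services console (steps 8 and 3).
$serviceDisplayNames = @('SharePoint 2010 Timer', 'SharePoint 2010 Administration')

# Normalise "DOMAIN\user" and "user@domain" to the bare account name, lower-cased,
# so the two spellings described in the Notes compare equal.
function Get-AccountName([string]$identity) {
    if ($identity -match '^(?<dom>[^\\]+)\\(?<acct>.+)$') { return $Matches['acct'].ToLower() }
    if ($identity -match '^(?<acct>[^@]+)@(?<dom>.+)$')   { return $Matches['acct'].ToLower() }
    return $identity.ToLower()   # e.g. LocalSystem
}

# Collect the logon account (StartName) of each SharePoint service.
$serviceAccounts = @{}
foreach ($name in $serviceDisplayNames) {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if ($svc) { $serviceAccounts[(Get-AccountName $svc.StartName)] = "$name ($($svc.StartName))" }
}

# Enumerate the local Administrators group through ADSI (works on 2008 R2).
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members'))
$found   = $false
foreach ($m in $members) {
    # ADsPath looks like WinNT://CONTOSO/sp_farm; strip the provider and domain parts.
    $path       = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $memberName = ($path -replace '^WinNT://', '') -replace '^[^/]+/', ''
    $key        = $memberName.ToLower()
    if ($serviceAccounts.ContainsKey($key)) {
        $found = $true
        Write-Warning "Local Administrators contains $memberName, which runs: $($serviceAccounts[$key])"
        if ($Remove) {
            $group.Remove($path)   # same effect as Remove in Computer Management (step 15)
            Write-Output "Removed $memberName from local Administrators"
        }
    }
}
if (-not $found) { Write-Output 'No SharePoint service account found in local Administrators.' }
```

Run it without -Remove first to see which account the rule is complaining about; after removing the account, re-run the rule from Central Administration as in steps 17 to 20.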
Troubleshooting

If, after performing the steps above, the warning message remains, try the following:
  1. Re-run Rule Definition:
    1. In Central Administration, go: Monitoring > Health Analyzer > Review rule definitions.
    2. On the Health Analyzer Rule Definitions page, in the Category: Security group, click the rule definition link, Accounts used by application pools or service identities are in the local machine Administrators group.
    3. Click the Run Now button, then click Close.
    4. Wait a minute or two, and then return to Review problems and solutions page.
    5. Verify that the warning no longer appears.
  2. Reset Farm Service
    1. Log in to the local machine hosting the farm Central Administration application.
    2. Go: Start > Administrative Tools > Services.
    3. Scroll down to the SharePoint 2010 Administration service.
    4. Double-click this service.  The services properties dialog appears.
    5. Select the Log On tab.
    6. If not selected, select the This account option.
    7. Enter or re-enter the farm account.  For this posting, the farm account is Contoso\sp_farm.
    8. At the warning prompt, "The new login name will not take effect until you stop and restart the service," click OK.
    9. Stop and restart the service, and then click OK.
    10. Wait a minute or two, and then return to Review problems and solutions page.
    11. Verify that the warning no longer appears.
  3. Reset the Farm Timer Service
    1. Log in to the local machine hosting the farm Central Administration application.
    2. Go: Start > Administrative Tools > Services.
    3. Scroll down to the SharePoint 2010 Timer service.
    4. Double-click this service.  The services properties dialog appears.
    5. Select the Log On tab.
    6. If not selected, select the This account option.
    7. Enter or re-enter the farm account. For this posting, the farm account is Contoso\sp_farm:
    8. At the warning prompt, "The new login name will not take effect until you stop and restart the service," click OK.
    9. Stop and restart the service, and then click OK.
    10. Wait a minute or two, and then return to Review problems and solutions page.
    11. Verify that the warning no longer appears.
Summary

This posting presented steps for resolving the Health Analyzer warning, Accounts used by application pools or service identities are in the local machine Administrators group.  It has also presented troubleshooting steps for resolving this warning, if the usual approach appears to fail.  For additional detail on this topic, see the references below.

References
Notes
  • If you have not previously modified the services directly, through the Windows Services control applet, you will likely see the account entered as "[domain]\[account name]."  This is how it looks after a fresh install.  Once you edit the account, it will change to "[account name]@[domain]."  This is one way to tell if you need to restart the service.

3 comments:

Unknown said...

In case of a farm with multiple Web Front Ends and Application Servers, do you need to do this on each server?

Al said...

Yes: the health analyzer message will indicate what servers are triggering this warning. The rule is executed against each server in the farm hosting SharePoint.

Anonymous said...

Thank you for your post. It helped me!! Cheers