Friday, April 24, 2015

SharePoint 2013: how to change a web application pool identity

This posting explores how to change a web application pool identity using PowerShell methods.  It assumes that both the current and target identities are configured as managed accounts (this makes things much simpler).  You'll start out by first reviewing the current identity of the web application.  Next, you'll execute a few very simple scripts that change the application pool configuration to the target managed account. All references used in this posting are listed below.

  1. Review existing web application pool identity
    1. Log into a SharePoint 2013 server using the SharePoint Setup User Administrator account (eg, spAdmin). This is the same account that you (should have) used to perform the initial farm installation and configuration.
      This is important in that the changes you will be making will be to the farm configuration database; and, by default, only this account has the privileges necessary to make such changes.
    2. Launch an elevated SharePoint Management shell.
    3. Execute the following command, making appropriate revisions:
      $wa=Get-SPWebApplication "[YourSiteURL]"
      $wa.ApplicationPool
      This lists out all the pertinent information concerning the web application pool's identity. A useful command to remember for future reference.
  2. Implement the change
    1. Now, using the same management shell, execute the next few commands to make the change to the identity:
      $ma=Get-SPManagedAccount -Identity "[target managed account]"
      $wa.ApplicationPool.ManagedAccount=$ma
      $wa.ApplicationPool.Update()
      $wa.ApplicationPool.Deploy()
      The change will be implemented immediately.
  3. Verify the change
    1. Log into one of the farm WFEs hosting the web application - use any administrator account.
    2. Launch IIS Manager.
    3. In the Connections tree, expand Application Pools.
      If you still see the original identity, press F5 to refresh - no need to recycle the application pool or perform an IIS reset.
  • Executing the first three lines in step 2.1), above, updates the farm configuration database, but does not update the identity among the application pools on the web front ends.  You can verify this by stopping after executing the Update() method, and then going to IIS on one of the WFEs and looking at the application pool identities listed there.  So, to get the update pushed out to the WFEs, you must execute the Deploy() method of the ApplicationPool property.
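The whole procedure above (review, change, deploy, verify) as one script. This is an added example, not code from the original post; it assumes an elevated SharePoint Management Shell, that the target is already a managed account, that the WebAdministration module is available for the local IIS check, and that the IIS pool name matches the SPApplicationPool name. The function name, the URL and the account name are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated SharePoint
# Management Shell as the Setup User Administrator account. URL and account
# names are placeholders to replace.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-WebAppPoolIdentity {
    param(
        [Parameter(Mandatory=$true)] [string] $WebAppUrl,     # e.g. "https://intranet.contoso.local"
        [Parameter(Mandatory=$true)] [string] $TargetAccount  # e.g. "CONTOSO\spWebApp"
    )

    $wa   = Get-SPWebApplication $WebAppUrl -ErrorAction Stop
    $pool = $wa.ApplicationPool

    # The target must already be registered as a managed account, or the
    # assignment below cannot work; -ErrorAction Stop turns a miss into a throw.
    $ma = Get-SPManagedAccount -Identity $TargetAccount -ErrorAction Stop

    # Guard against the "property 'ManagedAccount' cannot be found" symptom from
    # the comments: it means $pool is not an SPApplicationPool (typo'd variable).
    if (-not ($pool | Get-Member -Name ManagedAccount -ErrorAction SilentlyContinue)) {
        throw "Object of type $($pool.GetType().FullName) has no ManagedAccount property."
    }

    $before = $pool.Username
    if ($before -eq $ma.Username) {
        Write-Host "Pool '$($pool.Name)' already runs as $before; nothing to do."
        return
    }

    Write-Host "Pool '$($pool.Name)': $before -> $($ma.Username)"
    $pool.ManagedAccount = $ma
    $pool.Update()   # records the change in the farm configuration database only
    $pool.Deploy()   # pushes the new identity to the IIS application pools on every WFE

    # Re-read from the configuration database to confirm the farm-level change.
    $after = (Get-SPWebApplication $WebAppUrl).ApplicationPool.Username
    Write-Host "Farm configuration now reports: $after"

    # Local IIS check on this server (assumes the WebAdministration module and that
    # the IIS pool name matches $pool.Name, as it does for SharePoint-created pools).
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $iisPool = Get-Item "IIS:\AppPools\$($pool.Name)" -ErrorAction SilentlyContinue
    if ($iisPool) {
        Write-Host "Local IIS application pool identity: $($iisPool.processModel.userName)"
    }
}

Set-WebAppPoolIdentity -WebAppUrl "[YourSiteURL]" -TargetAccount "[target managed account]"
```

Run it on the server you are logged into; the final IIS check only reports the local pool, so other WFEs still need the IIS Manager check from step 3.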


Roby said...

Hi I get the error constantly.

The property 'ManagedAccount' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\testUser\Desktop\Web App Managed Account.ps1:10 char:1
+ $WebAppPool.ManagedAccount = $ma
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

Any Help would be appreciated

Al said...

Go to: Central Administration > Security > General Security > Configure Managed Accounts. Is the account generating this error listed?

Roby said...

Yes. The account is very much in there. I did create the managed accounts before hitting the powershell.
Had the same issue while trying to change search service application's service account too. Neither "ManagedAccount" nor "Username" property is being identified in powershell. Then I had to change the script to something else to make search service application's identity to be changed.
Now I am running into the same problem while trying to change the service account for web application.

Al said...

Run these:
$User=Get-SPUser -Identity "[serviceaccount in claims format]" -Web "[your web URL]"
$User | Get-Member
Is the ManagedAccount property listed?

Al said...

Also run this without any arguments:
Do you see your target account listed?

Roby said...

Hey Al,

That was great, I couldn't get help to see all properties. Get-Member function just saved me. Small silly thing just wastes a lot of time. Yes, "ManagedAccount" was not showing up as the property when initially tried on the variable. And target account was present too.
So it helped me figure out something is not setting the value on the variable and it was a typo on the variable name. Appreciate the help. I got it fixed.


Anonymous said...

Thank you so much. It really helped me out.