Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Managing Passwords for Service Accounts in SharePoint & SQL Server


Managing service accounts on Windows servers has been a challenge for most organizations for quite some time. In recent years, Microsoft has made several enhancements to reduce the pain. In Windows Server 2008 R2 Microsoft introduced Managed Service Accounts, which by default are created in the Managed Service Accounts container in Active Directory, although you can create them in any OU you want.

Managed Accounts in Windows Server 2008/2012

Managed Service Accounts in Windows Server give you, among other things, the ability to automatically update the passwords used by Microsoft Exchange, Microsoft SQL Server, and Internet Information Services (IIS). However, you do not want to use them with SharePoint Server. I only mention them here so you have a better understanding of what they are and what they do; you can use them for non-SharePoint services. The Service Accounts Step-by-Step Guide describes how to set up Managed Service Accounts in Windows Server 2008 R2 and Windows 7. Just make sure that you apply hotfix KB 2494158, "Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2", to the computer on which the managed service account is installed.

As I stated earlier, you do not want to use the Windows Server managed accounts with SharePoint Server because they are not compatible with SharePoint's own managed accounts. In fact, Microsoft has a warning in its SharePoint 2013 documentation:

WARNING!

“Windows Server 2008 R2 and Windows Server 2012 include managed accounts at the operating system level. Do not use Windows Server 2008 R2 and Windows Server 2012 managed accounts. They are incompatible with SharePoint 2013 managed accounts.”

Managed Account in SharePoint Server 2010/2013

Now that you know about the Managed Accounts in Windows Server, let’s focus on the Managed Accounts in SharePoint Server. I gathered the information in this article from several Microsoft documents. Some of my tests failed when I used the steps described in Microsoft’s documentation but that may be due to the configuration of my SharePoint test/training environment, which runs everything on one server (SharePoint, SQL, Active Directory, etc.). After making some adjustments, I finally got the passwords changed successfully and that’s exactly what I am documenting in this article.

I have listed the resources I used at the end of this article. I want to give special credit to a couple of authors because I used the information in their posts as the basis of this article. One of them is an author on the TechNet Blogs that goes by the alias smearp and writes The Sean Blog. Another great resource for this article was the blog post on MSDN by Charlie Chirapuntu.

NOTE: You must be logged in with an account that has administrator privileges (SharePoint Farm Administrator or SQL Server administrator, depending on the step) to perform the steps described in this article.

Conflicting Information

There is some conflicting information in Microsoft's documentation. According to the Managed Service Account FAQs on TechNet, SQL Server cannot use Managed Service Accounts; only Exchange, IIS, and Active Directory Lightweight Directory Services (AD LDS) can. However, the article Introducing Managed Service Accounts clearly states that SQL Server can take advantage of Managed Service Accounts. In practice the answer depends on the SQL Server version you are running, so check the "Configure Windows Service Accounts and Permissions" topic for your version before you rely on either statement.

Managed Accounts

In SharePoint Server 2010 Microsoft introduced Managed Accounts, which let SharePoint store the credentials of the service accounts it uses and map them to the application pools and services that run as those accounts. For example, you can register and remove service accounts, and you can manage their passwords. You may be wondering what happens if you delete a service account in SharePoint's Managed Accounts section: is it automatically removed from Active Directory? The answer is no. Deleting a service account in SharePoint's Managed Accounts doesn't delete it from Active Directory; it simply removes it from the Managed Accounts area so you can no longer manage it in SharePoint. As a best practice, always use Active Directory domain accounts as your service accounts and enter them in SharePoint in the format domain\service_account. You can manage any of the following service accounts in SharePoint Managed Accounts:

1. Farm Account
2. Service Application Pools
3. Web Applications
4. Windows Services used by SharePoint

These can be configured under Central Administration -> Security -> General Security -> Configure service accounts. The Credential Management screen on my test server looks like this.

Here is a more detailed list in alphabetic order of all the Managed Accounts in SharePoint Server 2010. The Farm account is intentionally left out of this list, even though technically it is a Managed Account, because it is best to handle its password in a different way, as explained in the section Changing Password for SharePoint Farm Service Account.

  • BDC service account
  • Excel PowerPivot service account
  • Excel services account (but not the Excel unattended execution account)
  • Managed metadata service account
  • PerformancePoint service account (but not the PerformancePoint unattended execution account)
  • PowerPoint service account
  • Secure store service account
  • SharePoint foundation search service account (but not the content access account)
  • SharePoint search service account(s) (but not the content access account(s))
  • User profile service account (but not the user profile synchronization connection or the user profile synchronization service accounts)
  • Visio service account (but not the Visio unattended execution account)
  • Web Analytics service account
  • Web application pool service account(s)
  • Word viewing service account

WARNING! SharePoint automatically configures and maps these accounts, and in most cases if you have to map an account manually you may not have followed best practices when you installed SharePoint. Also, be very cautious when you change a mapping manually. If you don't know exactly what you are doing you may end up crashing your entire farm. Don't make a change just because a Microsoft article recommends it. Make sure you completely understand the consequences and know how to reverse the procedure before making the change.

Configuring Automatic Password Change for Managed Accounts

You can configure these accounts under Managed Accounts so that their passwords are changed automatically at a set interval. You won't know what the password is going to be, and frankly you don't care, because you never log in to your servers interactively with a service account. Here are the steps for configuring automatic password change for SharePoint service accounts.

  1. Go to Central Administration -> Security -> General Security -> Configure managed accounts.
  2. Edit the account that needs to be configured for automatic password change.
  3. Check the box Enable automatic password change. You can also enable the email notification and set the time schedule for the password change. Otherwise, just accept the default values.

NOTE: When you use this option, the rotation of the service account's password is driven by SharePoint, not by the Active Directory password policy, even though the account is a domain account: SharePoint generates a strong random password, sets it in Active Directory, and repeats this on the schedule you specified.
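The same configuration can be done from the SharePoint 2010 Management Shell, which is handy when you have many managed accounts. This is an added example, not code from the original post; the account name and the schedule string are assumptions you should replace with your own.

```powershell
# Added example (not from the original post): turn on SharePoint-driven automatic password
# change for an existing managed account and read the settings back to verify them.
# Assumptions: run in the SharePoint 2010 Management Shell as a farm administrator;
# 'SeattlePro1\SP_Service' is a placeholder for a managed account that already exists under
# Central Administration -> Security -> Configure managed accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'SeattlePro1\SP_Service'   # assumed managed account

# -AutoGeneratePassword: SharePoint generates the new password itself (nobody needs to know it).
# -Schedule: when the change runs; format is "monthly between <day> <time> and <day> <time>"
#            or "daily between <time> and <time>". Pick a window outside crawl/backup jobs.
# -EmailNotification: days before the change that farm administrators are mailed.
Set-SPManagedAccount -Identity $accountName `
    -AutoGeneratePassword `
    -Schedule 'monthly between 1 02:00:00 and 1 03:00:00' `
    -EmailNotification 5 `
    -Confirm:$false

# Verify: AutomaticChange must be True and a schedule and expiration date must be populated.
Get-SPManagedAccount -Identity $accountName |
    Select-Object Username, AutomaticChange, ChangeSchedule, PasswordExpiration, DaysBeforeChangeToEmail
```

Because the change is performed by the farm's timer service, the farm account must be allowed to change the password of the managed account in Active Directory; if the verification shows AutomaticChange as True but a later scheduled change fails, that permission is the first thing to check.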

Manually Changing the Password for Managed Accounts

  1. Go to Central Administration -> Security -> General Security -> Configure managed accounts.
  2. Edit the account that needs to be configured for manual password change (e.g. SP_Service).
  3. Read the section Dealing with Password Policy Error later in this article before deciding which option to use. If you have already changed the password in Active Directory and are now changing it manually in SharePoint, check the box Change password now and then select the option Use existing password.
  4. Enter the password that you used in Active Directory for the account.
  5. Click OK.

Changing Password for SharePoint Farm Service Account

The Farm account is a domain account that is used to run the SharePoint farm. It is one of the most important accounts in SharePoint and has the highest level of privileges. Although you can configure this account to change its password automatically, because it is a Managed Account, Microsoft recommends that you use the stsadm command-line tool, run from the SharePoint Management Shell, to change the password for the Farm account. Here are the instructions.

  1. Change the password for the Farm account in Active Directory.
  2. Login to the SharePoint Server 2010 running the Central Administration site.
  3. Start the SharePoint Management Shell as administrator.
  4. Execute the following command. Replace DomainName\UserName with the Farm account (the account whose password you changed in Active Directory) and NewPassword with the password you set in step 1 above. Note that the password is passed in clear text on the command line, so it is visible in the shell's command history and to anyone who can list process command lines while the command runs.
    stsadm -o updatefarmcredentials -userlogin DomainName\UserName -password NewPassword
    e.g. stsadm -o updatefarmcredentials -userlogin SeattlePro1\sp_farm -password P@ssw0rd
  5. You must repeat the steps 2 to 4 on all the SharePoint servers in your environment.
  6. By default the Farm account is also used as the User Profile Synchronization (UPS) service account. Although the Farm account is a Managed Account and the UPS service account is an Unmanaged Account, you still need to update the password for the UPS service as described later in this article in the section titled User Profile Synchronization Service Account.

Best Practice: As mentioned earlier, it is possible to change the Farm account's password automatically because it is a Managed Account. However, Microsoft recommends that you use the command line to change its password, because it seems to work better.

Unmanaged Accounts

There are some accounts whose passwords should not be managed through SharePoint Managed Accounts. Therefore, passwords for these accounts must be changed manually. Because these accounts require manual password change you should first change the password for these accounts in Active Directory and then manually change it in SharePoint as described below.

Step 1- Change Password in Active Directory

  1. Go to Active Directory Users and Computers on your Windows Server.
  2. Go to the Organizational Unit (OU) where the service accounts are located (for example a dedicated service accounts OU; the Managed Service Accounts container is where Windows keeps its own Managed Service Accounts).
  3. Right click the service account and select Reset Password.
  4. Enter and confirm the new password and then click OK.
  5. Make a note of the password because you will need it in Step 2.

Step 2 – Change Password in SharePoint

  1. Go to Central Administration -> Security -> General Security -> Configure managed accounts.
  2. Edit the account that needs to be configured for manual password change.
  3. In the Credential Management section, check the box Change password now and select the option Set account password to new value.
  4. Enter and confirm the new password. Make sure you use the same password that you entered in Active Directory.
  5. Click OK at the bottom of the page to change the password. The change will take place immediately.

Dealing With Password Policy Error

This is where things get a bit tricky. If you don't have a password policy configured in Active Directory that requires a minimum password age, then you are fine. However, for security reasons a lot of organizations configure the Minimum password age setting, which works together with the Enforce password history setting to make sure that a user cannot change the password too frequently. For example, if a company has not configured a value for Minimum password age (i.e. it is set to zero) but still requires users to change their password after a certain period (e.g. 90 days), then a user whose password is supernova can change the password in quick succession to supernova1, supernova2, supernova3, supernova4, supernova5 and then back to supernova again, cycling through the password history and defeating the policy. That is why a lot of organizations configure a Minimum password age (e.g. 7 days): users must wait that number of days before they can change their password again. The catch is that the age limit applies to password changes made by the account itself, not to an administrative reset such as the one you performed in Active Directory Users and Computers. When you have a Minimum password age configured in Active Directory (which is quite common) and you change the password for the service account in SharePoint using the option Change password now with Set account password to new value, as described in step 3 above, SharePoint changes the password in Active Directory as that account, so the age limit applies and you may receive the following error:

Error: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.


The easiest way to deal with this issue is to use the Change password now option but, instead of Set account password to new value, select the option Use existing password, as shown below. SharePoint then records the password you already reset in Active Directory instead of changing it a second time, so there is no conflict with the password policy enforced by Active Directory group policy.
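Here is the whole procedure from Step 1 (reset in Active Directory) through Step 2 (tell SharePoint the password), done from the command line in a way that sidesteps the policy error above. It is an added example, not code from the original post, and it also covers the manual-change steps in the earlier section Manually Changing the Password for Managed Accounts. The domain and account names are assumptions.

```powershell
# Added example (not from the original post): reset a service account's password in Active
# Directory with an administrative reset, then hand that same password to SharePoint with
# "Use existing password". SharePoint does not change the password again, so the
# Minimum password age policy is never consulted and the policy error cannot occur.
# Assumptions: run in the SharePoint 2010 Management Shell on a server that also has the
# ActiveDirectory module (RSAT) installed, as a farm administrator who may reset the account;
# 'SeattlePro1' and 'SP_Service' are placeholders.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain     = 'SeattlePro1'   # assumed NetBIOS domain name
$samAccount = 'SP_Service'    # assumed service account
$login      = "$domain\$samAccount"

# The password is read once as a SecureString and reused for both steps, so the value you
# give Active Directory is guaranteed to be the value SharePoint records.
$newPassword = Read-Host -AsSecureString -Prompt "New password for $login"

# Step 1: administrative reset in AD. A reset by an administrator is not subject to the
# Minimum password age policy (a change performed by the account itself is).
Set-ADAccountPassword -Identity $samAccount -Reset -NewPassword $newPassword

# Step 2: the "Change password now" + "Use existing password" option from the UI.
Set-SPManagedAccount -Identity $login `
    -ExistingPassword $newPassword -UseExistingPassword -Confirm:$false

# Verify that the credential is accepted by the domain and that SharePoint still knows the account.
$check = Get-ADUser -Identity $samAccount -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
Get-SPManagedAccount -Identity $login | Select-Object Username, AutomaticChange
$check
```

If you prefer SharePoint to set the new value itself (the Set account password to new value option, which is `-SetNewPassword -NewPassword ... -ConfirmPassword ...` on the same cmdlet), skip the Set-ADAccountPassword line; that is the variant that can fail with the password policy error when a minimum password age is enforced.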

How to Manually Change Passwords for Unmanaged Accounts

Here are the guidelines for Unmanaged Accounts (i.e. accounts that cannot be mapped in Managed Accounts and require that their passwords be changed manually).

1. SQL Server service

The account you use for the SQL Server service (e.g. SQL_Service) is the account specified during SQL Server installation, and it is the service account used to run the MSSQLSERVER and SQLSERVERAGENT services. If you are not using the default SQL Server instance, these services are shown in the Windows Services console as:

MSSQL$InstanceName
SQLAgent$InstanceName

The password for the SQL Server service account must be changed manually, using SQL Server Configuration Manager as described in the article SQL Server Configuration Manager. Here is Microsoft's warning regarding the SQL Server service account:

“Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as setting permissions in the Windows Registry so that the new account can read the SQL Server settings. Other tools such as the Windows Services Control Manager can change the account name but do not change associated settings. If the service cannot access the SQL Server portion of the registry the service may not start properly.”

As the above warning points out, you should not use the Services Console (services.msc) to change the SQL Server or SQL Server Agent Services account name or account password. Instead, use the SQL Server Configuration Manager as described below.

WARNING! Do not follow Microsoft’s instructions in the TechNet article Change passwords for SQL Server services (SharePoint Server 2010). Use the instructions documented below.

Follow the instructions below and use the SQL Server Configuration Manager to change the password. For the purpose of this documentation, I will assume that you are running SQL Server 2008 R2.

  1. Change the password for the SQL Server service account in Active Directory Users and Computers.
  2. Click Start, All Programs, Microsoft SQL Server 2008 R2, Configuration Tools and then click SQL Server Configuration Manager.
  3. In SQL Server Configuration Manager, click SQL Server Services.
  4. Stop the SQL Server (MSSQLSERVER).
  5. In the details pane, right-click SQL Server (MSSQLSERVER), or whatever the name of your SQL instance is, and then click Properties. The default name of the instance is MSSQLSERVER.
  6. In the SQL Server (MSSQLSERVER) Properties dialog box, on the Log On tab, for the account listed in the Account Name box, type the new password and then confirm it. The following screenshot is from a test environment where the service runs under the Administrator account. In a production environment you should not run the SQL Server service as the Administrator account.
  7. Click OK.
  8. Restart the SQL Server service.
  9. The password change takes effect immediately. There is no need to reboot the SQL Server.
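The same change can be scripted without touching services.msc or Set-Service, which is the point of Microsoft's warning above: SQL Server Configuration Manager is a front end for the SQL Server WMI provider, and that provider is what fixes up the registry permissions. The script below is an added example, not code from the original post; it assumes SQL Server 2008 R2 SMO is installed on the SQL host, that it runs elevated on that host, and that the password has already been reset in Active Directory. $instanceName is a hypothetical parameter.

```powershell
# Added example (not from the original post): change the password of the account running the
# SQL Server and SQL Server Agent services through the SMO WMI provider (the same provider
# SQL Server Configuration Manager uses), then restart the services in dependency order.
# Assumptions: elevated PowerShell on the SQL Server 2008 R2 host with SMO installed; the new
# password is already set in Active Directory; $instanceName is a hypothetical parameter.
param([string]$instanceName = 'MSSQLSERVER')   # 'MSSQLSERVER' is the default instance

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$computer = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer

# Windows service names differ between the default and a named instance (see above).
if ($instanceName -eq 'MSSQLSERVER') {
    $engineName = 'MSSQLSERVER';          $agentName = 'SQLSERVERAGENT'
} else {
    $engineName = "MSSQL`$$instanceName"; $agentName = "SQLAgent`$$instanceName"
}
$engine = $computer.Services[$engineName]
$agent  = $computer.Services[$agentName]
if ($engine -eq $null) { throw "Service $engineName not found on this host" }

function Wait-ServiceState($svc, $state) {
    # Poll until the service reaches the requested state ('Running' or 'Stopped').
    do { Start-Sleep -Seconds 2; $svc.Refresh() } until ($svc.ServiceState -eq $state)
}

$secure = Read-Host -AsSecureString -Prompt "New password for $($engine.ServiceAccount)"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # Stop the Agent first (it depends on the engine), then the engine.
    foreach ($svc in @($agent, $engine)) {
        if ($svc -ne $null -and $svc.ServiceState -eq 'Running') {
            $svc.Stop(); Wait-ServiceState $svc 'Stopped'
        }
    }

    # Keep the account name, supply only the new password: the equivalent of the Log On tab.
    # Unlike Set-Service/services.msc, this path also updates the registry ACLs the service needs.
    foreach ($svc in @($engine, $agent)) {
        if ($svc -ne $null) { $svc.SetServiceAccount($svc.ServiceAccount, $plain) }
    }

    # Start the engine, then the Agent, so both log on with the new password.
    foreach ($svc in @($engine, $agent)) {
        if ($svc -ne $null -and $svc.StartMode -ne 'Disabled') {
            $svc.Start(); Wait-ServiceState $svc 'Running'
        }
    }
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the unmanaged plain-text copy
}
```

If the engine comes back but the Agent does not, the Agent is usually running under a different account than the engine; run the script again with only the Agent in the lists or change that account's password separately.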

SQL Server Agent Service

If you need to change the password for the SQL Server Agent service account, follow the above instructions, except that in steps 4 to 6 select SQL Server Agent (MSSQLSERVER) instead of SQL Server (MSSQLSERVER). Keep in mind that stopping the SQL Server service also stops the SQL Server Agent service, which depends on it.

SQL Server Reporting Services

To change the password for SQL Server Reporting Services account, use the Reporting Services Configuration Manager utility. In the left hand pane, click Service Account and change the password.

2. SharePoint Server (or SharePoint Foundation) Search Default Content Access Account and Content Access Accounts Defined in the Crawl Rules

Any content access account used with SharePoint Search crawl rules should have its password managed manually. In other words, do not use SharePoint’s Managed Account to manage the password for these accounts.

NOTE: In some environments, the Search service account may be the same as the Default Content Access Account. In that case use the following instructions and treat the account as an Unmanaged Account even though it exists in the Managed Accounts in SharePoint.

Follow these instructions to manually change the password for SharePoint Search Default Content Access Account.

  1. Make sure you have changed the password of the content access account in Active Directory. If you haven't, change it now.
  2. Login to the SharePoint Server 2010 with an account that has administrator privileges for the Search service application for which you want to change the default content access account.
  3. Go to Central Administration -> Application Management -> Manage service applications.
  4. On the Manage Service Applications page click the Search service application for which you want to change the default content access account.
  5. On the Search Service Application: Search Administration page, in the System Status section, locate the default content access account, as shown below.
  6. Click the default content access account name. The Default Content Access Account dialog box appears.
  7. Type the new password and confirm it, then click OK.

NOTE: The above procedure only changes the password for the Default Content Access Account. If you are using a different account in a crawl rule and want to change the password for that account, you need to edit the crawl rule.
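Both halves of that note can be handled from the SharePoint Management Shell, and doing so makes it hard to forget a crawl rule. This is an added example, not code from the original post; the Search service application name and the account name are assumptions.

```powershell
# Added example (not from the original post): after the crawl account's password has been
# reset in Active Directory, update (a) the Search service application's default content
# access account and (b) every crawl rule that carries its own copy of that account's
# credentials. Assumptions: SharePoint 2010 Management Shell, farm administrator with
# rights on the Search service application; 'Search Service Application' and
# 'SeattlePro1\SP_Crawl' are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssaName   = 'Search Service Application'   # assumed name of the Search service application
$crawlAcct = 'SeattlePro1\SP_Crawl'         # assumed content access account
$password  = Read-Host -AsSecureString -Prompt "New password for $crawlAcct"

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity $ssaName

# (a) Default content access account: name and password must be supplied together.
Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
    -DefaultContentAccessAccountName $crawlAcct `
    -DefaultContentAccessAccountPassword $password

# (b) Crawl rules with explicit credentials are independent of the default account and are
#     not touched by the call above, so update every rule that uses this account.
$rules = Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa |
    Where-Object { $_.AccountName -eq $crawlAcct }
foreach ($rule in $rules) {
    Set-SPEnterpriseSearchCrawlRule -Identity $rule -SearchApplication $ssa `
        -AccountName $crawlAcct -AccountPassword $password
    Write-Host "Updated crawl rule $($rule.Path)"
}

# Verify: the default gathering account should be the one set above.
(Get-SPEnterpriseSearchServiceApplication -Identity $ssaName).DefaultGatheringAccount
```

A full crawl is not required after the change, but the next crawl will surface "access denied" errors in the crawl log for any content source whose rule was missed, which is a quick way to confirm nothing was overlooked.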

3. Account Used for External Data Source

Password for account used for external data source must be changed manually. Any credentials that are used to access external data sources and are stored in the Secure Store service application should not be managed in Managed Account in SharePoint. For information on how to deal with these accounts check out this Microsoft article Configure the Secure Store Service (SharePoint Server 2010).

4. User Profile Synchronization Service Account

Follow these instructions to manually change the password for User Profile Synchronization Service account.

  1. According to Microsoft's blog post on MSDN, the User Profile Synchronization Service stops once the password of its account has been changed, and you need to restart the service. In my tests, the UPS service never stopped; I was able to change the password in Active Directory and then successfully use the new password in the UPS Connection Account to populate the containers, as described in the next section.
  2. If your User Profile Synchronization Service has stopped then you need to start the service by going to Central Administration -> System Settings -> Manage services on server.
  3. After you click Start, enter the new password for the UPS service account and then confirm it.
  4. Click OK.
  5. It may take a while for the service to be started so be patient. You have to keep refreshing the screen manually because it won’t refresh automatically.

5. User Profile Synchronization Connection Account

Follow these instructions to manually change the password for User Profile Synchronization Connection account.

  1. Go to Central Administration -> Application Management -> Manage service applications.
  2. Open your User Profile Service Application.
  3. In the Synchronization section, click Configure Synchronization Connections. If the UPS service has stopped, you won’t see anything in the list of connections and you will have to start the UPS service before you can perform this step.
  4. Use the drop-down button next to your connection and select Edit. If the UPS service is currently synchronizing you won’t be able to edit the list and you should let the synchronization finish before you edit the connection.
  5. In the Connections Settings, enter the new password and confirm it, then click Populate.
  6. If the password change didn’t work then you will get the following error.
    The supplied credential is invalid.
  7. If your password change worked then the accounts will be populated and you will see the Active Directory containers. The accounts that you had selected in the past should already be selected so all you have to do is click OK to start the synchronization process.
  8. Your changes will be processed and you will be back at the Synchronization Connections screen. Go back to the User Profile Service Application screen (step 1 & 2 above).
  9. To test your profile synchronization, create a new test account and run the synchronization process so that you can verify that the password change has been successful.
  10. Make a note of the number of profiles on the right hand side. After your test the number should change.
  11. Create the test account in Active Directory and then click Start Profile Synchronization in the Synchronization section. You can use the option Start Incremental Synchronization.
  12. The synchronization will take some time so be patient and keep refreshing your screen manually (use F5).
  13. Delete the test account after the synchronization has completed successfully.

6. Unattended Execution Accounts (Excel, Visio)

If you have configured these unattended execution accounts then you need to go to the Secure Store service application because that’s where these accounts are stored.

Follow these instructions to manually change the password for unattended execution accounts.

  1. Go to Central Administration -> Application Management -> Manage service applications.
  2. Open the Secure Store Service application.
  3. Use the drop-down next to the target application that the unattended execution account is mapped to (e.g. the one configured for Excel Services) and click Set Credentials.
  4. Provide the service account name and the new password.
  5. You will need to repeat these steps for unattended execution account for Visio if necessary.
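The Set Credentials step has a PowerShell equivalent that is useful when the same Secure Store target application backs several unattended accounts, and it applies equally to the external data source credentials discussed in section 3, since those live in the same place. This is an added example, not code from the original post; the site URL, target application ID and account name are assumptions.

```powershell
# Added example (not from the original post): replace the credentials stored in a Secure Store
# target application, e.g. the one used as the Excel Services or Visio unattended service
# account, after the account's password has been reset in Active Directory.
# Assumptions: SharePoint 2010 Management Shell as a Secure Store administrator; the target
# application is of the Group type with exactly two fields defined in the order
# Windows User Name, Windows Password; 'http://sharepoint', 'ExcelUnattended' and
# 'SeattlePro1\SP_ExcelUnattended' are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'http://sharepoint'                 # assumed: any site served by the Secure Store proxy
$targetApp = 'ExcelUnattended'                   # assumed: target application ID Excel Services points at
$account   = 'SeattlePro1\SP_ExcelUnattended'    # assumed unattended account
$password  = Read-Host -AsSecureString -Prompt "New password for $account"

$ctx = Get-SPServiceContext -Site $siteUrl
$app = Get-SPSecureStoreApplication -ServiceContext $ctx -Name $targetApp

# Every field value is passed as a SecureString, in the order the fields were defined.
# Getting the order wrong stores the user name as the password and vice versa, and the
# only symptom is a logon failure in the Excel Services log, so check the field list first.
$app.Fields | Select-Object Name, Type

$userName = ConvertTo-SecureString -String $account -AsPlainText -Force
Update-SPSecureStoreGroupCredentialMapping -Identity $app -ServiceContext $ctx `
    -Values @($userName, $password)
```

For a target application of the Individual type, Update-SPSecureStoreCredentialMapping with a -Principal parameter is the corresponding cmdlet; the field-order caveat is the same.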

7. PerformancePoint Unattended Service Account

  1. Go to Central Administration -> Application Management -> Manage service applications.
  2. Open the PerformancePoint Service Application.
  3. Click PerformancePoint Service Settings on the Manage PerformancePoint Services page.
  4. Enter the new password for the account in the Unattended Service Account section and then click OK.

8. Object Cache Super User and Object Cache Reader Accounts

There is no need to do anything in SharePoint for these accounts. SharePoint stores only the account names for the object cache user accounts (in the web application's properties and user policies), never their passwords, so all you have to do is change the passwords for these accounts in Active Directory. That's it.


Copyright ©2014 Zubair Alexander. All rights reserved.


2 Comments

  1. Hi Zubair,

    Great post… In our case we are using same service accounts in our content farm and shared services farm (search, UPA etc.). Can you suggest best way of changing password in these situations please.

    Many thanks in advance.
