{"id":4445,"date":"2014-02-09T01:57:42","date_gmt":"2014-02-09T09:57:42","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=4445"},"modified":"2018-11-28T14:08:54","modified_gmt":"2018-11-28T21:08:54","slug":"managing-passwords-for-service-accounts-in-sharepoint-sql-server","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/managing-passwords-for-service-accounts-in-sharepoint-sql-server\/","title":{"rendered":"Managing Passwords for Service Accounts in SharePoint & SQL Server"},"content":{"rendered":"

Managing service accounts on Windows servers have been a challenge for most organizations for quite some time. In recent years, Microsoft has made several enhancements to minimize the pain. In Windows Servers 2008 R2 Microsoft introduced the<\/span> Managed Service Accounts<\/a>, which are by default created in the Managed Service Accounts organizational unit (OU) in the Directory Services but you can create them in any OU you want.<\/span><\/p>\n

Managed Accounts in Windows Server 2008\/2012<\/span><\/strong><\/p>\n

The Managed Account in Windows Server gives you, among other things, the ability to automatically update Microsoft Exchange, Microsoft SQL Server, and Internet Information Services (IIS) passwords. However, you do not want to use them with SharePoint Servers. I am only mentioning this here so you have a better understanding of what they are and what they do. You can use them for non-SharePoint services. The<\/span> Service Accounts Step-by-Step Guide<\/a> describes how to setup these Managed Service Accounts in Windows Server 2008 R2 and Windows 7. You just need to make sure that you apply the hot fix KB 2494158<\/span> \u201cManaged service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2″<\/a> to the computer where the managed service account exists.<\/span><\/p>\n

As I stated earlier, you do not want to use the Windows Server managed accounts with SharePoint Server because they are not compatible. In fact, Microsoft has a warning in this article<\/a>.
\n<\/span><\/p>\n

WARNING!<\/span><\/strong>
\n<\/span><\/p>\n

“Windows Server 2008 R2 and Windows Server 2012 include managed accounts at the operating system level. Do not use Windows Server 2008 R2 and Windows Server 2012 managed accounts. They are incompatible with SharePoint 2013 managed accounts.”<\/span><\/p><\/blockquote>\n

Managed Account in SharePoint Server 2010\/2013<\/strong><\/span><\/p>\n

Now that you know about the Managed Accounts in Windows Server, let’s focus on the Managed Accounts in SharePoint Server. I gathered the information in this article from several Microsoft documents. Some of my tests failed when I used the steps described in Microsoft’s documentation but that may be due to the configuration of my SharePoint test\/training environment, which runs everything on one server (SharePoint, SQL, Active Directory, etc.). After making some adjustments, I finally got the passwords changed successfully and that’s exactly what I am documenting in this article.<\/span><\/p>\n

I have listed the resources I used at the end of this article. I want to give special credit to a couple of authors because I used the information in their posts as the basis of this article. One of them is an author on the TechNet Blogs that goes by the alias smearp and writes\u00a0The Sean Blog<\/a>. Another great resource for this article was the blog post on MSDN by Charlie Chirapuntu.
\n<\/span><\/p>\n

NOTE<\/span>: You must be logged in with an account that has the Administrator privileges (either SharePoint Farm or SQL Server Administrator) to perform the steps described in this article.<\/span><\/p>\n

Conflicting Information<\/strong><\/span><\/p>\n

There is some conflicting information in Microsoft’s documentation. According to the<\/span> Managed Service Account FAQs<\/a> on TechNet, SQL Server cannot use Managed Service Accounts. Only Exchange, IIS, and Active Directory Lightweight Directory Services (AD\u00a0LDS) can use Managed Service Accounts. However, the article<\/span> Introducing Managed Service Accounts<\/a> clearly states that SQL Server can take advantage of the Managed Service Accounts.<\/span><\/p>\n

Managed Accounts<\/span><\/strong><\/p>\n

In SharePoint Server 2010 Microsoft introduced Managed Accounts that allow you to map service accounts. For example, you can create and delete service accounts and you can manage account passwords. You may be wondering, what happens if you delete a service account in SharePoint’s Managed Accounts section. Is it automatically removed from Active Directory? The answer is no. Deleting a service account in SharePoint’s Managed Accounts doesn’t delete it from Active Directory, it simply removes it from the Managed Accounts area so you cannot manage it in SharePoint. As a best practice you always want to use Active Directory domain accounts as your service accounts and enter them in SharePoint in the format domain\\service_account<\/em>. You can manage any of the following service accounts in SharePoint Managed Accounts:<\/span><\/p>\n

1. Farm Account<\/span>
\n 2. Service Application Pools<\/span>
\n 3. Web Applications<\/span>
\n 4. Windows Services used by SharePoint<\/span><\/p>\n

These can be configured under Central Administration -> Security -> General Security -> Configure service accounts. The Credential Management screen on my test server looks like this.<\/span><\/p>\n

\"\"<\/a><\/p>\n

Here is a more detailed list in alphabetic order of all the Managed Accounts in SharePoint Server 2010. The Farm account is intentionally left out of this list, even though technically it is a Managed Account, because it is best to handle its password in a different way, as explained in the section Changing Password for SharePoint Farm Service Account<\/em>.<\/span><\/p>\n