{"id":149,"date":"2017-01-24T23:09:20","date_gmt":"2017-01-24T23:09:20","guid":{"rendered":"http:\/\/zewwy.ca\/?p=149"},"modified":"2018-01-13T20:17:09","modified_gmt":"2018-01-13T20:17:09","slug":"sharepoint-2010-managed-service-accounts","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2017\/01\/24\/sharepoint-2010-managed-service-accounts\/","title":{"rendered":"SharePoint 2010 Managed Service Accounts"},"content":{"rendered":"<p>The reason for this blog post was due to a domain migration which involved a SharePoint 2010 server. These were the symptoms, and all the steps I took to resolve them.<\/p>\n<p>To start, ensure you have set a <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/25729.sharepoint-20102013-update-farm-credentials.aspx\">new farm admin account<\/a>.<\/p>\n<pre>E.G. stsadm -o updatefarmcredentials -userlogin domain\\farmadmin -password PASSWORD\r\nThis is of course under the SharePoint bin directory and won't be part of the server's default path.\r\nAll tasks moving forward will be done with this account (in my case the account has local admin rights as well as SharePoint farm admin permissions)\r\n<\/pre>\n<p>You might have come across an error such as this when working with SharePoint. Might have been from an admin removing a service account in AD, or in my case a whole domain change.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter\" src=\"http:\/\/4.bp.blogspot.com\/_0gM-pvb17tc\/TE2pde5nNUI\/AAAAAAAAAD8\/aNEaUNTuams\/s1600\/error.png\" alt=\"Image result for Error-Removing Managed Account\" \/><\/p>\n<p>If you&#8217;re new to SharePoint you might panic before thinking, simply Google the error, and come across <a href=\"https:\/\/sharepoint.stackexchange.com\/questions\/173837\/error-deleting-managed-account\">this<\/a>.<br \/>\nWhich sadly leads to a dead end. 
The reason this leads to a dead end while others have answers I&#8217;ll get to soon.<br \/>\nNext, the simple thing you&#8217;d figure is to do as it says: reconfigure the service to run under a different account. To your dismay you discover the Central Admin page to make this change gives you this!<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/i.imgur.com\/NmfTaoW.png\" \/><\/p>\n<p>You might be thinking you&#8217;re in a catch-22 here. But fret not: when in doubt, PowerShell. I love PowerShell and it only keeps getting better; in this case it&#8217;s our savior.<br \/>\nRemember when I stated that SharePoint link was a dead end? It was a dead end because there are different component types, 4 to be exact, and I&#8217;m gonna tell you how to fix them all! With Sources!<br \/>\nFirst up, the 4 different types!<\/p>\n<pre>1) Service Instance:\r\n\r\n\tCmdlet:\t\tGet-SPServiceInstance\r\n\r\n\tUse the cmdlet to list all SharePoint Service instances, mark the ID. Place the service instance into a variable.\r\n\r\n\tE.G.\t\t$WindowsTokenService=Get-SPServiceInstance -Identity ServiceGUID\r\n\r\n\tOnce you have the variable, it should have a bunch of subclasses. In this case .service.ProcessIdentity. You can see its attributes by typing:\r\n\r\n\tE.G.\t\t$WindowsTokenService.service.ProcessIdentity\r\n\r\n\tIt should display the service account used to run the service. 
Simply change it via\r\n\r\n\tE.G.\t\t$WindowsTokenService.service.ProcessIdentity.Username=\"Domain\\NewServiceAccount\"\r\n\r\n\t*NOTE* This account needs to already be registered as a service account in SharePoint, either via the Central Admin page or PowerShell.\r\n\tThen call the object's subclass update and deploy methods.\r\n\r\n\tE.G.\t\t$WindowsTokenService.service.ProcessIdentity.Update()\r\n\tE.G.\t\t$WindowsTokenService.service.ProcessIdentity.Deploy()\r\n\r\n\tThat's it for basic SharePoint Service Instances.\r\n\r\n2) Service Applications:\r\n\t\r\n\tCmdlet:\t\tSet-SPServiceApplicationPool\r\n\r\n\tThe funny part about SharePoint Service instances is there's no Set-type PowerShell cmdlet for it. Thus the cmdlet used was a Get cmdlet.\r\n\tThe funny part about Service Applications is not to use the ServiceApplication cmdlet, but rather the ServiceApplicationPool cmdlets.\r\n\r\n\tE.G.\t\tGet-SPServiceApplicationPool -Identity SecurityTokenServiceApplicationPool | Set-SPServiceApplicationPool -Account \"Domain\\NewServiceAccount\"\r\n\r\n\tDon't forget to do an IIS reset. Then, running the Get-SPServiceApplicationPool cmdlet, the service application should have a set ProcessAccountName.\r\n\r\n3) Content Applications:\r\n\r\n\tCmdlet:\t\t[Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplicationPools | ft Name\r\n\r\n\tYeah you read that right, there's no direct PowerShell cmdlet for this one. You got to go deep... real deep. Anyway, run the cmdlet to list all Content Applications.\r\n\tOnce you have determined the one you need to change the service account for, place it in a variable.\r\n\r\n\tE.G.\t\t$SPAppPool=[Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplicationPools | where {$_.Name -like \"My Content App Pool Name\"}\r\n\r\n\tCalling this variable will result in an output very similar to a Service Instance's Service.ProcessIdentity subclass. 
So you guessed it.\r\n\r\n\tE.G.\t\t$SPAppPool.Username=\"Domain\\NewServiceAccount\"\r\n\tE.G.\t\t$SPAppPool.Update()\r\n\tE.G.\t\t$SPAppPool.Deploy()\r\n\r\n4) Search Service:\r\n\r\n\tCmdlet:\t\tGet-SPEnterpriseSearchService\r\n\r\n\tYup, believe it, another Get cmdlet to make a change. Where are these Set counterparts, you may ask? Well, that's a good fucking question. We should ask Microsoft.\r\n\tAnyway, if this hasn't annoyed you enough already, chances are you haven't been a SharePoint admin for long, cause it's a rabbit hole. So to finish up here.\r\n\r\n\tE.G.\t\t$SSS=(Get-SPEnterpriseSearchService).get_ProcessIdentity()\r\n\tE.G.\t\t$SSS.Username=\"Domain\\NewServiceAccount\"\r\n\tE.G.\t\t$SSS.Update()\r\n\tE.G.\t\t$SSS.Deploy()\r\n\r\n<\/pre>\n<p>Sources:<br \/>\n<a href=\"http:\/\/blog.falchionconsulting.com\/index.php\/2010\/10\/service-accounts-and-managed-service-accounts-in-sharepoint-2010\/\">General SharePoint 2010 Managed Service Accounts<\/a><br \/>\n<a href=\"http:\/\/www.askaboutasp.net\/_-_128_How_to_replace_a_SharePoint_managed_account_using_PowerShell_3f.aspx\">Service Instances Source<\/a><br \/>\n<a href=\"http:\/\/morg.nl\/2011\/07\/changing-the-identity-for-a-sharepoint-2010-application-pool-2\/\">Service Application Source<\/a><br \/>\n<a href=\"https:\/\/stevemannspath.blogspot.ca\/2013\/06\/sharepoint-2013-listing-out-existing.html\">Content Application Source<\/a><br \/>\n<a>Search Service Source<\/a><\/p>\n<p>Once the Get-SPServiceAccounts shows all good on password expiry and no bad accounts exist, there should be no issues opening the Configure Managed Service Accounts section in the Central Administration page of SharePoint 2010.<br \/>\nHappy Configuring. 
\ud83d\ude42<\/p>\n<p>To Paraphrase:<\/p>\n<p>0) There is no way to paraphrase this.<br \/>\n1) Don&#8217;t break SharePoint.<br \/>\n2) Don&#8217;t break SharePoint.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The reason for this blog post was due to a domain migration which involved a SharePoint 2010 server. These were the symptoms, and all the steps I took to resolve them. To start ensure you have set a new farm admin account. E.G. stsadm -o updatefarmcredentials -userlogin domain\\farmadmin -password PASSWORD This is of course under &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2017\/01\/24\/sharepoint-2010-managed-service-accounts\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;SharePoint 2010 Managed Service Accounts&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[8,9],"tags":[],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-server-administration","category-sharepoint"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":4,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":
[{"id":154,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions\/154"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}