Just a refresher… Managing and Resetting Service Accounts and Passwords

I get this question a lot, and I thought I'd post the stuff you need here. It's also part of the core documentation…

 

 

Managing and Resetting Service Accounts and Passwords


Team Foundation Server includes several services and service accounts that run on either the server or servers hosting the logical Team Foundation data-tier, or the server hosting the logical Team Foundation application-tier, or both. Your actual services will vary. It depends on which features of Team Foundation you have installed on your data tier and application-tier servers. For example, if you have opted for a single-server setup, you will have both logical data-tier and application-tier services that run on the same physical server.

Although there are several service accounts used in Team Foundation Server, you can choose to use the same physical account for all of the service accounts. For example, you can use the same domain account as the account for both the Team Foundation Server service account (TFSSERVICE) and for the Reporting Services data sources account (TFSREPORTS). For clarity, each of the service accounts is referred to explicitly by its functional service placeholder name.

If you have deployed Team Foundation Server in an Active Directory domain, you should set the Account is sensitive and cannot be delegated option for service accounts. For example, in the following table, you should set that option for the Team Foundation Server service account TFSService. For more information about required service accounts and placeholder names used in Team Foundation Server documentation, see the topic "User Accounts Required for Installation" in the Team Foundation Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server. For more information about how to restrict account delegation in Active Directory, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=61995).

| Service name | Service account | Logical tier |
|---|---|---|
| Code Coverage Service | TFSService | application tier |
| Team Foundation Server Web Services | TFSService | application tier |
| Report Server (MSSQLSERVER) | Network Service or a domain account | application tier |
| Report Web Service | Local System, Network Service, or a domain account | application tier |
| SharePoint Services | Network Service or a domain account | application tier |
| Team Build Service (if Team Foundation Build is installed) | TFSService | application tier |
| TFS Server Scheduler | TFSService | application tier |
| Analysis Server (MSSQLSERVER) | Local System or a domain account | data tier |
| SQL Server Agent | Local System or a domain account | data tier |
| SQL Browser | Local System or a domain account | data tier |
| SQL Server | Local System or a domain account | data tier |

For more information about service accounts for SQL Server, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=62398).
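The delegation recommendation above can be checked from PowerShell. The following is an added example, not part of the original documentation: it reports whether each service account has the Account is sensitive and cannot be delegated option set, and when its password was last changed. It assumes the ActiveDirectory module (RSAT) is installed and that the page's placeholder names TFSService and TFSReports stand in for the real account names in your domain.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Placeholder names from this page; replace with the real account names in your domain.
$serviceAccounts = 'TFSService', 'TFSReports'

$report = foreach ($name in $serviceAccounts) {
    $u = Get-ADUser -Identity $name -Properties AccountNotDelegated,
        TrustedForDelegation, TrustedToAuthForDelegation, PasswordLastSet
    [pscustomobject]@{
        Account                    = $u.SamAccountName
        # True when "Account is sensitive and cannot be delegated" is set.
        SensitiveCannotBeDelegated = $u.AccountNotDelegated
        # Either of these being True means the account itself is trusted to delegate,
        # which is worth reviewing for a service account.
        TrustedForDelegation       = $u.TrustedForDelegation
        TrustedToAuthForDelegation = $u.TrustedToAuthForDelegation
        PasswordLastSet            = $u.PasswordLastSet
    }
}
$report | Format-Table -AutoSize

# Preview the change for accounts that do not have the option set.
# Remove -WhatIf to apply it (requires write access to the accounts).
$report | Where-Object { -not $_.SensitiveCannotBeDelegated } | ForEach-Object {
    Set-ADAccountControl -Identity $_.Account -AccountNotDelegated $true -WhatIf
}
```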

On the Team Foundation Server application-tier server, you must change the password for the Team Foundation Server Web Services application pool, as well as for the TFS Server Scheduler and Team Build Service services. This depends on your operational needs.

Note:

If you change the service account for Team Build Service, you must make sure that the account is a member of the Build Services group, and that the account has read/write permissions to the temporary folders and the ASP.NET temporary folder. Similarly, if you change the service account for the Team Foundation Server Proxy service, you must make sure that the account is a member of the appropriate groups. For more information, see Setting up a Build Computer and How to: Configure Cache Security for Team Foundation Server Proxy.

See

How to: Change the Password or Account for the Reporting Services Service Account


Over time, you might need to change the password of the account that you specified as the Team Foundation Server reporting services account when you installed Team Foundation Server. This is referred to as the TFSReports account. To make this change, you must use the TFSAdminUtil utility with the ChangePassword argument. Also, you must manually update the password information in the SQL Server Reporting Services data sources.

You can also choose to replace the TFSReports account with another account. To make this change, you must use the TFSAdminUtil utility with the ChangeAccount argument and the /ra option. This tool updates Team Foundation servers by replacing the old TFSReports account information with the new information. However, it does not update SQL Server Reporting Services. You must update that information manually. In addition, be sure that the new TFSReports account has the Log on as a service permission. Finally, you must also change the msiproperty.ini file to reflect the new account name for the TFSReports account.

Note:

The TFSAdminUtil utility does not physically create an account or change its password. It only updates Team Foundation Server to use the current credentials. The service account can be either a local or a domain account. You can script TFSAdminUtil to allow for automated updates.

For more information about required service accounts, see the topic "User Accounts Required for Team Foundation Server Setup" in the Team Foundation Server Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server.

Required Permissions

To perform these procedures, you must be a member of the Administrators group on the Team Foundation application-tier server, a member of the SQL Server Administrator group on the Team Foundation data-tier server, and a member of the Domain Administrators group in Active Directory (if you are running Team Foundation Server in an Active Directory domain). For more information about permissions, see Team Foundation Server Permissions.

Changing the Password for the Reporting Services Account

When you change the TFSReports account for Team Foundation Server, you must update the credentials for the Reporting Service data sources after you run TfsAdminUtil ChangeAccount.

To change the password for the Team Foundation Server reporting services service account

  1. On the Team Foundation application tier server, from the command line, find the TFSAdminUtil utility.

    By default, it is located in <drive>:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  2. At the command line, type TFSAdminUtil ChangePassword Account newPassword, and then press ENTER.

    You must enter the user name for the TFSReports account (Account) in addition to the new password for the account (newPassword).

Changing the Reporting Services Service Account

Changing Team Foundation Server to use another account as the TFSReports account is a more complicated procedure than simply changing the password for an existing account. There are a number of changes that you must make to Team Foundation Server before the new TFSReports account will work correctly. To change the TFSReports account, you must not only use the TFSAdminUtil command-line utility, but you must also edit the msiproperty.ini file. In addition, the new TFSReports account must have the Log on as a service permission granted to it. The account must be a member of a workgroup or domain that is trusted by every computer in a Team Foundation deployment.

Before you assign an account as the new TFSReports account, be sure that the account has the Log on as a service permission. We recommend that you run Team Foundation Server in an Active Directory domain. However, you can also run it in a workgroup. The procedures for both setups are described in the following section.

For more information about how to grant the Log on as a service permission, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62101).

To grant the log on as a service permission to the account you want to use as a new reporting services service account on a Team Foundation Server in an Active Directory domain

  1. On the Windows Taskbar, click Start, and then click Run.

  2. In the Open box, type mmc, and then click OK.

  3. On the File menu of the Console window, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, double-click Group Policy Object Editor in the Available Standalone Snap-ins pane.

    The Group Policy Wizard starts.

  6. On the Select Group Policy Object page, click Browse.

  7. In the Browse for a Group Policy Object dialog box, find the policy object you want to modify, and then click OK.

  8. Click Finish on the Select Group Policy Object page.

  9. On the Windows taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.

  10. Expand Local Policies in the Explorer pane of the Local Security Settings window.

  11. Click User Rights Assignment.

  12. Double-click Log on as a service.

  13. Click Add User or Group in the Log on as a service Properties dialog box.

  14. Type the name of the new service account in the Enter the object names to select box.

  15. Click OK.

To grant the log on as a service permission to the account you want to use as a new reporting services service account on a Team Foundation Server in a workgroup

  1. On the Windows taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.
  2. Expand Local Policies in the Explorer pane of the Local Security Settings window.
  3. Click User Rights Assignment.
  4. Double-click Log on as a service.
  5. Click Add User or Group in the Log on as a service Properties dialog box.
  6. Type the name of the new service account in the Enter the object names to select box.
  7. Click OK.

To assign a new reporting services service account to all Team Foundation Server services

  1. On the Team Foundation application tier server, from the command line, find the TFSAdminUtil utility.

    By default, it is located in <drive>:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  2. At the command line, type TFSAdminUtil ChangeAccount /ra oldAccount newAccount newPassword, and then press ENTER.

    You must enter the user name for the old TFSReports account (oldAccount), in addition to the user name and password for the new account (newAccount and newPassword).

Note:

Before you assign the new account by using the TFSAdminUtil ChangeAccount command, the account must have the Log on as a service permission on the application-tier server.

The TFSAdminUtil utility iterates through the services and only changes those that run under the old account.

Note:

If you have configured e-mail alerts, you must manually change the web.config file. You must change the value of emailNotificationFromAddress from the old service account's e-mail address to the new service account's e-mail address. For more information, see How to: Configure SMTP Server and E-mail Notification Settings in the Services Web.Config File.

To change the msiproperty.ini file

  1. On the Team Foundation application-tier server, open a text-based editor such as Notepad. To start Notepad, click Start, click Run, type Notepad, and then click OK.

  2. Open the msiproperty.ini file in the text-based editor.

    The default path for the msiproperty.ini file is %programfiles%\Microsoft Visual Studio 2008 Team Foundation Server\Microsoft Visual Studio 2008 Team Foundation Server - ENU.

  3. In the msiproperty.ini file, change the value of the VSTF_RS_USERID property to the new name of the account, where TFSReports is the name of the new TFSReports account:

    VSTF_RS_USERID= TFSReports

  4. Save the file and close the text-based editor.

How to: Change the Password or Account for the Team Foundation Server Service Account


Over time, you might need to change the password of the account that you specified as the Team Foundation Server service account when you installed Team Foundation Server. This is referred to as the TFSService account. To make this change, you must use the TFSAdminUtil utility with the ChangePassword argument. This tool updates Team Foundation servers by replacing the old service account password information with the new information.

You can also choose to replace the TFSService account with another account. To make this change, you must use the TFSAdminUtil utility with the ChangeAccount argument. This tool updates Team Foundation servers by replacing the old service account information with the new information. Be sure the new service account has the Log on as a service permission. You must also change the msiproperty.ini file to reflect the new service account name for the TFSService account.

Note:

The TFSAdminUtil utility does not physically create an account or change its password. It only updates Team Foundation Server to use the current credentials. The service account can be either a local or a domain account. You can script TFSAdminUtil to allow for automated updates.

For more information about required service accounts, see the topic "User Accounts Required for Team Foundation Server Setup" in the Team Foundation Server Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server.

Required Permissions

To perform these procedures, you must be a member of the Administrators group on the Team Foundation application-tier server, a member of the SQL Server Administrator group on the Team Foundation data-tier server, and a member of the Domain Administrators group in Active Directory (if you are running Team Foundation Server in an Active Directory domain). For more information about permissions, see Team Foundation Server Permissions.

Changing the Password for the Service Account

To change the password for the TFSService account, you must log on to the Team Foundation application-tier server and use the TFSAdminUtil utility.

To change the password for the Team Foundation Server service account

  1. On the Team Foundation application tier server, from the command line, locate the TFSAdminUtil utility.

    By default, it is located in <drive>:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  2. At the command line, type TFSAdminUtil ChangePassword Account newPassword, and then press ENTER.

    You must enter the user name for the TFSService account (Account) in addition to the new password for the account (newPassword).

Changing the Service Account

Changing Team Foundation Server to use another account as the TFSService account is a more complicated procedure than simply changing the password for an existing account. There are a number of changes that you must make to Team Foundation Server before the new service account will work correctly. To change the TFSService account, you must not only use the TFSAdminUtil command-line utility, but you must also edit the msiproperty.ini file. In addition, the new service account must have the Log on as a service permission granted to it. The account must be a member of a workgroup or domain that is trusted by every computer in a Team Foundation deployment.

Before you assign an account as the new service account, be sure that the account has the Log on as a service permission. We recommend that you run Team Foundation Server in an Active Directory domain. However, you can also run it in a workgroup. The procedures for both setups are described in the following section.

For more information about how to grant the Log on as a service permission, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62101).

To grant the log on as a service permission to the account you want to use as a new service account on a Team Foundation Server in an Active Directory domain

  1. On the Windows Taskbar, click Start, and then click Run.

  2. In the Open box, type mmc, and then click OK.

  3. On the File menu of the Console window, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, double-click Group Policy Object Editor in the Available Standalone Snap-ins pane.

    The Group Policy Wizard starts.

  6. On the Select Group Policy Object page, click Browse.

  7. In the Browse for a Group Policy Object dialog box, locate the policy object you want to modify, and then click OK.

  8. Click Finish on the Select Group Policy Object page.

  9. On the Windows taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.

  10. Expand Local Policies in the Explorer pane of the Local Security Settings window.

  11. Click User Rights Assignment.

  12. Double-click Log on as a service.

  13. Click Add User or Group in the Log on as a service Properties dialog box.

  14. Type the name of the new service account in the Enter the object names to select box.

  15. Click OK.

To grant the log on as a service permission to the account you want to use as a new service account on a Team Foundation Server in a workgroup

  1. On the Windows taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.
  2. Expand Local Policies in the Explorer pane of the Local Security Settings window.
  3. Click User Rights Assignment.
  4. Double-click Log on as a service.
  5. Click Add User or Group in the Log on as a service Properties dialog box.
  6. Type the name of the new service account in the Enter the object names to select box.
  7. Click OK.

To assign a new service account to all Team Foundation Server services

  1. On the Team Foundation application tier server, from the command line, locate the TFSAdminUtil utility.

    By default, it is located in <drive>:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  2. At the command line, type TFSAdminUtil ChangeAccount oldAccount newAccount newPassword, and then press ENTER.

    You must enter the user name for the old TFSService account (oldAccount), in addition to the user name and password for the new account (newAccount and newPassword).

Note:

Before you assign the new account by using the TFSAdminUtil ChangeAccount command, the account must have the Log on as a service permission on the application-tier server.

The TFSAdminUtil utility iterates through the services and only changes those that run under the old account.

Note:

If you have configured e-mail alerts, you must manually change the web.config file. You must change the value of emailNotificationFromAddress from the old service account's e-mail address to the new service account's e-mail address. For more information, see How to: Configure SMTP Server and E-mail Notification Settings in the Services Web.Config File.

To change the msiproperty.ini file

  1. On the Team Foundation application-tier server, open a text-based editor such as Notepad. To start Notepad, click Start, click Run, type Notepad, and then click OK.

  2. Open the msiproperty.ini file in the text-based editor.

    The default path for the msiproperty.ini file is %programfiles%\Microsoft Visual Studio 2008 Team Foundation Server\Microsoft Visual Studio 2008 Team Foundation Server - ENU.

  3. In the msiproperty.ini file, change the value of the VSTF_USERID property to the new name of the account, where TFSService is the name of the new service account:

    VSTF_USERID= TFSService

  4. Save the file and close the text-based editor.
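
The two account-change procedures above (TFSReports and TFSService) follow the same sequence, so one script can wrap both with checks before and after. The following is an added example, not Microsoft's code: it confirms the new account is listed under Log on as a service, runs TFSAdminUtil ChangeAccount, then reports any services still using the old account and whether msiproperty.ini names the new one. Assumptions: the utility's file name is TFSAdminUtil.exe in the default folder, a non-zero exit code means failure, and the account name in the comment is constructed.

```powershell
# Added example (not Microsoft's code). Run elevated in Windows PowerShell on the application tier.
param(
    [Parameter(Mandatory = $true)] [string] $OldAccount,   # e.g. CONTOSO\TFSService (constructed name)
    [Parameter(Mandatory = $true)] [string] $NewAccount,
    [switch] $ReportsAccount                               # TFSReports case: adds /ra, checks VSTF_RS_USERID
)
$ErrorActionPreference = 'Stop'
$tfsRoot = Join-Path $env:ProgramFiles 'Microsoft Visual Studio 2008 Team Foundation Server'
$util    = Join-Path $tfsRoot 'Tools\TFSAdminUtil.exe'     # assumed file name in the default folder
$ini     = Join-Path $tfsRoot 'Microsoft Visual Studio 2008 Team Foundation Server - ENU\msiproperty.ini'
$oldLeaf = ($OldAccount -split '\\')[-1]
$newLeaf = ($NewAccount -split '\\')[-1]

# 1. Pre-check: is the new account listed directly under "Log on as a service"?
#    A right that comes only through group membership is not detected here.
$nt  = New-Object System.Security.Principal.NTAccount($NewAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'tfs_user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg
$entries = @()
if ($line) { $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }
if (($entries -notcontains $sid) -and ($entries -notcontains $NewAccount) -and ($entries -notcontains $newLeaf)) {
    throw "$NewAccount is not granted 'Log on as a service'; grant it before running ChangeAccount."
}

# 2. Run ChangeAccount. The password is passed as a command-line argument, so anything
#    that records process command lines will see it; prompt for it instead of hard-coding it.
$secure = Read-Host "New password for $NewAccount" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $tfsArgs = @('ChangeAccount')
    if ($ReportsAccount) { $tfsArgs += '/ra' }
    $tfsArgs += $OldAccount, $NewAccount, [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & $util @tfsArgs
    # Assumption: a non-zero exit code means the utility reported a failure.
    if ($LASTEXITCODE -ne 0) { throw "TFSAdminUtil exited with code $LASTEXITCODE" }
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 3. Post-check: TFSAdminUtil changes only services that ran under the old account,
#    so no service should still log on as it. IIS application pools are not Windows
#    services and are not covered by this query.
$stale = @(Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -eq $OldAccount -or $_.StartName -like "*\$oldLeaf" })
$stale | Select-Object DisplayName, StartName | Format-Table -AutoSize

# 4. msiproperty.ini must name the new account; report the current line rather than edit it.
$prop    = if ($ReportsAccount) { 'VSTF_RS_USERID' } else { 'VSTF_USERID' }
$iniLine = Get-Content $ini | Where-Object { $_ -match "^\s*$prop\s*=" }
$iniOk   = [bool]($iniLine -and ((($iniLine -split '=', 2)[1].Trim() -split '\\')[-1] -eq $newLeaf))
"Services still using $OldAccount : $($stale.Count)"
"$prop in msiproperty.ini names $NewAccount : $iniOk (current line: $iniLine)"
```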