Changing Service Accounts in SharePoint 2010


Changing service accounts is simple in SharePoint 2010. This post briefly covers how to set this up and which permissions are automatically provisioned behind the scenes.


In the following example, I’m going to change the search service account on an existing Search Service Application to a newly created user account named Dan.


It’s fairly simple to change search service accounts. In the following walkthrough, I’m going to replace my existing search service account with a new one named Jon.


 


Add a managed account


1.) Access Central Administration and select Security\Configure Managed Accounts.


2.) Select the Register Managed Account link.


3.) Enter the desired account in “domain\username” format.


Note: Entering the domain as an FQDN does not work and produces an error. This is a known issue, and you must use the NetBIOS name of the domain.


4.) Finally, hit OK.


 


Add account as Search Service Account


1.) Access Central Administration and select Security\Configure Service Accounts.


2.) Select Windows Service – SharePoint Server Search, select the managed account, and hit OK.


That’s it!! So what permissions were granted to Jon after running through these steps? The Jon account was automatically granted the following permissions directly after hitting OK on step 2 above.


 


On SharePoint 2010 Server hosting Search Service Application


· Added to the WSS_WPG local group. This gives the account the appropriate permissions to access the registry keys and files required to run the search service instance.


· Added as the logon account for the SharePoint Server Search 14 service within the Services applet.


 


On SQL Server hosting Search databases and Configuration database


Added to SQL Server as a login with the public server role.


On the SQL Server, granted the db_owner and public roles on the following:



  1. Search CrawlStore Database 

  2. Search Service Application Database

  3. Search PropertyStore Database

On SQL Server, granted public and WSS_Content_Application_Pools roles on the following:



  1. SharePoint_AdminContent Database  

  2. SharePoint_Config Database



Note: This is specific to a search service application. Other, non-search shared service applications might grant permissions differently for a service account; each type of shared service application is unique. Which AD permissions are required also depends on the type of shared service application. For example, on a pure Windows 2008 domain, the search service account requires membership in the Domain Users group at a minimum.
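
The grants listed above can be verified from PowerShell on the SharePoint server, which also shows whether the account holds any database role beyond the ones described. This is an added example, not part of the original post; the domain CONTOSO, the SQL instance SQL01 and every database name are assumed placeholders to replace with your farm's values.

```powershell
# Added example. Assumed values (not from the post): domain CONTOSO, SQL instance
# SQL01 and every database name below; replace them with your farm's values.
$Account   = 'CONTOSO\Jon'
$SqlServer = 'SQL01'
$Expected  = @{                       # database -> role the post says is granted
    'Search_CrawlStore_DB'           = 'db_owner'
    'Search_Service_Application_DB'  = 'db_owner'
    'Search_PropertyStore_DB'        = 'db_owner'
    'SharePoint_AdminContent_<GUID>' = 'WSS_Content_Application_Pools'
    'SharePoint_Config'              = 'WSS_Content_Application_Pools'
}

function Get-DbRoles([string]$Server, [string]$Database, [string]$Login) {
    # Roles held by the database user mapped to $Login. "public" is implicit
    # for every user and is never listed in sys.database_role_members.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=$Database;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@login)
'@
    [void]$cmd.Parameters.AddWithValue('@login', $Login)
    $roles = @()
    try {
        $conn.Open()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $roles += $rdr.GetString(0) }
    } finally { $conn.Dispose() }
    return ,$roles
}

# 1. Local checks on the server hosting the Search Service Application
$members = net localgroup WSS_WPG | ForEach-Object { $_.Trim() }
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='SharePoint Server Search 14'"
"WSS_WPG member : $($members -contains $Account)"
"Service logon  : $($svc.StartName) (expected $Account)"

# 2. Database role checks; any role beyond the expected one is flagged as extra
foreach ($db in $Expected.Keys) {
    $roles = Get-DbRoles $SqlServer $db $Account
    $extra = @($roles | Where-Object { $_ -ne $Expected[$db] })
    "{0,-32} expected={1,-30} present={2} extra=[{3}]" -f $db, $Expected[$db],
        ($roles -contains $Expected[$db]), ($extra -join ', ')
}
```

Run it as a user who can connect to each database with Windows authentication. Running it against the old service account as well shows which of these grants remain on it after the change.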


Stay tuned.. I’ll be adding more to this blog as I uncover more behind the scenes stuff…


Russ Maxwell, MSFT


Comments (6)

  1. Emily says:

    How does one change a service account, though? For example, I already associated one account with Secure Store Service, but I would like to use a different one now. How do I change it?

  2. Shehan S says:

    Explained very simply and thank you heaps 🙂

  3. Vivek says:

    Hey,

    This helped me!!

    Thank you!

  4. Failure! NOT EXPLAINED - FAKE TITLE! says:

    Title says **** CHANGE **** service account, but it is about CREATING service accounts – does NOT cover the steps to **** CHANGE **** service accounts, and clearly the author DOES NOT CARE – has not responded since this was first posted.

  5. Account is disabled in Ad says:

    The service account which my service was using has been disabled. So how can I change that now?

    Please suggest.

    Thanks in advance

  6. Will says:

    To change service accounts, go to Central Admin -> Security -> Under "General Security," click "Configure service accounts"