Changing service accounts is simple in SharePoint 2010. This blog briefly discusses how to set this up and what permissions are automatically provisioned behind the scenes.
In the following example, I'm going to change the search service account on an existing Search Service Application to a newly created user account named Dan.
It's fairly simple to change search service accounts. In the following walkthrough, I’m going to replace my existing search service account with a new one named Jon.
Add a managed account
1.) Access Central Administrator and select Security\Configure Managed Account.
2.) Select Register Managed Account link
3.) Input desired account in “domain\username” format.
Note: Inputting the domain as FQDN does not work and produces the following error:
This is a known issue and you must use the netbios name of the domain.
4.) Finally hit OK
Add account as Search Service Account
1.) Access Central Administrator and select Security\Configure Service Accounts
2.) Select Windows Service - SharePoint Server Search and select managed account and hit OK.
That’s it!! So what permissions were granted to Jon after running through these steps? The Jon account was automatically granted the following permissions directly after hitting OK on step 2 above.
On SharePoint 2010 Server hosting Search Service Application
· Added to WSS_WPG local group. This gives the account the appropriate permissions to access registry keys and files required to run search service instance.
· Added as logon account for SharePoint Sever Search 14 service within the services applet.
On SQL Server hosting Search databases and Configuration database
Added to SQL with Server Role as public.
On SQL server, Granted db_owner and public roles on the following:
- Search CrawlStore Database
- Search Service Application Database
- Search PropertyStore Database
On SQL Server, granted public and WSS_Content_Application_Pools roles on the following:
- SharePoint_AdminContent Database
- SharePoint_Config Database
Note: This is specific with a search service application. Other non-search shared service applications might permission differently for a service account. Each type of shared service application is unique. As far as what AD permissions are required depends on the type of Shared Service Application. For Example: On a pure Windows 2008 domain, the search service account requires membership to domain users group at a minimum.
Stay tuned.. I’ll be adding more to this blog as I uncover more behind the scenes stuff…
Russ Maxwell, MSFT