SharePoint Portal Server 2003 IT Documentation
Changing Access Accounts and Passwords
 

Microsoft Office SharePoint Portal Server 2003 uses the following accounts:

  • Configuration database administration account
  • CentralAdminAppPool application pool account
  • Portal site application pool identity
  • Default content access account
  • Override account for crawling
  • User profile import account
  • Single sign-on service account

SharePoint Portal Server grants access to an existing account in Microsoft SQL Server. You can remove any old accounts manually.

Important  Accounts must be changed on each server in the server farm that has SharePoint Portal Server installed.

Configuration Database Administration Account

This account is requested during setup when you select the Install without database engine option.

This account will be used by SharePoint Central Administration functions to access and modify settings in the configuration database and in all databases for the portal site (people profile, content, and component settings databases).

The account must be a member of the Power Users group on the server on which you installed SharePoint Portal Server. The account must have the Database Creators and Security Administrators server roles on the SQL Server instance. In addition, the account must be a domain account if you have more than one server in your configuration.

Important  The following user rights are granted automatically to this account (the configuration database administration account) on the local server: Replace a process level token, Adjust memory quotas for a process, and Log on as a service. If you change this account by using the Configure Server Farm Account Settings page, the rights are not revoked automatically for the previous account. See step 5 (Revoke rights from the old configuration database administration account) in the following procedure to remove these rights.

Note  Changing the configuration database administration account requires you to reenter the password for the default content access account and for all rules that include or exclude content. Failure to do so causes crawls to fail.

Note   If you change this account on a server farm that uses shared services, you must grant the new account access to search and index resources on the parent server farm. For information about how to do this, see Providing Shared Services.

Note  If the password for this account expires and must be changed, or is reset, perform the procedure in the "CentralAdminAppPool Application Pool Account" section later in this document on the CentralAdminAppPool application pool before performing the following procedure.

Note  If you change the user name of the configuration database administration account, add the new account as a member of the local Administrators group on the document library server.

Change the configuration database administration account

  1. If you are using SQL Server, change the account and password for the MSSQLSERVER service and the SQLSERVERAGENT service.

    1. On the taskbar, click Start, point to Administrative Tools, and then click Services.
    2. On the Services management console, double-click MSSQLSERVER.
    3. Click the Log On tab.
    4. Click This account.
    5. In the This account box, type the user name in the format DOMAIN\user_name.
    6. In the Password and Confirm password boxes, type the new password.
    7. Click OK.
    8. Click OK on the message box that appears.
    9. Right-click MSSQLSERVER, and then click Stop.
    10. If prompted, click Yes to stop the other services.
    11. Right-click MSSQLSERVER, and then click Start.
    12. Double-click SQLSERVERAGENT.
    13. Click the Log On tab.
    14. Click This account.
    15. In the This account box, type the user name in the format DOMAIN\user_name.
    16. In the Password and Confirm password boxes, type the new password.
    17. Click OK.
  2. If you are changing the user name, give the user the security permissions in SQL Server.

    1. On the computer running SQL Server, open SQL Server Enterprise Manager.
    2. Expand the Microsoft SQL Servers node.
    3. Expand the SQL Server Group node.
    4. Expand the (local) (Windows NT) node.
    5. Expand the Security node.
    6. Click Logins, and then do one of the following:
      • If the logon name does not exist, right-click Logins, click New Login, and then in the Name box, type the account for the user in the format DOMAIN\user_name.
      • If the logon name already exists, right-click the logon name, and then click Properties.
    7. Click the Server Roles tab.
    8. In the Server Role section, select the Database Creators and Security Administrators check boxes.
    9. Click OK.
    10. Close SQL Server Enterprise Manager.
  3. If you are moving the portal site to a different domain, do the following before you perform step 4:

    1. Give the user the security permissions in SQL Server. To do this, see step 2 above.
    2. Add the user to IIS_WPG group. To do this:
      1. On the taskbar, click Start, point to Administrative Tools, and then click Computer Management.
      2. In the console tree, under the System Tools node, expand the Local Users and Groups node.
      3. Click Groups.
      4. Double-click IIS_WPG.
      5. In the IIS_WPG Properties dialog box, click Add.
      6. Add the user.
    3. Change the CentralAdminAppPool application pool identity to the new configuration database administration account. For more information, see "CentralAdminAppPool Application Pool Account" later in this document.
    4. Open a command prompt, type iisreset, and then press ENTER.
  4. Change the configuration database administration account.

    1. On the SharePoint Portal Server Central Administration for server_name page, in the Server Configuration section, click Configure Server Farm Account Settings.
    2. On the Configure Server Farm Account Settings page, in the Configuration Database Administration Account section, do the following:
      1. Select the Specify account check box.
      2. If you are changing the user name, in the User name (DOMAIN\user name) box, type the new user name.
      3. In the Password box, type the password for the account.
      4. In the Confirm password box, type the password again.
    3. Click OK.
  5. Optionally, revoke rights from the old configuration database administration account.

    1. Revoke the Replace a process level token, Adjust memory quotas for a process, and Log on as a service rights from the old account. To do this:
      1. On the taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.
      2. In Local Security Settings, under Security Settings, expand the Local Policies node.
      3. Click User Rights Assignment.
      4. In the details pane, do the following for the policies Replace a process level token, Adjust memory quotas for a process, and Log on as a service:
        1. Double-click the policy.
        2. On the properties page for the policy, click the old account.
        3. Click Remove.
        4. Click OK to close the properties page.
    2. Remove the old account from the IIS_WPG, SPS_WPG, and STS_WPG local groups. To do this, repeat the following procedure for each of the three groups:
      1. On the taskbar, click Start, point to Administrative Tools, and then click Computer Management.
      2. In the console tree, under the System Tools node, expand the Local Users and Groups node.
      3. Click Groups.
      4. Double-click IIS_WPG, SPS_WPG, or STS_WPG.
      5. In the properties dialog box for the group, click the old account to remove.
      6. Click Remove.
      7. Click OK to close the dialog box.
    3. Revoke rights to the search service from the old account. Do the following on each search server:
      1. Copy srchperm.vbs from the SPS\Files\PFiles\SPS\Bin directory on the SharePoint Portal Server CD to the search server.
      2. Open a command prompt.
      3. Navigate to the location of srchperm.vbs on the search server.
      4. Type cscript //h:cscript and then press ENTER.
      5. Type srchperm.vbs REMOVE DOMAIN\user_name and then press ENTER, where DOMAIN\user_name is the old account.
    4. Remove the security permissions for the old account from SQL Server. To do this:
      1. On the computer running SQL Server, open SQL Server Enterprise Manager.
      2. Expand the Microsoft SQL Servers node.
      3. Expand the SQL Server Group node.
      4. Expand the (local) (Windows NT) node.
      5. Expand the Security node.
      6. Click Logins.
      7. In the details pane, right-click the name of the old account, and then click Properties.
      8. Click the Server Roles tab.
      9. In the Server Role section, clear the Database Creators and Security Administrators check boxes.
      10. Click the Database Access tab.
      11. Remove the db_owner database role from the configuration database and from the profile (_PROF), component settings (_SERV), and content (_SITE) databases for each portal site. You must also remove the database role from the single sign-on database, if that database exists. Do the following for each database:
        1. In the Specify which databases can be accessed by this login section, select the database.
        2. In the Database roles for database_name section, clear the db_owner check box.
      12. Click OK.
      13. Close SQL Server Enterprise Manager.
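
The rights and group memberships that step 5 removes can be checked afterward from a text export instead of by clicking through each dialog. The following is an added example, not part of the original Microsoft documentation: it parses a user-rights export and `net localgroup` output and reports what the old account still holds. The capture commands, the account names CONTOSO\svc_sps_old and CONTOSO\svc_sps_new, the SID, and the sample text are assumptions constructed for illustration.

```python
# Added audit example. Inputs are captured on each server with (assumed commands):
#   secedit /export /cfg rights.inf /areas USER_RIGHTS   and   net localgroup IIS_WPG
RIGHTS = {  # secedit constant -> policy name used on this page
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeServiceLogonRight": "Log on as a service",
}
GROUPS = ("IIS_WPG", "SPS_WPG", "STS_WPG")

def rights_still_held(inf_text, account, sid=None):
    """Policy names still assigned to the account (matched by name or by *SID)."""
    wanted = {account.lower()} | ({"*" + sid.lower()} if sid else set())
    held, section = [], None
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            members = {m.strip().lower() for m in value.split(",")}
            if name.strip() in RIGHTS and members & wanted:
                held.append(RIGHTS[name.strip()])
    return held

def group_members(net_output):
    """Member names from 'net localgroup <group>' output (English locale)."""
    members, in_list = [], False
    for line in map(str.strip, net_output.splitlines()):
        if line.startswith("-----"):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def audit_old_account(inf_text, net_outputs, account, sid=None):
    """Return (rights, groups) the account still holds; two empty lists = clean."""
    groups = [g for g in GROUPS if account.lower() in
              [m.lower() for m in group_members(net_outputs.get(g, ""))]]
    return rights_still_held(inf_text, account, sid), groups

# Constructed sample data: account names and SID are placeholders, not real values.
OLD, OLD_SID = r"CONTOSO\svc_sps_old", "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = r"""[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,CONTOSO\svc_sps_new
SeAssignPrimaryTokenPrivilege = *S-1-5-19,CONTOSO\svc_sps_old
"""
SAMPLE_NET = {"IIS_WPG": r"""Members
-------------------------------------------------------------------------------
CONTOSO\svc_sps_old
NT AUTHORITY\NETWORK SERVICE
The command completed successfully.
""", "SPS_WPG": "Members\n-----\nThe command completed successfully.\n"}

if __name__ == "__main__":
    print(audit_old_account(SAMPLE_INF, SAMPLE_NET, OLD, OLD_SID))
```

Pass the SID as well as the name, because an export lists resolved accounts as *SID entries. Run the check on each server in the farm, since the accounts must be changed on every server that has SharePoint Portal Server installed.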

CentralAdminAppPool Application Pool Account

By default, this account is the same as the configuration database administration account specified by the user at the end of setup.

You need to change this account only if the password for the CentralAdminAppPool application pool expires or is reset.

Change the CentralAdminAppPool application pool account

  1. On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. On the Internet Information Services management console, expand the tree view.
  3. Expand Application Pools.
  4. Right-click CentralAdminAppPool, and then click Properties.
  5. Click the Identity tab.
  6. Click Configurable.
  7. In the User name box, type the user name in the format DOMAIN\user_name.
  8. In the Password box, type the new password, and then click OK.
  9. In the Confirm Password dialog box, type the password, and then click OK.
  10. Close the Internet Information Services management console.

Portal Site Application Pool Identity

This account is used by the default application pool (MSSharePointPortalAppPool) created by SharePoint Portal Server to contain all portal sites.

This account must be a domain account. However, if you are installing the single server with SQL Server configuration, this account can be a local account. This account must also be a member of the db_owner database role in SQL Server on the configuration database.

Note   If you change this account on a server farm that uses shared services, you must grant the new account access to search and index resources on the parent server farm. For information about how to do this, see Providing Shared Services.

Note  If you change this account on a server farm that has a document library server, add the new account as a member of the local Administrators group on the document library server.

Change the portal site application pool identity

  1. On the SharePoint Portal Server Central Administration for server_name page, in the Server Configuration section, click Configure Server Farm Account Settings.
  2. On the Configure Server Farm Account Settings page, in the Portal Site Application Pool Identity section, do the following:
    1. Select the Change account settings check box.
    2. If you are changing the user name, in the User name (DOMAIN\user name) box, type the new user name.
    3. In the Password box, type the password for the account.
    4. In the Confirm password box, type the password again.
  3. Click OK.

Default Content Access Account

This account is the default account used when creating a content index of content sources. The account must have read access to the content being crawled.

Change the default content access account

  1. On the SharePoint Portal Server Central Administration for server_name page, in the Server Configuration section, click Configure Server Farm Account Settings.
  2. On the Configure Server Farm Account Settings page, in the Default Content Access Account section, do the following:
    • Select the Specify account check box.
    • In the User name (DOMAIN\user name) box, type the user name in the format DOMAIN\user_name.
    • In the Password box, type the password for the account.
    • In the Confirm Password box, type the password again.
  3. Click OK.

Override Account for Crawling

This is an optional account that you can specify for rules that include and exclude content to override the default content access account.

This account must have access to crawl whatever site or path the rule describes.

Change the override account for crawling

  1. On the Site Settings page, in the Search Settings and Indexed Content section, click Configure search and indexing.
  2. On the Configure Search and Indexing page, do one of the following:
    • If you have not enabled advanced search administration, in the General Content Settings and Indexing Status section, click Exclude and Include Content.
    • If you have enabled advanced search administration, do the following:
      1. In the Content Indexes section, click Manage content indexes.
      2. On the Manage Content Indexes page, click the name of the index.
      3. On the Manage Index Properties page, click Manage rules to exclude and include content.
  3. On the Exclude and Include Content page, rest the pointer on the rule or group of rules, and then click the arrow that appears.
  4. On the menu that appears, click Edit.
  5. On the Edit Rule page, in the Specify Authentication section, click Specify crawling account.
  6. In the Account box, type the account in the format DOMAIN\user_name.
  7. In the Password box, type the password for this user name.

    Your password is protected and can be used only to access the resources for the purpose of crawling content.

  8. In the Confirm password box, type the password for this user name again.
  9. To prevent Basic authentication from being used, select the Do not allow Basic authentication check box.
  10. Click OK.

User Profile Import Account

This is an optional account that is used for crawling Microsoft Active Directory directory service to import people profiles. The following procedure applies to a server farm configuration or a single server with SQL Server configuration. The procedure does not apply to the stand-alone configuration.

The account must have read access to Microsoft Active Directory directory service. In addition, the portal site application pool identity account must have read access to Active Directory.

Change the user profile import account

  1. On the Site Settings page, in the User Profile, Audiences, and Personal Sites section, click Manage profile database.
  2. On the Manage Profile Database page, click Configure profile import.
  3. On the Configure Profile Import page, in the Access Account section, do the following:
    • In the Account name box, type the user name in the format DOMAIN\user_name.
    • In the Password box, type the new password.
    • In the Confirm password box, type the new password again.
  4. Click OK.

Single Sign-On Service Account

This account is required only if you are configuring single sign-on. This account is the account that you specify when you enable the single sign-on service. You must change the password on each front-end Web server and on the job server.

For information about the access requirements for this account and how to specify them, see Specifying Settings for Single Sign-On and Application Definitions.

Change the single sign-on service account

  1. Back up the encryption key. For more information, see Backing Up the Encryption Key.
  2. Choose an account that meets access requirements. For more information, see Specifying Settings for Single Sign-On and Application Definitions.
  3. Change the service account. Do the following:
    1. On the taskbar, click Start, point to Administrative Tools, and then click Services.
    2. On the Services management console, double-click Microsoft Single Sign-on Service.
    3. Click the Log On tab.
    4. Click This account.
    5. In the This account box, type the user name in the format DOMAIN\user_name.
    6. Type the new password in the Password and Confirm password boxes.
    7. Click OK.
    8. On the message box that appears, click OK.
    9. Right-click Microsoft Single Sign-on Service, and then click Stop.
    10. Right-click Microsoft Single Sign-on Service, and then click Start.
  4. Configure single sign-on, specifying the existing single sign-on database. For more information, see Specifying Settings for Single Sign-On and Application Definitions.
  5. Restore the encryption key. For more information, see Restoring the Encryption Key.

Note  If you need to change only the password of the service account, you need to follow only the third step, specifying the new password and restarting the service on the job server and on all front-end Web servers.
