Impacts of Windows Policies on SharePoint Farm

Problem:

A SharePoint farm is a set of one or more servers working together to provide SharePoint Foundation functionality to clients. In simple scenarios, the farm is set up by installing and configuring everything you need on a single server computer. If a company policy ends up affecting the farm, the result is application downtime.

While working with various clients, I observe that over time they want their applications to be accessed by a limited set of users and want to limit SharePoint farm administration rights. Also, as a to-do item, they keep changing their farm access rights to be on the safer side against malicious users. So, to handle such situations, we perform some steps to update the SharePoint farm credentials whenever the password for that farm is changed.

Solution 1:

To do this, we run stsadm commands from a particular path. For instance:

Open CMD.

Go to the default path:

c:\> cd c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Bin

c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Bin> stsadm -o updatefarmcredentials -userlogin DOMAIN\username -password $password$

Now, all the services running under the service account need to be restarted with the new credentials. Similarly, restart all the application pools running under the service account so that they pick up the new credentials.
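
One way to find what has to be restarted, and to confirm it came back up afterwards, is to list every Windows service and IIS application pool on the server that runs as the farm account. This is an added example, not part of the original post; CONTOSO\sp_farm is a placeholder account name, and it assumes an elevated PowerShell 3.0+ session on each farm server with the IIS WebAdministration module installed.

```powershell
# Added example: inventory everything on this server that runs as the farm account.
# $FarmAccount is a placeholder; replace it with your own DOMAIN\username.
$FarmAccount = 'CONTOSO\sp_farm'

Import-Module WebAdministration   # provides the IIS:\ drive

# Windows services whose logon account is the farm account.
# (-eq is case-insensitive; accounts stored as user@domain need a second comparison.)
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq $FarmAccount } |
    Select-Object @{n='Kind';e={'Service'}}, Name, State,
                  @{n='AutoStart';e={$_.StartMode -eq 'Auto'}}

# IIS application pools whose identity is the farm account.
$pools = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.userName -eq $FarmAccount } |
    Select-Object @{n='Kind';e={'AppPool'}}, Name, State,
                  @{n='AutoStart';e={[bool]$_.autoStart}}

$inventory = @($services) + @($pools)
$inventory | Sort-Object Kind, Name | Format-Table -AutoSize

# Items that are set to start automatically but are not up are the first
# candidates for a stale or mistyped password.
$broken = $inventory | Where-Object {
    $_.AutoStart -and $_.State -notin 'Running', 'Started'
}
if ($broken) {
    Write-Warning "Not running after the credential change: $($broken.Name -join ', ')"
}
```

Run it once before the change to know what to restart and again afterwards; Restart-Service and Restart-WebAppPool accept the values in the Name column.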

Even though this is the easiest way to perform the operation on a SharePoint farm, it is a deprecated way to do so. From SP2013 onwards, we use Solution 2 and follow the steps in Central Administration.

Solution 2:

Recommended steps will be:

1. First, navigate to the SharePoint 2013 Central Administration interface, Security > Configure Managed Accounts. Select the farm administrators account and change the password.
2. Next, manually change the User Profile Service password. As required by SharePoint, this service uses the farm administrator account; however, SharePoint 2013 does not treat this account as a managed account, so it must be changed manually. To make the password change, the farm administrator account must be a local administrator on the server that hosts the User Profile Service.

Once that step is complete, launch SharePoint Central Admin, navigate to System Settings and click ‘Manage Services on Server’.  From here we can start and stop services on each machine in the farm.  Select the machine hosting the user profile service and find that service.  It should say started. 

  1. Stop the service.
  2. Start the service again; it will ask you to enter the new password. Monitor the User Profile Service and ensure that it starts correctly.

Once started, you may remove the farm administrator account as a local administrator.  However, we often recommend leaving it as a local admin on the server for simplicity of making such changes in the future.

3. Check whether any applications in the Secure Store service use the farm administrator account, and if they do, change the password there. Launch SharePoint Central Admin, Application Management > Manage Service Applications > Secure Store Application > Manage Target Applications.

  1. Select a single Target Application from the list.
  2. In the Credentials group on the ribbon, click Set. This opens the Set Credentials for Secure Store Target Application dialog box.  If any target application uses the farm administrators account, change the password here.
  3. Repeat this process for all secure store applications.

4. Finally, reboot all the servers in the SharePoint farm except for SQL Server. SQL Server does not need to be restarted.

Note:

Be cautious when entering the password. If you enter an incorrect password, no error message is shown and you will be able to continue with the configuration. However, errors can occur later, when you attempt to access data through the BCS. If the password for the external data source is updated, return to this page and manually update the password credentials.

The most important point to know is that it's a manual process. So it's always recommended to rehearse the steps on development servers before moving to production servers.

Conclusion:

Finally, we can say that both solutions need manual intervention. If Central Administration is not working on the server, fall back to Solution 1 and use the stsadm command.

Also, when creating these service accounts, for various reasons, we typically create a domain account in Active Directory and configure it so that the password does not expire. With that in mind, the passwords for these service accounts are typically set not to change often. However, there are circumstances in which the password for the SharePoint 2013 farm account must be changed, and the steps above handle such cases.

About the Author:

I am a SharePoint Professional and have worked with more than 100 clients over SharePoint Architecture and their changing requirements.
