Configure automatic password change (SharePoint Server 2010)
Applies to: SharePoint Server 2010, SharePoint Foundation 2010
Automatic password change enables Microsoft SharePoint Server 2010 to automatically generate long, cryptographically strong passwords for managed accounts on a schedule that you determine.
In this article:
Configure managed accounts
Configure automatic password change settings
Troubleshooting automatic password change
Configure managed accounts
You need to register managed accounts with the farm to make the accounts available to multiple services. You can register a managed account by using the Register Managed Account page in Central Administration. The Register Managed Account page has no option to create an account in Active Directory Domain Services or on the local computer; it only registers an existing account with the SharePoint Server 2010 farm. Perform the steps in the following procedure to use Central Administration to configure managed account settings.
To configure managed account settings by using Central Administration
Verify that the user account that is performing this procedure is a farm administrator.
On the Central Administration Web site, select Security.
Under General Security, click Configure managed accounts.
On the Managed Accounts page, click Register Managed Account.
In the Account Registration section of the Register Managed Account page, enter the service account credentials.
In the Automatic Password Change section, select the Enable automatic password change check box to allow SharePoint Server 2010 to manage the password for the selected account. Next, enter a numeric value that indicates the number of days prior to password expiration that the automatic password change process will be initiated.
In the Automatic Password Change section, select the Start notifying by e-mail check box, and then enter a numeric value that indicates the number of days prior to the initiation of the automatic password change process that an e-mail notification will be sent. You can then configure a weekly or monthly e-mail notification schedule.
Click OK.
Configure automatic password change settings
Use the Password Management Settings page of Central Administration to configure farm-level settings for automatic password changes. Farm administrators can configure the notification e-mail address that will be used to send all password change notification e-mails, as well as monitoring and scheduling options. Perform the steps in the following procedure to use Central Administration to configure automatic password change settings.
To configure automatic password change settings by using Central Administration
Verify that the user account that is performing this procedure is a farm administrator.
On the Central Administration Web site, click Security.
Under General Security, click Configure password change settings.
In the Notification E-Mail Address section of the Password Management Settings page, enter the e-mail address of an individual or group to be notified of any imminent password change or expiration events.
If automatic password change is not configured for a managed account, enter a numeric value in the Account Monitoring Process Settings section that indicates the number of days prior to password expiration that a notification will be sent to the e-mail address configured in the Notification E-Mail Address section.
In the Automatic Password Change Settings section, enter a numeric value that indicates the number of seconds that automatic password change will wait (after notifying services of a pending password change) before initiating the change. Enter a numeric value that indicates the number of times a password change will be attempted before the process stops.
Click OK.
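The two procedures above can also be run from the SharePoint 2010 Management Shell. The following script is an added example, not code from the TechNet article: it registers a managed account, enables automatic password change with the same thresholds the Register Managed Account page asks for, and then sets the farm-level Password Management Settings. The account name, e-mail address, day counts, the -Schedule string format and the SPFarm property names are assumptions to verify in your own farm.

```powershell
# Added example (not from the TechNet article). Assumed values: CONTOSO\svc-sp-app,
# sp-admins@contoso.com, the day/second counts, the -Schedule string syntax and the
# SPFarm property names below. Run from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Register the service account. It must already exist in AD DS; SharePoint
#    does not create it (see "Configure managed accounts" above).
$cred = Get-Credential 'CONTOSO\svc-sp-app'
$account = Get-SPManagedAccount -Identity $cred.UserName -ErrorAction SilentlyContinue
if (-not $account) {
    $account = New-SPManagedAccount -Credential $cred
}

# 2. Enable automatic password change: SharePoint generates the new password,
#    changes it 7 days before expiry and sends e-mail 3 days before that change.
#    -Schedule takes a SharePoint schedule string (format assumed here).
Set-SPManagedAccount -Identity $account `
    -AutoGeneratePassword `
    -PreExpireDays 7 `
    -EmailNotification 3 `
    -Schedule 'weekly between Sat 02:00:00 and Sat 04:00:00' `
    -Confirm:$false

# 3. Farm-level settings (Central Administration > Configure password change settings).
#    Property names on SPFarm are assumed; confirm with:
#    Get-SPFarm | Get-Member -Name *Password*
$farm = Get-SPFarm
$farm.PasswordChangeEmailAddress = 'sp-admins@contoso.com'    # notification e-mail address
$farm.DaysBeforePasswordExpirationToSendEmail = 14            # monitoring for accounts without auto change
$farm.PasswordChangeGuardTime = 300                           # seconds to wait after notifying services
$farm.PasswordChangeMaximumTries = 3                          # attempts before the process stops
$farm.Update()

# 4. Read back what the farm now holds for the account.
Get-SPManagedAccount -Identity $account |
    Select-Object UserName, AutomaticChange, DaysBeforeExpiryToChange,
                  DaysBeforeChangeToEmail, ChangeSchedule, PasswordExpiration
```

If the Set-SPManagedAccount call is run while the account's current AD DS password differs from the one SharePoint stores, fix the mismatch first with the -UseExistingPassword form described under Troubleshooting.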
Troubleshooting automatic password change
Use the following guidance to avoid the most common issues that can occur when you configure automatic password change.
Password mismatch
If the automatic password change process fails because there is a password mismatch between Active Directory Domain Services (AD DS) and SharePoint Server 2010, the password change process can result in access denial at login, an account lockout, or AD DS read errors. If any of these issues occur, make sure your AD DS passwords are configured correctly and that the AD DS account has read access for setup. Use Windows PowerShell to fix any password mismatch issues that might occur, and then resume the password change process.
To correct for a password mismatch
Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
On the Start menu, click All Programs. Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
From the Windows PowerShell command prompt, type the following, and then press ENTER:
Set-SPManagedAccount [-Identity] <SPManagedAccountPipeBind> -ExistingPassword <SecureString> -UseExistingPassword $true
For more information, see Set-SPManagedAccount.
Service account provisioning failure
If service account provisioning or re-provisioning fails on one or more servers in the farm, check the status of the Timer Service. If the Timer Service has stopped, restart it. Consider using the following Stsadm command to immediately start Timer Service administration jobs: stsadm -o execadmsvcjobs
If restarting the Timer Service does not resolve the issue, use Windows PowerShell to repair the managed account on each server in the farm that has experienced a provisioning failure.
To resolve a service account provisioning failure
Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
On the Start menu, click All Programs. Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
From the Windows PowerShell command prompt, type the following:
Repair-SPManagedAccountDeployment
For more information, see Repair-SPManagedAccountDeployment.
If the preceding procedure does not resolve a service account provisioning failure, it is likely because the farm encryption key cannot be decrypted. If this is the issue, use Windows PowerShell to update the local server pass phrase to match the pass phrase for the farm.
To update the local server pass phrase
Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
On the Start menu, click All Programs. Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
From the Windows PowerShell command prompt, type the following:
Set-SPPassPhrase -PassPhrase <SecureString> -ConfirmPassPhrase <SecureString> -LocalServerOnly $true
For more information, see Set-SPPassPhrase.
Imminent password expiration
If the password is about to expire, but automatic password change has not been configured for this account, use Windows PowerShell to update the account password to a new value that can be chosen by the administrator or automatically generated. After you have updated the account password, make sure the Timer Service is started and the Administrator Service is enabled on all servers in the farm. Then, the password change can be propagated to all of the servers in the farm.
To update the account password
Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
On the Start menu, click All Programs. Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
To update the account password to a new value chosen by the administrator, from the Windows PowerShell command prompt, type the following:
Set-SPManagedAccount [-Identity] <SPManagedAccountPipeBind> -Password <SecureString>
To update the account password to a new automatically generated value, from the Windows PowerShell command prompt, type the following:
Set-SPManagedAccount [-Identity] <SPManagedAccountPipeBind> -AutoGeneratePassword $true
For more information, see Set-SPManagedAccount.
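Before rotating a password by hand, it helps to know which managed accounts are actually at risk and whether every server can pick up the change. The following script is an added example, not code from the TechNet article: it lists accounts whose password expires within a window but that are not under automatic password change, checks the Timer and Administration services on each SharePoint server in the farm, and then rotates the at-risk accounts with the Set-SPManagedAccount -AutoGeneratePassword form shown above. The 14-day window and the Windows service names are assumptions.

```powershell
# Added example (not from the TechNet article). Assumptions: a 14-day window,
# the Windows service names SPTimerV4 (SharePoint 2010 Timer) and SPAdminV4
# (SharePoint 2010 Administration), and that this shell can query services on
# the other farm servers remotely.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$windowDays = 14

# 1. Accounts that will expire soon without SharePoint's automatic change.
$atRisk = Get-SPManagedAccount | Where-Object {
    (-not $_.AutomaticChange) -and
    ($_.PasswordExpiration -lt (Get-Date).AddDays($windowDays))
}
$atRisk | Select-Object UserName, PasswordExpiration, AutomaticChange | Format-Table -AutoSize

# 2. The change is propagated by the Timer Service, so every SharePoint server
#    (database-only servers have Role 'Invalid' and are skipped) should have the
#    Timer and Administration services running before the password is touched.
foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    foreach ($svcName in 'SPTimerV4', 'SPAdminV4') {
        $svc = Get-Service -ComputerName $server.Address -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "$($server.Address): service $svcName not found"
            continue
        }
        if ($svc.Status -ne 'Running') {
            Write-Warning "$($server.Address): $svcName is $($svc.Status); start it before continuing"
        }
    }
}

# 3. Rotate the at-risk accounts with a generated password, then run the
#    Timer Service administration jobs immediately (stsadm, as in the article).
foreach ($acct in $atRisk) {
    Set-SPManagedAccount -Identity $acct -AutoGeneratePassword -Confirm:$false
}
stsadm -o execadmsvcjobs
```

Run step 3 only after the warnings from step 2 have been cleared; a server whose Timer Service is stopped will keep the old password until Repair-SPManagedAccountDeployment is run on it.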
Requirement to change the farm account to a different account
If you need to change the farm account to a different account, use the following Stsadm command: stsadm.exe -o updatefarmcredentials -userlogin DOMAIN\username -password password