Thursday, December 4, 2008

Things that should or should not be done to the SharePoint admin account

Here is a short list of the most common scenarios that people should be aware of regarding the SP admin account in AD:

1. When the account is initially created, set the "Password never expires" account property to true. This is not a regular user account, so it should comply with the rules for service account settings. If the password changes, reset the stored passwords so that the Application pool identity reflects the new password.

2. If you are not happy with your "spappadmin" or "spadmin" (fill in the blanks) farm admin account name, DO NOT DELETE IT AND CREATE A NEW ONE with the desired name. Just rename the account in AD; this makes sure that the SID remains the same and the security settings do not have to be recreated for this account EVERYWHERE.

This applies to any other account in AD as well, but admins already know that.

3. If your farm admin account suddenly loses its connection to the DB without a password change, and in the log you see that account "[blank]" could not be authenticated to SQL, most likely your account got corrupted in AD.

Another scenario: the farm is still functioning fine, but when you try to connect to SQL remotely using the farm admin account, the connection fails.

You will still be able to access your farm, since the trusted connection had been established before the AD account got corrupted, but you will not be able to establish any new connections with it.

In this case, just recreate the admin account in AD and go through the pain of recreating security settings or changing SIDs.
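For item 2, a rename that records the SID first and confirms afterwards that the same object is behind the new name. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available, and both account names are placeholders.

```powershell
# Added example: rename a service account in place and confirm the SID is unchanged.
# $oldName and $newName are placeholder values, not names from a real farm.
Import-Module ActiveDirectory

$oldName = 'spadmin'      # current sAMAccountName (placeholder)
$newName = 'svc-spfarm'   # desired sAMAccountName (placeholder)

# Refuse to continue if the target name is already taken.
if (Get-ADUser -Filter "SamAccountName -eq '$newName'") {
    throw "An account named '$newName' already exists."
}

# Capture the identity of the existing object before touching it.
$before    = Get-ADUser -Identity $oldName -Properties PasswordNeverExpires
$sidBefore = $before.SID.Value
$guid      = $before.ObjectGUID

# Change the logon name; keep the existing UPN suffix if the account has a UPN.
$changes = @{ SamAccountName = $newName }
if ($before.UserPrincipalName) {
    $suffix = ($before.UserPrincipalName -split '@')[-1]
    $changes.UserPrincipalName = "$newName@$suffix"
}
Set-ADUser -Identity $guid @changes

# Change the object's name (CN). The GUID still resolves after the logon name changed.
Rename-ADObject -Identity $guid -NewName $newName

# Look the object up by GUID and compare its SID with the one recorded earlier.
$after = Get-ADUser -Identity $guid -Properties PasswordNeverExpires
if ($after.SID.Value -ne $sidBefore) {
    throw "SID changed: $sidBefore -> $($after.SID.Value)"
}

# Summary for the change record.
[pscustomobject]@{
    OldName              = $oldName
    NewName              = $after.SamAccountName
    SID                  = $after.SID.Value
    SidUnchanged         = $true
    PasswordNeverExpires = $after.PasswordNeverExpires
}
```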

Enjoy :-)

1 comment:

Ben said...

Nice article. Quite informational.