Question

I am attempting to avoid re-installing a farm that was built very quickly using the network service acct for the setup of a single standalone 2010 environment.

The issue I am running into is the current configuration of the User Profile Synch service amongst other things.

I have just requested an account that I can now use as the Farm Acct. Is there a way I can now use this acct correctly without reinstalling the farm?

In other words, if I have a domain acct called SPFarm in this case, can I now configure the farm to use this named acct after the fact?

I want to start configuring the Service applications accordingly. Perhaps the best approach would be a reinstall at this point.


Solution

I would definitely start from scratch!

The account used for install has special permissions, and if these have been intertwined with the farm account, it is a mess. You will spend far longer trying to undo the security-related problems in the previous install than starting over.

I usually define a managed account for each service application, one for each application pool that needs a security boundary (e.g. Intranet, Extranet), one for the web service application pool, cache accounts (reader and full control), etc.

I also always create an SPAdmin account that is not the same as Install account. This account is farm admin, Shell Admin and local admin (to be able to add solutions, see services on server and manage security). This is the account you give to your administrator to use for high-permission jobs like adding solutions and managing using Central Administration.

Also remember that the farm account is a service account and, like all service accounts, should never be used to log in anywhere. The farm account also needs to be local admin while starting the UPA service instance. The User Profile Synchronization account needs some special ACL permissions on your AD. More info in Spence Harbar's guide here.
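
The following read-only audit is an added example, not part of the answer above. It reports where a farm deviates from the account separation the answer describes: pools running as built-in identities or as the farm account, pools sharing one account, and a farm account left in the local Administrators group. It assumes an elevated SharePoint 2010 Management Shell on a farm server and an English-named local `Administrators` group; the variable names are illustrative.

```powershell
# Added example: read-only audit of service-account separation (PowerShell 2.0 compatible).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$builtIn = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\SYSTEM'
$findings = @()
if ($builtIn -contains $farmAccount) {
    $findings += "Farm account is the built-in identity $farmAccount"
}

# Collect pool identities. Central Administration is excluded by default; it runs as the farm account.
$pools = @()
foreach ($wa in Get-SPWebApplication) {
    $pools += New-Object PSObject -Property @{
        Kind = 'Web'; Pool = $wa.ApplicationPool.Name; Account = $wa.ApplicationPool.Username }
}
foreach ($sp in Get-SPServiceApplicationPool) {
    $pools += New-Object PSObject -Property @{
        Kind = 'Service'; Pool = $sp.Name; Account = $sp.ProcessAccountName }
}
$pools = @($pools | Sort-Object Kind, Pool -Unique)   # several web apps can share one pool

foreach ($p in $pools) {
    if ($builtIn -contains $p.Account) {
        $findings += "$($p.Kind) pool '$($p.Pool)' runs as built-in identity $($p.Account)"
    }
    if ($p.Account -eq $farmAccount) {
        $findings += "$($p.Kind) pool '$($p.Pool)' runs as the farm account"
    }
}

# Pools sharing one account have no security boundary between them; review each case.
foreach ($g in ($pools | Group-Object Account | Where-Object { $_.Count -gt 1 })) {
    $names = ($g.Group | ForEach-Object { $_.Pool }) -join ', '
    $findings += "Account $($g.Name) is shared by pools: $names"
}

# Local Administrators membership via ADSI. Matching is on the short account name,
# so a local account with the same name as the domain account would also match.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($admins -contains ($farmAccount -split '\\')[-1]) {
    $findings += "Farm account is a local administrator (expected only while starting the UPA service instance)"
}

if ($findings.Count -eq 0) { Write-Host "No account separation findings." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```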

OTHER TIPS

The UPS (User Profile Synch) is a tricky one. You may be able to change the service account but run into problems since the FIM service has already been started (probably with wrong permissions).

Technet has a good resource in case you are going to reinstall the farm: http://technet.microsoft.com/en-us/library/ee721049.aspx

Licensed under: CC-BY-SA with attribution