Question

So I did an install of SP2016 as my farmadmin account, and now it's my understanding that it's best practice to change the services to run under a variety of service accounts. For this go, I'm trying to have the following, based on a number of sites/guides I've read:

  • SPServicesSvc (General service acct to run services)
  • SPWebAppSvc (Sometimes seen this called SP_Pool - to run Web Apps in IIS)
  • SPSearchSvc (To run search services)
  • SPTimerSvc (To run timer service)
  • SPUserProfileSvc (To run User Profile service)

This is all in addition to the Farm Admin account.

In Central Admin, under Security -> Manage Service Accounts I was able to:

  • change the default to SPServicesSvc, and any other general services that were originally FarmAdmin from the install.
  • change the search services to SearchSvc.
  • change the Sharepoint - 80 Web App Pool to SPWebAppSvc.

However, this is where it starts to fall apart a bit:

  • The Central Admin app pool isn't there, the way Sharepoint - 80 is, so I'm not sure the best way to change that. I know that just changing it in IIS isn't sufficient, but not sure what is. Nor do I understand why it's missing in the GUI.

  • The Timer service also isn't there. For this case, I read somewhere it's okay to change this in the Windows Services screen directly. Does that seem right?

  • A couple of services under Security -> Manage Service accounts allowed me to change them, but when I look under IIS I still see those listed as the Farm Admin account (even though others, like Sharepoint - 80, do in fact reflect the GUI changes under IIS). These include "Service Application Pool - SharePoint Web Services System" and "Service Application Pool - SecurityTokenServiceApplicationPool". I've tried restarting the services, restarting IIS, rebooting the whole machine...nothing. They remain different in each place.

The User Profile Service seems immensely complicated, so I haven't even tried that one yet...

So the questions I have are: 1. Is this even an okay plan in the first place? Most of what I've read seems to highly encourage changing these accounts, but varies as to how many accounts need to be made/involved. And 2. If this is generally okay, how do I overcome the issues in part two above? (The ones that I haven't been able to change.)

Thank you!


Solution

Central Administration and the Timer Service are run by the Farm Administrator account. You do not need to change these, but you can certainly change what service account runs them (it then becomes your Farm Admin account):

stsadm -o updatefarmcredentials -userlogin DOMAIN\username -password passWord

I generally run Search under the same service account as what your "SPServicesSvc" is fulfilling. Not much need to separate it out.

The following services must run as the Farm Administrator:

  • Central Administration
  • Timer Service
  • Security Token Service Application Pool
  • SharePoint Web Services System
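
To see which identity each component actually runs under, the following audit script (an added example, not part of the original answer) compares the IIS app pool and Timer service identities with the farm account and flags anything that deviates from the list above. It assumes the default IIS pool name "SharePoint Central Administration v4" and the Timer service name SPTimerV4, and must be run in an elevated shell on a farm server.

```powershell
# Added example: read-only audit of service identities on a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Farm account as SharePoint knows it (DOMAIN\user).
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# App pools the answer says must run as the farm account.
# Assumption: default pool names; adjust if your farm uses others.
$mustBeFarm = @(
    'SharePoint Central Administration v4',
    'SecurityTokenServiceApplicationPool',
    'SharePoint Web Services System'
)

# Identity IIS is really using for every app pool.
$rows = @(foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName }
                else { [string]$pm.identityType }   # e.g. ApplicationPoolIdentity
    [pscustomobject]@{
        Component = "AppPool: $($pool.Name)"
        Identity  = $identity
        FarmOnly  = ($mustBeFarm -contains $pool.Name)
    }
})

# The Timer service is a Windows service, not an app pool.
$timer = Get-CimInstance Win32_Service -Filter "Name='SPTimerV4'"
if ($timer) {
    $rows += [pscustomobject]@{
        Component = 'Service: SPTimerV4'
        Identity  = $timer.StartName
        FarmOnly  = $true
    }
}

# Compare each identity with the farm account (case-insensitive).
# Note: an identity stored as user@domain will not match DOMAIN\user.
$rows | ForEach-Object {
    $isFarm = $_.Identity -ieq $farmAccount
    $status = 'OK'
    if ($_.FarmOnly -and -not $isFarm) { $status = 'MISMATCH: expected farm account' }
    elseif (-not $_.FarmOnly -and $isFarm) { $status = 'REVIEW: runs as farm account' }
    $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
} | Sort-Object Status, Component | Format-Table Component, Identity, Status -AutoSize
```

A "REVIEW" row is an app pool that still runs with farm-level rights and is a candidate for moving to a lower-privileged managed account; service application pools may appear in IIS under GUID names rather than their display names.
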
Licensed under: CC-BY-SA with attribution