Change passwords for administration accounts and service accounts (Search Server 2008)
Applies To: Microsoft Search Server 2008
Topic Last Modified: 2009-05-21
Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.
Use the procedures in this task to change the passwords for services, application pool identities, and accounts used in Search Server 2008. Domain policies often require that domain account passwords be updated periodically. This change provides additional security in case a password becomes compromised. You can configure each service, application pool identity, and account of Search Server 2008 to run as domain accounts. Because domain policy might require passwords to expire regularly, you might have to change passwords for search-related user accounts for search to continue to function properly.
If the service, feature, or application pool is running as a built-in account, such as Network Service, the password does not expire and therefore does not need to be updated.
The passwords will need to be updated only if they are running under a domain account and domain policies require passwords to be updated.
Passwords for the following must be updated after the passwords are changed on the domain controller:
SQL Server (MSSQLSERVER) service
SQL Server Agent (MSSQLSERVER) service
SQL Server Full Text Search (MSSQLSERVER) service
The SQL Server services listed above are installed if the installation of Search Server uses Microsoft SQL Server 2005 or Microsoft SQL Server 2008.
SQL Server (OFFICESERVER) service
This service is installed only if the Search Server installation uses Microsoft SQL Server 2005 Express or Microsoft SQL Server 2008 Express.
SharePoint Central Administration v3 application pool account
Office SharePoint Server Search service
The content access account for the Windows SharePoint Services Search service
The content access account for the Office SharePoint Server Search service
Windows SharePoint Services Search service
Shared Services Provider application pool account
Windows SharePoint Services Timer service
Application pool identity for Search Server 2008
The OfficeServerApplicationPool identity runs as the Network Service account and will not to have to be changed.
Procedures to change passwords for administrative accounts and service accounts
Some of the following procedures require that a Web application service or Windows service be restarted. This might cause services or content to be momentarily unavailable to users. Each procedure listed states what must be restarted and the possible impact on users.
Each procedure states the level of access required to perform the procedure.
These procedures can only be performed after the password has been changed on the domain controller. The credentials entered are checked against those on the domain controller. If you enter the new password before the password has been changed on the domain controller, an error will result and the settings will not be changed.
To change the passwords, perform the following procedures:
If Microsoft Search Server 2008 is installed in a least-privilege configuration, use one of the following methods to enable the password to be changed:
To change the password by using the Central Administration Web site, use the Services MMC snap-in to start the Windows SharePoint Services Administration (SPAdmin) service on all computers in the farm that are running Search Server before you update the password. Stop the SPAdmin service when the password update is complete.
To change the password by using the Stsadm command-line tool, add the server farm account (also known as the database access account) to the Administrators group on each computer that has the query server role enabled. Log on using that account, and then use the Stsadm operation to update the password. When the password update is complete, remove the database access account from the Administrators group on each computer.