Configure automatic password change in SharePoint Server

Summary: Learn how to configure automatic password changes in SharePoint Server 2016 and SharePoint 2013.

Automatic password change lets SharePoint Server generate a long, random password for a managed account on a schedule that you determine. The generated password is changed in Active Directory Domain Services (AD DS), stored encrypted in the farm configuration database, and pushed to every server in the farm, so no administrator ever has to know or type it.

Configure managed accounts

A managed account has to be registered with the farm before multiple services can use it. You register a managed account on the Register Managed Account page of the SharePoint Central Administration website. That page offers no option to create an account in AD DS or on the local computer; its options register an account that already exists with the SharePoint Server farm. Follow the procedure below to configure managed account settings in Central Administration.

To configure managed account settings by using Central Administration

  1. Verify that the user account that is performing this procedure is a farm administrator.

  2. In Central Administration, select Security.

  3. Under General Security, click Configure managed accounts.

  4. On the Managed Accounts page, click Register Managed Account.

  5. In the Account Registration section of the Register Managed Account page, enter the service account credentials.

  6. In the Automatic Password Change section, select the Enable automatic password change check box to let SharePoint Server manage the password for the selected account. Then enter a numeric value: the number of days before the password expires at which the automatic password change process is started.

  7. In the Automatic Password Change section, select the Start notifying by e-mail check box, and then enter the number of days before the automatic password change process starts at which an e-mail notification is sent. You can then set a weekly or monthly e-mail notification schedule.

  8. Click OK.
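The same registration and automatic-change settings can be applied from the SharePoint Management Shell, which is easier to repeat across accounts and to keep under change control than the Central Administration page. The script below is an added example, not code from the original page or from Microsoft; the account name CONTOSO\svc-sp-app, the schedule window and the day counts are assumed values.

```powershell
# Added example (not from the original page): register an existing AD DS
# account as a managed account and enable automatic password change for it.
# Assumed: the account CONTOSO\svc-sp-app exists in AD DS, and you run this in
# the SharePoint Management Shell as a farm administrator with SPShellAdmin rights.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'CONTOSO\svc-sp-app'   # assumed: an existing AD DS service account

# Register the existing account. Get-Credential prompts for the current AD DS
# password, so it never ends up in a script file or in the console history.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    $cred    = Get-Credential -UserName $accountName -Message "Current AD DS password for $accountName"
    $managed = New-SPManagedAccount -Credential $cred
}

# Enable automatic password change (same fields as the Central Administration page):
#  -AutoGeneratePassword  SharePoint generates the new password itself
#  -Schedule              when the change runs (weekly window, assumed values)
#  -PreExpireDays         start the change this many days before the AD DS expiry
#  -EmailNotification     send the warning e-mail this many days before the change
Set-SPManagedAccount -Identity $managed `
    -AutoGeneratePassword $true `
    -Schedule 'weekly between Sat 01:00:00 and Sat 03:00:00' `
    -PreExpireDays 7 `
    -EmailNotification 3 `
    -Confirm:$false

# Verify what the farm now believes about every managed account. An account
# with AutomaticChange = False and a near PasswordExpiration is the one that
# will cause an outage.
Get-SPManagedAccount |
    Select-Object Username, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Format-Table -AutoSize
```

Pick a change window when the search query service can afford the restart described under Imminent password expiration below, and keep the PreExpireDays value comfortably larger than the longest time the farm could go without the timer job running (a patch weekend, for example).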

Configure automatic password change settings

Use the Password Management Settings page in Central Administration to configure the farm-level settings for automatic password change. Farm administrators can set the notification e-mail address to which all password change notification e-mails are sent, as well as the monitoring and scheduling options. Follow the procedure below to configure automatic password change settings in Central Administration.

To configure automatic password change settings by using Central Administration

  1. Verify that the user account that is performing this procedure is a farm administrator.

  2. On the Central Administration Home page, click Security.

  3. Under General Security, click Configure password change settings.

  4. In the Notification E-Mail Address section of the Password Management Settings page, enter the e-mail address of the person or group to be notified of imminent password change or expiration events. A group or distribution list is the safer choice: a warning sent to a single administrator who is on leave is a warning nobody reads.

  5. In the Account Monitoring Process Settings section, enter the number of days before password expiration at which a notification is sent to the address configured in the Notification E-Mail Address section. This setting covers managed accounts for which automatic password change is not configured.

  6. In the Automatic Password Change Settings section, enter the number of seconds that automatic password change waits, after notifying services of a pending password change, before it starts the change. Then enter the number of times a password change is attempted before the process gives up.

  7. Click OK.
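The farm-level values on the Password Management Settings page are properties of the SPFarm object, so they can be set and audited from the SharePoint Management Shell. The script below is an added example, not code from the original page or from Microsoft. The property names are the ones the SharePoint object model exposes on SPFarm; confirm them on your build with `Get-SPFarm | Get-Member -Name *Password*` before relying on the script. The e-mail address, day count, guard time and retry count are assumed values.

```powershell
# Added example (not from the original page): set the farm-level Password
# Management Settings by writing the SPFarm properties that the Central
# Administration page edits. Verify the property names on your build with
#   Get-SPFarm | Get-Member -Name *Password*
# All values below are assumed; run as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm

# Notification E-Mail Address: a group mailbox, so the warning is still read
# when an individual administrator is away.
$farm.PasswordChangeEmailAddress = 'sp-admins@contoso.com'   # assumed address

# Account Monitoring Process Settings: days before AD DS expiry at which to warn
# about managed accounts that are NOT under automatic change.
$farm.DaysBeforePasswordExpirationToSendEmail = 14

# Automatic Password Change Settings
$farm.PasswordChangeGuardTime    = 120   # seconds to wait after notifying services
$farm.PasswordChangeMaximumTries = 3     # stop after this many failed attempts

# Persist to the configuration database.
$farm.Update()

# Read back what was stored; this is also a cheap compliance check to run
# periodically, since anyone with farm admin rights can silently change these.
Get-SPFarm | Select-Object PasswordChangeEmailAddress,
                           DaysBeforePasswordExpirationToSendEmail,
                           PasswordChangeGuardTime,
                           PasswordChangeMaximumTries
```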

Troubleshooting automatic password change

Use the following guidance to avoid the most common problems that occur when you configure automatic password change.

Password mismatch

If the automatic password change process fails because the password in AD DS no longer matches the one that SharePoint Server holds, the change process can result in access denied at logon, an account lockout, or AD DS read errors. If any of these occur, make sure that the AD DS password is set correctly and that the AD DS account has the read access that setup requires. Check for an existing lockout in AD DS before you retry: every server that tries to log on with the stale password counts against the account lockout threshold, so repeated retries make the situation worse. Then use Microsoft PowerShell to correct the mismatch, and resume the password change process.

To correct a password mismatch by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Any memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permission to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For more information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following:

    Set-SPManagedAccount [-Identity] <SPManagedAccountPipeBind> -ExistingPassword <SecureString> -UseExistingPassword $true
    

    For more information, see Set-SPManagedAccount.
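A worked form of the mismatch repair, added here as an example and not taken from the original page or from Microsoft. Before the password is handed to SharePoint it is validated against the domain, because writing a wrong password into the configuration database propagates it to every server in the farm and produces exactly the lockouts the text warns about. The account name CONTOSO\svc-sp-app is assumed.

```powershell
# Added example (not from the original page): bring SharePoint back in sync
# with the password that AD DS currently has for a managed account.
# Assumed: the managed account CONTOSO\svc-sp-app; run in the SharePoint
# Management Shell on a farm server as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$accountName  = 'CONTOSO\svc-sp-app'           # assumed managed account
$domain, $sam = $accountName -split '\\', 2     # 'CONTOSO', 'svc-sp-app'

# Prompt for the password that is CURRENT in AD DS. Never put it in the script.
$secure = Read-Host -Prompt "Current AD DS password for $accountName" -AsSecureString

# Validate it against the domain before touching SharePoint. ValidateCredentials
# needs a plain string, so the SecureString is decoded into an unmanaged buffer
# that is zeroed as soon as the check is done.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $ctx   = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
    $valid = $ctx.ValidateCredentials($sam, $plain)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

if (-not $valid) {
    # A locked-out account also fails here; clear the lockout in AD DS first.
    throw "AD DS rejected the password for $accountName. Fix it in AD DS (and check for a lockout) before updating SharePoint."
}

# Tell SharePoint to use the password AD DS already has and push it to every
# server in the farm. This is the Set-SPManagedAccount form from the procedure.
Set-SPManagedAccount -Identity $accountName -ExistingPassword $secure -UseExistingPassword $true -Confirm:$false

# Confirm the account is in sync and see when the next expiry is due.
Get-SPManagedAccount -Identity $accountName |
    Select-Object Username, PasswordExpiration, AutomaticChange
```

If ValidateCredentials fails even with the password you believe is correct, stop and look at the account in AD DS (lockout status, expiry, "user must change password at next logon") rather than trying further values; each failed attempt is one more bad logon against the lockout counter.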

Service account provisioning failure

If service account provisioning or re-provisioning fails on one or more servers in the farm, check the status of the Timer Service (SPTimerV4). If the Timer Service has stopped, restart it. Consider using the following Stsadm command to run the Timer Service administration jobs immediately instead of waiting for the next cycle: stsadm -o execadmsvcjobs (the PowerShell equivalent is Start-SPAdminJob).

If restarting the Timer Service does not resolve the issue, use PowerShell to repair the managed account on each server in the farm that has experienced a provisioning failure.

To resolve a service account provisioning failure

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Any memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permission to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For more information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following:

    Repair-SPManagedAccountDeployment
    

    For more information, see Repair-SPManagedAccountDeployment.

If the previous procedure does not resolve the provisioning failure, the likely cause is that the copy of the farm passphrase stored on the affected server no longer matches the farm's, so the farm encryption key that protects the managed account passwords cannot be decrypted on that server. If this is the issue, use PowerShell to update the local server passphrase to match the passphrase for the farm.

To update the local server passphrase

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Any memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permission to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For more information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following:

    Set-SPPassPhrase -PassPhrase <SecureString> -ConfirmPassPhrase <SecureString> -LocalServerOnly $true
    

    For more information, see Set-SPPassPhrase.
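The two provisioning-failure procedures above, in the order the text gives them, as a single added example (not code from the original page or from Microsoft): check the Timer and Administration services on every SharePoint server, run the administration jobs and the repair, and only when explicitly asked re-enter the farm passphrase on the local server. The service names SPTimerV4 and SPAdminV4 are SharePoint's own; the only other assumption is that the script runs in the SharePoint Management Shell on a farm server as a farm administrator who is also a local administrator on the other servers.

```powershell
# Added example (not from the original page): provisioning-failure recovery.
# Usage:  .\Repair-ManagedAccounts.ps1                    (services + repair)
#         .\Repair-ManagedAccounts.ps1 -ResetLocalPassPhrase  (also re-enter passphrase)
param([switch]$ResetLocalPassPhrase)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Timer Service (SPTimerV4) and Administration service (SPAdminV4) on every
#    server that runs SharePoint. Database-only servers report Role = Invalid.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    foreach ($name in 'SPTimerV4', 'SPAdminV4') {
        $svc = Get-Service -ComputerName $server.Address -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "$($server.Address): service $name not found"
            continue
        }
        if ($svc.Status -ne 'Running') {
            Write-Warning "$($server.Address): $name is $($svc.Status); starting it"
            $svc.Start()     # needs local Administrators rights on that server
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        }
    }
}

# 2. Run the pending administration timer jobs now (PowerShell counterpart of
#    stsadm -o execadmsvcjobs) so the re-provisioning is not left waiting.
Start-SPAdminJob -ErrorAction SilentlyContinue

# 3. Re-deploy the managed account credentials to every server in the farm.
Repair-SPManagedAccountDeployment

# 4. Only if the failure persists on THIS server: its stored copy of the farm
#    passphrase probably differs from the farm's. Re-enter the passphrase that
#    was chosen when the farm was created. It is read as a SecureString and is
#    never written to disk or to the console history.
if ($ResetLocalPassPhrase) {
    $pass    = Read-Host -Prompt 'Farm passphrase'         -AsSecureString
    $confirm = Read-Host -Prompt 'Confirm farm passphrase' -AsSecureString
    Set-SPPassPhrase -PassPhrase $pass -ConfirmPassPhrase $confirm -LocalServerOnly $true -Confirm:$false
    # Re-run the repair now that this server can decrypt the farm key again.
    Repair-SPManagedAccountDeployment
}
```

Run the script on the server that reports the failure. Note that -LocalServerOnly does not change the farm passphrase; it corrects the local copy, so you need the passphrase the farm already has, not a new one.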

Imminent password expiration

If a password is about to expire but automatic password change has not been configured for the account, use PowerShell to update the account password to a new value, either one chosen by the administrator or one generated automatically. After you have updated the password, make sure that the Timer Service is started and the Administration service is enabled on all servers in the farm; the timer jobs are what propagate the change to every server.

Note

When an administrator performs a password change for the servers in the SharePoint search topology, there is an implied query downtime while the services are restarted. The query downtime is typically in the range of 3 to 5 minutes, so schedule the change in a maintenance window.

To update the account password

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Any memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permission to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For more information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. To update the account password to a new, automatically generated value, type the following at the PowerShell command prompt:

    Set-SPManagedAccount [-Identity] <SPManagedAccountPipeBind> -AutoGeneratePassword $true
    

    For more information, see Set-SPManagedAccount.
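The procedure above assumes you already know which account is about to expire. The added example below (not code from the original page or from Microsoft) finds every managed account that is not under automatic change and whose password expires within a window, rotates each to a SharePoint-generated password, and then checks that the Timer Service is running and the Administration service is not disabled on every SharePoint server, as the text requires for propagation. The 14-day window is an assumed value; SPTimerV4 and SPAdminV4 are SharePoint's service names.

```powershell
# Added example (not from the original page): rotate managed accounts that are
# close to expiry and not self-rotating, then verify the propagation services.
# Assumed: a 14-day window; run in the SharePoint Management Shell on a farm
# server as a farm administrator, inside a maintenance window (search restarts).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$windowDays = 14                                  # assumed lead time
$deadline   = (Get-Date).AddDays($windowDays)

# Managed accounts that expire inside the window and are not under automatic change.
$atRisk = Get-SPManagedAccount | Where-Object {
    -not $_.AutomaticChange -and $_.PasswordExpiration -le $deadline
}

if (-not $atRisk) {
    Write-Host "No managed account without automatic change expires within $windowDays days."
    return
}

Write-Host 'Rotating:'
$atRisk | Select-Object Username, PasswordExpiration | Format-Table -AutoSize

foreach ($account in $atRisk) {
    # SharePoint generates the new password, changes it in AD DS and pushes it to
    # all servers; no administrator sees or types it.
    Set-SPManagedAccount -Identity $account -AutoGeneratePassword $true -Confirm:$false
}

# Propagation runs through timer jobs, so every SharePoint server needs the
# Timer Service running and the Administration service at least enabled.
# Win32_Service exposes StartMode on older Windows PowerShell versions too.
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    $services = Get-WmiObject -Class Win32_Service -ComputerName $server.Address `
                              -Filter "Name='SPTimerV4' OR Name='SPAdminV4'"
    foreach ($svc in $services) {
        if ($svc.Name -eq 'SPTimerV4' -and $svc.State -ne 'Running') {
            Write-Warning "$($server.Address): SPTimerV4 is $($svc.State); starting it"
            [void]$svc.StartService()
        }
        if ($svc.Name -eq 'SPAdminV4' -and $svc.StartMode -eq 'Disabled') {
            Write-Warning "$($server.Address): SPAdminV4 is Disabled; enable it (Manual) so the change can be applied there"
        }
    }
}

# Check the result: every rotated account should now show a future expiry.
Get-SPManagedAccount |
    Select-Object Username, PasswordExpiration, AutomaticChange |
    Format-Table -AutoSize
```

Rotating only buys time; the durable fix for an account that shows up in this list is to enable automatic password change for it (the first procedure on this page), so it does not reappear on the next run.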

Requirement to change the farm account to a different account

If you must change the farm account to a different account, use the following Stsadm command: stsadm.exe -o updatefarmcredentials -userlogin DOMAIN\username -password password. The password is passed on the command line in plain text, so run it from an interactive console rather than a script, and clear the console history afterwards; anyone who can list processes on the server while the command runs can read the command line.