Plan automatic password change in SharePoint Server

Summary: Learn about automatic password changes and how to deploy them in SharePoint 2013 and SharePoint Server 2016.

To simplify password management, the automatic password change feature lets you update and deploy passwords without performing manual password update tasks across multiple accounts, services, and web applications. You can configure the feature to detect that a password is about to expire and to reset it to a long, cryptographically strong random string. To use automatic password change, you must first configure managed accounts.

Configure managed accounts

SharePoint Server lets you create managed accounts to improve security and enforce application isolation. With managed accounts, you can configure the automatic password change feature to deploy passwords to all services in the farm. You can configure SharePoint web applications and the services that run on application servers in a SharePoint farm to use different domain accounts: create multiple accounts in Active Directory Domain Services (AD DS), register each of them in SharePoint Server, and map the managed accounts to the various services and web applications in the farm.

Reset passwords automatically on a schedule

Before the automatic password change feature existed, updating a password meant resetting the account password in AD DS and then manually updating that password for every service running on every computer in the farm, either by running the Stsadm command-line tool or by using the SharePoint Central Administration web application. With automatic password change, you register managed accounts and let SharePoint Server control the account passwords. Users still have to be notified about planned password changes and the related service interruptions, but the accounts used by the SharePoint farm, web applications, and services can be reset and deployed within the farm automatically, as needed, based on individually configured password reset schedules.

Detect password expiration

IT departments typically impose a policy that all domain account passwords be reset regularly, for example every 60 days. SharePoint Server can be configured to detect imminent password expiration and send an e-mail notification to a designated administrator. It can also be configured to generate and reset passwords automatically, without administrator intervention. The automatic reset schedule is configurable so that the impact of any service interruption during a password reset is minimal.
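The following PowerShell is an example added to this page, not code from the page itself or from the product documentation. It registers a service account as a managed account with New-SPManagedAccount, enables scheduled automatic password change with Set-SPManagedAccount, and then lists every managed account whose AD DS password expires soon. The account name CONTOSO\svc-sp-app, the monthly maintenance window, and the 7-day and 14-day thresholds are assumed values; the PasswordExpiration, AutomaticChange and ChangeSchedule property names are those of the SPManagedAccount object as understood by the author of this example.

```powershell
# Added example: register a managed account and enable scheduled automatic password change.
# Run in an elevated SharePoint Management Shell as a farm administrator.
# Account name, schedule and day counts are assumed values; align them with your farm policy.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$accountName = "CONTOSO\svc-sp-app"   # assumed service account; it must already exist in AD DS

# Register the account only if the farm does not already know it.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    # Prompts for the account's current AD DS password; SharePoint stores it in the
    # configuration database and uses it until the first automatic change.
    $cred = Get-Credential -UserName $accountName -Message "Current password for $accountName"
    $managed = New-SPManagedAccount -Credential $cred
}

# Let SharePoint generate the next password and write it to AD DS on a schedule:
# monthly, on day 1 between 02:00 and 03:00 (an assumed maintenance window).
# -PreExpireDays   : change the password this many days before AD DS expiry, even if the
#                    schedule has not fired yet, so the account never lapses.
# -EmailNotification: e-mail farm administrators this many days before the scheduled change.
Set-SPManagedAccount -Identity $managed `
    -AutoGeneratePassword `
    -Schedule "monthly between 1 02:00:00 and 1 03:00:00" `
    -PreExpireDays 7 `
    -EmailNotification 14 `
    -Confirm:$false

# Expiry report: every managed account whose AD DS password expires within 14 days, with
# whether automatic change is on, so an administrator can catch accounts left on manual handling.
$threshold = (Get-Date).AddDays(14)
Get-SPManagedAccount |
    Where-Object { $_.PasswordExpiration -lt $threshold } |
    Select-Object UserName, PasswordExpiration, AutomaticChange,
        @{ Name = "Schedule"; Expression = {
            if ($_.ChangeSchedule) { $_.ChangeSchedule.ToString() } else { "none" } } } |
    Format-Table -AutoSize
```

The -Schedule string follows the "daily/weekly/monthly between ... and ..." form the cmdlet accepts; any account that shows AutomaticChange False in the report is still on manual handling and will break on expiry unless someone resets it.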

Reset the account password immediately

You can always override an automatic password reset schedule and force an immediate service account password reset with a specific password value. In this case SharePoint Server also changes the service account password in AD DS, and the new password is immediately propagated to the other servers in the farm.

Synchronize SharePoint Foundation account passwords with Active Directory Domain Services

If the AD DS and SharePoint Server account passwords are out of sync, services in the SharePoint farm will not start. If an Active Directory administrator changes an account password without coordinating with a SharePoint administrator, there is a risk of service interruption. In this scenario the SharePoint administrator can immediately reset the password from the Account Management page, supplying the value that was set in AD DS. The password is updated and immediately propagated to the other servers in the SharePoint farm.
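The two immediate operations described in the preceding two sections, as an added PowerShell example that is not part of the original page: the first sets a chosen new password and has SharePoint change it in AD DS and propagate it; the second tells SharePoint a password that was already changed in AD DS so the farm's stored credential catches up. A third function lists the service application pools and web applications that run as the account, which is what will restart when the change propagates. The function names and the account CONTOSO\svc-sp-search are assumptions; the ProcessAccountName and ApplicationPool.Username property paths are those of the SPServiceApplicationPool and SPWebApplication objects as understood by the author of this example.

```powershell
# Added example: immediate, out-of-schedule password operations on a managed account.
# Run in an elevated SharePoint Management Shell as a farm administrator; names are assumed.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Blast radius check: which pools and web applications run as this account and will be
# restarted when the new password is pushed out.
function Get-ManagedAccountConsumers {
    param([Parameter(Mandatory)][string]$Identity)
    Get-SPServiceApplicationPool |
        Where-Object { $_.ProcessAccountName -eq $Identity } |
        Select-Object @{ n = "Type"; e = { "ServiceApplicationPool" } }, Name
    Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.ApplicationPool.Username -eq $Identity } |
        Select-Object @{ n = "Type"; e = { "WebApplication" } }, @{ n = "Name"; e = { $_.DisplayName } }
}

# Case 1: you choose the new value. SharePoint changes the password in AD DS and then
# propagates it to every server in the farm. Read it without echo so it never lands in the
# console transcript or history as plain text.
function Set-ManagedAccountNewPassword {
    param([Parameter(Mandatory)][string]$Identity)
    $new     = Read-Host -AsSecureString "New password for $Identity"
    $confirm = Read-Host -AsSecureString "Confirm new password"
    Set-SPManagedAccount -Identity $Identity `
        -NewPassword $new -ConfirmPassword $confirm `
        -SetNewPassword -Confirm:$false
}

# Case 2: an AD DS administrator already changed the password outside SharePoint and the
# farm's services will fail to start. Give SharePoint the existing AD DS value: nothing is
# written to AD DS; only the farm's stored credential is updated and propagated.
function Sync-ManagedAccountExistingPassword {
    param([Parameter(Mandatory)][string]$Identity)
    $existing = Read-Host -AsSecureString "Current AD DS password for $Identity"
    Set-SPManagedAccount -Identity $Identity `
        -ExistingPassword $existing -UseExistingPassword -Confirm:$false
}

# Usage (assumed account): see what depends on it, then pick the case that applies.
$account = "CONTOSO\svc-sp-search"
Get-ManagedAccountConsumers -Identity $account | Format-Table -AutoSize
Set-ManagedAccountNewPassword -Identity $account
# Sync-ManagedAccountExistingPassword -Identity $account   # use instead when AD DS was changed first
```

Run the consumer listing first: if the account backs the search topology, the 3 to 5 minutes of query downtime noted later on this page applies, so schedule the reset accordingly.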

Reset all passwords immediately

If an administrator suddenly leaves your organization, or the service account passwords must be reset immediately for any other reason, you can quickly write a Microsoft PowerShell script that calls the password change cmdlets to generate new random passwords and deploy them immediately.
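A script of the kind this section describes, added here as an example and not taken from the page or from Microsoft: it generates a fresh random password for every managed account from the operating system's cryptographic random number generator, guarantees a character from each class so the domain complexity policy is met, and pushes each one through Set-SPManagedAccount so that SharePoint changes it in AD DS and propagates it across the farm. Nobody, including the operator, sees the new values. The exclusion list, the 32-character length and the function names are assumptions.

```powershell
# Added example: emergency rotation of every managed account to a new random password.
# Run in an elevated SharePoint Management Shell as a farm administrator, inside a
# maintenance window, because dependent services restart as each account is changed.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Builds a password as a SecureString using the OS CSPRNG (never Get-Random, which is not
# cryptographic). At least one character from each class satisfies Windows complexity policy;
# the remainder is drawn from the union and the whole thing is shuffled.
function New-RandomPassword {
    param([int]$Length = 32)   # assumed length; well above any domain minimum
    $classes = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!#$%&*+-=?@^_'
    )
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf  = New-Object byte[] 4
    # Uniform-enough index in [0, Max): Max is at most 75 here, so modulo bias over 2^32 is negligible.
    $next = { param([int]$Max); $rng.GetBytes($buf); [int]([BitConverter]::ToUInt32($buf, 0) % $Max) }

    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(& $next $set.Length)]) }
    $all = @(); foreach ($set in $classes) { $all += $set }
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }
    # Fisher-Yates shuffle so the four guaranteed characters are not always the first four.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    # The plain string exists only for this call; it is never written to a variable that outlives it.
    ConvertTo-SecureString -String (-join $chars.ToArray()) -AsPlainText -Force
}

function Reset-AllManagedAccountPasswords {
    param(
        # Accounts to leave alone, e.g. one shared with a system outside the farm (assumed, empty by default).
        [string[]]$Exclude = @()
    )
    foreach ($account in Get-SPManagedAccount) {
        if ($Exclude -contains $account.UserName) {
            [pscustomobject]@{ Account = $account.UserName; Result = "skipped"; Error = $null }
            continue
        }
        try {
            $secret = New-RandomPassword
            # -SetNewPassword: SharePoint changes the password in AD DS, then propagates it farm-wide.
            Set-SPManagedAccount -Identity $account `
                -NewPassword $secret -ConfirmPassword $secret `
                -SetNewPassword -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Account = $account.UserName; Result = "rotated"; Error = $null }
        }
        catch {
            # Keep going: one failure must not leave the other accounts on a possibly known password.
            [pscustomobject]@{ Account = $account.UserName; Result = "FAILED"; Error = $_.Exception.Message }
        }
    }
}

$report = Reset-AllManagedAccountPasswords -Exclude @("CONTOSO\svc-sp-shared")   # assumed exclusion
$report | Format-Table -AutoSize

# Make the run fail loudly if anything was left unrotated, so an operator or scheduler notices.
if ($report | Where-Object { $_.Result -eq "FAILED" }) {
    Write-Error "One or more managed accounts were not rotated; review the report and retry those accounts."
}
```

Because each rotation restarts the services that depend on the account, run this during a maintenance window and follow it with the e-mail status notifications SharePoint sends to farm administrators, described in the next section, to confirm every change committed.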

Credential change process

When SharePoint Server changes the credentials of a managed account, the credential change process runs on one server in the farm. Every server in the farm is notified that the credentials are about to change, so that it can perform any critical pre-change actions that are necessary. If the account password has not yet been changed, SharePoint Server attempts to change it, using either a manually entered password or a long, cryptographically strong random string. The complexity settings are read from the applicable password policy (domain or local), and the generated password satisfies the settings that were detected. SharePoint Server then attempts to commit the password change; if the commit fails, it retries a specified number of times. When the account password update succeeds, the process moves on to the next dependent service, where it again attempts to commit the password change. If the process ultimately succeeds, each dependent service is notified that it can resume normal activity. Whether the password change commits or fails, SharePoint Server generates an automatic password change status notification and sends it by e-mail to the farm administrators.

Service impact when you change passwords

[!NOTE] When an administrator performs a password change for the servers in the SharePoint search topology, there is an implied query downtime while the services restart. The query downtime is typically 3 to 5 minutes.

See also

Concepts

Configure automatic password change in SharePoint Server