2013-06-12

After installing SharePoint, you start noticing some health warnings in Central Administration which tell you that you shouldn’t use built-in accounts for application pools or service identities.

For SharePoint 2013, two of the services that you will typically find running under a built-in account are:

  • SharePoint Tracing Service (SPTraceV4)
  • Distributed Cache Service (AppFabricCachingService)

It’s actually pretty easy to change the identities of those services and switch them to a domain account.

Just use the following 2 scripts to make it happen.

SPTraceV4

<#
.SYNOPSIS
   Specify a new service identity for the SPTraceV4 Windows Service.

.DESCRIPTION
   Specify a new service identity for the SPTraceV4 Windows Service.

.NOTES
   File Name: Set-ServiceIdentityForSPTraceV4Service.ps1
   Version  : 1.0

.PARAMETER AccountName
   Specifies the name of the account which will be used (domain\name).

.EXAMPLE
   PS > .\Set-ServiceIdentityForSPTraceV4Service.ps1 -AccountName "westeros\sp_service"

#>
[CmdletBinding()]
param(
   [parameter(Position=0,Mandatory=$true,ValueFromPipeline=$false)]
   [string]$AccountName
)

# Load the SharePoint PowerShell snapin if needed 
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -EA SilentlyContinue) -eq $null)
{
   Write-Host "Loading the SharePoint PowerShell snapin..."
   Add-PSSnapin Microsoft.SharePoint.PowerShell
} 

# Get the tracing service.
$svc = (Get-SPFarm).Services | ? {$_.Name -eq "SPTraceV4"}

# Get the managed account from SharePoint
$svcIdentity = Get-SPManagedAccount $AccountName

# Set the tracing service to run under the managed account.
$svc.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$svc.ProcessIdentity.ManagedAccount = $svcIdentity
$svc.ProcessIdentity.Update()

# This actually changes the "Run As" account of the Windows service.
$svc.ProcessIdentity.Deploy()

# Add the domain account to the local "Performance Log Users" group
# (needed so the account can write the ULS trace logs on this server).
$Domain,$User = $AccountName.Split("\")
Try
{
   ([ADSI]"WinNT://$env:COMPUTERNAME/Performance Log Users,group").Add("WinNT://$Domain/$User")
}
catch
{
   Write-Host "$AccountName is already a member of the Performance Log Users group."
}

After you run this script, make sure that you repeat the last part of the script (the part where the account is added to the Performance Log Users group) on the other servers of your farm as well. Otherwise, the ULS log files on those servers will be created but will stay empty.

AppFabricCachingService

You need to run this script on the server which is used for the Distributed Cache Service.

<#
.SYNOPSIS
   Specify a new service identity for the Distributed Cache Service.

.DESCRIPTION
   Specify a new service identity for the Distributed Cache Service.

.NOTES
   File Name: Set-ServiceIdentityForDistributedCacheService.ps1
   Version  : 1.0

.PARAMETER AccountName
   Specifies the name of the account which will be used (domain\name).

.EXAMPLE
   PS > .\Set-ServiceIdentityForDistributedCacheService.ps1 -AccountName "westeros\sp_service"

#>
[CmdletBinding()]
param(
   [parameter(Position=0,Mandatory=$true,ValueFromPipeline=$false)]
   [string]$AccountName
)

# Load the SharePoint PowerShell snapin if needed 
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -EA SilentlyContinue) -eq $null)
{
   Write-Host "Loading the SharePoint PowerShell snapin..."
   Add-PSSnapin Microsoft.SharePoint.PowerShell
} 

# Get the Distributed Cache service.
$svc = (Get-SPFarm).Services | ? {$_.Name -eq "AppFabricCachingService"}

# Get the managed account from SharePoint
$svcIdentity = Get-SPManagedAccount $AccountName

# Set the Distributed Cache service to run under the managed account.
$svc.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$svc.ProcessIdentity.ManagedAccount = $svcIdentity
$svc.ProcessIdentity.Update()

# This actually changes the "Run As" account of the Windows service.
$svc.ProcessIdentity.Deploy()

Should do the trick.
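To check that both changes actually took effect and to take care of the Performance Log Users membership on every server in the farm (not just the one where the first script ran), here is an added audit script; it is not one of the scripts above. It assumes you run it as a farm administrator who is also a local administrator on each SharePoint server (required for the WinNT:// group operations), and it relies on the SPProcessIdentity.Username and SPServer.Role/Address properties of the object model.

```powershell
# Added audit/remediation script, not one of the author's scripts.
# Assumes the SharePoint snapin is available and that you are a farm admin who is also
# a local admin on every SharePoint server (needed for the WinNT:// group operations).
param(
   [parameter(Mandatory=$true)][string]$AccountName   # domain\name, as in the scripts above
)

if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -EA SilentlyContinue) -eq $null)
{
   Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$Domain,$User = $AccountName.Split("\")
$builtIn = @("LocalSystem", "LocalService", "NetworkService")

# 1. Confirm that neither service still runs under a built-in identity.
foreach ($name in @("SPTraceV4", "AppFabricCachingService"))
{
   $svc = (Get-SPFarm).Services | ? {$_.Name -eq $name}
   if ($svc -eq $null) { Write-Warning "$name is not provisioned in this farm."; continue }
   $id = $svc.ProcessIdentity
   if ($builtIn -contains [string]$id.CurrentIdentityType)
   {
      Write-Warning "$name still runs as $($id.CurrentIdentityType); the health rule will keep firing."
   }
   else
   {
      Write-Host "$name runs as $($id.Username) ($($id.CurrentIdentityType))."
   }
}

# 2. Check, and fix, Performance Log Users membership on every SharePoint server
#    (Role "Invalid" = a server in the farm that does not run SharePoint, e.g. the SQL box).
$servers = Get-SPServer | ? {$_.Role -ne "Invalid"}
foreach ($server in $servers)
{
   $group = [ADSI]"WinNT://$($server.Address)/Performance Log Users,group"
   $members = @($group.psbase.Invoke("Members") |
      % { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
   if ($members -contains $User)
   {
      Write-Host "$($server.Address): $AccountName is already in Performance Log Users."
   }
   else
   {
      Write-Host "$($server.Address): adding $AccountName to Performance Log Users."
      $group.Add("WinNT://$Domain/$User")
   }
}
```

The membership check compares the bare user name only, so a local account with the same name as the domain account would be reported as already present.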

About the author 

Bart Kuppens