Keep service and feature account passwords up-to-date in SharePoint 2013


Applies to: SharePoint Foundation 2013, SharePoint Server 2013

Topic Last Modified: 2014-06-04

Summary: Learn about keeping account passwords current for features and services in SharePoint 2013.

Some SharePoint 2013 services and features must be associated with a Windows account in order to run. SharePoint 2013 records the domain account’s password and uses it to authenticate the account. However, by default, SharePoint 2013 does not automatically update the password when the password is changed in Active Directory Domain Services (AD DS). This means that you must do one of two things:

  • Manually change the passwords for all of the accounts that are used for services or features when the passwords change (not recommended).

  • Create managed accounts in SharePoint 2013 and configure them to use automatic password change (recommended).

    Managed accounts are AD DS user accounts whose credentials SharePoint stores and manages. In addition to storing the credentials, SharePoint can use AD DS domain policies to reset passwords automatically and meet the policy requirements.

To synchronize passwords automatically, you can register managed accounts and configure SharePoint 2013 to change the managed accounts’ passwords according to a schedule. For example, domain policies might require domain account passwords to be changed every 90 days. If you configure managed accounts with automatic password change, SharePoint 2013 automatically generates a new password, updates the password in AD DS, and propagates the changes to other servers in the farm.

For more information about managed accounts, see Managed Accounts in SharePoint 2010 and Plan automatic password change in SharePoint 2013. For information about configuring automatic password change for managed accounts, see Configure automatic password change in SharePoint 2013.
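The registration and scheduling described above can be scripted with the SharePoint 2013 cmdlets `New-SPManagedAccount`, `Set-SPManagedAccount`, and `Get-SPManagedAccount`. The following is an added example, not taken from the original topic. The account name, schedule, and day counts are assumed values. The closing audit lists every managed account and flags those that still rely on manual password changes.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values: replace with your own.
$accountName = 'CONTOSO\svc-sp-search'                      # constructed account name
$schedule    = 'monthly between 7 02:00:00 and 7 03:00:00'  # assumed maintenance window
$preExpire   = 5     # change the password this many days before it expires
$notifyDays  = 10    # send e-mail this many days before the change

# 1. Register the AD DS account as a managed account if it is not registered yet.
$account = Get-SPManagedAccount | Where-Object { $_.Username -eq $accountName }
if (-not $account) {
    # Prompts for the account's current AD DS password; nothing is stored in the script.
    $cred    = Get-Credential $accountName
    $account = New-SPManagedAccount -Credential $cred
}

# 2. Turn on automatic password change for that account on the chosen schedule.
#    E-mail notification requires outgoing e-mail to be configured for the farm.
Set-SPManagedAccount -Identity $account -AutoGeneratePassword:$true `
    -Schedule $schedule -PreExpireDays $preExpire -EmailNotification $notifyDays

# 3. Audit every managed account in the farm: who is on automatic change,
#    and how long until each password expires under the domain policy.
$report = Get-SPManagedAccount | ForEach-Object {
    [pscustomobject]@{
        Username           = $_.Username
        AutomaticChange    = $_.AutomaticChange
        PasswordExpiration = $_.PasswordExpiration
        DaysLeft           = [int]($_.PasswordExpiration - (Get-Date)).TotalDays
    }
}
$report | Sort-Object PasswordExpiration | Format-Table -AutoSize

# Accounts that still need a manual password change when AD DS changes.
$manual = $report | Where-Object { -not $_.AutomaticChange }
foreach ($m in $manual) {
    Write-Warning ("{0}: automatic password change is off; password expires in {1} day(s)." -f `
        $m.Username, $m.DaysLeft)
}
```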

You do not have to synchronize the passwords for the following accounts:
  • Local System account

  • Local Service account

  • Network Service account

Windows Server 2008 R2 and Windows Server 2012 include managed accounts at the operating-system level. Do not use Windows Server 2008 R2 and Windows Server 2012 managed accounts. They are incompatible with SharePoint 2013 managed accounts. For more information, see Group Managed Service Accounts Overview.

When managed accounts are unsuitable, you must change passwords in SharePoint 2013 manually when the passwords change in AD DS. Passwords must be changed manually for the following: