What is a Managed Account?
A Managed Account is an AD domain account that is registered in SharePoint to run Service Applications and Web Application Pools, with the added advantage that its password can be managed from within SharePoint.
Why do we need a Managed Account?
Versions before SharePoint 2010 ran into problems when AD accounts were used to configure Web Applications: if an AD account's password expired, SharePoint had no way of knowing about it. As a result, every Service or Web Application configured with that account would effectively be locked down.
The solution was Managed Accounts. When adding a Managed Account, we can set a policy that automatically renews the password on a regular basis and pushes the update to AD as well. Thus, all the passwords are kept in synchronization. We can configure managed accounts from the UI as well as with PowerShell.
Change Managed Accounts password from Central Admin
We can configure and change the passwords of existing Managed accounts from the UI by selecting ‘Configure managed accounts’ from the Security tab.
This will list all the managed accounts within the farm. Click the Edit option next to the managed account.
Within the credential management section, check ‘Change password now’. This gives us three options to update the password:
- Generate new password- This auto-generates a new password and assigns it to the managed account, but the password remains hidden from the user who initiated the change. There is no way to know the new password.
- Set account password to new value- This sets a new password and updates it in Active Directory for that account as well as in the SharePoint Managed Account.
- Use existing password- This option updates the SharePoint Managed Account with the account's current AD password. In this way, the AD password is synchronized with the managed account.
Click OK to save the password to the managed account.
Update Managed Account password using PowerShell
Each of the UI options has an equivalent in PowerShell. To use them, open the SharePoint 2016 Management Shell.
Auto generate password
In the UI, we had the option to auto-generate the password, which remains unknown to the end user.
We can achieve the same result with the PowerShell command below:
Set-SPManagedAccount -Identity "AzureAD\SA_ManagedAccount" -AutoGeneratePassword:$true
Set new password
The second option is to set a new password on the managed account.
We can use the script below to assign a new password. On running it, the new password is updated in the AD account as well as in the managed account.
Set-SPManagedAccount -Identity "AzureAD\SA_ManagedAccount" -NewPassword (ConvertTo-SecureString "password-2" -AsPlainText -Force) -SetNewPassword
We can check this from the managed accounts page.
Set Existing password
We can set the existing password of the AD account on the managed account by running the script below:
Set-SPManagedAccount -Identity "AzureAD\SA_ManagedAccount" -ExistingPassword (ConvertTo-SecureString "password-1" -AsPlainText -force)
This method can be used to synchronize the AD user password with the managed user account password.
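The "Set new password" and "Set Existing password" commands above embed the password as a plain-text literal, which ends up in script files and command history. The following is an added example, not part of the original article, that performs the same two operations but reads the password interactively as a SecureString. The $Mode parameter is hypothetical, the account name is the article's sample value, and -ConfirmPassword is a parameter of Set-SPManagedAccount that the article's command does not show.

```powershell
# Added example (not from the original article).
# Run in the SharePoint 2016 Management Shell as a farm administrator.
param(
    [string]$Account = 'AzureAD\SA_ManagedAccount',   # sample account name from the article
    [ValidateSet('New', 'Existing')]
    [string]$Mode = 'New'                             # hypothetical switch between the two operations
)

# Load the SharePoint cmdlets when running outside the Management Shell.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Fail early if the account is not registered as a managed account in this farm.
$managed = Get-SPManagedAccount -Identity $Account -ErrorAction Stop

if ($Mode -eq 'New') {
    # Read-Host -AsSecureString keeps the value out of the script file
    # and out of the command history.
    $new     = Read-Host -AsSecureString -Prompt "New password for $Account"
    $confirm = Read-Host -AsSecureString -Prompt 'Confirm new password'

    # -SetNewPassword writes the new value to AD and to the managed account;
    # -ConfirmPassword takes the second entry.
    Set-SPManagedAccount -Identity $managed -NewPassword $new `
        -ConfirmPassword $confirm -SetNewPassword
}
else {
    # The password was already changed in AD; this only resynchronizes SharePoint.
    $current = Read-Host -AsSecureString -Prompt "Current AD password for $Account"
    Set-SPManagedAccount -Identity $managed -ExistingPassword $current
}

# Review the account state afterwards; no secret is displayed.
Get-SPManagedAccount -Identity $Account |
    Select-Object UserName, AutomaticChange, PasswordExpiration
```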
Summary
Thus, we saw how to configure and change the passwords of Managed Accounts in SharePoint 2016, using Central Administration and PowerShell.