Managed Accounts Password Management - Access Denied

    Question

  • Hi Guys

    Having a couple of issues with enforcing automatic password change within SharePoint 2010, my setup:

    Standard accounts in AD as service accounts - managed accounts do not have the "User cannot change password" option checked...

    Domain Group Policy Config:

    Enforce Password History: 0 passwords remembered
    Max password age: 9 days
    Min password age: 0 days
    Min Length: 2 characters (Purely for testing)
    Password complexity: Disabled

    When trying to change the password through managed accounts I see the following error:

    1. Access Denied

    Do I need to delegate permissions to the timer job service or farm service account in Active Directory?

    Cheers

    David


    Wednesday, March 30, 2011 10:51 AM

Answers

  • Hi David,

    Based on my research, SharePoint Server 2010 uses the Timer Service account and the Win32 API NetUserChangePassword to change the managed account's password.
    From Books Online (BOL), if an application calls the NetUserChangePassword function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits only Domain Admins and Account Operators to call this function.

    So, in this case, you are right. We need to delegate permissions to the timer job to perform the password changing job.

    For more information, please see:
    Configure automatic password change (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/ff724280.aspx#section2
    NetUserChangePassword Function: http://msdn.microsoft.com/en-us/library/aa370650(v=vs.85).aspx

    If you have any more questions, please feel free to ask.

    Thanks,
    Jinchun Chen


    Jin Chen - MSFT
    Sunday, April 03, 2011 6:23 AM
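An added example (not part of the thread above) for auditing and, if needed, delegating the AD extended rights the password change depends on, scoped to the managed account objects only rather than adding the timer service account to Domain Admins. It assumes the ActiveDirectory module (RSAT) on the machine, and the account names `svc-spmanaged` and `CONTOSO\svc-sptimer` are placeholders.

```powershell
# Added example: audit / delegate the password extended rights on a managed account object.
# Assumes the ActiveDirectory module is available; account names below are placeholders.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema (controlAccessRight objects).
$PasswordRights = @{
    'Change Password' = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # requires the old password
    'Reset Password'  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # sets a new one without it
}

function Get-PasswordRightHolders {
    # Lists every trustee whose ACE covers one of the two password rights on the account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # GenericAll includes the ExtendedRight bit; an empty ObjectType means "all extended rights".
        $hasExtended = $ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $hasExtended) { continue }
        foreach ($name in $PasswordRights.Keys) {
            if ($ace.ObjectType -eq $PasswordRights[$name] -or $ace.ObjectType -eq [Guid]::Empty) {
                [pscustomobject]@{
                    Account = $SamAccountName; Right = $name
                    Trustee = $ace.IdentityReference.Value; Type = $ace.AccessControlType
                }
            }
        }
    }
}

function Grant-PasswordRight {
    # Adds a single Allow ACE for one password right to one account object (least privilege).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Trustee,          # e.g. 'CONTOSO\svc-sptimer'
        [ValidateSet('Change Password','Reset Password')][string]$Right = 'Reset Password'
    )
    $dn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $id   = New-Object System.Security.Principal.NTAccount($Trustee)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $id, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $PasswordRights[$Right])
    if ($PSCmdlet.ShouldProcess("$dn", "Grant '$Right' to $Trustee")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

Get-PasswordRightHolders -SamAccountName 'svc-spmanaged' | Format-Table -AutoSize
# Grant-PasswordRight -SamAccountName 'svc-spmanaged' -Trustee 'CONTOSO\svc-sptimer' -WhatIf
```

Run the audit first; if the timer service account does not appear as a trustee for either right, the grant call (shown with `-WhatIf` so it only previews) adds the missing ACE on that one object.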