Managed Accounts Password Management - Access Denied

  • Question

  • Hi Guys

    Having a couple of issues with enforcing automatic password change within SharePoint 2010, my setup:

    Standard accounts in AD as service accounts - managed accounts do not have the "User cannot change password" option checked...

    Domain Group Policy Config:

    Enforce Password History: 0 passwords remembered
    Max password age: 9 days
    Min password age: 0 days
    Min Length: 2 characters (Purely for testing)
    Password complexity: Disabled

    When trying to change the password through managed accounts I see the following error:

    1. Access Denied

    Do I need to delegate permissions to the timer job service or farm service account in Active Directory?




    Wednesday, March 30, 2011 10:51 AM


  • Hi David,

    Based on my research, SharePoint Server 2010 uses the Timer Service account and the Win32 API NetUserChangePassword to change the managed account's password.
    From Books Online (BOL): if an application calls the NetUserChangePassword function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits only Domain Admins and Account Operators to call this function.

    So, in this case, you are right. We need to delegate permissions to the timer job to perform the password-changing job.

    For more information, please see:
    Configure automatic password change (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/ff724280.aspx#section2
    NetUserChangePassword Function: http://msdn.microsoft.com/en-us/library/aa370650(v=vs.85).aspx

    If you have any more questions, please feel free to ask.

    Jinchun Chen

    Jin Chen - MSFT
    Sunday, April 3, 2011 6:23 AM
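
The following PowerShell diagnostic is an added example and is not part of the thread or of SharePoint's own tooling. It checks, from the defender's side, the three things the answer above says matter for the "Access Denied": the managed account's "User cannot change password" flag, the domain password policy the change must satisfy, and the ACEs on the account object that grant the Change-Password / Reset-Password extended rights, so you can see whether the identity the Timer Service runs as is actually covered before widening any delegation. It assumes the RSAT ActiveDirectory module is installed; the account names `CONTOSO\svc_sp_app` and `CONTOSO\svc_sp_farm` are placeholders, and the extended-right GUIDs are the schema values for User-Change-Password and User-Force-Change-Password.

```powershell
# Added diagnostic (not from the thread). Replace the placeholder account names.
param(
    [string]$ManagedAccount       = 'CONTOSO\svc_sp_app',   # placeholder: SharePoint managed account
    [string]$TimerServiceIdentity = 'CONTOSO\svc_sp_farm'   # placeholder: identity the SharePoint Timer Service runs as
)

Import-Module ActiveDirectory

# Schema GUIDs of the two password-related extended rights (User-Change-Password, User-Force-Change-Password)
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$ResetPasswordRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-ManagedAccountPasswordState {
    # Flags on the managed account itself that block an automatic password change.
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    Get-ADUser -Identity $sam -Properties CannotChangePassword, PasswordNeverExpires, PasswordLastSet, DistinguishedName |
        Select-Object SamAccountName, CannotChangePassword, PasswordNeverExpires, PasswordLastSet, DistinguishedName
}

function Get-PasswordRightAces {
    # Every ACE on the account object that grants (or denies) the ability to change or reset
    # its password: the explicit extended rights, "all extended rights" (empty ObjectType), or GenericAll.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $r = $_.ActiveDirectoryRights
            $r.HasFlag($ADR::GenericAll) -or
            ($r.HasFlag($ADR::ExtendedRight) -and
             ($_.ObjectType -eq [Guid]::Empty -or
              $_.ObjectType -eq $ChangePasswordRight -or
              $_.ObjectType -eq $ResetPasswordRight))
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Right'; Expression = {
                if ($_.ActiveDirectoryRights.HasFlag($ADR::GenericAll)) { 'GenericAll' }
                elseif ($_.ObjectType -eq $ChangePasswordRight)        { 'Change-Password' }
                elseif ($_.ObjectType -eq $ResetPasswordRight)         { 'Reset-Password' }
                else                                                   { 'All-Extended-Rights' } } }
}

# 1. Account flags
$state = Get-ManagedAccountPasswordState -Account $ManagedAccount
$state | Format-List
if ($state.CannotChangePassword) {
    Write-Warning "'User cannot change password' is set on $ManagedAccount; automatic password change will fail regardless of delegation."
}

# 2. Domain policy the new password must satisfy (the thread's test values: max age 9 days, min age 0, history 0)
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount, ComplexityEnabled, MinPasswordLength |
    Format-List

# 3. Who is allowed to change/reset this account's password
$aces = Get-PasswordRightAces -DistinguishedName $state.DistinguishedName
$aces | Format-Table -AutoSize

# Group ACEs (Domain Admins, Account Operators, ...) only help if the Timer Service identity is a member.
# Get-ADPrincipalGroupMembership lists direct membership only; nested groups need a recursive check.
$timerSam = $TimerServiceIdentity.Split('\')[-1]
$groups   = (Get-ADPrincipalGroupMembership -Identity $timerSam).Name
$covered  = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -eq $TimerServiceIdentity -or
     $groups -contains $_.IdentityReference.Value.Split('\')[-1])
}
if ($covered) {
    "Timer Service identity is covered by: " + (($covered.IdentityReference.Value | Select-Object -Unique) -join ', ')
} else {
    Write-Warning "No Allow ACE for Change/Reset-Password covers $TimerServiceIdentity; expect Access Denied from NetUserChangePassword."
}
```

Run it as an account that can read the AD object's security descriptor. If the last check warns, the least-privilege fix is an explicit Allow ACE for the Change-Password right on the specific managed-account objects (or their OU) for the Timer Service identity, rather than adding that identity to Domain Admins or Account Operators; re-run the script afterwards to confirm the new ACE shows up with `IsInherited` as expected.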