Watch Out for Unmanaged Accounts

It’s hard to believe it’s already the end of May. Time has flown by this year as I’ve been working very hard, first at the Olympics and now writing the Microsoft Official Curriculum IT Pro course for SharePoint 2010. Late next week, I begin a “world tour” so this week I want to tell you about where you can catch my sessions and workshops.

Also, I want to give you an important heads up regarding managed accounts in SharePoint 2010—there’s a significant gotcha in the defaults that you’ll want to watch out for!

TechEd 2010

Late next week I fly to New Orleans to be a part of TechEd 2010 North America, from June 7-10 at the New Orleans Convention Center. It’s my first trip to New Orleans, which is the last “great American city” that I’ve not yet visited, so I’m looking forward to experiencing a bit of the Big Easy! TechEd itself should be a great event, as it will celebrate the launch of the entire 2010 “wave.” I’ll be delivering three sessions at TechEd. In the SharePoint track, I’ll be talking about content security, looking at security from the item level on up to Web application policies. It’s a nuts-and-bolts session, so if you’re not completely on top of issues like group management, administrative roles, policies and zones, there will be some great information for you!

In the Windows Client track, I’m doing a new session about application management. It’s a “meta” session that looks at both business and technical issues around building a dynamic, managed enterprise and supporting applications on desktops, laptops, and virtualized environments. The content comes from a couple of big consulting projects I’ve done over the last few years, so it will be practical and full of prescriptive guidance. Finally, in the Windows Server track, I’m doing the latest iteration of my Administrators’ Idol session, which digs into great solutions for administering Windows enterprises, including client, server, and Active Directory management topics. This session has been very popular each year that I’ve delivered it, and each year I build in new tips and solutions that go beyond the box to address common and painful administrative scenarios.

I’ll also be hanging around the Technical Learning Centers, particularly for SharePoint. I hope to run into many of my readers there, so please don’t hesitate to come up and introduce yourself! I’m there to be useful, so bring your questions!!

MasterClass in London and Munich

From June 29 – July 2, I’ll be delivering the new, one-day version of the Dan Holme’s MasterClass series. In both London and Munich I’ll be spending a full day diving into the most important information for administrators and enterprises that are implementing (or planning to deploy) SharePoint 2010. In Munich, I will also be delivering a one-day Windows Technologies MasterClass, which will be a full day of incredible tips, tricks, and best practices guidance for Windows client, server, and Active Directory administration.

Unmanaged Accounts

I promised in the introduction to this week’s newsletter that I’d give you an important “heads up” warning about managed accounts. I began a discussion of managed accounts in this newsletter a few weeks ago, in which I described the benefits and configuration of managed accounts. They really are an important capability of any complex service like SharePoint, and I’m thrilled that Microsoft began to build SharePoint 2010 using managed accounts.

The problem is the word “began.” Unfortunately, there are more than a few places in SharePoint in which the accounts you register are not managed accounts. For example, the default crawler is configured with a standard form in which you enter the user name and password for a crawl account. There are two big problems. First, this is in fact an unmanaged account. You’re back to “square one” with the default crawl account. How do you ensure compliance with your enterprise security policy that dictates a password change policy for service accounts? Every 60, 90, or however-many days, you must manually change the account’s password in Active Directory, then change it manually in SharePoint. Bummer. Just when we got a taste of “how good it could be” with managed accounts, we discover that some accounts are not managed.

The second problem is that the default configuration of SharePoint can sometimes cross-pollinate managed and unmanaged accounts. For example, if you use the Farm Configuration Wizard to configure the Search service application, you pick a managed account and that account is assigned both to the services and to the default crawl account. The services are, in fact, using the managed account, but the crawler is being configured with the username and current password of the account. What happens if you manually or automatically change the password of the managed account for search? SharePoint updates the service (because the service uses a managed account) but cannot update the crawler, so crawling breaks.

Here’s the deal. This is a HEADS UP for a problem that’s going to bite you in some shape or form if you take advantage of managed accounts. I don’t have all the details yet, but here’s a summary of things you should be aware of:

• When you assign an account to anything in SharePoint, there are two “forms” (controls) that are used. In one, you are asked to pick from a list of accounts. These are managed accounts. In the other, you are asked to enter a user name and password. These are unmanaged accounts. I imagine Microsoft had to draw the line at some point and that, in future versions, all accounts will be managed. But for now there do appear to be some that are not! That’s how you can recognize them.

• The default crawler, the user profile synchronization account, and all Secure Store application accounts appear to be unmanaged.

• You need to be particularly careful if you use Wizards to do setup, as Wizards can put managed accounts into unmanaged places, which will work until the day you change the managed account password.
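A check for the “cross-pollination” described above, added here as an example and not part of the original newsletter: it lists the farm’s managed accounts and flags any Search service application whose default crawl account reuses one, then shows how to re-enter the crawl password after a rotation. It assumes the SharePoint 2010 Management Shell, the `DefaultGatheringAccount` property on the Search service application object, and the `-DefaultContentAccessAccountName` / `-DefaultContentAccessAccountPassword` parameters of `Set-SPEnterpriseSearchServiceApplication`, as I recall them from the 2010 object model; the account name in the remediation step is a placeholder.

```powershell
# Added example, not from the newsletter. Run in the SharePoint 2010 Management Shell
# (PowerShell 2.0) as a farm administrator. Assumption: the search service application
# object exposes its default content access (crawl) account as DefaultGatheringAccount.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CrossPollinatedCrawlAccounts {
    # Managed accounts are the ones SharePoint can rotate for you. Compare
    # case-insensitively, because DOMAIN\user and domain\User are the same principal.
    $managed = Get-SPManagedAccount | ForEach-Object { $_.UserName.ToLowerInvariant() }

    foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
        $crawl = $ssa.DefaultGatheringAccount
        if (-not $crawl) { continue }

        $reusesManaged = $managed -contains $crawl.ToLowerInvariant()
        if ($reusesManaged) {
            # The wizard scenario from the text: the service will follow the managed
            # password, but the crawler keeps its own stored copy and will break.
            $risk = 'Managed-account password change updates the service but NOT the crawler'
        } else {
            $risk = 'Crawl account is unmanaged; rotate it manually in AD and in SharePoint'
        }

        New-Object PSObject -Property @{
            SearchApplication = $ssa.Name
            CrawlAccount      = $crawl
            ReusesManaged     = $reusesManaged
            Risk              = $risk
        }
    }
}

Get-CrossPollinatedCrawlAccounts | Format-Table SearchApplication, CrawlAccount, ReusesManaged, Risk -AutoSize

# Remediation after rotating the password of the account the crawler uses: re-enter it on
# the Search service application so crawling resumes. 'CONTOSO\svc-crawl' is a placeholder.
#   $ssa = Get-SPEnterpriseSearchServiceApplication
#   Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
#       -DefaultContentAccessAccountName 'CONTOSO\svc-crawl' `
#       -DefaultContentAccessAccountPassword (Read-Host -AsSecureString 'New crawl password')
```

Run the check after any password change on a managed account that a wizard also handed to the crawler; a row with ReusesManaged set to True is the configuration that will stop crawling on rotation day.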

Keep your eyes out for this, and I’ll document more as I learn it. Email me (danh at intelliem dot top-level commercial domain) if you learn any more about this issue, or as you discover additional unmanaged accounts used by SharePoint.
