A Managed account in SharePoint is an account that is completely managed by Active Directory.
Service accounts are a prime example. These accounts
are typically domain-level accounts that are managed in Active Directory
(AD). Being an Active Directory account means it is subject to
the policies implemented across the organization. For example, a user
may have to change their password every six months. The policy may
dictate that the password meet certain criteria such as containing upper
case and lower case characters.
The problem with this scenario in SharePoint
terms occurs when the password needs to be changed. The service stops
working when the password expires. If the account is the identity for
multiple services, they stop working too, which potentially brings a
working SharePoint installation to a stop.
In many organizations, there is a division of
responsibilities that can prohibit the SharePoint Farm Administrator
from changing the password of an AD account. The Managed account
resolves this issue. SharePoint manages this account and, through
central administration, you can register these accounts.
In this recipe, we see how to create and manage an account.
Getting ready
You must have farm-level administrative permissions to the Central Administration site.
The account that you are configuring must be set up in Active Directory. It must be an existing AD account.
How to do it...
Open up the SharePoint 2010 Central Administration website.
Under the section titled General Security, select the Configure managed accounts option.
Click Register Managed Account. The following form appears:
Fill in the required information:
User name: Supply the AD account. It does not have to be prefixed with the domain.
Password: This must match the account password in AD.
Enable automatic password change: Checking this will allow you to set the time and notifications by e-mail.
When you have finished filling in the required data, click OK. The account is now added.
How it works...
When the account is added as shown in the recipe, its
credentials are now managed and stored within SharePoint. SharePoint
2010 can leverage the AD policies to automatically reset passwords.
Once the account is in SharePoint, its credentials are encrypted
using the farm encryption key, which is based on the passphrase that was
specified when the farm was created. A key benefit of using managed accounts
is the ability conferred upon the Farm Administrator to join machines
to the farm without specifying the credentials.
There's more...
PowerShell can be used to do anything you can do through the Central Administration user interface.
PowerShell: Get a listing of managed accounts
PowerShell: Create a new account
PowerShell: Set
Set-SPManagedAccount -identity
PowerShell: Delete a managed account
More info
You cannot use the Central Administration UI
to assign local accounts to be managed accounts. This is achievable,
but only through PowerShell.
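The four PowerShell operations listed under "There's more..." are combined in the added example below, which is not a listing from the original recipe. It registers a managed account, enables automatic password change, and then reports accounts whose passwords are still changed manually and are close to expiry, the failure described at the start of this recipe. The account name CONTOSO\svc-spservices and the 7, 14 and 30 day values are assumptions chosen for illustration.

```powershell
# Added example, not from the original recipe.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'CONTOSO\svc-spservices'   # hypothetical AD service account

# Create: register the account only if it is not already managed.
# Get-Credential prompts for the password, so it is never written
# into the script or the shell history.
$existing = Get-SPManagedAccount | Where-Object { $_.Username -eq $accountName }
if (-not $existing) {
    $cred = Get-Credential -Credential $accountName
    New-SPManagedAccount -Credential $cred | Out-Null
}

# Set: let SharePoint generate and rotate the password 7 days before
# the AD policy would expire it, with an e-mail notice 14 days ahead.
Set-SPManagedAccount -Identity $accountName `
    -AutoGeneratePassword `
    -PreExpireDays 7 `
    -EmailNotification 14

# Get: list every managed account with its password state.
Get-SPManagedAccount |
    Sort-Object PasswordExpiration |
    Format-Table Username, AutomaticChange, PasswordExpiration, PasswordLastChanged -AutoSize

# Check: accounts still changed by hand whose password expires within
# 30 days. Each one is a service that will stop at expiry.
$cutoff = (Get-Date).AddDays(30)
$atRisk = Get-SPManagedAccount |
    Where-Object { -not $_.AutomaticChange -and $_.PasswordExpiration -lt $cutoff }

if ($atRisk) {
    Write-Warning "Managed accounts with manual passwords expiring before ${cutoff}:"
    $atRisk | ForEach-Object { Write-Warning ("  {0} expires {1}" -f $_.Username, $_.PasswordExpiration) }
} else {
    Write-Host 'No manually managed passwords expire in the next 30 days.'
}

# Delete: unregister the account from the farm. -WhatIf only previews the
# action; remove it once no service or application pool uses the account.
Remove-SPManagedAccount -Identity $accountName -WhatIf
```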