* In SharePoint 2010, accounts come in two flavours: managed accounts and service accounts.
* Think of the commands as a quick shortcut to get an overview of where certain accounts are used in your farm:
First off, you can get an overview of the existing managed accounts simply by typing:
Get-SPManagedAccount
This, however, does not tell you where an account is used, so let's dig a bit deeper.
First, let's see where we should expect accounts to surface. The list below is probably not complete, but drop me a comment and I will add any accounts I have missed:
Managed Service Accounts:
All Service Application Pool Accounts
* Access Service Application
* BCS Service Application
* Excel Services Service Application
* Metadata Service Application
* PerformancePoint Service Application
* Enterprise Search Service Application
* Secure Store Service Application
* Subscription Settings Service Application
* User Profile Service Application
* Visio Services Service Application
* Web Analytics Service Application
* Word Automation Service Application
* Word Viewing Service Application
* PowerPoint Viewing Service Application
* Security Token Service Application
All Content Web Application Pools
Service Instances
* Claims to Windows Token Service
* Document Conversion Launcher Service
* Document Conversion Load Balancer Service
* Microsoft SharePoint Foundation Sandboxed Code Service
* SharePoint Foundation Help Search
* SharePoint Server Search (Enterprise Search)
* Web Analytics Data Processing Service
Service Accounts (should not be managed):
Search Crawl Accounts
* For Foundation Search and Server (Enterprise) Search
Unattended User Accounts
* Excel Services Service Application
* Visio Services Service Application
* PerformancePoint Service Application
(in general, any Secure Store application credentials)
Object Cache Portal Accounts
* Super User Account
* Super Reader Account
User Profile
* Synchronization Service Account (listed incorrectly on the FarmCredentialManagement.aspx page)
* Synchronization Connection Account
Server Search Custom Crawl Rule Accounts
* Any crawl rule that specifies an account other than the default crawl account
<Update>
Get Farm administrators
Find the farm administrators using the following cmdlets:
Get-SPWebApplication -IncludeCentralAdministration | ? { $_.IsAdministrationWebApplication } | Select -Expand Sites | ? { $_.ServerRelativeUrl -eq "/" } | Get-SPWeb | Select -Expand SiteGroups | ? { $_.Name -eq "Farm Administrators" } | Select -Expand Users
</Update>
Service Application Pool accounts
Using the cmdlet
Get-SPServiceApplicationPool
gives you both service application pool name and process account name.
Service Application accounts
To find out which service application pool is used by a given service application, use this command:
Get-SPServiceApplication | select -expand applicationpool -EA 0
Note that -EA 0 (-ErrorAction SilentlyContinue) swallows the errors raised because not all service applications are web based (that is, not all inherit from SPIisWebServiceApplication).
A special case to be aware of is the User Profile Synchronization Service Connection. This account is not managed, and can be a bit tricky to find using PowerShell.
First get hold of the UserProfileConfigManager, then select the connection manager and get the account name:
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager( $(Get-SPServiceContext http://yourSite))
$configManager | select -expand connectionmanager | select AccountUserName
Web Application Pool accounts
Getting to the web application pools is not straightforward, as they do not have cmdlets defined like service application pools do. To access existing web application pools we use the Content Service:
[Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplicationPools | Select Name, Username
If you want to find out which application pools, and hence accounts, are used by existing web applications, this is pretty straightforward:
Get-SPWebApplication | select -expand applicationpool | Select name , username
Service Instance accounts
The command to get these is a bit long-winded, because some identities are managed and some are not:
Get-SPServiceInstance | select -expand service | % { if ( $_.ProcessIdentity -is [string] ) { $_.ProcessIdentity } elseif ( $_.ProcessIdentity ) { $_.ProcessIdentity.UserName } }
Services
The output of Get-Process does not contain information about which accounts the services are running under. Getting this information requires us to dig a bit deeper.
Fire up PowerShell and type in the following:
Get-WmiObject -Query "select * from win32_service where name LIKE 'SP%v4'" | select name, startname
This should give you output like this:
name startname
---- ---------
SPAdminV4 LocalSystem
SPTimerV4 CONTOSO\svcSPFarm
SPTraceV4 NT AUTHORITY\LocalService
SPUserCodeV4 CONTOSO\svcSPUserCode
SPWriterV4 CONTOSO\svcSPFarm
Other services have names ending in "14":
Get-WmiObject -Query "select * from win32_service where name LIKE '%14'" | select name, startname
Object cache accounts
These accounts are used for accessing cached data. Not setting them causes a performance overhead as explained here.
The values are stored in the Web Application properties and can be fetched like this:
Get-SPWebApplication | % {$_.Properties["portalsuperuseraccount"]}
Get-SPWebApplication | % {$_.Properties["portalsuperreaderaccount"]}
Search crawler account
Setting this account can be done using Set-SPEnterpriseSearchServiceApplication -DefaultContentAccessAccountName, but querying it is a bit tricky:
New-Object Microsoft.Office.Server.Search.Administration.Content $(Get-SPEnterpriseSearchServiceApplication) | Select DefaultGatheringAccount
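The individual queries above can be combined into one inventory that shows, per account, every role it holds and whether it is registered as a managed account, which makes account reuse across roles easy to review. This is an added example, not part of the original post; the function names New-AccountUsage and Get-FarmAccountUsage and the role labels are made up for this example, and it is written for the PowerShell 2.0 syntax of the SharePoint 2010 Management Shell.

```powershell
# Added example: one record per (account, role, object) found in the farm.
# New-AccountUsage / Get-FarmAccountUsage and the role labels are hypothetical names.
function New-AccountUsage($Account, $Role, $UsedBy) {
    if ($Account) {   # skip properties that are not set
        New-Object PSObject -Property @{
            Account = [string]$Account; Role = $Role; UsedBy = $UsedBy
        }
    }
}

function Get-FarmAccountUsage {
    # Service application pools
    Get-SPServiceApplicationPool | % {
        New-AccountUsage $_.ProcessAccountName 'ServiceAppPool' $_.Name
    }
    # Web application pools, via the Content Service
    [Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplicationPools | % {
        New-AccountUsage $_.Username 'WebAppPool' $_.Name
    }
    # Object cache accounts stored in the web application properties
    Get-SPWebApplication | % {
        New-AccountUsage $_.Properties['portalsuperuseraccount'] 'ObjectCacheSuperUser' $_.DisplayName
        New-AccountUsage $_.Properties['portalsuperreaderaccount'] 'ObjectCacheSuperReader' $_.DisplayName
    }
    # Windows services on this server
    Get-WmiObject -Query "select * from win32_service where name LIKE 'SP%v4'" | % {
        New-AccountUsage $_.StartName 'WindowsService' $_.Name
    }
}

# Group by account (Group-Object is case-insensitive by default) and flag managed ones.
$managed = @(Get-SPManagedAccount | % { $_.Username })
Get-FarmAccountUsage | Group-Object Account | % {
    New-Object PSObject -Property @{
        Account = $_.Name
        Managed = $managed -contains $_.Name
        Roles   = (@($_.Group | % { $_.Role } | sort -Unique) -join ', ')
        UsedBy  = (@($_.Group | % { $_.UsedBy }) -join ', ')
    }
} | sort Account | ft Account, Managed, Roles, UsedBy -AutoSize -Wrap
```

Built-in identities such as LocalSystem and the object cache accounts are expected to show Managed as False. The WMI query only covers the server it runs on, so repeat it on each server in the farm.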