Built-in accounts are used as application pool or service identities
April 7th, 2011 - Posted By: Jonathan Adams
Detail: Using built-in accounts like Network Service or Local System as application pool or as service identities is not supported in a farm configuration. The following services are currently running as built-in identities on one or more servers:
- SPTraceV4(Windows Service)
- SPSearch4(Windows Service)
Solution: Assign SPSearch4 to run under a domain user with no additional privileges. This is done through Central Administration -> Manage Service Accounts. Be certain to register the account as a managed account first at Central Administration -> Security -> Configure Managed Accounts.
SPTraceV4 needs to be altered via a PowerShell command as detailed below:
Original source: http://blog.octavie.nl/index.php/2010/11/12/using-a-domain-account-for-sptracev4-service/
Run the PowerShell commands below to change the account to a domain user:

```powershell
# Get the tracing service.
$farm = Get-SPFarm
$tracingService = $farm.Services | where {$_.Name -eq "SPTraceV4"}
# Get the managed account (replace Domain\account with the registered managed account).
$managedAccount = Get-SPManagedAccount "Domain\account"
# Set the tracing service to run under the managed account.
$tracingService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$tracingService.ProcessIdentity.ManagedAccount = $managedAccount
$tracingService.ProcessIdentity.Update()
# This actually changes the "Run As" account of the Windows service.
$tracingService.ProcessIdentity.Deploy()
```
Add the domain user to the Performance Log Users group on all SharePoint servers.
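To confirm the change on each server, the following added example (not part of the original post or its source) lists every SharePoint Windows service installed locally, flags those still running as a built-in account, compares SharePoint's configured identity with the account the Windows service actually logs on with, and checks the Performance Log Users step. It only reads state, and it assumes the SharePoint 2010 Management Shell (or a session where the snap-in can be loaded) and the English group name.

```powershell
# Added example: run on each farm server; makes no changes.
# Assumption: the SharePoint snap-in is available on this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Logon names Windows reports for the built-in service accounts.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$farm = Get-SPFarm
# Only Windows services have a service logon account; skip the other service types.
$spServices = $farm.Services |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] }

$report = foreach ($svc in $spServices) {
    # The account Windows will use to start the service on this server.
    $win = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    if (-not $win) { continue }   # service is not installed on this server

    $identity = $svc.ProcessIdentity
    # SharePoint's configured user; left empty when a built-in type is configured.
    $spUser = if ($identity.CurrentIdentityType -eq 'SpecificUser') { $identity.Username } else { $null }

    New-Object PSObject -Property @{
        Service      = $svc.Name
        SPIdentity   = $identity.CurrentIdentityType
        SPUser       = $spUser
        WindowsLogon = $win.StartName
        BuiltIn      = ($builtIn -contains $win.StartName)
        # Plain string comparison: a logon stored in user@domain form shows as a mismatch.
        Mismatch     = [bool]($spUser -and ($spUser -ne $win.StartName))
    }
}
$report | Sort-Object Service |
    Format-Table Service, SPIdentity, SPUser, WindowsLogon, BuiltIn, Mismatch -AutoSize

# Performance Log Users step: warn for each domain logon that is not a direct member.
# Membership granted through a nested domain group is not detected by this check.
$members = net localgroup "Performance Log Users"
$report | Where-Object { -not $_.BuiltIn } | ForEach-Object {
    if ($members -notcontains $_.WindowsLogon) {
        Write-Warning ("{0} is not in Performance Log Users on {1}" -f $_.WindowsLogon, $env:COMPUTERNAME)
    }
}
```

A row with BuiltIn set to True is a service the health rule above would still report; a row with Mismatch set to True means SharePoint and the Windows service disagree about the account.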
Emma
April 26, 2011 at 8:16PM
Would you be more specific about how to fix the “SPSearch4” error?
Your post says “SPSearch4 will be assigned to run under a domain user with no additional privileges. This is done through Central Administration -> Manage Service Accounts” but I don’t see that option in CA.
Thank you.
Jonathan Adams
August 3, 2011 at 6:52PM
This was for SharePoint 2010; if you are using 2007 you will not have that option.
Bobby_at_BBC
October 14, 2011 at 1:04AM
Worked! Many thanks 😀
bj
December 9, 2011 at 12:59AM
What worked for me was to create a new domain account sp_trace (or whatever you want to call it)… Go to Central Administration > Security > General Security > Configure Managed Accounts > Register Managed Account, add your new domain account, i.e. “your domain\sp_trace”, and password, click OK. Go to Windows services, change the SharePoint 2010 Timer and Trace service to this new account, restart the service, then do an iisreset /noforce and voilà, no more messages.
Doug
March 20, 2012 at 6:39PM
For the Tracing account, why not simply go into the Services control panel applet, locate the “SharePoint 2010 Tracing” entry, and change the log on account there? Are there some things going on in SharePoint that happen when using the PowerShell commands?
Donny
July 18, 2012 at 10:14PM
In the line for resolving the Trace issue I am confused (yes, I am pretty green with SharePoint) by the “Specific User” in step #7. Do I have to specify a certain user for this? I hope this thread is still live.
Bob Campbell
January 17, 2017 at 9:28PM
I have found that when following all of the guidance to change the Tracing Service service account, everything goes to hell when it’s time to change the service account’s password.
Using SharePoint to change the password works all well and good except SharePoint does not change the Identity’s password for the Windows service. When farm servers start rebooting (for patches or whatever), the SPTracingV4 service tries to start but it can’t because it still has the old password for the account in the Identity section. Result: No more logging.
Since I am required to use “Automatic Password Changing” in my SharePoint farm, the ULS logs become useless. Unless someone can provide additional suggestions, I must keep my SPTraceV4 service set to run under the Local Service account. My SharePoint Health Monitor doesn’t complain about it either for some reason. Someone must have removed the Timer job that checks that.