exchangefaq.org
brought to you by Simpler-Webb

Table of Contents

  1. Administrivia
  2. Definitions
  3. Technical Stuff
  4. Third Party Software and Add-Ons
  5. The End
  6. The Ed Crowley Server Move Method
  7. The Ed Crowley Never Restore Method
  8. How to Upgrade from Exchange 5.0 to Exchange 5.5 SP4
  9. What to Do *Before* You Post
  10. How to Change the Exchange Service Account
  11. Why PST = BAD
  12. Microsoft Outlook Web Access HOWTO
  13. How to Configure the IIS SMTP Service as a Mail Relay
  14. Monitoring Queues
  15. Martin Blackstone's List of Danger
  16. How to: Move a Microsoft Exchange 5.5 Site to a new NT domain


Other FAQs

Exchange 2003 FAQ
Exchange 2000 FAQ
Exchange 5.5 FAQ


Exchange Resource Manager

Find out how you can manage rooms and resources though Exchange with out the hassles and complications of scripting!

ยป Download a free trial today

FAQs / Exchange 5.5 / How to Change the Exchange Service Account

01


First, Q214492 stated: "If for any reason you need to change the Exchange Service account, please call Microsoft Exchange Server Support for assistance." This is good advice. We cannot add enough disclaimers here. In short, botch it and you will be sad.

Second, THIS ONLY WORKS ON A SINGLE SERVER.

Third - Here's the process:

  1. This is fairly major surgery. As such, you are strongly advised to take a full online backup of the Exchange Directory and Information Store, AND a full offline backup of the entire system, AND create a new Emergency Repair Disk.
  2. Create a new service account and assign the following rights:
    Act as part of the Operating System
    Log On As a Service
    Backup Files and Directories permissions.

    For now, set the password the same as the existing service account (if possible).

  3. Start the Administrator program in raw mode (admin.exe /r).
  4. Add the new account to the permissions on the Organization, Site, and Configuration containers as a Service Account Admin.
  5. Add the new account to the Schema object with the following steps:
    1. On the View menu, click Raw Directory.
    2. Click the Schema object on left pane under the Site Object.
    3. On the File menu, click Raw Properties.
    4. Double-click the NT Security Descriptor attribute.
    5. Double-click NT Security Descriptor (no, this is not a repeat of the last step).
    6. Add the new service account. Make sure the role is Service Account Admin.
    7. Click OK, click Set, and then click OK again.
  6. If the new account is not a member of the Local Admin group, give it Full Control on the following registry keys and subkeys:
    [Note: Editing the registry is delicate work. If you botch it you will be sad.]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    HKEY_USERS

    Do this in Regedt32.exe by selecting each key and:

    1. Click SECURITY\Permissons.
    2. Click on the Replace Permission on Existing Subkeys box.
    3. Click the Add button.
    4. Select the account in the Add Users and Groups window.
  7. Under the X:\exchsrvr directory, there are five shared directories (Add-ins, Address, Connect, Res and tracking.log). The *default* permissions on these directories are:
    Administrator: Full Control
    Everyone: Read
    <service account>: Full Control

    You must change the permissions on these shares (and possibly the directories) to reflect the new service account. If the computer running Microsoft Exchange Server is on an NTFS partition (and there should be no reason it is not!), you must give Full Control permissions to the new service account on all the Exchange directories (\exchsrvr directory on each drive - including subdirectories).

  8. Stop the Microsoft Exchange Services.
  9. Open the Services Control Panel and change the service account on all the Microsoft Exchange Server services. a. Start the Services applet in the Control Panel. b. Select each Microsoft Exchange service, click the Startup Button, and change the account and password.
  10. Restart all Microsoft Exchange services. All services should start with the new Microsoft Exchange Server Service Account.
  11. At this point, if Exchange is still running, repeat step 3, but delete the old account.
  12. If you want to change the password, you can do it from the Microsoft Exchange Administrator program in the Configuration property page. The password also must be changed in Windows NT by using the User Manager for Domains.
  13. Then stop & restart all exchange services to be sure you got the passwords right.

    Servers in a single site may be changed in a more complex process:

    1. Shut down all the servers in the site.
    2. Bring one server up and follow the procedure above.
    3. Shut the server back down.
    4. Repeat 2-3 until all servers have been modified.
    5. Bring all the servers back up.

Related articles:

  • XADM: How To Change the Service Account CREATED: 24-JUN-1996 MODIFIED: 13-APR-1998
  • Q157780 describes the procedure to change the password.
  • Q155269 points to the Exchange Administrators FAQ. There was a section 1.7 that has been removed which used to give the procedure.
  • Q163686 covers a deleted service account which is arguably a different situation.
  • Q214492 stated: "When Microsoft Exchange Server is installed, the Exchange Setup program asks for a user account to be used as the Service account. This account is then given special permissions in Windows NT as well as inside Exchange Server. Because of the dependency that Exchange Server has on the Service account and the way the Service account interacts with the numerous components in Exchange Server, it is not recommended that you change the Exchange Server Service account for any reason after the Exchange Server Setup has been completed. If for any reason you need to change the Exchange Service account, please call Microsoft Exchange Server Support for assistance."
  • "How to Change the Exchange Server 5.5 Service Account" White Paper.


Last Updated by Simpler-Webb on 8/7/2003 1:59:40 PM (QID #1208)
Categories: Exchange 5.5/How to Change the Exchange Service Account |