MOSS MVP

I've moved my blog to http://blog.falchionconsulting.com!. Please update your links. This blog is no longer in use--you can find all posts and comments at my new blog; I will no longer be posting to this site and comments have been disabled.

Sunday, October 12, 2008

Changing the Application Pool Identity via STSADM

This past week I presented at the local Colorado Springs SharePoint User Group meeting on using and customizing STSADM.  The talk was really less about STSADM and more about SharePoint administration tips, tricks, and best practices - but we did create a new STSADM command from scratch during the meeting.  I've taken what we did during the meeting and reworked it to add proper validation and help documentation and have included it in my download as gl-updateapppoolaccount.

The purpose of the command is to change out the identity of the application pool associated with a specific web site.  I thought this might be a good one to demo creating because I noticed that there was no existing command to do this (there's a command to change the password, but not the account) and I recently ran into a situation where it would be beneficial.  As a consultant I often come into environments where the client's MOSS implementation may not have been deployed in the most ideal way.  My current client had all three of their MOSS environments (production, test, and development) using the same service accounts.  I wanted to be able to work with IT to set each environment to run under its own accounts, but I typically prefer to give IT a script that they can run so that they don't have to figure out how to do this via Central Admin (in this case the IT staff was not yet trained on SharePoint and timelines didn't allow me to wait for them to be trained).  By using a script I could let the IT staff create the new accounts and update SharePoint without having to have them tell me what the passwords were.

The code to update the accounts is really quite simple: get the SPApplicationPool object via the ApplicationPool property of the SPWebApplication object, set its CurrentIdentityType (and, for a specific user, the Username and Password properties), then call Update and finally Deploy (a member of SPProcessIdentity, the class SPApplicationPool inherits from).  Update saves the changes to the configuration database and Deploy pushes those changes out to each of your web servers.  Note that the command deliberately refuses an identity type of LocalSystem: a worker process running as LocalSystem has full control of the server, which no web application should need.

using System;
using Microsoft.SharePoint.Administration;

/// <summary>
/// Updates the identity of the application pool that hosts the web application at the given URL.
/// </summary>
/// <param name="url">The URL of a web application served by the application pool.</param>
/// <param name="type">The identity type (LocalService, NetworkService or SpecificUser).</param>
/// <param name="login">The DOMAIN\user login (only used when type is SpecificUser).</param>
/// <param name="password">The password for the login (only used when type is SpecificUser).</param>
public static void UpdateAccount(string url, IdentityType type, string login, string password)
{
    // Refuse LocalSystem: a worker process running as LocalSystem owns the whole server.
    if (type == IdentityType.LocalSystem)
        throw new ArgumentException("Identity type of LocalSystem is not allowed.");

    SPWebApplication webApp = SPWebApplication.Lookup(new Uri(url));
    if (webApp == null)
        throw new ArgumentException("No web application was found for the URL " + url);

    SPApplicationPool pool = webApp.ApplicationPool;
    pool.CurrentIdentityType = type;

    if (type == IdentityType.SpecificUser)
    {
        if (string.IsNullOrEmpty(login))
            throw new ArgumentException("A login is required when the identity type is SpecificUser.");
        pool.Username = login.Trim();
        pool.Password = password;
    }

    // Update persists the change to the configuration database; Deploy pushes it to each web server.
    pool.Update();
    pool.Deploy();
}
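To show how a method like UpdateAccount is hooked up to STSADM, here is an added example (not code from the post or from the author's download) of an ISPStsadmCommand class that validates the parameters documented in the help text, accepts only the three allowed identity types, and then applies the change.  The namespace, class name and assembly name are assumptions; UpdateAccount follows the same steps as the method shown above.

```csharp
// Added example, not code from the original post or the author's download: an
// ISPStsadmCommand class that validates the parameters listed in the help text and
// then applies the change. Namespace and class names are assumptions; UpdateAccount
// follows the same steps as the method shown in the post.
using System;
using System.Collections.Specialized;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.StsAdmin;

namespace Example.StsAdm
{
    public class UpdateAppPoolAccountCommand : ISPStsadmCommand
    {
        private const string Usage =
            "stsadm -o gl-updateapppoolaccount\r\n" +
            "        -url <web application url>\r\n" +
            "        [-userlogin <DOMAIN\\user>] [-password <password>]\r\n" +
            "        [-type <localservice | networkservice | specificuser> (defaults to specificuser)]";

        public string GetHelpMessage(string command)
        {
            return Usage;
        }

        // stsadm treats 0 as success; anything else is reported as a failure to the caller.
        public int Run(string command, StringDictionary keyValues, out string output)
        {
            // StringDictionary keys are case-insensitive, so -URL and -url both resolve here;
            // the short forms -u, -pwd and -t are accepted as aliases.
            string url = keyValues["url"];
            string login = keyValues["userlogin"] ?? keyValues["u"];
            string password = keyValues["password"] ?? keyValues["pwd"];
            string typeArg = keyValues["type"] ?? keyValues["t"];

            Uri uri;
            if (string.IsNullOrEmpty(url) || !Uri.TryCreate(url, UriKind.Absolute, out uri))
                return Fail("The -url parameter is required and must be an absolute URL.", out output);

            // LocalSystem is deliberately not offered: the worker process would own the server.
            IdentityType type = IdentityType.SpecificUser;
            switch ((typeArg ?? "specificuser").Trim().ToLowerInvariant())
            {
                case "localservice":   type = IdentityType.LocalService;   break;
                case "networkservice": type = IdentityType.NetworkService; break;
                case "specificuser":   type = IdentityType.SpecificUser;   break;
                default:
                    return Fail("The -type parameter must be localservice, networkservice or specificuser.", out output);
            }

            if (type == IdentityType.SpecificUser)
            {
                // Insist on the DOMAIN\user form the help text documents and on a non-empty password.
                if (string.IsNullOrEmpty(login) || login.IndexOf('\\') <= 0 || login.EndsWith("\\"))
                    return Fail("The -userlogin parameter (DOMAIN\\user) is required when type is specificuser.", out output);
                if (string.IsNullOrEmpty(password))
                    return Fail("The -password parameter is required when type is specificuser.", out output);
            }

            UpdateAccount(uri, type, login, password);
            output = "Application pool identity updated for " + uri + ".";
            return 0;
        }

        private int Fail(string message, out string output)
        {
            output = message + "\r\n\r\n" + Usage;
            return 1;
        }

        // Same steps as the post's UpdateAccount: look up the web application, set the pool
        // identity, then Update (configuration database) and Deploy (each web server).
        private static void UpdateAccount(Uri uri, IdentityType type, string login, string password)
        {
            SPWebApplication webApp = SPWebApplication.Lookup(uri);
            if (webApp == null)
                throw new ArgumentException("No web application was found for " + uri);

            SPApplicationPool pool = webApp.ApplicationPool;
            pool.CurrentIdentityType = type;
            if (type == IdentityType.SpecificUser)
            {
                pool.Username = login.Trim();
                pool.Password = password;
            }
            pool.Update();
            pool.Deploy();
        }
    }
}
```

To make stsadm find the class, install the assembly in the GAC and drop an XML file named stsadmcommands.<anything>.xml into the 12\CONFIG folder whose <commands> element contains a <command name="gl-updateapppoolaccount" class="<fully qualified type name>, <assembly full name>"/> entry.  After running the command, check the application pool identity in IIS Manager on each web front end: if it has not changed on a server, Deploy did not reach it and that server's IIS settings are out of step with the configuration database.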

The help for the command is shown below:

C:\>stsadm -help gl-updateapppoolaccount

stsadm -o gl-updateapppoolaccount


Updates the user account information for the application pool associated with the given URL.

Parameters:
        -url <web application url>
        [-userlogin <DOMAIN\user>]
        [-password <password>]
        [-type <localservice | networkservice | specificuser> (defaults to specificuser)]

The following summarizes the command and its parameters:

Command name:   gl-updateapppoolaccount
Availability:   WSS v3, MOSS 2007
Build date:     Released 10/12/2008

Parameters:

url (no short form). Required: yes.
    The URL of a web application associated with the application pool whose identity is to be changed.  Note that this will not create a new application pool: any other web applications sharing this application pool will also be affected.
    Example: -url http://portal

userlogin (short form: u). Required: no, unless type is specificuser.
    The user account to set as the identity of the application pool.
    Example: -userlogin "domain\user" or -u "domain\user"

password (short form: pwd). Required: no, unless type is specificuser.
    The password associated with the specified user account.
    Example: -password "pa$$w0rd" or -pwd "pa$$w0rd"

type (short form: t). Required: no.
    Either localservice, networkservice, or specificuser.  Defaults to specificuser if not specified.
    Example: -type specificuser or -t specificuser

The following is an example of how to set the user account for the portal web application.  Because the password is passed in clear text on the command line, type the command interactively on the server rather than saving it in a batch file, and keep in mind that it will show up in the console's command history until the window is closed:

stsadm -o gl-updateapppoolaccount -url http://portal -userlogin spdev\spportalapppool -password pa$$w0rd

2 comments:

Madhur said...

Hi

Thanks for the article and the code. This has opened up a new question for me. What is the difference between the application pool identity stored in Central Administration and the one stored in IIS?

Once I change it in IIS, it will not affect Central Admin. So, how are the two related?

Thanks for your time.

Madhur

Gary Lapointe said...

SharePoint stores all the IIS settings in the configuration database so that as new WFEs are stood up all the appropriate IIS settings can be made automatically. There are some settings that you might have to make manually within IIS but generally speaking you don't ever want to update IIS if you can avoid it (use central admin/stsadm to update it). The settings you might have to make through IIS are IP address changes, additional host headers to support different AAMs (if host headers are used), and application of SSL certificates. One more thing - setting the identity via central admin/stsadm will also make sure that the identity has the appropriate database rights and is added to the appropriate local groups on each server.