
Anders Rask on SharePoint

June 05
Getting an overview over used accounts on a SharePoint 2010 farm

In SharePoint 2010, accounts come in two flavours: managed accounts and service accounts. This means we have to dig around a bit to get an overview of which accounts are actually used. Since some are managed accounts and some are not, the PowerShell commands below in some cases return the same accounts. Think of the commands as a quick shortcut to get an overview of where certain accounts are used in your farm:

First off, you can get an overview of the existing managed accounts simply by typing

Get-SPManagedAccount

This, however, does not tell you where an account is used, so let's dig a bit deeper.

First, let's see where we should expect accounts to surface. The list below is probably not complete, but drop me a comment and I will add any accounts I have missed:

  • Service Application Pools (managed accounts)
  • Service Applications (mostly managed accounts)
  • Web Application Pools (managed accounts)
  • Service instances (mostly managed accounts)
  • Services (like SPTimerV4)
  • Object cache accounts (reader and user)
  • Search crawler account (managed account)

<Update>

Get Farm administrators

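Find the farm administrators using the following cmdlets (written with script blocks so that the filters also work in PowerShell 2.0, which the SharePoint 2010 Management Shell uses):

Get-SPWebApplication -IncludeCentralAdministration | ? { $_.IsAdministrationWebApplication } | Select -Expand Sites | ? { $_.ServerRelativeUrl -eq "/" } | Get-SPWeb | Select -Expand SiteGroups | ? { $_.Name -eq "Farm Administrators" } | Select -Expand Users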

 </Update>

Service Application Pool accounts

Using the cmdlet

Get-SPServiceApplicationPool

gives you both service application pool name and process account name.

Service Application accounts

To find out what service application pools are used for a given service application use this command:

Get-SPServiceApplication | select -expand applicationpool -EA 0

Note that -EA 0 (-ErrorAction SilentlyContinue) swallows the errors raised because not all service applications are web based (that is, inherit from SPIisWebServiceApplication) and therefore not all of them have an application pool.

A special case to be aware of is the User Profile Synchronization Service Connection. This account is not managed, and can be a bit tricky to find using PowerShell.

First get a hold of the UserProfileConfigManager, then select the connection manager and get the account name:

$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager( $(Get-SPServiceContext http://yourSite))
$configManager | select -expand connectionmanager | select AccountUserName

Web Application Pool accounts

Getting to the web application pools is not straightforward, as there are no cmdlets for them like there are for Service Application Pools. To access existing web application pools we use the Content Service:

[Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplicationPools | Select Name, Username

If you want to find out which application pools, and hence accounts, are used by existing web applications, this is pretty straightforward:

Get-SPWebApplication | select -expand applicationpool | Select name , username

 

Service Instance accounts

The command to get these is a bit long-winded, because it has to account for some identities being managed and some not:

Get-SPServiceInstance | select -expand service | % { if ( $_.ProcessIdentity -is [string] ) { $_.ProcessIdentity } elseif ( $_.ProcessIdentity ) { $_.ProcessIdentity.UserName }}

 

Services

The output of Get-Process does not contain information about which accounts the services are running under. Getting this information requires us to dig a bit deeper.

Fire up PowerShell and type in the following:

Get-WmiObject -Query "select * from win32_service where name LIKE 'SP%v4'" | select name, startname

This should give you output like this:

name               startname
----               ---------
SPAdminV4          LocalSystem
SPTimerV4          CONTOSO\svcSPFarm
SPTraceV4          NT AUTHORITY\LocalService
SPUserCodeV4       CONTOSO\svcSPUserCode
SPWriterV4         CONTOSO\svcSPFarm

Other service names end with "14":

Get-WmiObject -Query "select * from win32_service where name LIKE '%14'" | select name, startname 

Object cache accounts

These accounts are used for accessing cached data. Not setting them causes a performance overhead as explained here.

The values are stored in the Web Application properties and can be fetched like this:

Get-SPWebApplication| % {$_.Properties["portalsuperuseraccount"]} 

Get-SPWebApplication| % {$_.Properties["portalsuperreaderaccount"]}

 

Search crawler account 

Setting this account can be done using Set-SPEnterpriseSearchServiceApplication -DefaultContentAccessAccountName, but querying it is a bit tricky:

New-Object Microsoft.Office.Server.Search.Administration.content $(Get-SPEnterpriseSearchServiceApplication) | Select DefaultGatheringAccount

 

Conclusion 

The above commands should give you an overview of where your accounts are used. There are more accounts not listed above, for example the accounts used for Secure Store and the unattended service accounts for services like Visio, but most are covered above.

If I have forgotten some important accounts or if you see something blatantly wrong in the above, feel free to comment :-)
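
The individual queries above, combined into one inventory as an added example (not part of the original post): it collects service application pool, web application pool, object cache and Windows service accounts into rows, groups them per account, and lists managed accounts that none of these sources reference. New-UsageRow and the Source labels are names made up for this example; Get-WmiObject only sees the local server, so the service part has to be run on each farm server.

```powershell
# Added example: one account-usage table built from the queries in this post.
# Run in the SharePoint 2010 Management Shell (PowerShell 2.0) as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: emit one usage row, skipping empty account names.
function New-UsageRow($Account, $Source, $Name) {
    if ($Account) {
        New-Object PSObject -Property @{
            Account = "$Account".ToLower(); Source = $Source; Name = $Name }
    }
}

# @( ) keeps an empty result from adding a $null element to $rows.
$rows = @()
$rows += @(Get-SPServiceApplicationPool |
    % { New-UsageRow $_.ProcessAccountName 'ServiceAppPool' $_.Name })
$rows += @(Get-SPWebApplication -IncludeCentralAdministration |
    % { New-UsageRow $_.ApplicationPool.Username 'WebAppPool' $_.DisplayName })
$rows += @(Get-SPWebApplication | % {
    New-UsageRow $_.Properties['portalsuperuseraccount']   'ObjectCacheUser'   $_.DisplayName
    New-UsageRow $_.Properties['portalsuperreaderaccount'] 'ObjectCacheReader' $_.DisplayName
})
$wql = "select * from win32_service where name LIKE 'SP%v4' or name LIKE '%14'"
$rows += @(Get-WmiObject -Query $wql |
    % { New-UsageRow $_.StartName 'WindowsService' $_.Name })

# One line per account, listing every role it holds and every object using it.
# An account that shows up under several roles is worth a least-privilege review.
$usage = $rows | Group-Object Account | % {
    New-Object PSObject -Property @{
        Account = $_.Name
        Roles   = ($_.Group | % { $_.Source } | Select -Unique) -join ', '
        UsedBy  = ($_.Group | % { $_.Name }) -join ', '
    }
}
$usage | Sort-Object Account | Format-Table Account, Roles, UsedBy -AutoSize -Wrap

# Managed accounts that none of the sources above reference. These are review
# candidates only: service instances, the search crawler and the profile sync
# connection are not part of this table.
$used = @($rows | % { $_.Account })
Get-SPManagedAccount | ? { $used -notcontains $_.Username.ToLower() } | Select Username
```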

Comments

Super! This covers what I need

I have 19(!) farms to document, so these scripts are really helpful.

I had trouble finding what URL to use in the SP_ProfileSync account using the UserProfileConfigManager and what to replace http://yourSite with. As it turned out, it's the Central Admin URL, which led me to improving the script so it can be used regardless of farm.

$caWebApp = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager( $(Get-SPServiceContext $caWebApp.Sites[0].Url))

Thanks for the post, Anders
 on 5/27/2015 7:05 AM
