The Service Account change utility has two important functions. It is not needed very often, but its wizard interface lets a Domain\System Administrator make changes in these two specific areas by spending 30 seconds filling out some forms, which saves about 20 minutes of time:
- Change Service Account's password if this password needs to be changed
- Change the service account to a different service account (this article covers this procedure)
The FileHold Server Application runs under a service account model; the account has the specific permissions, memberships and rights needed to run the FileHold Server application. This tool must be run by a domain administrator who also has access to the SQL databases. The FHInstrumentation tool uses Windows authentication to safeguard the process, so it depends on the rights of the user running it.
- The service account can be a local account, or a domain account.
- It should not be an administrator or domain administrator level account
- It should have a strong password that complies with your domain security policy.
- Its password should not expire, nor should the account have the ability to change its own password
It must have SQL Server login permissions where the FileHold databases are stored and managed
- It must be the DB Owner of all of the databases that are part of FileHold
- It must have the "Log on as a service" and "Log on as a batch job" rights under the Local Security Policy.
- It must be a member of the IIS_IUSRS group
- It must run the FH App Pool in IIS 7.X
- It has specific settings in each of the FileHold web services
It must have full control of the FileHoldData storage structure, specifically the:
All of this has to be set for the FH_Service account for the FileHold server to function properly.
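The Windows-side items in this list can be audited before and after the change with a short script. This is an added example, not part of the FileHold tooling: the default account name is a placeholder, the helper function names are the example's own, and it covers only local group membership, the two logon rights and, for a local account, the password flags (SQL, IIS app pool and folder permissions are not checked).

```powershell
# Added example (not FileHold code). Run elevated on the FileHold server.
# The default account name is a placeholder; pass your own with -Account.
param([string]$Account = "$env:COMPUTERNAME\FH_Service")

# Resolve to a SID so local and domain accounts are compared the same way.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the user-rights assignments from the local security policy.
$cfg = Join-Path $env:TEMP 'fh-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
Remove-Item $cfg

function Test-LocalGroupMember([string]$GroupSid) {
    # Well-known SIDs avoid localized group names. Direct membership only.
    [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid })
}

function Test-UserRight([string]$Right) {
    # Lines look like: SeServiceLogonRight = *S-1-5-21-...,*S-1-5-80-0
    # Only a direct grant to the account is detected, not one via a group.
    $line = $rights | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }
    $entries = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    ($entries -contains $sid) -or ($entries -contains $Account)
}

$report = [ordered]@{
    'Not in local Administrators' = -not (Test-LocalGroupMember 'S-1-5-32-544')
    'Member of IIS_IUSRS'         = Test-LocalGroupMember 'S-1-5-32-568'
    'Log on as a service'         = Test-UserRight 'SeServiceLogonRight'
    'Log on as a batch job'       = Test-UserRight 'SeBatchLogonRight'
}

# Password flags are readable this way only for a local account.
$local = Get-LocalUser -SID $sid -ErrorAction SilentlyContinue
if ($local) {
    $report['Password never expires']     = $null -eq $local.PasswordExpires
    $report['Cannot change own password'] = -not $local.UserMayChangePassword
}

$report.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

A CHECK on a logon right or group line can also mean the right or membership is held through a group rather than directly, so confirm in the Local Security Policy before changing anything.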
Change Service Account - perform this procedure when users are not using the system, or notify them that there will be a few minutes of downtime. This procedure takes about 2-3 minutes at most.
- Launch the Change Service Account tool
- Fill out the form as required
- Enter in the DOMAIN\FH_Service information
- Enter in the password information twice
- Leave the scheduled task settings with "localhost" intact
- You will be connecting with your Windows credentials, so leave that intact. You can also use the credentials of a SQL administrator who is also a member of the Administrators group for this server, but if your system is synchronized with Active Directory then a Domain Admin with SQL administrator credentials will be needed.
- Enter the path to the WebClient's LoginForm, following the example; use https if you are using SSL.
- Click Next to go to the final form page:
- Your ADAM settings should look the same - a tiny percentage of customers run ADAM under a custom PORT #
- Enter in localhost, DATABASE Server name or DATABASE\INSTANCE name
- Make sure to Update security settings of Windows TEMP directories
- Click Next to go to the Final page for the Action > Status page
- Click Update to start this process.
- Once the process has completed successfully, click FINISH.
- Since the FH App Pool is stopped, the status will complain about this; simply start the FH App Pool if required
- Occasionally, the FileHold Workflow Host Service will not start; simply start it manually to address this
- Restart WWW Service
- Restart FHURM Service
- Restart FH Workflow Host Service (if you are using this)
- Start the FH App Pool
- Login to FileHold with Web Client and Desktop Client
Verify all scheduled tasks can run
- (skip the AD Sync related task if your system is not synchronizing with Active Directory)
- Run the FileHold Health Checker Tool to validate if the system is 100%
End of Procedure.