The Service Account change utility has 2 important functions. It is not needed very often, but it saves about 20 minutes of time by providing a wizard interface that lets a Domain\System Administrator make changes in these two specific areas by spending 30 seconds filling out some forms:
- Change Service Account's password if this password needs to be changed
- Change the service account to a different service account (this article covers this procedure)
The FileHold Server application runs under a service account model: the account has specific permissions, memberships and rights to run the FileHold Server application. This tool must be run by a domain administrator who also has access to the SQL databases. The FHInstrumentation tool uses Windows authentication to safeguard the process, so it depends on the rights of the user running it.
- The service account can be a local account, or a domain account.
- It should not be an administrator or domain administrator level account
- It should have a strong password that complies with your domain security policy.
- Its password should not expire, nor should the account have the ability to change its own password
- It must have SQL Server login permissions where the FileHold databases are stored and managed
- It must be the DB Owner of all of the databases that are part of FileHold
- It must have Login as Service and Login as batch rights under the Local Security Policy.
- It must be a member of the IIS_IUSRS group
- It must run the FH App Pool in IIS 7.X
- It has specific settings in each of the FileHold web services
- It must have full control of the FileHoldData storage structure, specifically the:
All of this has to be set for the FH_Service account for the FileHold server to function properly.
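The Windows-side items in the list above can be checked before and after a change with a short audit script. This is an added example, not FileHold tooling: it assumes the account name FH_Service used in this article, an elevated Windows PowerShell 5.1 prompt on the FileHold server, and it covers only group membership, logon rights and (for local accounts) password flags, not the SQL, IIS app pool or storage permissions.

```powershell
# Added example: audit a service account against the requirements listed above.
# Run elevated on the FileHold server (Windows PowerShell 5.1 or later).
param([string]$Account = 'FH_Service')   # account name as used in this article

function ConvertTo-Sid([string]$Name) {
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$sid     = ConvertTo-Sid $Account
$results = [ordered]@{}

# Direct local group membership only; nested domain groups are not expanded.
function Test-LocalMember([string]$Group) {
    @(Get-LocalGroupMember -Name $Group | Where-Object { $_.SID.Value -eq $sid }).Count -gt 0
}
$results['Not in local Administrators'] = -not (Test-LocalMember 'Administrators')
$results['Member of IIS_IUSRS']         = Test-LocalMember 'IIS_IUSRS'

# Export the user rights assignments and look for the account in each right.
$cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
Remove-Item $cfg -Force
foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') {
    $line    = $rights | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $entries = if ($line) { ($line -split '=', 2)[1].Split(',').Trim() } else { @() }
    # Entries are '*'-prefixed SIDs or, for some accounts, plain names.
    $holders = foreach ($e in $entries) {
        if ($e.StartsWith('*')) { $e.Substring(1) }
        else { try { ConvertTo-Sid $e } catch { $e } }
    }
    $results["$right granted directly"] = @($holders) -contains $sid
}

# Password flags can be read this way for local accounts only.
$local = Get-LocalUser -Name $Account.Split('\')[-1] -ErrorAction SilentlyContinue
if ($local -and $local.SID.Value -eq $sid) {
    $results['Password does not expire']   = $null -eq $local.PasswordExpires
    $results['Cannot change own password'] = -not $local.UserMayChangePassword
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'REVIEW' })
}
```

A REVIEW result on a logon right does not always mean the right is missing, because the right may be granted through a group rather than directly to the account. For a domain account the password flags are skipped; they can be read from Active Directory instead.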
Change Service Account - perform this procedure when users are not using the system, or notify them that there will be a few minutes of downtime. This procedure takes about 2-3 minutes at most.
- Launch the Change Service Account tool
- Fill out the form as required
- Enter in the DOMAIN\FH_Service information
- Enter in the password information twice
- Leave the scheduled task settings with "localhost" intact
- You will be connecting with your Windows credentials, so leave that intact. You can also use the credentials of a SQL administrator who is also a member of the Administrators group for this server, but if your system is synchronized with Active Directory then a Domain Admin with SQL administrator credentials will be needed.
- Enter in the path to the WebClient's LoginForm - using the example - add https if you are using SSL.
- Click Next to go to the final form page.
- Your ADAM settings should look the same - a tiny percentage of customers run ADAM under a custom PORT #
- Enter in localhost, DATABASE Server name or DATABASE\INSTANCE name
- Make sure to Update security settings of Windows TEMP directories
- Click Next to go to the Final page for the Action > Status page
- Click Update to start this process.
- Once the process has completed successfully, click FINISH.
- Since the FH App Pool is stopped, the status will complain about this; simply start the FH App Pool if required
- Occasionally, the FileHold Workflow Host Service will not start - simply start it manually to address this
- Restart WWW Service
- Restart FHURM Service
- Restart FH Workflow Host Service (if you are using this)
- Start the FH App Pool
- Login to FileHold with Web Client and Desktop Client
- Verify all scheduled tasks can run
- (skip the AD Sync related task if your system is not synchronizing with Active Directory)
- Run the FileHold Health Checker Tool to validate if the system is 100%
End of Procedure: