Change the service account password
From time-to-time it may be necessary to change the windows user or password associated with FileHold. For example, you may switch from a local user account to a domain user account. Or, your IT security policy requires you to periodically change user passwords even for headless technical users like the FileHold service account. This user information must be changed in all services and tasks that are part of FileHold. Although you could change these manually, this is both error prone and time consuming. The Service Account change utility allows you to change the password or the user id and password of your FileHold service account in all places at once.
The service account for FileHold is a critical part of the FileHold configuration. If this value is not correct your FileHold system will not operate. Take the appropriate care when making any changes to this value. It is recommended you familiarize yourself with this process and trial this change on a test server before making the change in a production server. Plan to make this change during off hours as users will be offline for a short period of time. These instructions are intended for a skilled Windows administrator with administration access to the FileHold server.
Overview of the FileHold service user
The FileHold Server Application runs under a service account model, it has specific permissions, memberships and rights to run the FileHold Server application. There are a number of components that rely on the service user.
- The FileHold application pool(s). For example, FH App Pool in IIS.
- All FileHold tasks in the task scheduler. Each task name begins with FH.
A number of requirements must be met related to the FileHold service user and the FileHold and SQL servers.
- The service account can be a local server or a domain account.
- The service account should have the least possible permissions in your network. It should never have administrative privileges.
- It should have a strong password that complies with your corporate security policy.
- Ideally the service account password should not expire and it should not be able to change its own password. Your IT policy may require periodic password changes. Plan for this situation well in advance to ensure minimal or zero user downtime.
- It must have SQL Server login permissions where the FileHold databases are stored and managed and it must be the database owner for each of the four FileHold databases.
- It must have Log on as a service and Logon as a batch job rights in the Local Security Policy settings.
- It must be a member of the IIS_IUSRS group
- It must have full control of the FileHold data storage locations including the document repository, full text search index, web client temporary upload, and any ADI watched folders.
- It must be the owner of the IIS virtual directories.
Changing the service account password
You may want to notify your users that FileHold will be unavailable for a few minutes before beginning.
- Log into the FileHold server with administrative privileges.
- Start FHIT and select Service account change > Change Service Account's password.
- Click Change.
- Enter the service account credentials.
- Enter the server name for the scheduled tasks.
- Select or enter the user account credentials.
- Enter in the URL to the Web Client.
- Click Next.
From this point forward your users will be offline until you restart the system.
- Disable all FileHold scheduled tasks.
- Stop the WWW service.
- Click Update.
- Click Finish to exit the tool.
- Start the WWW service.
- Enable all FileHold scheduled tasks.
- Run each of the scheduled tasks to ensure they can run without errors.
- Run the FileHold Health Checker Tool to validate the system.
- Login to FileHold using the desktop and web client, verify you can search, download, and upload documents.