Solved

SharePoint 2013 Health Analyzer: The server farm account should not be used for other services.

Posted on 2014-04-14
4
2,900 Views
Last Modified: 2014-04-28
Hi!

I have a warning in the SharePoint 2013 Health Analyzer - apparenty the farm account is not supposed to be used With other services.

I have the farm account running the User Profile Syncronization Service (which I thought was the only way to make it work). Is there any way to fix this?

Title 
 The server farm account should not be used for other services.  

Severity 
 1 - Error  

Category 
 Security  

Explanation 
 
DOMAIN\svc_sp2013farm, the account used for the SharePoint timer service and the central administration site, is highly privileged and should not be used for any other services on any machines in the server farm.  The following services were found to use this account: User Profile Synchronization Service(Windows Service)

 

Remedy 
 
Browse to http://domain-sp1:2013/_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=142685".
 

Failing Servers 
  

Failing Services 
 
SPTimerService (SPTimerV4)
 

Rule Settings 
 View  

Open in new window

0
Comment
Question by:cegeland
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
Carlo-Giuliani earned 250 total points
ID: 40000810
You are correct that you must use the farm account for the User Profile Sync Service....or at least you did for SharePoint 2010.  I'm not certain about 2013.  

In  SharePoint 2010 I simply disabled the Health Analyzer check for this.
0
 
LVL 10

Expert Comment

by:Mohit Nair
ID: 40000869
As per the best practice you must not use farm account for other service. Generally farm account should be used while configuring user profile service application in order to crawl users from AD. Even if it is not changed there is no harm. You can ignore the health analyser event as the service will continue to work as expected.
0
 

Author Comment

by:cegeland
ID: 40002370
In order to run everything as per the recommended practice it would be Nice to be able to change the service account from the farm account to a dedicated account.

I've tried to do this through the Central Admin - Security - Configure Service Accounts. This results in being unable to start the User Profile Sync Service.

So is there a correct way to change the service account?
0
 
LVL 10

Assisted Solution

by:Mohit Nair
Mohit Nair earned 250 total points
ID: 40003283
Give replicate directory changes permission in AD to that user account which you recently added and then try starting the service again.

For more information check this link
http://technet.microsoft.com/en-us/library/ff182925(v=office.15).aspx
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Note:  There are two main ways to deploy InfoPath forms:  Server-side and directly through the SharePoint site.  Deploying a server-side InfoPath form means the form is approved by the Administrator, thus allowing greater functionality in the form. …
A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question